Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add SAML Service Provider library #99

Merged
merged 69 commits into from
Sep 22, 2023
Merged

Add SAML Service Provider library #99

merged 69 commits into from
Sep 22, 2023

Conversation

hcjulz
Copy link
Collaborator

@hcjulz hcjulz commented Sep 8, 2023

This PR adds the initial SAML service provider library. It supports the Web Browser SSO Profile and provides the creation of SAML Authentication Requests with the SAML HTTP Redirect and POST bindings, as well as SAML Response parsing and validation. It also comes with a test IDP provider that can be used for unit testing.

A demo can be found under ./saml/demo/main.go. It makes use of example handlers available in the ./handlers package.

hcjulz and others added 30 commits February 24, 2023 10:34
As part of the tests, this commit refactors the sp.go and
adds a test provider with the feature to serve a metadata xml.
Add tests for Config and ServiceProvider
Add options for CreateMetadata and ParseResponse
…84)

* Adds ability to provide IdP metadata as XML or individual parameters

* DefaultGenerateAuthRequestID to GenerateAuthRequestID

* improve error message for URL parsing config params
hcjulz and others added 11 commits September 9, 2023 19:22
* fix (saml): address possible panic if clock.Clock is nil

* fix (saml): fix possible panic in WithAdditionalACSEndpoint(...)

changed  location url to be passed by value to eliminate possible
panic

* refactor (saml): add WithMetadataNameIDFormat(...)

Refactor WithAdditionalNameIDFormat(...) and WithNameIDFormats(...)
into one new option WithMetadataNameIDFormat(...)

* fix (saml): address possible panics in saml handlers

* tests (saml): minor code improvements
@austingebauer austingebauer self-requested a review September 11, 2023 18:57
remilapeyre and others added 10 commits September 13, 2023 09:59
* Add caching support to IDPMetadata()

Caching the metadata document will avoid an additional round-trip to the
IDP for every connection.

The Metadata for the OASIS Security Assertion Markup Language says
regarding caching:

	4.3 Post-Processing of Metadata
	The following sections describe the post-processing of metadata.

	4.3.1 Metadata Instance Caching
	[E94] Document caching MUST be based on the duration indicated by the cacheDuration attribute of
	the subject element(s). If metadata elements have parent elements which contain caching policies, the
	parent element takes precedence. To properly process the cacheDuration attribute, consumers must
	retain the date and time when an instance was obtained.

	Note that cache expiration does not imply a lack of validity in the absence of a validUntil attribute or
	other information; failure to update a cached instance (e.g., due to network failure) need not render
	metadata invalid, although implementations may offer such controls to deployers.
	When a document or element has expired, the consumer MUST retrieve a fresh copy, which may require
	a refresh of the document location(s). Consumers SHOULD process document cache processing
	according to [RFC2616] Section 13, and MAY request the Last-Modified date and time from the HTTP
	server. Publishers SHOULD ensure acceptable cache processing as described in [RFC2616] (Section
	10.3.5 304 Not Modified).

	4.3.2 [E94] Metadata Instance Validity
	Metadata MUST be considered invalid upon reaching the time specified in a validUntil attribute of the
	subject element(s). The effective expiration may be adjusted downward by parent element(s) with earlier
	expirations. Invalid metadata MUST NOT be used. This contrasts with "stale" metadata that may be
	beyond its optimum cache duration but is not explicitly invalid. Such metadata remains valid and MAY be
	used at the discretion of the implementation.

With this change the cached metadata is used until it expires. This behavior
can be disabled using WithCache().

Using a stale document when refreshing it fails is disabled by default
and users can opt-in using WithStale().

* Address code review comments

* Run go mod tidy

* Run go mod tidy

* Update saml/sp_test.go

Co-authored-by: Jim <jlambert@hashicorp.com>

---------

Co-authored-by: Jim <jlambert@hashicorp.com>
…ibutes (#104)

* saml: adds helpers for response assertions, subject, and attributes

* fix up comment

* Restructure test, add coverage, add issuer helpers
Copy link
Contributor

@austingebauer austingebauer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Gave this a look and think things would be good to merge to main. The major items we last discussed have been addressed. We should create some GH issues in this repo to address the remaining comments for cleaning up todos, godoc, and future enhancements.

Huge thanks to @hcjulz for all of the effort! Also to @jimlambrt @remilapeyre for the contributions, testing, and review!

Copy link
Collaborator

@jimlambrt jimlambrt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ty!

@hcjulz hcjulz merged commit f7be17e into main Sep 22, 2023
6 checks passed
@hcjulz hcjulz deleted the saml-lib branch September 22, 2023 05:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants