Configuration for SAML signature method (#1247)
This commit is contained in:
Clément OUDOT
parent
a18037ba33
commit
28c4429b75
|
|
@ -221,8 +221,9 @@ sub defaultValues {
|
|||
'samlNameIDFormatMapX509' => 'mail',
|
||||
'samlOrganizationDisplayName' => 'Example',
|
||||
'samlOrganizationName' => 'Example',
|
||||
'samlOrganizationURL' => 'http://www.example.com',
|
||||
'samlRelayStateTimeout' => 600,
|
||||
'samlOrganizationURL' => 'http://www.example.com',
|
||||
'samlRelayStateTimeout' => 600,
|
||||
'samlServiceSignatureMethod' => 'RSA_SHA256',
|
||||
'samlSPSSODescriptorArtifactResolutionServiceArtifact' =>
|
||||
'1;0;urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/artifact',
|
||||
'samlSPSSODescriptorAssertionConsumerServiceHTTPArtifact' =>
|
||||
|
|
|
|||
|
|
@ -65,7 +65,7 @@ our $issuerParameters = {
|
|||
issuerDBOpenIDConnect => [qw(issuerDBOpenIDConnectActivation issuerDBOpenIDConnectPath issuerDBOpenIDConnectRule)],
|
||||
issuerDBSAML => [qw(issuerDBSAMLActivation issuerDBSAMLPath issuerDBSAMLRule)],
|
||||
};
|
||||
our $samlServiceParameters = [qw(samlEntityID samlServicePrivateKeySig samlServicePrivateKeySigPwd samlServicePublicKeySig samlServicePrivateKeyEnc samlServicePrivateKeyEncPwd samlServicePublicKeyEnc samlServiceUseCertificateInResponse samlNameIDFormatMapEmail samlNameIDFormatMapX509 samlNameIDFormatMapWindows samlNameIDFormatMapKerberos samlAuthnContextMapPassword samlAuthnContextMapPasswordProtectedTransport samlAuthnContextMapTLSClient samlAuthnContextMapKerberos samlOrganizationDisplayName samlOrganizationName samlOrganizationURL samlSPSSODescriptorAuthnRequestsSigned samlSPSSODescriptorWantAssertionsSigned samlSPSSODescriptorSingleLogoutServiceHTTPRedirect samlSPSSODescriptorSingleLogoutServiceHTTPPost samlSPSSODescriptorSingleLogoutServiceSOAP samlSPSSODescriptorAssertionConsumerServiceHTTPArtifact samlSPSSODescriptorAssertionConsumerServiceHTTPPost samlSPSSODescriptorArtifactResolutionServiceArtifact samlIDPSSODescriptorWantAuthnRequestsSigned samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect samlIDPSSODescriptorSingleSignOnServiceHTTPPost samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact samlIDPSSODescriptorSingleLogoutServiceHTTPRedirect samlIDPSSODescriptorSingleLogoutServiceHTTPPost samlIDPSSODescriptorSingleLogoutServiceSOAP samlIDPSSODescriptorArtifactResolutionServiceArtifact samlAttributeAuthorityDescriptorAttributeServiceSOAP samlIdPResolveCookie samlMetadataForceUTF8 samlStorage samlStorageOptions samlRelayStateTimeout samlUseQueryStringSpecific samlCommonDomainCookieActivation samlCommonDomainCookieDomain samlCommonDomainCookieReader samlCommonDomainCookieWriter)];
|
||||
our $samlServiceParameters = [qw(samlEntityID samlServicePrivateKeySig samlServicePrivateKeySigPwd samlServicePublicKeySig samlServicePrivateKeyEnc samlServicePrivateKeyEncPwd samlServicePublicKeyEnc samlServiceUseCertificateInResponse samlServiceSignatureMethod samlNameIDFormatMapEmail samlNameIDFormatMapX509 samlNameIDFormatMapWindows samlNameIDFormatMapKerberos samlAuthnContextMapPassword samlAuthnContextMapPasswordProtectedTransport samlAuthnContextMapTLSClient samlAuthnContextMapKerberos samlOrganizationDisplayName samlOrganizationName samlOrganizationURL samlSPSSODescriptorAuthnRequestsSigned samlSPSSODescriptorWantAssertionsSigned samlSPSSODescriptorSingleLogoutServiceHTTPRedirect samlSPSSODescriptorSingleLogoutServiceHTTPPost samlSPSSODescriptorSingleLogoutServiceSOAP samlSPSSODescriptorAssertionConsumerServiceHTTPArtifact samlSPSSODescriptorAssertionConsumerServiceHTTPPost samlSPSSODescriptorArtifactResolutionServiceArtifact samlIDPSSODescriptorWantAuthnRequestsSigned samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect samlIDPSSODescriptorSingleSignOnServiceHTTPPost samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact samlIDPSSODescriptorSingleLogoutServiceHTTPRedirect samlIDPSSODescriptorSingleLogoutServiceHTTPPost samlIDPSSODescriptorSingleLogoutServiceSOAP samlIDPSSODescriptorArtifactResolutionServiceArtifact samlAttributeAuthorityDescriptorAttributeServiceSOAP samlIdPResolveCookie samlMetadataForceUTF8 samlStorage samlStorageOptions samlRelayStateTimeout samlUseQueryStringSpecific samlCommonDomainCookieActivation samlCommonDomainCookieDomain samlCommonDomainCookieReader samlCommonDomainCookieWriter)];
|
||||
our $oidcServiceParameters = [qw(oidcServiceMetaDataIssuer oidcServiceMetaDataAuthorizeURI oidcServiceMetaDataTokenURI oidcServiceMetaDataUserInfoURI oidcServiceMetaDataJWKSURI oidcServiceMetaDataRegistrationURI oidcServiceMetaDataEndSessionURI oidcServiceMetaDataCheckSessionURI oidcServiceMetaDataFrontChannelURI oidcServiceMetaDataBackChannelURI oidcServiceMetaDataAuthnContext oidcServicePrivateKeySig oidcServicePublicKeySig oidcServiceKeyIdSig oidcServiceAllowDynamicRegistration oidcServiceAllowAuthorizationCodeFlow oidcServiceAllowImplicitFlow oidcServiceAllowHybridFlow oidcStorage oidcStorageOptions)];
|
||||
|
||||
1;
|
||||
|
|
|
|||
|
|
@ -27,7 +27,7 @@ sub types {
|
|||
|
||||
BEGIN {
|
||||
${^WARNING_BITS} =
|
||||
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55\x05";
|
||||
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55";
|
||||
}
|
||||
eval "$s $val";
|
||||
my $err = join(
|
||||
|
|
@ -662,7 +662,7 @@ sub attributes {
|
|||
|
||||
BEGIN {
|
||||
${^WARNING_BITS} =
|
||||
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55\x05";
|
||||
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55";
|
||||
}
|
||||
eval "$s $val";
|
||||
my $err = join(
|
||||
|
|
@ -1032,7 +1032,7 @@ qr/^(?:\*\.)?(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][
|
|||
|
||||
BEGIN {
|
||||
${^WARNING_BITS} =
|
||||
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55\x05";
|
||||
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55";
|
||||
}
|
||||
eval $s;
|
||||
my $err = join(
|
||||
|
|
@ -1117,7 +1117,7 @@ qr/^(?:\*\.)?(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][
|
|||
|
||||
BEGIN {
|
||||
${^WARNING_BITS} =
|
||||
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55\x05";
|
||||
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55";
|
||||
}
|
||||
eval "$s $val";
|
||||
my $err = join(
|
||||
|
|
@ -1140,7 +1140,7 @@ qr/^(?:\*\.)?(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][
|
|||
|
||||
BEGIN {
|
||||
${^WARNING_BITS} =
|
||||
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55\x05";
|
||||
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55";
|
||||
}
|
||||
eval "$s $val";
|
||||
my $err = join(
|
||||
|
|
@ -1495,7 +1495,7 @@ qr/^(?:\*\.)?(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][
|
|||
|
||||
BEGIN {
|
||||
${^WARNING_BITS} =
|
||||
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55\x05";
|
||||
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55";
|
||||
}
|
||||
eval $s;
|
||||
my $err = join(
|
||||
|
|
@ -1541,7 +1541,7 @@ qr/^(?:\*\.)?(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][
|
|||
|
||||
BEGIN {
|
||||
${^WARNING_BITS} =
|
||||
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55\x05";
|
||||
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55";
|
||||
}
|
||||
eval "$s $val";
|
||||
my $err = join(
|
||||
|
|
@ -1900,7 +1900,7 @@ qr/^(?:\*\.)?(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][
|
|||
|
||||
BEGIN {
|
||||
${^WARNING_BITS} =
|
||||
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55\x05";
|
||||
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55";
|
||||
}
|
||||
eval "$s $val";
|
||||
my $err = join(
|
||||
|
|
@ -2237,7 +2237,7 @@ qr/^(?:\*\.)?(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][
|
|||
|
||||
BEGIN {
|
||||
${^WARNING_BITS} =
|
||||
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55\x05";
|
||||
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55";
|
||||
}
|
||||
eval "$s $val";
|
||||
my $err = join(
|
||||
|
|
@ -2822,6 +2822,20 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.]
|
|||
'default' => '',
|
||||
'type' => 'RSAPublicKeyOrCertificate'
|
||||
},
|
||||
'samlServiceSignatureMethod' => {
|
||||
'default' => 'RSA_SHA256',
|
||||
'select' => [
|
||||
{
|
||||
'k' => 'RSA_SHA1',
|
||||
'v' => 'RSA SHA1'
|
||||
},
|
||||
{
|
||||
'k' => 'RSA_SHA256',
|
||||
'v' => 'RSA SHA256'
|
||||
}
|
||||
],
|
||||
'type' => 'select'
|
||||
},
|
||||
'samlServiceUseCertificateInResponse' => {
|
||||
'default' => 0,
|
||||
'type' => 'bool'
|
||||
|
|
@ -2940,7 +2954,7 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.]
|
|||
|
||||
BEGIN {
|
||||
${^WARNING_BITS} =
|
||||
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55\x05";
|
||||
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55";
|
||||
}
|
||||
eval "$s $val";
|
||||
my $err = join(
|
||||
|
|
|
|||
|
|
@ -1441,7 +1441,7 @@ sub attributes {
|
|||
grep { $_ =~ /Undefined subroutine/ ? () : $_ }
|
||||
split( /\n/, $@ ) );
|
||||
return $err ? ( 1, "__badExpression__: $err" ) : (1);
|
||||
}
|
||||
}
|
||||
},
|
||||
documentation => 'Virtualhost headers',
|
||||
flags => 'h',
|
||||
|
|
@ -1741,6 +1741,14 @@ sub attributes {
|
|||
default => '',
|
||||
documentation => 'SAML encryption public key',
|
||||
},
|
||||
samlServiceSignatureMethod => {
|
||||
type => 'select',
|
||||
select => [
|
||||
{ k => 'RSA_SHA1', v => 'RSA SHA1' },
|
||||
{ k => 'RSA_SHA256', v => 'RSA SHA256' },
|
||||
],
|
||||
default => 'RSA_SHA256',
|
||||
},
|
||||
samlServiceUseCertificateInResponse => {
|
||||
type => 'bool',
|
||||
default => 0,
|
||||
|
|
|
|||
|
|
@ -818,7 +818,8 @@ sub tree {
|
|||
'samlServicePublicKeyEnc'
|
||||
]
|
||||
},
|
||||
'samlServiceUseCertificateInResponse'
|
||||
'samlServiceUseCertificateInResponse',
|
||||
'samlServiceSignatureMethod'
|
||||
]
|
||||
},
|
||||
{
|
||||
|
|
|
|||
File diff suppressed because one or more lines are too long
|
|
@ -910,6 +910,7 @@
|
|||
"samlServicePrivateKeyEnc":"المفتاح الخاص",
|
||||
"samlServicePrivateKeyEncPwd":"مفتاح كلمة المرور الخاصة",
|
||||
"samlServicePublicKeyEnc":"المفتاح العام",
|
||||
"samlServiceSignatureMethod":"Signature method",
|
||||
"samlServiceUseCertificateInResponse":"استخدم الشهادة الرقمية في الردود",
|
||||
"samlAdvanced":"المتقدمة",
|
||||
"samlIdPResolveCookie":"اسم ملف تعريف الارتباط IDP",
|
||||
|
|
|
|||
|
|
@ -910,6 +910,7 @@
|
|||
"samlServicePrivateKeyEnc":"Private key",
|
||||
"samlServicePrivateKeyEncPwd":"Private key password",
|
||||
"samlServicePublicKeyEnc":"Public key",
|
||||
"samlServiceSignatureMethod":"Signature method",
|
||||
"samlServiceUseCertificateInResponse":"Use certificate in responses",
|
||||
"samlAdvanced":"Advanced",
|
||||
"samlIdPResolveCookie":"IDP resolution cookie name",
|
||||
|
|
|
|||
|
|
@ -910,6 +910,7 @@
|
|||
"samlServicePrivateKeyEnc":"Clef privée",
|
||||
"samlServicePrivateKeyEncPwd":"Mot de passe de la clef privée",
|
||||
"samlServicePublicKeyEnc":"Clef publique",
|
||||
"samlServiceSignatureMethod":"Méthode pour la signature",
|
||||
"samlServiceUseCertificateInResponse":"Utilisation du certificat dans les réponses",
|
||||
"samlAdvanced":"Avancé",
|
||||
"samlIdPResolveCookie":"Nom du cookie de résolution IDP",
|
||||
|
|
|
|||
|
|
@ -910,6 +910,7 @@
|
|||
"samlServicePrivateKeyEnc":"Chiave privata",
|
||||
"samlServicePrivateKeyEncPwd":"Password chiave privata",
|
||||
"samlServicePublicKeyEnc":"Chiave pubblica",
|
||||
"samlServiceSignatureMethod":"Signature method",
|
||||
"samlServiceUseCertificateInResponse":"Utilizza il certificato nelle risposte",
|
||||
"samlAdvanced":"Avanzato",
|
||||
"samlIdPResolveCookie":"Nome del cookie di risoluzione IDP",
|
||||
|
|
|
|||
|
|
@ -910,6 +910,7 @@
|
|||
"samlServicePrivateKeyEnc":"Khóa cá nhân",
|
||||
"samlServicePrivateKeyEncPwd":"Khóa mật khẩu cá nhân",
|
||||
"samlServicePublicKeyEnc":"Khóa công khai",
|
||||
"samlServiceSignatureMethod":"Signature method",
|
||||
"samlServiceUseCertificateInResponse":"Sử dụng chứng chỉ trong câu trả lời",
|
||||
"samlAdvanced":"Nâng cao",
|
||||
"samlIdPResolveCookie":"Tên cookie phân giải IDP",
|
||||
|
|
|
|||
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
|
|
@ -202,7 +202,7 @@ sub loadService {
|
|||
);
|
||||
|
||||
# Signature method
|
||||
my $method = $self->conf->{samlServiceSignatureMethod} || 'SHA1';
|
||||
my $method = $self->conf->{samlServiceSignatureMethod} || 'RSA_SHA1';
|
||||
$server->signature_method( $self->getSignatureMethod($method) );
|
||||
$self->logger->debug("Set $method as SAML server signature method ");
|
||||
|
||||
|
|
@ -3074,9 +3074,9 @@ sub getSignatureMethod {
|
|||
my $signature_method_none = eval 'Lasso::Constants::SIGNATURE_METHOD_NONE';
|
||||
|
||||
return $signature_method_rsa_sha1
|
||||
if ( $signature_method =~ /^SHA1$/i );
|
||||
if ( $signature_method =~ /^RSA_SHA1$/i );
|
||||
return $signature_method_rsa_sha256
|
||||
if ( $signature_method =~ /^SHA256$/i );
|
||||
if ( $signature_method =~ /^RSA_SHA256$/i );
|
||||
return $signature_method_none;
|
||||
}
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue
Block a user