Possibility to use certificate in SAML response (#836)

lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/DefaultValues.pm

@@ -271,14 +271,15 @@ sub defaultValues {
         'samlNameIDFormatMapX509'                     => 'mail',
         'samlOrganizationDisplayName'                 => 'Example',
         'samlOrganizationName'                        => 'Example',
-        'samlOrganizationURL'              => 'http://www.example.com',
-        'samlRelayStateTimeout'            => 600,
-        'samlServicePrivateKeyEnc'         => '',
-        'samlServicePrivateKeySig'         => '',
-        'samlServicePrivateKeySigPwd'      => '',
-        'samlServicePublicKeyEnc'          => '',
-        'samlServicePublicKeySig'          => '',
-        'samlSPMetaDataExportedAttributes' => {},
+        'samlOrganizationURL'                 => 'http://www.example.com',
+        'samlRelayStateTimeout'               => 600,
+        'samlServicePrivateKeyEnc'            => '',
+        'samlServicePrivateKeySig'            => '',
+        'samlServicePrivateKeySigPwd'         => '',
+        'samlServicePublicKeyEnc'             => '',
+        'samlServicePublicKeySig'             => '',
+        'samlServiceUseCertificateInResponse' => 0,
+        'samlSPMetaDataExportedAttributes'    => {},
         'samlSPMetaDataOptionsCheckSLOMessageSignature'   => 0,
         'samlSPMetaDataOptionsCheckSSOMessageSignature'   => 0,
         'samlSPMetaDataOptionsEnableIDPInitiatedURL'      => 0,

lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm

@@ -186,7 +186,7 @@ qr/^(?:(?:\-+\s*BEGIN\s+(?:PUBLIC\s+KEY|CERTIFICATE)\s*\-+\r?\n)?[a-zA-Z0-9\/\+\
             'test' => sub {
                 my $test =
                   grep( { $_ eq $_[0]; }
-                    map( { $_->{'k'}; } @{ $_[2]{'select'}; } ) );
+                    map( { $$_{'k'}; } @{ $_[2]{'select'}; } ) );
                 return $test
                   ? 1
                   : ( 0, "Invalid value '$_[0]' for this select" );
@@ -1011,7 +1011,7 @@ qr/^(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][-a-zA-Z0-
             'default' => 'ldap://localhost',
             'test'    => sub {
                 my $l = shift();
-                my @s = split( /[\s,]+/, $l, 0 );
+                my (@s) = split( /[\s,]+/, $l, 0 );
                 foreach my $s (@s) {
                     return 0, qq[Bad ldap uri "$s"]
                       unless $s =~
@@ -2119,6 +2119,10 @@ qr/^(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.
             'default' => '',
             'type'    => 'RSAPublicKeyOrCertificate'
         },
+        'samlServiceUseCertificateInResponse' => {
+            'default' => 0,
+            'type'    => 'bool'
+        },
         'samlSPMetaDataExportedAttributes' => {
             'default' => {},
             'keyTest' => qr/^[a-zA-Z](?:[a-zA-Z0-9_\-\.]*\w)?$/,

lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm

@@ -1112,6 +1112,12 @@ sub attributes {
             default       => '',
             documentation => 'SAML encryption public key',
         },
+        samlServiceUseCertificateInResponse => {
+            type    => 'bool',
+            default => 0,
+            documentation =>
+              'Use certificate instead of public key in SAML responses',
+        },
         samlIdPResolveCookie => {
             type          => 'text',
             default       => 'lemonldapidp',

lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Tree.pm

@@ -689,7 +689,8 @@ sub tree {
                                 'samlServicePrivateKeyEncPwd',
                                 'samlServicePublicKeyEnc'
                             ]
-                        }
+                        },
+			'samlServiceUseCertificateInResponse'
                     ]
                 },
                 {

lemonldap-ng-manager/site/static/languages/en.json

@@ -735,6 +735,7 @@
 "samlServicePrivateKeyEnc": "Private key",
 "samlServicePrivateKeyEncPwd": "Private key password",
 "samlServicePublicKeyEnc": "Public key",
+"samlServiceUseCertificateInResponse": "Use certificate in responses",
 "samlAdvanced": "Advanced",
 "samlIdPResolveCookie": "IDP resolution cookie name",
 "samlPartnerName": "Name of SAML partner",

lemonldap-ng-manager/site/static/languages/fr.json

@@ -735,6 +735,7 @@
 "samlServicePrivateKeyEnc": "Clef privée",
 "samlServicePrivateKeyEncPwd": "Mot de passe de la clef privée",
 "samlServicePublicKeyEnc": "Clef publique",
+"samlServiceUseCertificateInResponse": "Utilisation du certificat dans les réponses",
 "samlAdvanced": "Avancé",
 "samlIdPResolveCookie": "Nom du cookie de résolution IDP",
 "samlPartnerName": "Nom du partenaire SAML",

lemonldap-ng-portal/lib/Lemonldap/NG/Portal/_SAML.pm

@@ -22,7 +22,7 @@ use URI;                   # Get metadata URL path
 #inherits Lemonldap::NG::Common::Conf::SAML::Metadata protected service_metadata
 
 our @ISA     = (qw(Lemonldap::NG::Portal::_Browser));
-our $VERSION = '1.4.4';
+our $VERSION = '1.9.0';
 our $samlCache;
 our $initGlibDone;
 
@@ -165,6 +165,15 @@ sub loadService {
         $privateKeyEncPwd = $privateKeySigPwd;
     }
 
+    # Check if certificate should be inserted in SAML responses
+    my $serviceCertificate;
+    if (   $self->{samlServiceUseCertificateInResponse}
+        && $publicKeySig =~ /CERTIFICATE/ )
+    {
+        $serviceCertificate = $publicKeySig;
+        $self->lmLog( 'Certificate will be used in SAML responses', 'debug' );
+    }
+
     # Get metadata from configuration
     $self->lmLog( "Get Metadata for this service", 'debug' );
     my $service_metadata = Lemonldap::NG::Common::Conf::SAML::Metadata->new();
@@ -179,6 +188,7 @@ sub loadService {
         $privateKeySigPwd,
         $privateKeyEnc,
         $privateKeyEncPwd,
+        $serviceCertificate
     );
 
     # Log
@@ -328,7 +338,8 @@ sub loadSPs {
 
         $self->lmLog( "Get Metadata for SP $_", 'debug' );
 
-        my $sp_metadata = $self->{samlSPMetaDataXML}->{$_}->{samlSPMetaDataXML};
+        my $sp_metadata =
+          $self->{samlSPMetaDataXML}->{$_}->{samlSPMetaDataXML};
 
         # Check metadata format
         if ( ref $sp_metadata eq "HASH" ) {
@@ -2332,7 +2343,8 @@ sub timestamp2samldate {
 sub samldate2timestamp {
     my ( $self, $samldate ) = @_;
 
-    my ( $year, $mon, $mday, $hour, $min, $sec, $msec, $ztime ) = ( $samldate =~
+    my ( $year, $mon, $mday, $hour, $min, $sec, $msec, $ztime ) =
+      ( $samldate =~
           /(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(\.\d+)?(Z)?/ );
 
     my $timestamp =
@@ -2442,7 +2454,8 @@ sub sendLogoutRequestToProvider {
     # Get Provider Name and Conf Key from EntityID
     my $providerName =
       $self->{ '_' . lc($type) . 'List' }->{$providerID}->{name};
-    my $confKey = $self->{ '_' . lc($type) . 'List' }->{$providerID}->{confKey};
+    my $confKey =
+      $self->{ '_' . lc($type) . 'List' }->{$providerID}->{confKey};
 
     # Get first HTTP method
     my $protocolType = Lasso::Constants::MD_PROTOCOL_TYPE_SINGLE_LOGOUT;
@@ -2747,9 +2760,8 @@ sub authnContext2authnLevel {
     return $self->{samlAuthnContextMapPassword}
       if ( $authnContext eq $self->getAuthnContext("password") );
     return $self->{samlAuthnContextMapPasswordProtectedTransport}
-      if (
-        $authnContext eq $self->getAuthnContext("password-protected-transport")
-      );
+      if ( $authnContext eq
+        $self->getAuthnContext("password-protected-transport") );
     return $self->{samlAuthnContextMapKerberos}
       if ( $authnContext eq $self->getAuthnContext("kerberos") );
     return $self->{samlAuthnContextMapTLSClient}