Possibility to use certificate in SAML response (#836)
This commit is contained in:
parent
56f9c128d3
commit
607641dcfd
|
@ -271,14 +271,15 @@ sub defaultValues {
|
||||||
'samlNameIDFormatMapX509' => 'mail',
|
'samlNameIDFormatMapX509' => 'mail',
|
||||||
'samlOrganizationDisplayName' => 'Example',
|
'samlOrganizationDisplayName' => 'Example',
|
||||||
'samlOrganizationName' => 'Example',
|
'samlOrganizationName' => 'Example',
|
||||||
'samlOrganizationURL' => 'http://www.example.com',
|
'samlOrganizationURL' => 'http://www.example.com',
|
||||||
'samlRelayStateTimeout' => 600,
|
'samlRelayStateTimeout' => 600,
|
||||||
'samlServicePrivateKeyEnc' => '',
|
'samlServicePrivateKeyEnc' => '',
|
||||||
'samlServicePrivateKeySig' => '',
|
'samlServicePrivateKeySig' => '',
|
||||||
'samlServicePrivateKeySigPwd' => '',
|
'samlServicePrivateKeySigPwd' => '',
|
||||||
'samlServicePublicKeyEnc' => '',
|
'samlServicePublicKeyEnc' => '',
|
||||||
'samlServicePublicKeySig' => '',
|
'samlServicePublicKeySig' => '',
|
||||||
'samlSPMetaDataExportedAttributes' => {},
|
'samlServiceUseCertificateInResponse' => 0,
|
||||||
|
'samlSPMetaDataExportedAttributes' => {},
|
||||||
'samlSPMetaDataOptionsCheckSLOMessageSignature' => 0,
|
'samlSPMetaDataOptionsCheckSLOMessageSignature' => 0,
|
||||||
'samlSPMetaDataOptionsCheckSSOMessageSignature' => 0,
|
'samlSPMetaDataOptionsCheckSSOMessageSignature' => 0,
|
||||||
'samlSPMetaDataOptionsEnableIDPInitiatedURL' => 0,
|
'samlSPMetaDataOptionsEnableIDPInitiatedURL' => 0,
|
||||||
|
|
|
@ -186,7 +186,7 @@ qr/^(?:(?:\-+\s*BEGIN\s+(?:PUBLIC\s+KEY|CERTIFICATE)\s*\-+\r?\n)?[a-zA-Z0-9\/\+\
|
||||||
'test' => sub {
|
'test' => sub {
|
||||||
my $test =
|
my $test =
|
||||||
grep( { $_ eq $_[0]; }
|
grep( { $_ eq $_[0]; }
|
||||||
map( { $_->{'k'}; } @{ $_[2]{'select'}; } ) );
|
map( { $$_{'k'}; } @{ $_[2]{'select'}; } ) );
|
||||||
return $test
|
return $test
|
||||||
? 1
|
? 1
|
||||||
: ( 0, "Invalid value '$_[0]' for this select" );
|
: ( 0, "Invalid value '$_[0]' for this select" );
|
||||||
|
@ -1011,7 +1011,7 @@ qr/^(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][-a-zA-Z0-
|
||||||
'default' => 'ldap://localhost',
|
'default' => 'ldap://localhost',
|
||||||
'test' => sub {
|
'test' => sub {
|
||||||
my $l = shift();
|
my $l = shift();
|
||||||
my @s = split( /[\s,]+/, $l, 0 );
|
my (@s) = split( /[\s,]+/, $l, 0 );
|
||||||
foreach my $s (@s) {
|
foreach my $s (@s) {
|
||||||
return 0, qq[Bad ldap uri "$s"]
|
return 0, qq[Bad ldap uri "$s"]
|
||||||
unless $s =~
|
unless $s =~
|
||||||
|
@ -2119,6 +2119,10 @@ qr/^(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.
|
||||||
'default' => '',
|
'default' => '',
|
||||||
'type' => 'RSAPublicKeyOrCertificate'
|
'type' => 'RSAPublicKeyOrCertificate'
|
||||||
},
|
},
|
||||||
|
'samlServiceUseCertificateInResponse' => {
|
||||||
|
'default' => 0,
|
||||||
|
'type' => 'bool'
|
||||||
|
},
|
||||||
'samlSPMetaDataExportedAttributes' => {
|
'samlSPMetaDataExportedAttributes' => {
|
||||||
'default' => {},
|
'default' => {},
|
||||||
'keyTest' => qr/^[a-zA-Z](?:[a-zA-Z0-9_\-\.]*\w)?$/,
|
'keyTest' => qr/^[a-zA-Z](?:[a-zA-Z0-9_\-\.]*\w)?$/,
|
||||||
|
|
|
@ -1112,6 +1112,12 @@ sub attributes {
|
||||||
default => '',
|
default => '',
|
||||||
documentation => 'SAML encryption public key',
|
documentation => 'SAML encryption public key',
|
||||||
},
|
},
|
||||||
|
samlServiceUseCertificateInResponse => {
|
||||||
|
type => 'bool',
|
||||||
|
default => 0,
|
||||||
|
documentation =>
|
||||||
|
'Use certificate instead of public key in SAML responses',
|
||||||
|
},
|
||||||
samlIdPResolveCookie => {
|
samlIdPResolveCookie => {
|
||||||
type => 'text',
|
type => 'text',
|
||||||
default => 'lemonldapidp',
|
default => 'lemonldapidp',
|
||||||
|
|
|
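Review bot: The `documentation` string for the new `samlServiceUseCertificateInResponse` attribute in `sub attributes` does not tell the administrator when the option has an effect; from the Portal hunk on this page the flag appears to be honoured only when the signing public key holds a certificate, so a value that is a plain RSA public key leaves the option silently inert. I would make the prerequisite explicit, e.g. `documentation => 'Use certificate instead of public key in SAML responses (samlServicePublicKeySig must contain a certificate)',`. This is inferred from the `$publicKeySig =~ /CERTIFICATE/` check in loadService rather than from this hunk, so confirm the attribute name before wording it that way.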
@ -689,7 +689,8 @@ sub tree {
|
||||||
'samlServicePrivateKeyEncPwd',
|
'samlServicePrivateKeyEncPwd',
|
||||||
'samlServicePublicKeyEnc'
|
'samlServicePublicKeyEnc'
|
||||||
]
|
]
|
||||||
}
|
},
|
||||||
|
'samlServiceUseCertificateInResponse'
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
|
|
|
@ -735,6 +735,7 @@
|
||||||
"samlServicePrivateKeyEnc": "Private key",
|
"samlServicePrivateKeyEnc": "Private key",
|
||||||
"samlServicePrivateKeyEncPwd": "Private key password",
|
"samlServicePrivateKeyEncPwd": "Private key password",
|
||||||
"samlServicePublicKeyEnc": "Public key",
|
"samlServicePublicKeyEnc": "Public key",
|
||||||
|
"samlServiceUseCertificateInResponse": "Use certificate in responses",
|
||||||
"samlAdvanced": "Advanced",
|
"samlAdvanced": "Advanced",
|
||||||
"samlIdPResolveCookie": "IDP resolution cookie name",
|
"samlIdPResolveCookie": "IDP resolution cookie name",
|
||||||
"samlPartnerName": "Name of SAML partner",
|
"samlPartnerName": "Name of SAML partner",
|
||||||
|
|
|
@ -735,6 +735,7 @@
|
||||||
"samlServicePrivateKeyEnc": "Clef privée",
|
"samlServicePrivateKeyEnc": "Clef privée",
|
||||||
"samlServicePrivateKeyEncPwd": "Mot de passe de la clef privée",
|
"samlServicePrivateKeyEncPwd": "Mot de passe de la clef privée",
|
||||||
"samlServicePublicKeyEnc": "Clef publique",
|
"samlServicePublicKeyEnc": "Clef publique",
|
||||||
|
"samlServiceUseCertificateInResponse": "Utilisation du certificat dans les réponses",
|
||||||
"samlAdvanced": "Avancé",
|
"samlAdvanced": "Avancé",
|
||||||
"samlIdPResolveCookie": "Nom du cookie de résolution IDP",
|
"samlIdPResolveCookie": "Nom du cookie de résolution IDP",
|
||||||
"samlPartnerName": "Nom du partenaire SAML",
|
"samlPartnerName": "Nom du partenaire SAML",
|
||||||
|
|
File diff suppressed because one or more lines are too long
|
@ -22,7 +22,7 @@ use URI; # Get metadata URL path
|
||||||
#inherits Lemonldap::NG::Common::Conf::SAML::Metadata protected service_metadata
|
#inherits Lemonldap::NG::Common::Conf::SAML::Metadata protected service_metadata
|
||||||
|
|
||||||
our @ISA = (qw(Lemonldap::NG::Portal::_Browser));
|
our @ISA = (qw(Lemonldap::NG::Portal::_Browser));
|
||||||
our $VERSION = '1.4.4';
|
our $VERSION = '1.9.0';
|
||||||
our $samlCache;
|
our $samlCache;
|
||||||
our $initGlibDone;
|
our $initGlibDone;
|
||||||
|
|
||||||
|
@ -165,6 +165,15 @@ sub loadService {
|
||||||
$privateKeyEncPwd = $privateKeySigPwd;
|
$privateKeyEncPwd = $privateKeySigPwd;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Check if certificate should be inserted in SAML responses
|
||||||
|
my $serviceCertificate;
|
||||||
|
if ( $self->{samlServiceUseCertificateInResponse}
|
||||||
|
&& $publicKeySig =~ /CERTIFICATE/ )
|
||||||
|
{
|
||||||
|
$serviceCertificate = $publicKeySig;
|
||||||
|
$self->lmLog( 'Certificate will be used in SAML responses', 'debug' );
|
||||||
|
}
|
||||||
|
|
||||||
# Get metadata from configuration
|
# Get metadata from configuration
|
||||||
$self->lmLog( "Get Metadata for this service", 'debug' );
|
$self->lmLog( "Get Metadata for this service", 'debug' );
|
||||||
my $service_metadata = Lemonldap::NG::Common::Conf::SAML::Metadata->new();
|
my $service_metadata = Lemonldap::NG::Common::Conf::SAML::Metadata->new();
|
||||||
|
@ -179,6 +188,7 @@ sub loadService {
|
||||||
$privateKeySigPwd,
|
$privateKeySigPwd,
|
||||||
$privateKeyEnc,
|
$privateKeyEnc,
|
||||||
$privateKeyEncPwd,
|
$privateKeyEncPwd,
|
||||||
|
$serviceCertificate
|
||||||
);
|
);
|
||||||
|
|
||||||
# Log
|
# Log
|
||||||
|
@ -328,7 +338,8 @@ sub loadSPs {
|
||||||
|
|
||||||
$self->lmLog( "Get Metadata for SP $_", 'debug' );
|
$self->lmLog( "Get Metadata for SP $_", 'debug' );
|
||||||
|
|
||||||
my $sp_metadata = $self->{samlSPMetaDataXML}->{$_}->{samlSPMetaDataXML};
|
my $sp_metadata =
|
||||||
|
$self->{samlSPMetaDataXML}->{$_}->{samlSPMetaDataXML};
|
||||||
|
|
||||||
# Check metadata format
|
# Check metadata format
|
||||||
if ( ref $sp_metadata eq "HASH" ) {
|
if ( ref $sp_metadata eq "HASH" ) {
|
||||||
|
@ -2332,7 +2343,8 @@ sub timestamp2samldate {
|
||||||
sub samldate2timestamp {
|
sub samldate2timestamp {
|
||||||
my ( $self, $samldate ) = @_;
|
my ( $self, $samldate ) = @_;
|
||||||
|
|
||||||
my ( $year, $mon, $mday, $hour, $min, $sec, $msec, $ztime ) = ( $samldate =~
|
my ( $year, $mon, $mday, $hour, $min, $sec, $msec, $ztime ) =
|
||||||
|
( $samldate =~
|
||||||
/(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(\.\d+)?(Z)?/ );
|
/(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(\.\d+)?(Z)?/ );
|
||||||
|
|
||||||
my $timestamp =
|
my $timestamp =
|
||||||
|
@ -2442,7 +2454,8 @@ sub sendLogoutRequestToProvider {
|
||||||
# Get Provider Name and Conf Key from EntityID
|
# Get Provider Name and Conf Key from EntityID
|
||||||
my $providerName =
|
my $providerName =
|
||||||
$self->{ '_' . lc($type) . 'List' }->{$providerID}->{name};
|
$self->{ '_' . lc($type) . 'List' }->{$providerID}->{name};
|
||||||
my $confKey = $self->{ '_' . lc($type) . 'List' }->{$providerID}->{confKey};
|
my $confKey =
|
||||||
|
$self->{ '_' . lc($type) . 'List' }->{$providerID}->{confKey};
|
||||||
|
|
||||||
# Get first HTTP method
|
# Get first HTTP method
|
||||||
my $protocolType = Lasso::Constants::MD_PROTOCOL_TYPE_SINGLE_LOGOUT;
|
my $protocolType = Lasso::Constants::MD_PROTOCOL_TYPE_SINGLE_LOGOUT;
|
||||||
|
@ -2747,9 +2760,8 @@ sub authnContext2authnLevel {
|
||||||
return $self->{samlAuthnContextMapPassword}
|
return $self->{samlAuthnContextMapPassword}
|
||||||
if ( $authnContext eq $self->getAuthnContext("password") );
|
if ( $authnContext eq $self->getAuthnContext("password") );
|
||||||
return $self->{samlAuthnContextMapPasswordProtectedTransport}
|
return $self->{samlAuthnContextMapPasswordProtectedTransport}
|
||||||
if (
|
if ( $authnContext eq
|
||||||
$authnContext eq $self->getAuthnContext("password-protected-transport")
|
$self->getAuthnContext("password-protected-transport") );
|
||||||
);
|
|
||||||
return $self->{samlAuthnContextMapKerberos}
|
return $self->{samlAuthnContextMapKerberos}
|
||||||
if ( $authnContext eq $self->getAuthnContext("kerberos") );
|
if ( $authnContext eq $self->getAuthnContext("kerberos") );
|
||||||
return $self->{samlAuthnContextMapTLSClient}
|
return $self->{samlAuthnContextMapTLSClient}
|
||||||
|
|
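Review bot: The certificate detection added to loadService (hunk @ -165) uses an unanchored substring match, `$publicKeySig =~ /CERTIFICATE/`, so any value that merely contains that word — a stray comment line, a misplaced PEM bundle, text pasted into the key field — switches the service into certificate mode and the metadata builder receives it as `$serviceCertificate`. The manager's own type check for this field (the `RSAPublicKeyOrCertificate` pattern visible in the @ -186 hunk header) keys on the PEM armor, and the portal should use the same signal, e.g. `&& $publicKeySig =~ /^-+\s*BEGIN\s+CERTIFICATE\s*-+/m )`. When the option is enabled but the key is not a certificate the code falls back to the public key without any log line; an `else { $self->lmLog( 'samlServiceUseCertificateInResponse is set but no certificate found in signing key', 'warn' ); }` would make that misconfiguration visible instead of surfacing later as metadata or signature problems on the SP side. `$publicKeySig` is assigned before the hunk — loadService starts and ends outside it — so this assumes it holds the raw samlServicePublicKeySig value; confirm against the earlier lines.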