Possibility to use certificate in SAML response (#836)
This commit is contained in:
parent
56f9c128d3
commit
607641dcfd
|
@ -271,14 +271,15 @@ sub defaultValues {
|
|||
'samlNameIDFormatMapX509' => 'mail',
|
||||
'samlOrganizationDisplayName' => 'Example',
|
||||
'samlOrganizationName' => 'Example',
|
||||
'samlOrganizationURL' => 'http://www.example.com',
|
||||
'samlRelayStateTimeout' => 600,
|
||||
'samlServicePrivateKeyEnc' => '',
|
||||
'samlServicePrivateKeySig' => '',
|
||||
'samlServicePrivateKeySigPwd' => '',
|
||||
'samlServicePublicKeyEnc' => '',
|
||||
'samlServicePublicKeySig' => '',
|
||||
'samlSPMetaDataExportedAttributes' => {},
|
||||
'samlOrganizationURL' => 'http://www.example.com',
|
||||
'samlRelayStateTimeout' => 600,
|
||||
'samlServicePrivateKeyEnc' => '',
|
||||
'samlServicePrivateKeySig' => '',
|
||||
'samlServicePrivateKeySigPwd' => '',
|
||||
'samlServicePublicKeyEnc' => '',
|
||||
'samlServicePublicKeySig' => '',
|
||||
'samlServiceUseCertificateInResponse' => 0,
|
||||
'samlSPMetaDataExportedAttributes' => {},
|
||||
'samlSPMetaDataOptionsCheckSLOMessageSignature' => 0,
|
||||
'samlSPMetaDataOptionsCheckSSOMessageSignature' => 0,
|
||||
'samlSPMetaDataOptionsEnableIDPInitiatedURL' => 0,
|
||||
|
|
|
@ -186,7 +186,7 @@ qr/^(?:(?:\-+\s*BEGIN\s+(?:PUBLIC\s+KEY|CERTIFICATE)\s*\-+\r?\n)?[a-zA-Z0-9\/\+\
|
|||
'test' => sub {
|
||||
my $test =
|
||||
grep( { $_ eq $_[0]; }
|
||||
map( { $_->{'k'}; } @{ $_[2]{'select'}; } ) );
|
||||
map( { $$_{'k'}; } @{ $_[2]{'select'}; } ) );
|
||||
return $test
|
||||
? 1
|
||||
: ( 0, "Invalid value '$_[0]' for this select" );
|
||||
|
@ -1011,7 +1011,7 @@ qr/^(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][-a-zA-Z0-
|
|||
'default' => 'ldap://localhost',
|
||||
'test' => sub {
|
||||
my $l = shift();
|
||||
my @s = split( /[\s,]+/, $l, 0 );
|
||||
my (@s) = split( /[\s,]+/, $l, 0 );
|
||||
foreach my $s (@s) {
|
||||
return 0, qq[Bad ldap uri "$s"]
|
||||
unless $s =~
|
||||
|
@ -2119,6 +2119,10 @@ qr/^(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.
|
|||
'default' => '',
|
||||
'type' => 'RSAPublicKeyOrCertificate'
|
||||
},
|
||||
'samlServiceUseCertificateInResponse' => {
|
||||
'default' => 0,
|
||||
'type' => 'bool'
|
||||
},
|
||||
'samlSPMetaDataExportedAttributes' => {
|
||||
'default' => {},
|
||||
'keyTest' => qr/^[a-zA-Z](?:[a-zA-Z0-9_\-\.]*\w)?$/,
|
||||
|
|
|
@ -1112,6 +1112,12 @@ sub attributes {
|
|||
default => '',
|
||||
documentation => 'SAML encryption public key',
|
||||
},
|
||||
samlServiceUseCertificateInResponse => {
|
||||
type => 'bool',
|
||||
default => 0,
|
||||
documentation =>
|
||||
'Use certificate instead of public key in SAML responses',
|
||||
},
|
||||
samlIdPResolveCookie => {
|
||||
type => 'text',
|
||||
default => 'lemonldapidp',
|
||||
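Review bot: The documentation string for samlServiceUseCertificateInResponse (the `documentation =>` line in this hunk) omits the precondition the portal code applies: the certificate is only inserted when samlServicePublicKeySig itself holds a PEM certificate, otherwise the option silently has no effect. Suggest `documentation => 'Use certificate instead of public key in SAML responses (samlServicePublicKeySig must contain a certificate)',` so the Manager help text matches the behaviour. The enclosing `sub attributes` starts and ends outside the hunk.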
|
|
|
@ -689,7 +689,8 @@ sub tree {
|
|||
'samlServicePrivateKeyEncPwd',
|
||||
'samlServicePublicKeyEnc'
|
||||
]
|
||||
}
|
||||
},
|
||||
'samlServiceUseCertificateInResponse'
|
||||
]
|
||||
},
|
||||
{
|
||||
|
|
|
@ -735,6 +735,7 @@
|
|||
"samlServicePrivateKeyEnc": "Private key",
|
||||
"samlServicePrivateKeyEncPwd": "Private key password",
|
||||
"samlServicePublicKeyEnc": "Public key",
|
||||
"samlServiceUseCertificateInResponse": "Use certificate in responses",
|
||||
"samlAdvanced": "Advanced",
|
||||
"samlIdPResolveCookie": "IDP resolution cookie name",
|
||||
"samlPartnerName": "Name of SAML partner",
|
||||
|
|
|
@ -735,6 +735,7 @@
|
|||
"samlServicePrivateKeyEnc": "Clef privée",
|
||||
"samlServicePrivateKeyEncPwd": "Mot de passe de la clef privée",
|
||||
"samlServicePublicKeyEnc": "Clef publique",
|
||||
"samlServiceUseCertificateInResponse": "Utilisation du certificat dans les réponses",
|
||||
"samlAdvanced": "Avancé",
|
||||
"samlIdPResolveCookie": "Nom du cookie de résolution IDP",
|
||||
"samlPartnerName": "Nom du partenaire SAML",
|
||||
|
|
|
@ -22,7 +22,7 @@ use URI; # Get metadata URL path
|
|||
#inherits Lemonldap::NG::Common::Conf::SAML::Metadata protected service_metadata
|
||||
|
||||
our @ISA = (qw(Lemonldap::NG::Portal::_Browser));
|
||||
our $VERSION = '1.4.4';
|
||||
our $VERSION = '1.9.0';
|
||||
our $samlCache;
|
||||
our $initGlibDone;
|
||||
|
||||
|
@ -165,6 +165,15 @@ sub loadService {
|
|||
$privateKeyEncPwd = $privateKeySigPwd;
|
||||
}
|
||||
|
||||
# Check if certificate should be inserted in SAML responses
|
||||
my $serviceCertificate;
|
||||
if ( $self->{samlServiceUseCertificateInResponse}
|
||||
&& $publicKeySig =~ /CERTIFICATE/ )
|
||||
{
|
||||
$serviceCertificate = $publicKeySig;
|
||||
$self->lmLog( 'Certificate will be used in SAML responses', 'debug' );
|
||||
}
|
||||
|
||||
# Get metadata from configuration
|
||||
$self->lmLog( "Get Metadata for this service", 'debug' );
|
||||
my $service_metadata = Lemonldap::NG::Common::Conf::SAML::Metadata->new();
|
||||
|
@ -179,6 +188,7 @@ sub loadService {
|
|||
$privateKeySigPwd,
|
||||
$privateKeyEnc,
|
||||
$privateKeyEncPwd,
|
||||
$serviceCertificate
|
||||
);
|
||||
|
||||
# Log
|
||||
|
@ -328,7 +338,8 @@ sub loadSPs {
|
|||
|
||||
$self->lmLog( "Get Metadata for SP $_", 'debug' );
|
||||
|
||||
my $sp_metadata = $self->{samlSPMetaDataXML}->{$_}->{samlSPMetaDataXML};
|
||||
my $sp_metadata =
|
||||
$self->{samlSPMetaDataXML}->{$_}->{samlSPMetaDataXML};
|
||||
|
||||
# Check metadata format
|
||||
if ( ref $sp_metadata eq "HASH" ) {
|
||||
|
@ -2332,7 +2343,8 @@ sub timestamp2samldate {
|
|||
sub samldate2timestamp {
|
||||
my ( $self, $samldate ) = @_;
|
||||
|
||||
my ( $year, $mon, $mday, $hour, $min, $sec, $msec, $ztime ) = ( $samldate =~
|
||||
my ( $year, $mon, $mday, $hour, $min, $sec, $msec, $ztime ) =
|
||||
( $samldate =~
|
||||
/(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(\.\d+)?(Z)?/ );
|
||||
|
||||
my $timestamp =
|
||||
|
@ -2442,7 +2454,8 @@ sub sendLogoutRequestToProvider {
|
|||
# Get Provider Name and Conf Key from EntityID
|
||||
my $providerName =
|
||||
$self->{ '_' . lc($type) . 'List' }->{$providerID}->{name};
|
||||
my $confKey = $self->{ '_' . lc($type) . 'List' }->{$providerID}->{confKey};
|
||||
my $confKey =
|
||||
$self->{ '_' . lc($type) . 'List' }->{$providerID}->{confKey};
|
||||
|
||||
# Get first HTTP method
|
||||
my $protocolType = Lasso::Constants::MD_PROTOCOL_TYPE_SINGLE_LOGOUT;
|
||||
|
@ -2747,9 +2760,8 @@ sub authnContext2authnLevel {
|
|||
return $self->{samlAuthnContextMapPassword}
|
||||
if ( $authnContext eq $self->getAuthnContext("password") );
|
||||
return $self->{samlAuthnContextMapPasswordProtectedTransport}
|
||||
if (
|
||||
$authnContext eq $self->getAuthnContext("password-protected-transport")
|
||||
);
|
||||
if ( $authnContext eq
|
||||
$self->getAuthnContext("password-protected-transport") );
|
||||
return $self->{samlAuthnContextMapKerberos}
|
||||
if ( $authnContext eq $self->getAuthnContext("kerberos") );
|
||||
return $self->{samlAuthnContextMapTLSClient}
|
||||
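Review bot: In the loadService hunk, when samlServiceUseCertificateInResponse is enabled but `$publicKeySig` does not match `/CERTIFICATE/`, the code falls back to the bare public key without any log, so an administrator who turned the option on gets no signal that responses still carry a key rather than the configured certificate. Add a branch after the `if` block: `elsif ( $self->{samlServiceUseCertificateInResponse} ) {` / `$self->lmLog( 'samlServiceUseCertificateInResponse is set but samlServicePublicKeySig does not contain a certificate', 'warn' );` / `}`. The `/CERTIFICATE/` test is also looser than the Manager-side validation pattern (`BEGIN\s+(?:PUBLIC\s+KEY|CERTIFICATE)`); anchoring it on the PEM header, e.g. `/\bBEGIN\s+CERTIFICATE\b/`, would avoid accepting a value that merely mentions the word. The origin of `$publicKeySig` is outside the hunk, so whether it can be undef at this point (which would warn on `=~`) cannot be confirmed here; the enclosing `sub loadService` continues past both hunks.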
|
|