SAML: IDP option to sign SSO requests

This commit is contained in:
Clément Oudot 2010-04-01 09:55:33 +00:00
parent c3140c9c8a
commit 70f853e681
4 changed files with 43 additions and 20 deletions


@ -60,7 +60,7 @@ sub cstruct {
. ":samlIDPMetaDataXML:filearea",
samlIDPMetaDataOptions => {
_nodes => [
qw(samlIDPMetaDataOptionsNameIDFormat samlIDPMetaDataOptionsForceAuthn samlIDPMetaDataOptionsAllowProxiedAuthn samlIDPMetaDataOptionsSSOBinding samlIDPMetaDataOptionsSLOBinding samlIDPMetaDataOptionsResolutionRule samlIDPMetaDataOptionsAllowLoginFromIDP samlIDPMetaDataOptionsAdaptSessionUtime)
qw(samlIDPMetaDataOptionsNameIDFormat samlIDPMetaDataOptionsForceAuthn samlIDPMetaDataOptionsAllowProxiedAuthn samlIDPMetaDataOptionsSSOBinding samlIDPMetaDataOptionsSLOBinding samlIDPMetaDataOptionsResolutionRule samlIDPMetaDataOptionsAllowLoginFromIDP samlIDPMetaDataOptionsAdaptSessionUtime samlIDPMetaDataOptionsSignSSORequest)
],
samlIDPMetaDataOptionsNameIDFormat =>
"text:/samlIDPMetaDataOptions/$k2/samlIDPMetaDataOptionsNameIDFormat"
@ -81,6 +81,8 @@ sub cstruct {
"bool:/samlIDPMetaDataOptions/$k2/samlIDPMetaDataOptionsAllowLoginFromIDP",
samlIDPMetaDataOptionsAdaptSessionUtime =>
"bool:/samlIDPMetaDataOptions/$k2/samlIDPMetaDataOptionsAdaptSessionUtime",
samlIDPMetaDataOptionsSignSSORequest =>
"bool:/samlIDPMetaDataOptions/$k2/samlIDPMetaDataOptionsSignSSORequest",
},
}
}
@ -1180,6 +1182,7 @@ sub defaultConf {
samlIDPMetaDataOptionsResolutionRule => '',
samlIDPMetaDataOptionsAllowLoginFromIDP => '1',
samlIDPMetaDataOptionsAdaptSessionUtime => '1',
samlIDPMetaDataOptionsSignSSORequest => '1',
samlSPMetaDataOptionsRequestedAuthnContext => '',
samlSPSSODescriptorAuthnRequestsSigned => '0',
samlSPSSODescriptorKeyDescriptorSigning => '',


@ -209,6 +209,7 @@ sub en {
'Allow proxied authentication',
samlIDPMetaDataOptionsAllowLoginFromIDP => 'Allow login from IDP',
samlIDPMetaDataOptionsAdaptSessionUtime => 'Adapt session lifetime',
samlIDPMetaDataOptionsSignSSORequest => 'Sign SSO request',
samlIDPMetaDataOptionsSSOBinding => 'SSO binding',
samlIDPMetaDataOptionsSLOBinding => 'SLO binding',
samlIDPMetaDataOptionsResolutionRule => 'Resolution rule',
@ -432,6 +433,7 @@ sub fr {
'Authentification depuis le fournisseur autorisée',
samlIDPMetaDataOptionsAdaptSessionUtime =>
'Adapatation de la durée de vie de la session',
samlIDPMetaDataOptionsSignSSORequest => 'Signature requête SSO',
samlIDPMetaDataOptionsSSOBinding => 'Méthode SSO',
samlIDPMetaDataOptionsSLOBinding => 'Méthode SLO',
samlIDPMetaDataOptionsResolutionRule => 'Règle de résolution',


@ -793,10 +793,16 @@ sub extractFormInfo {
$self->lmLog( "Use method $method with IDP $idp for SSO profile", 'debug' );
# Signature hint
my $signSSORequest =
$self->{samlIDPMetaDataOptions}->{$idp}
->{samlIDPMetaDataOptionsSignSSORequest};
$signSSORequest = 1 unless defined $signSSORequest;
# Create SSO request
$login =
$self->createAuthnRequest( $server, $IDPentityID, $method, $forceAuthn,
$nameIDFormat, $allowProxiedAuthn );
$nameIDFormat, $allowProxiedAuthn, $signSSORequest );
unless ($login) {
$self->lmLog( "Could not create authentication request on $IDPentityID",
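Review bot: The fallback `$signSSORequest = 1 unless defined $signSSORequest;` is the right direction (an IDP whose stored options predate this commit keeps signing its requests), but the comment `# Signature hint` does not say that, and the next maintainer may read the fallback as an accident. Suggest `# Signature hint: undef means the option is absent from an older config, so default to signing (same default as defaultConf)`. The lookup `$self->{samlIDPMetaDataOptions}->{$idp}->{...}` also autovivifies the `$idp` entry when no options exist for that IDP; harmless if the earlier option fetches above this hunk already do the same, which I cannot see from here. extractFormInfo begins and ends outside the hunk.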


@ -167,9 +167,8 @@ sub loadIDPs {
}
# Add this IDP to Lasso::Server
my $result = $self->addIDP(
$self->{_lassoServer}, $idp_metadata->toXML()
);
my $result =
$self->addIDP( $self->{_lassoServer}, $idp_metadata->toXML() );
unless ($result) {
$self->lmLog( "Fail to use IDP $_ Metadata", 'error' );
@ -178,7 +177,8 @@ sub loadIDPs {
# Store IDP entityID and Organization Name
my $entityID = $idp_metadata->{entityID};
my $name = $self->getOrganizationName( $self->{_lassoServer}, $entityID )
my $name =
$self->getOrganizationName( $self->{_lassoServer}, $entityID )
|| ucfirst($_);
$self->{_idpList}->{$_} = ();
$self->{_idpList}->{$_}->{entityID} = $entityID;
@ -230,9 +230,8 @@ sub loadSPs {
}
# Add this SP to Lasso::Server
my $result = $self->addSP(
$self->{_lassoServer}, $sp_metadata->toXML()
);
my $result =
$self->addSP( $self->{_lassoServer}, $sp_metadata->toXML() );
unless ($result) {
$self->lmLog( "Fail to use SP $_ Metadata", 'error' );
@ -241,7 +240,8 @@ sub loadSPs {
# Store SP entityID and Organization Name
my $entityID = $sp_metadata->{entityID};
my $name = $self->getOrganizationName( $self->{_lassoServer}, $entityID )
my $name =
$self->getOrganizationName( $self->{_lassoServer}, $entityID )
|| ucfirst($_);
$self->{_spList}->{$_} = ();
$self->{_spList}->{$_}->{entityID} = $entityID;
@ -271,7 +271,7 @@ sub checkMessage {
my $artifact;
# Check if SAML service is loaded
return ($request, $response, $method, $relaystate)
return ( $request, $response, $method, $relaystate )
unless $self->{_lassoServer};
# Create Login object
@ -290,8 +290,7 @@ sub checkMessage {
# Response in query string
$response = $self->query_string();
$self->lmLog( "HTTP-REDIRECT: SAML Response $response",
'debug' );
$self->lmLog( "HTTP-REDIRECT: SAML Response $response", 'debug' );
}
@ -307,13 +306,11 @@ sub checkMessage {
# Artifact in query string
$artifact = $self->query_string();
$self->lmLog( "HTTP-REDIRECT: SAML Artifact $artifact",
'debug' );
$self->lmLog( "HTTP-REDIRECT: SAML Artifact $artifact", 'debug' );
# Resolve Artifact
$method = Lasso::Constants::HTTP_METHOD_ARTIFACT_GET;
my $message =
$self->resolveArtifact( $login, $artifact, $method );
my $message = $self->resolveArtifact( $login, $artifact, $method );
# Request or response ?
if ( $message =~ /samlp:response/i ) {
@ -355,7 +352,8 @@ sub checkMessage {
# Artifcat in SAMLart param
$artifact = $self->param('SAMLart');
$self->lmLog( "HTTP-REDIRECT: SAML Artifact $artifact", 'debug' );
$self->lmLog( "HTTP-REDIRECT: SAML Artifact $artifact",
'debug' );
# Resolve Artifact
$method = Lasso::Constants::HTTP_METHOD_ARTIFACT_POST;
@ -536,7 +534,7 @@ sub getOrganizationName {
return $data->{OrganizationName}->{content};
}
## @method Lasso::Login createAuthnRequest(Lasso::Server server, string idp, int method, boolean forceAuthn, string nameIDFormat, boolean allowProxiedAuthn)
## @method Lasso::Login createAuthnRequest(Lasso::Server server, string idp, int method, boolean forceAuthn, string nameIDFormat, boolean allowProxiedAuthn, boolean signSSORequest)
# Create authentication request for selected IDP
# @param server Lasso::Server object
# @param entityID IDP entityID
@ -544,10 +542,11 @@ sub getOrganizationName {
# @param forceAuthn force authentication on IDP
# @param nameIDFormat SAML2 NameIDFormat
# @param allowProxiedAuthn allow proxy on IDP
# @param signSSORequest sign request
# @return Lasso::Login object
sub createAuthnRequest {
my ( $self, $server, $idp, $method, $forceAuthn, $nameIDFormat,
$allowProxiedAuthn )
$allowProxiedAuthn, $signSSORequest )
= splice @_;
# Create Lasso Login
@ -610,6 +609,19 @@ sub createAuthnRequest {
}
}
# Signature
unless ($signSSORequest) {
$self->lmLog( "Do not sign this request", 'debug' );
eval {
$login->set_signature_hint
(Lasso::Constants::PROFILE_SIGNATURE_HINT_FORBID);
};
if ($@) {
$self->checkLassoError($@);
return;
}
}
# Build authentication request
unless ( $self->buildAuthnRequestMsg($login) ) {
$self->lmLog( "Could not build authentication request on $idp",
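Review bot: The new `unless ($signSSORequest)` branch only forbids signing; when the option is on, no hint is set, so whether the AuthnRequest is actually signed is left to Lasso's default (which depends on the SP metadata, cf. the `samlSPSSODescriptorAuthnRequestsSigned => '0'` default in the config hunk) rather than to the IDP option the UI now labels "Sign SSO request". If the intent is that a value of 1 guarantees a signed request, set the FORCE hint in the other branch (Lasso's PROFILE_SIGNATURE_HINT_FORCE, assuming the Perl binding exposes it the same way it exposes FORBID), and log the decision in both cases so a missing signature can be traced in the debug log. Forcing a signature on an SP without a configured signing key will surface as a build error at `buildAuthnRequestMsg`, which is the desired failure mode rather than silently sending an unsigned request. createAuthnRequest begins and ends outside the hunk.

```perl
    # Signature: set an explicit hint either way so the IDP option, not
    # Lasso's default, decides whether the AuthnRequest is signed
    my $signatureHint = $signSSORequest
      ? Lasso::Constants::PROFILE_SIGNATURE_HINT_FORCE
      : Lasso::Constants::PROFILE_SIGNATURE_HINT_FORBID;
    $self->lmLog( ( $signSSORequest ? "Sign" : "Do not sign" ) . " this request",
        'debug' );
    eval { $login->set_signature_hint($signatureHint); };
    if ($@) {
        $self->checkLassoError($@);
        return;
    }
    # … unchanged: build authentication request …
```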