 
...@@ -241,6 +241,7 @@ sub defaultValues { ...@@ -241,6 +241,7 @@ sub defaultValues {
'samlOrganizationDisplayName' => 'Example', 'samlOrganizationDisplayName' => 'Example',
'samlOrganizationName' => 'Example', 'samlOrganizationName' => 'Example',
'samlOrganizationURL' => 'http://www.example.com', 'samlOrganizationURL' => 'http://www.example.com',
'samlOverrideIDPEntityID' => '',
'samlRelayStateTimeout' => 600, 'samlRelayStateTimeout' => 600,
'samlServiceSignatureMethod' => 'RSA_SHA1', 'samlServiceSignatureMethod' => 'RSA_SHA1',
'samlSPSSODescriptorArtifactResolutionServiceArtifact' => 'samlSPSSODescriptorArtifactResolutionServiceArtifact' =>
...@@ -66,7 +66,7 @@ our $issuerParameters = { ...@@ -66,7 +66,7 @@ our $issuerParameters = {
issuerDBOpenIDConnect => [qw(issuerDBOpenIDConnectActivation issuerDBOpenIDConnectPath issuerDBOpenIDConnectRule)], issuerDBOpenIDConnect => [qw(issuerDBOpenIDConnectActivation issuerDBOpenIDConnectPath issuerDBOpenIDConnectRule)],
issuerDBSAML => [qw(issuerDBSAMLActivation issuerDBSAMLPath issuerDBSAMLRule)], issuerDBSAML => [qw(issuerDBSAMLActivation issuerDBSAMLPath issuerDBSAMLRule)],
}; };
our $samlServiceParameters = [qw(samlEntityID samlServicePrivateKeySig samlServicePrivateKeySigPwd samlServicePublicKeySig samlServicePrivateKeyEnc samlServicePrivateKeyEncPwd samlServicePublicKeyEnc samlServiceUseCertificateInResponse samlServiceSignatureMethod samlNameIDFormatMapEmail samlNameIDFormatMapX509 samlNameIDFormatMapWindows samlNameIDFormatMapKerberos samlAuthnContextMapPassword samlAuthnContextMapPasswordProtectedTransport samlAuthnContextMapTLSClient samlAuthnContextMapKerberos samlOrganizationDisplayName samlOrganizationName samlOrganizationURL samlSPSSODescriptorAuthnRequestsSigned samlSPSSODescriptorWantAssertionsSigned samlSPSSODescriptorSingleLogoutServiceHTTPRedirect samlSPSSODescriptorSingleLogoutServiceHTTPPost samlSPSSODescriptorSingleLogoutServiceSOAP samlSPSSODescriptorAssertionConsumerServiceHTTPArtifact samlSPSSODescriptorAssertionConsumerServiceHTTPPost samlSPSSODescriptorArtifactResolutionServiceArtifact samlIDPSSODescriptorWantAuthnRequestsSigned samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect samlIDPSSODescriptorSingleSignOnServiceHTTPPost samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact samlIDPSSODescriptorSingleLogoutServiceHTTPRedirect samlIDPSSODescriptorSingleLogoutServiceHTTPPost samlIDPSSODescriptorSingleLogoutServiceSOAP samlIDPSSODescriptorArtifactResolutionServiceArtifact samlAttributeAuthorityDescriptorAttributeServiceSOAP samlIdPResolveCookie samlMetadataForceUTF8 samlStorage samlStorageOptions samlRelayStateTimeout samlUseQueryStringSpecific samlCommonDomainCookieActivation samlCommonDomainCookieDomain samlCommonDomainCookieReader samlCommonDomainCookieWriter samlDiscoveryProtocolActivation samlDiscoveryProtocolURL samlDiscoveryProtocolPolicy samlDiscoveryProtocolIsPassive)]; our $samlServiceParameters = [qw(samlEntityID samlServicePrivateKeySig samlServicePrivateKeySigPwd samlServicePublicKeySig samlServicePrivateKeyEnc samlServicePrivateKeyEncPwd samlServicePublicKeyEnc samlServiceUseCertificateInResponse 
samlServiceSignatureMethod samlNameIDFormatMapEmail samlNameIDFormatMapX509 samlNameIDFormatMapWindows samlNameIDFormatMapKerberos samlAuthnContextMapPassword samlAuthnContextMapPasswordProtectedTransport samlAuthnContextMapTLSClient samlAuthnContextMapKerberos samlOrganizationDisplayName samlOrganizationName samlOrganizationURL samlSPSSODescriptorAuthnRequestsSigned samlSPSSODescriptorWantAssertionsSigned samlSPSSODescriptorSingleLogoutServiceHTTPRedirect samlSPSSODescriptorSingleLogoutServiceHTTPPost samlSPSSODescriptorSingleLogoutServiceSOAP samlSPSSODescriptorAssertionConsumerServiceHTTPArtifact samlSPSSODescriptorAssertionConsumerServiceHTTPPost samlSPSSODescriptorArtifactResolutionServiceArtifact samlIDPSSODescriptorWantAuthnRequestsSigned samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect samlIDPSSODescriptorSingleSignOnServiceHTTPPost samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact samlIDPSSODescriptorSingleLogoutServiceHTTPRedirect samlIDPSSODescriptorSingleLogoutServiceHTTPPost samlIDPSSODescriptorSingleLogoutServiceSOAP samlIDPSSODescriptorArtifactResolutionServiceArtifact samlAttributeAuthorityDescriptorAttributeServiceSOAP samlIdPResolveCookie samlMetadataForceUTF8 samlStorage samlStorageOptions samlRelayStateTimeout samlUseQueryStringSpecific samlCommonDomainCookieActivation samlCommonDomainCookieDomain samlCommonDomainCookieReader samlCommonDomainCookieWriter samlDiscoveryProtocolActivation samlDiscoveryProtocolURL samlDiscoveryProtocolPolicy samlDiscoveryProtocolIsPassive samlOverrideIDPEntityID)];
our $oidcServiceParameters = [qw(oidcServiceMetaDataIssuer oidcServiceMetaDataAuthorizeURI oidcServiceMetaDataTokenURI oidcServiceMetaDataUserInfoURI oidcServiceMetaDataJWKSURI oidcServiceMetaDataRegistrationURI oidcServiceMetaDataEndSessionURI oidcServiceMetaDataCheckSessionURI oidcServiceMetaDataFrontChannelURI oidcServiceMetaDataBackChannelURI oidcServiceMetaDataAuthnContext oidcServicePrivateKeySig oidcServicePublicKeySig oidcServiceKeyIdSig oidcServiceAllowDynamicRegistration oidcServiceAllowAuthorizationCodeFlow oidcServiceAllowImplicitFlow oidcServiceAllowHybridFlow oidcStorage oidcStorageOptions)]; our $oidcServiceParameters = [qw(oidcServiceMetaDataIssuer oidcServiceMetaDataAuthorizeURI oidcServiceMetaDataTokenURI oidcServiceMetaDataUserInfoURI oidcServiceMetaDataJWKSURI oidcServiceMetaDataRegistrationURI oidcServiceMetaDataEndSessionURI oidcServiceMetaDataCheckSessionURI oidcServiceMetaDataFrontChannelURI oidcServiceMetaDataBackChannelURI oidcServiceMetaDataAuthnContext oidcServicePrivateKeySig oidcServicePublicKeySig oidcServiceKeyIdSig oidcServiceAllowDynamicRegistration oidcServiceAllowAuthorizationCodeFlow oidcServiceAllowImplicitFlow oidcServiceAllowHybridFlow oidcStorage oidcStorageOptions)];
1; 1;
...@@ -23,7 +23,7 @@ my $dataStart = tell(DATA); ...@@ -23,7 +23,7 @@ my $dataStart = tell(DATA);
# SAML 2 description. # SAML 2 description.
# @return string # @return string
sub serviceToXML { sub serviceToXML {
my ( $self, $conf ) = @_; my ( $self, $conf, $type ) = @_;
seek DATA, $dataStart, 0; seek DATA, $dataStart, 0;
my $s = join '', <DATA>; my $s = join '', <DATA>;
...@@ -41,10 +41,23 @@ sub serviceToXML { ...@@ -41,10 +41,23 @@ sub serviceToXML {
samlOrganizationURL samlOrganizationURL
); );
if ($type eq 'idp') {
$template->param( 'hideSPMetadata', 1);
}
if ($type eq 'sp') {
$template->param( 'hideIDPMetadata', 1);
}
foreach (@param_auto) { foreach (@param_auto) {
$template->param( $_, $self->getValue( $_, $conf ) ); $template->param( $_, $self->getValue( $_, $conf ) );
} }
# When asked to provide only IDP metadata, take into account EntityID override
if ( $type eq "idp" and $conf->{samlOverrideIDPEntityID} ) {
$template->param( 'samlEntityID', $conf->{samlOverrideIDPEntityID} );
}
# Boolean parameters # Boolean parameters
my @param_boolean = qw( my @param_boolean = qw(
samlSPSSODescriptorAuthnRequestsSigned samlSPSSODescriptorAuthnRequestsSigned
...@@ -195,6 +208,7 @@ __DATA__ ...@@ -195,6 +208,7 @@ __DATA__
xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
entityID="<TMPL_VAR NAME="samlEntityID">"> entityID="<TMPL_VAR NAME="samlEntityID">">
<TMPL_UNLESS NAME="hideIDPMetadata">
<IDPSSODescriptor <IDPSSODescriptor
WantAuthnRequestsSigned="<TMPL_VAR NAME="samlIDPSSODescriptorWantAuthnRequestsSigned">" WantAuthnRequestsSigned="<TMPL_VAR NAME="samlIDPSSODescriptorWantAuthnRequestsSigned">"
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
...@@ -253,7 +267,9 @@ __DATA__ ...@@ -253,7 +267,9 @@ __DATA__
ResponseLocation="<TMPL_VAR NAME="samlIDPSSODescriptorSingleSignOnServiceHTTPArtifactResponseLocation">" ResponseLocation="<TMPL_VAR NAME="samlIDPSSODescriptorSingleSignOnServiceHTTPArtifactResponseLocation">"
</TMPL_IF>/> </TMPL_IF>/>
</IDPSSODescriptor> </IDPSSODescriptor>
</TMPL_UNLESS>
<TMPL_UNLESS NAME="hideSPMetadata">
<SPSSODescriptor <SPSSODescriptor
AuthnRequestsSigned="<TMPL_VAR NAME="samlSPSSODescriptorAuthnRequestsSigned">" AuthnRequestsSigned="<TMPL_VAR NAME="samlSPSSODescriptorAuthnRequestsSigned">"
WantAssertionsSigned="<TMPL_VAR NAME="samlSPSSODescriptorWantAssertionsSigned">" WantAssertionsSigned="<TMPL_VAR NAME="samlSPSSODescriptorWantAssertionsSigned">"
...@@ -305,7 +321,9 @@ __DATA__ ...@@ -305,7 +321,9 @@ __DATA__
Binding="<TMPL_VAR NAME="samlSPSSODescriptorAssertionConsumerServiceHTTPPostBinding">" Binding="<TMPL_VAR NAME="samlSPSSODescriptorAssertionConsumerServiceHTTPPostBinding">"
Location="<TMPL_VAR NAME="samlSPSSODescriptorAssertionConsumerServiceHTTPPostLocation">" /> Location="<TMPL_VAR NAME="samlSPSSODescriptorAssertionConsumerServiceHTTPPostLocation">" />
</SPSSODescriptor> </SPSSODescriptor>
</TMPL_UNLESS>
<TMPL_UNLESS NAME="hideIDPMetadata">
<AttributeAuthorityDescriptor <AttributeAuthorityDescriptor
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<KeyDescriptor use="signing"> <KeyDescriptor use="signing">
...@@ -328,6 +346,7 @@ __DATA__ ...@@ -328,6 +346,7 @@ __DATA__
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:entity</NameIDFormat> <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:entity</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat> <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
</AttributeAuthorityDescriptor> </AttributeAuthorityDescriptor>
</TMPL_UNLESS>
<Organization> <Organization>
<OrganizationName xml:lang="en"><TMPL_VAR NAME="samlOrganizationName"></OrganizationName> <OrganizationName xml:lang="en"><TMPL_VAR NAME="samlOrganizationName"></OrganizationName>
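Review bot: In the second hunk of serviceToXML (the `if ($type eq 'idp')` / `if ($type eq 'sp')` checks after `@param_auto` and the override block after the loop), `$type` is compared with `eq` without ever being defaulted, so any caller that still uses the old two-argument form, or the portal's metadata route when no type segment is given, will emit "Use of uninitialized value" warnings on every metadata request. Defaulting the new parameter once at the top of the sub, `my ( $self, $conf, $type ) = @_; $type //= '';`, keeps the old call signature warning-free and makes "no type means full metadata" explicit. The same value is spelled `'idp'` in the first check and `"idp"` in the override condition; using one quoting style would make the three comparisons read as one decision. The sub's doc comment above (`# @return string`) should also gain a line describing the new optional argument, e.g. `# @param type optional: 'idp' or 'sp' restricts the descriptors emitted; anything else yields both`. serviceToXML's body continues outside the hunk.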
...@@ -2865,6 +2865,10 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.] ...@@ -2865,6 +2865,10 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.]
'default' => 'http://www.example.com', 'default' => 'http://www.example.com',
'type' => 'text' 'type' => 'text'
}, },
'samlOverrideIDPEntityID' => {
'default' => '',
'type' => 'text'
},
'samlRelayStateTimeout' => { 'samlRelayStateTimeout' => {
'default' => 600, 'default' => 600,
'type' => 'int' 'type' => 'int'
...@@ -1992,6 +1992,11 @@ sub attributes { ...@@ -1992,6 +1992,11 @@ sub attributes {
default => 600, default => 600,
documentation => 'SAML timeout of relay state', documentation => 'SAML timeout of relay state',
}, },
samlOverrideIDPEntityID => {
type => 'text',
documentation => 'Override SAML EntityID when acting as an IDP',
default => '',
},
samlUseQueryStringSpecific => { samlUseQueryStringSpecific => {
default => 0, default => 0,
type => 'bool', type => 'bool',
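Review bot: The new `samlOverrideIDPEntityID` entry is declared as free `text` with no validation, yet its value is written verbatim into the `entityID="..."` attribute of the generated metadata (the template does not escape TMPL_VAR values) and handed to lasso as the server ProviderID. If this attribute schema supports a validation rule as other URL-like attributes do (I cannot confirm from the hunk), rejecting whitespace and quote characters would stop a mistyped value from producing malformed metadata or a ProviderID that remote SPs cannot match. At minimum the `documentation` string could say that the value must be a full entityID URI and that it only affects the IDP descriptors, e.g. `documentation => 'Override SAML EntityID (full URI) when acting as an IDP; SP metadata keeps samlEntityID'`.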
...@@ -997,7 +997,8 @@ sub tree { ...@@ -997,7 +997,8 @@ sub tree {
'samlDiscoveryProtocolPolicy', 'samlDiscoveryProtocolPolicy',
'samlDiscoveryProtocolIsPassive' 'samlDiscoveryProtocolIsPassive'
] ]
} },
'samlOverrideIDPEntityID',
] ]
} }
] ]
...@@ -969,5 +969,6 @@ ...@@ -969,5 +969,6 @@
"samlCommonDomainCookieReader":"يو آر إل القارئ", "samlCommonDomainCookieReader":"يو آر إل القارئ",
"samlCommonDomainCookieWriter":"يو آر إل الكاتب", "samlCommonDomainCookieWriter":"يو آر إل الكاتب",
"samlRelayStateTimeout":"تناوب حالة مهلة الجلسة ", "samlRelayStateTimeout":"تناوب حالة مهلة الجلسة ",
"samlUseQueryStringSpecific":"استخدام أسلوب query_string المعين" "samlUseQueryStringSpecific":"استخدام أسلوب query_string المعين",
} "samlOverrideIDPEntityID": "Override Entity ID when acting as IDP"
\ No newline at end of file }
...@@ -969,5 +969,6 @@ ...@@ -969,5 +969,6 @@
"samlCommonDomainCookieReader":"Reader URL", "samlCommonDomainCookieReader":"Reader URL",
"samlCommonDomainCookieWriter":"Writer URL", "samlCommonDomainCookieWriter":"Writer URL",
"samlRelayStateTimeout":"RelayState session timeout", "samlRelayStateTimeout":"RelayState session timeout",
"samlUseQueryStringSpecific":"Use specific query_string method" "samlUseQueryStringSpecific":"Use specific query_string method",
} "samlOverrideIDPEntityID": "Override Entity ID when acting as IDP"
\ No newline at end of file }
...@@ -969,5 +969,6 @@ ...@@ -969,5 +969,6 @@
"samlCommonDomainCookieReader":"Reader URL", "samlCommonDomainCookieReader":"Reader URL",
"samlCommonDomainCookieWriter":"Writer URL", "samlCommonDomainCookieWriter":"Writer URL",
"samlRelayStateTimeout":"RelayState session timeout", "samlRelayStateTimeout":"RelayState session timeout",
"samlUseQueryStringSpecific":"Use specific query_string method" "samlUseQueryStringSpecific":"Use specific query_string method",
"samlOverrideIDPEntityID": "Override Entity ID when acting as IDP"
} }
...@@ -969,5 +969,6 @@ ...@@ -969,5 +969,6 @@
"samlCommonDomainCookieReader":"URL de lecture", "samlCommonDomainCookieReader":"URL de lecture",
"samlCommonDomainCookieWriter":"URL d'écriture", "samlCommonDomainCookieWriter":"URL d'écriture",
"samlRelayStateTimeout":"Durée de vie d'une session RelayState", "samlRelayStateTimeout":"Durée de vie d'une session RelayState",
"samlUseQueryStringSpecific":"Utilisation d'une fonction spécifique pour query_string" "samlUseQueryStringSpecific":"Utilisation d'une fonction spécifique pour query_string",
"samlOverrideIDPEntityID": "Valeur de l'Entity ID en mode IDP"
} }
...@@ -969,5 +969,6 @@ ...@@ -969,5 +969,6 @@
"samlCommonDomainCookieReader":"URL del lettore", "samlCommonDomainCookieReader":"URL del lettore",
"samlCommonDomainCookieWriter":"URL dell'autore", "samlCommonDomainCookieWriter":"URL dell'autore",
"samlRelayStateTimeout":"Timeout di sessione di RelayState", "samlRelayStateTimeout":"Timeout di sessione di RelayState",
"samlUseQueryStringSpecific":"Utilizza il metodo specifico query_string" "samlUseQueryStringSpecific":"Utilizza il metodo specifico query_string",
} "samlOverrideIDPEntityID": "Override Entity ID when acting as IDP"
\ No newline at end of file }
...@@ -969,5 +969,6 @@ ...@@ -969,5 +969,6 @@
"samlCommonDomainCookieReader":"Trình đọc URL", "samlCommonDomainCookieReader":"Trình đọc URL",
"samlCommonDomainCookieWriter":"Trình viết URL", "samlCommonDomainCookieWriter":"Trình viết URL",
"samlRelayStateTimeout":"Thời gian hết hạn phiên RelayState ", "samlRelayStateTimeout":"Thời gian hết hạn phiên RelayState ",
"samlUseQueryStringSpecific":"Sử dụng phương pháp query_string cụ thể" "samlUseQueryStringSpecific":"Sử dụng phương pháp query_string cụ thể",
} "samlOverrideIDPEntityID": "Override Entity ID when acting as IDP"
\ No newline at end of file }
...@@ -969,5 +969,6 @@ ...@@ -969,5 +969,6 @@
"samlCommonDomainCookieReader":"Reader URL", "samlCommonDomainCookieReader":"Reader URL",
"samlCommonDomainCookieWriter":"Writer URL", "samlCommonDomainCookieWriter":"Writer URL",
"samlRelayStateTimeout":"RelayState session timeout", "samlRelayStateTimeout":"RelayState session timeout",
"samlUseQueryStringSpecific":"Use specific query_string method" "samlUseQueryStringSpecific":"Use specific query_string method",
} "samlOverrideIDPEntityID": "Override Entity ID when acting as IDP"
\ No newline at end of file }
...@@ -91,6 +91,11 @@ qr/^($saml_sso_get_url|$saml_sso_get_url_ret|$saml_sso_post_url|$saml_sso_post_u ...@@ -91,6 +91,11 @@ qr/^($saml_sso_get_url|$saml_sso_get_url_ret|$saml_sso_post_url|$saml_sso_post_u
); );
return 0 unless ($res); return 0 unless ($res);
if ( $self->conf->{samlOverrideIDPEntityID} ) {
$self->lassoServer->ProviderID(
$self->conf->{samlOverrideIDPEntityID} );
}
# Single logout routes # Single logout routes
$self->addUnauthRouteFromMetaDataURL( $self->addUnauthRouteFromMetaDataURL(
"samlIDPSSODescriptorSingleLogoutServiceSOAP", "samlIDPSSODescriptorSingleLogoutServiceSOAP",
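Review bot: The added `$self->lassoServer->ProviderID(...)` call changes the identity of the whole lasso server object, while the metadata side only applies the override when type is idp and the SP metadata keeps advertising `samlEntityID`. If the same server object is also used for this portal's SP role toward remote IDPs (the enclosing sub starts before the hunk, so I cannot confirm), AuthnRequests would now carry the overridden Issuer and no longer match the SP entityID those IDPs have registered. Either confine the override to IDP-side processing or document the scope next to the call, e.g. `# NOTE: ProviderID is server-wide; confirm the override does not leak into SP-initiated messages`.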
...@@ -145,11 +145,11 @@ sub init { ...@@ -145,11 +145,11 @@ sub init {
return 0 unless ( $self->lassoServer( $self->loadService ) ); return 0 unless ( $self->lassoServer( $self->loadService ) );
$self->addUnauthRoute( $self->addUnauthRoute(
( $self->{path} || 'saml' ) => { 'metadata' => 'metadata' }, ( $self->{path} || 'saml' ) => { 'metadata' => { ':type' => 'metadata' }},
['GET'] ['GET']
); );
$self->addAuthRoute( $self->addAuthRoute(
( $self->{path} || 'saml' ) => { 'metadata' => 'metadata' }, ( $self->{path} || 'saml' ) => { 'metadata' => { ':type' => 'metadata' }},
['GET'] ['GET']
); );
return 1; return 1;
...@@ -3072,9 +3072,10 @@ sub importRealSession { ...@@ -3072,9 +3072,10 @@ sub importRealSession {
sub metadata { sub metadata {
my ( $self, $req ) = @_; my ( $self, $req ) = @_;
my $type = $req->param('type');
require Lemonldap::NG::Common::Conf::SAML::Metadata; require Lemonldap::NG::Common::Conf::SAML::Metadata;
if ( my $metadata = Lemonldap::NG::Common::Conf::SAML::Metadata->new() ) { if ( my $metadata = Lemonldap::NG::Common::Conf::SAML::Metadata->new() ) {
my $s = $metadata->serviceToXML( $self->conf ); my $s = $metadata->serviceToXML( $self->conf, $type);
return [ return [
200, 200,
[ [
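Review bot: In the metadata hunk, `$type` is taken straight from the `:type` path segment and forwarded without any check, so any value other than `idp` or `sp` (a typo such as `IDP`, or an arbitrary segment) silently returns the full metadata instead of signalling a bad request. After defaulting the value, normalise it to the two accepted selectors, e.g. `my $type = $req->param('type') // ''; $type = '' unless $type =~ /\A(?:idp|sp)\z/;`, or answer with an error for anything else, and add a comment stating that an empty type means both descriptors. In the init hunk the route is now declared as `{ ':type' => 'metadata' }`; if the router requires the named segment to be present, the pre-existing `/saml/metadata` URL that remote parties already have configured would stop resolving, which is worth confirming with a test before release.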