...
 
Commits (3)
...@@ -241,6 +241,7 @@ sub defaultValues { ...@@ -241,6 +241,7 @@ sub defaultValues {
'samlOrganizationDisplayName' => 'Example', 'samlOrganizationDisplayName' => 'Example',
'samlOrganizationName' => 'Example', 'samlOrganizationName' => 'Example',
'samlOrganizationURL' => 'http://www.example.com', 'samlOrganizationURL' => 'http://www.example.com',
'samlOverrideIDPEntityID' => '',
'samlRelayStateTimeout' => 600, 'samlRelayStateTimeout' => 600,
'samlServiceSignatureMethod' => 'RSA_SHA1', 'samlServiceSignatureMethod' => 'RSA_SHA1',
'samlSPSSODescriptorArtifactResolutionServiceArtifact' => 'samlSPSSODescriptorArtifactResolutionServiceArtifact' =>
......
...@@ -66,7 +66,7 @@ our $issuerParameters = { ...@@ -66,7 +66,7 @@ our $issuerParameters = {
issuerDBOpenIDConnect => [qw(issuerDBOpenIDConnectActivation issuerDBOpenIDConnectPath issuerDBOpenIDConnectRule)], issuerDBOpenIDConnect => [qw(issuerDBOpenIDConnectActivation issuerDBOpenIDConnectPath issuerDBOpenIDConnectRule)],
issuerDBSAML => [qw(issuerDBSAMLActivation issuerDBSAMLPath issuerDBSAMLRule)], issuerDBSAML => [qw(issuerDBSAMLActivation issuerDBSAMLPath issuerDBSAMLRule)],
}; };
our $samlServiceParameters = [qw(samlEntityID samlServicePrivateKeySig samlServicePrivateKeySigPwd samlServicePublicKeySig samlServicePrivateKeyEnc samlServicePrivateKeyEncPwd samlServicePublicKeyEnc samlServiceUseCertificateInResponse samlServiceSignatureMethod samlNameIDFormatMapEmail samlNameIDFormatMapX509 samlNameIDFormatMapWindows samlNameIDFormatMapKerberos samlAuthnContextMapPassword samlAuthnContextMapPasswordProtectedTransport samlAuthnContextMapTLSClient samlAuthnContextMapKerberos samlOrganizationDisplayName samlOrganizationName samlOrganizationURL samlSPSSODescriptorAuthnRequestsSigned samlSPSSODescriptorWantAssertionsSigned samlSPSSODescriptorSingleLogoutServiceHTTPRedirect samlSPSSODescriptorSingleLogoutServiceHTTPPost samlSPSSODescriptorSingleLogoutServiceSOAP samlSPSSODescriptorAssertionConsumerServiceHTTPArtifact samlSPSSODescriptorAssertionConsumerServiceHTTPPost samlSPSSODescriptorArtifactResolutionServiceArtifact samlIDPSSODescriptorWantAuthnRequestsSigned samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect samlIDPSSODescriptorSingleSignOnServiceHTTPPost samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact samlIDPSSODescriptorSingleLogoutServiceHTTPRedirect samlIDPSSODescriptorSingleLogoutServiceHTTPPost samlIDPSSODescriptorSingleLogoutServiceSOAP samlIDPSSODescriptorArtifactResolutionServiceArtifact samlAttributeAuthorityDescriptorAttributeServiceSOAP samlIdPResolveCookie samlMetadataForceUTF8 samlStorage samlStorageOptions samlRelayStateTimeout samlUseQueryStringSpecific samlCommonDomainCookieActivation samlCommonDomainCookieDomain samlCommonDomainCookieReader samlCommonDomainCookieWriter samlDiscoveryProtocolActivation samlDiscoveryProtocolURL samlDiscoveryProtocolPolicy samlDiscoveryProtocolIsPassive)]; our $samlServiceParameters = [qw(samlEntityID samlServicePrivateKeySig samlServicePrivateKeySigPwd samlServicePublicKeySig samlServicePrivateKeyEnc samlServicePrivateKeyEncPwd samlServicePublicKeyEnc samlServiceUseCertificateInResponse samlServiceSignatureMethod samlNameIDFormatMapEmail samlNameIDFormatMapX509 samlNameIDFormatMapWindows samlNameIDFormatMapKerberos samlAuthnContextMapPassword samlAuthnContextMapPasswordProtectedTransport samlAuthnContextMapTLSClient samlAuthnContextMapKerberos samlOrganizationDisplayName samlOrganizationName samlOrganizationURL samlSPSSODescriptorAuthnRequestsSigned samlSPSSODescriptorWantAssertionsSigned samlSPSSODescriptorSingleLogoutServiceHTTPRedirect samlSPSSODescriptorSingleLogoutServiceHTTPPost samlSPSSODescriptorSingleLogoutServiceSOAP samlSPSSODescriptorAssertionConsumerServiceHTTPArtifact samlSPSSODescriptorAssertionConsumerServiceHTTPPost samlSPSSODescriptorArtifactResolutionServiceArtifact samlIDPSSODescriptorWantAuthnRequestsSigned samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect samlIDPSSODescriptorSingleSignOnServiceHTTPPost samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact samlIDPSSODescriptorSingleLogoutServiceHTTPRedirect samlIDPSSODescriptorSingleLogoutServiceHTTPPost samlIDPSSODescriptorSingleLogoutServiceSOAP samlIDPSSODescriptorArtifactResolutionServiceArtifact samlAttributeAuthorityDescriptorAttributeServiceSOAP samlIdPResolveCookie samlMetadataForceUTF8 samlStorage samlStorageOptions samlRelayStateTimeout samlUseQueryStringSpecific samlCommonDomainCookieActivation samlCommonDomainCookieDomain samlCommonDomainCookieReader samlCommonDomainCookieWriter samlDiscoveryProtocolActivation samlDiscoveryProtocolURL samlDiscoveryProtocolPolicy samlDiscoveryProtocolIsPassive samlOverrideIDPEntityID)];
our $oidcServiceParameters = [qw(oidcServiceMetaDataIssuer oidcServiceMetaDataAuthorizeURI oidcServiceMetaDataTokenURI oidcServiceMetaDataUserInfoURI oidcServiceMetaDataJWKSURI oidcServiceMetaDataRegistrationURI oidcServiceMetaDataEndSessionURI oidcServiceMetaDataCheckSessionURI oidcServiceMetaDataFrontChannelURI oidcServiceMetaDataBackChannelURI oidcServiceMetaDataAuthnContext oidcServicePrivateKeySig oidcServicePublicKeySig oidcServiceKeyIdSig oidcServiceAllowDynamicRegistration oidcServiceAllowAuthorizationCodeFlow oidcServiceAllowImplicitFlow oidcServiceAllowHybridFlow oidcStorage oidcStorageOptions)]; our $oidcServiceParameters = [qw(oidcServiceMetaDataIssuer oidcServiceMetaDataAuthorizeURI oidcServiceMetaDataTokenURI oidcServiceMetaDataUserInfoURI oidcServiceMetaDataJWKSURI oidcServiceMetaDataRegistrationURI oidcServiceMetaDataEndSessionURI oidcServiceMetaDataCheckSessionURI oidcServiceMetaDataFrontChannelURI oidcServiceMetaDataBackChannelURI oidcServiceMetaDataAuthnContext oidcServicePrivateKeySig oidcServicePublicKeySig oidcServiceKeyIdSig oidcServiceAllowDynamicRegistration oidcServiceAllowAuthorizationCodeFlow oidcServiceAllowImplicitFlow oidcServiceAllowHybridFlow oidcStorage oidcStorageOptions)];
1; 1;
...@@ -53,6 +53,11 @@ sub serviceToXML { ...@@ -53,6 +53,11 @@ sub serviceToXML {
$template->param( $_, $self->getValue( $_, $conf ) ); $template->param( $_, $self->getValue( $_, $conf ) );
} }
# When asked to provide only IDP metadata, take into account EntityID override
if ( $type eq "idp" and $conf->{samlOverrideIDPEntityID} ) {
$template->param( 'samlEntityID', $conf->{samlOverrideIDPEntityID} );
}
# Boolean parameters # Boolean parameters
my @param_boolean = qw( my @param_boolean = qw(
samlSPSSODescriptorAuthnRequestsSigned samlSPSSODescriptorAuthnRequestsSigned
......
...@@ -2865,6 +2865,10 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.] ...@@ -2865,6 +2865,10 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.]
'default' => 'http://www.example.com', 'default' => 'http://www.example.com',
'type' => 'text' 'type' => 'text'
}, },
'samlOverrideIDPEntityID' => {
'default' => '',
'type' => 'text'
},
'samlRelayStateTimeout' => { 'samlRelayStateTimeout' => {
'default' => 600, 'default' => 600,
'type' => 'int' 'type' => 'int'
......
...@@ -1992,6 +1992,11 @@ sub attributes { ...@@ -1992,6 +1992,11 @@ sub attributes {
default => 600, default => 600,
documentation => 'SAML timeout of relay state', documentation => 'SAML timeout of relay state',
}, },
samlOverrideIDPEntityID => {
type => 'text',
documentation => 'Override SAML EntityID when acting as an IDP',
default => '',
},
samlUseQueryStringSpecific => { samlUseQueryStringSpecific => {
default => 0, default => 0,
type => 'bool', type => 'bool',
......
...@@ -997,7 +997,8 @@ sub tree { ...@@ -997,7 +997,8 @@ sub tree {
'samlDiscoveryProtocolPolicy', 'samlDiscoveryProtocolPolicy',
'samlDiscoveryProtocolIsPassive' 'samlDiscoveryProtocolIsPassive'
] ]
} },
'samlOverrideIDPEntityID',
] ]
} }
] ]
......
...@@ -969,5 +969,6 @@ ...@@ -969,5 +969,6 @@
"samlCommonDomainCookieReader":"يو آر إل القارئ", "samlCommonDomainCookieReader":"يو آر إل القارئ",
"samlCommonDomainCookieWriter":"يو آر إل الكاتب", "samlCommonDomainCookieWriter":"يو آر إل الكاتب",
"samlRelayStateTimeout":"تناوب حالة مهلة الجلسة ", "samlRelayStateTimeout":"تناوب حالة مهلة الجلسة ",
"samlUseQueryStringSpecific":"استخدام أسلوب query_string المعين" "samlUseQueryStringSpecific":"استخدام أسلوب query_string المعين",
} "samlOverrideIDPEntityID": "Override Entity ID when acting as IDP"
\ No newline at end of file }
...@@ -969,5 +969,6 @@ ...@@ -969,5 +969,6 @@
"samlCommonDomainCookieReader":"Reader URL", "samlCommonDomainCookieReader":"Reader URL",
"samlCommonDomainCookieWriter":"Writer URL", "samlCommonDomainCookieWriter":"Writer URL",
"samlRelayStateTimeout":"RelayState session timeout", "samlRelayStateTimeout":"RelayState session timeout",
"samlUseQueryStringSpecific":"Use specific query_string method" "samlUseQueryStringSpecific":"Use specific query_string method",
} "samlOverrideIDPEntityID": "Override Entity ID when acting as IDP"
\ No newline at end of file }
...@@ -969,5 +969,6 @@ ...@@ -969,5 +969,6 @@
"samlCommonDomainCookieReader":"Reader URL", "samlCommonDomainCookieReader":"Reader URL",
"samlCommonDomainCookieWriter":"Writer URL", "samlCommonDomainCookieWriter":"Writer URL",
"samlRelayStateTimeout":"RelayState session timeout", "samlRelayStateTimeout":"RelayState session timeout",
"samlUseQueryStringSpecific":"Use specific query_string method" "samlUseQueryStringSpecific":"Use specific query_string method",
"samlOverrideIDPEntityID": "Override Entity ID when acting as IDP"
} }
...@@ -969,5 +969,6 @@ ...@@ -969,5 +969,6 @@
"samlCommonDomainCookieReader":"URL de lecture", "samlCommonDomainCookieReader":"URL de lecture",
"samlCommonDomainCookieWriter":"URL d'écriture", "samlCommonDomainCookieWriter":"URL d'écriture",
"samlRelayStateTimeout":"Durée de vie d'une session RelayState", "samlRelayStateTimeout":"Durée de vie d'une session RelayState",
"samlUseQueryStringSpecific":"Utilisation d'une fonction spécifique pour query_string" "samlUseQueryStringSpecific":"Utilisation d'une fonction spécifique pour query_string",
"samlOverrideIDPEntityID": "Valeur de l'Entity ID en mode IDP"
} }
...@@ -969,5 +969,6 @@ ...@@ -969,5 +969,6 @@
"samlCommonDomainCookieReader":"URL del lettore", "samlCommonDomainCookieReader":"URL del lettore",
"samlCommonDomainCookieWriter":"URL dell'autore", "samlCommonDomainCookieWriter":"URL dell'autore",
"samlRelayStateTimeout":"Timeout di sessione di RelayState", "samlRelayStateTimeout":"Timeout di sessione di RelayState",
"samlUseQueryStringSpecific":"Utilizza il metodo specifico query_string" "samlUseQueryStringSpecific":"Utilizza il metodo specifico query_string",
} "samlOverrideIDPEntityID": "Override Entity ID when acting as IDP"
\ No newline at end of file }
...@@ -969,5 +969,6 @@ ...@@ -969,5 +969,6 @@
"samlCommonDomainCookieReader":"Trình đọc URL", "samlCommonDomainCookieReader":"Trình đọc URL",
"samlCommonDomainCookieWriter":"Trình viết URL", "samlCommonDomainCookieWriter":"Trình viết URL",
"samlRelayStateTimeout":"Thời gian hết hạn phiên RelayState ", "samlRelayStateTimeout":"Thời gian hết hạn phiên RelayState ",
"samlUseQueryStringSpecific":"Sử dụng phương pháp query_string cụ thể" "samlUseQueryStringSpecific":"Sử dụng phương pháp query_string cụ thể",
} "samlOverrideIDPEntityID": "Override Entity ID when acting as IDP"
\ No newline at end of file }
...@@ -969,5 +969,6 @@ ...@@ -969,5 +969,6 @@
"samlCommonDomainCookieReader":"Reader URL", "samlCommonDomainCookieReader":"Reader URL",
"samlCommonDomainCookieWriter":"Writer URL", "samlCommonDomainCookieWriter":"Writer URL",
"samlRelayStateTimeout":"RelayState session timeout", "samlRelayStateTimeout":"RelayState session timeout",
"samlUseQueryStringSpecific":"Use specific query_string method" "samlUseQueryStringSpecific":"Use specific query_string method",
} "samlOverrideIDPEntityID": "Override Entity ID when acting as IDP"
\ No newline at end of file }
This source diff could not be displayed because it is too large. You can view the blob instead.
...@@ -91,6 +91,11 @@ qr/^($saml_sso_get_url|$saml_sso_get_url_ret|$saml_sso_post_url|$saml_sso_post_u ...@@ -91,6 +91,11 @@ qr/^($saml_sso_get_url|$saml_sso_get_url_ret|$saml_sso_post_url|$saml_sso_post_u
); );
return 0 unless ($res); return 0 unless ($res);
if ( $self->conf->{samlOverrideIDPEntityID} ) {
$self->lassoServer->ProviderID(
$self->conf->{samlOverrideIDPEntityID} );
}
# Single logout routes # Single logout routes
$self->addUnauthRouteFromMetaDataURL( $self->addUnauthRouteFromMetaDataURL(
"samlIDPSSODescriptorSingleLogoutServiceSOAP", "samlIDPSSODescriptorSingleLogoutServiceSOAP",
......
...@@ -184,7 +184,7 @@ sub loadService { ...@@ -184,7 +184,7 @@ sub loadService {
# Create Lasso server with service metadata # Create Lasso server with service metadata
my $server = $self->createServer( my $server = $self->createServer(
$service_metadata->serviceToXML( $self->conf ), $service_metadata->serviceToXML( $self->conf, ''),
$self->conf->{samlServicePrivateKeySig}, $self->conf->{samlServicePrivateKeySig},
$self->conf->{samlServicePrivateKeySigPwd}, $self->conf->{samlServicePrivateKeySigPwd},
...@@ -3072,7 +3072,7 @@ sub importRealSession { ...@@ -3072,7 +3072,7 @@ sub importRealSession {
sub metadata { sub metadata {
my ( $self, $req ) = @_; my ( $self, $req ) = @_;
my $type = $req->param('type'); my $type = $req->param('type') || 'all';
require Lemonldap::NG::Common::Conf::SAML::Metadata; require Lemonldap::NG::Common::Conf::SAML::Metadata;
if ( my $metadata = Lemonldap::NG::Common::Conf::SAML::Metadata->new() ) { if ( my $metadata = Lemonldap::NG::Common::Conf::SAML::Metadata->new() ) {
my $s = $metadata->serviceToXML( $self->conf, $type); my $s = $metadata->serviceToXML( $self->conf, $type);
......
...@@ -7,7 +7,7 @@ BEGIN { ...@@ -7,7 +7,7 @@ BEGIN {
require 't/test-lib.pm'; require 't/test-lib.pm';
} }
my $maintests = 3; my $maintests = 10;
my $debug = 'error'; my $debug = 'error';
my ( $issuer, $res ); my ( $issuer, $res );
my %handlerOR = ( issuer => [], sp => [] ); my %handlerOR = ( issuer => [], sp => [] );
...@@ -25,6 +25,15 @@ SKIP: { ...@@ -25,6 +25,15 @@ SKIP: {
ok( $res = $issuer->_get('/saml/metadata'), 'Get metadata' ); ok( $res = $issuer->_get('/saml/metadata'), 'Get metadata' );
ok( $res->[2]->[0] =~ m#^<\?xml version="1.0"\?>#s, 'Metadata is XML' ); ok( $res->[2]->[0] =~ m#^<\?xml version="1.0"\?>#s, 'Metadata is XML' );
ok( $res = $issuer->_get('/saml/metadata/idp'), 'Get IDP metadata' );
ok( $res->[2]->[0] =~ m#^<\?xml version="1.0"\?>#s, 'Metadata is XML' );
ok( $res->[2]->[0] !~ m#<SPSSODescriptor#s, 'Metadata does not contain SP information' );
ok( $res->[2]->[0] =~ m#entityID="urn:example\.com"#s, 'IDP EntityID is overriden' );
ok( $res = $issuer->_get('/saml/metadata/sp'), 'Get SP metadata' );
ok( $res->[2]->[0] =~ m#^<\?xml version="1.0"\?>#s, 'Metadata is XML' );
ok( $res->[2]->[0] !~ m#<IDPSSODescriptor#s, 'Metadata does not contain IDP information' );
#print STDERR Dumper($res); #print STDERR Dumper($res);
} }
...@@ -41,6 +50,7 @@ sub issuer { ...@@ -41,6 +50,7 @@ sub issuer {
authentication => 'Demo', authentication => 'Demo',
userDB => 'Same', userDB => 'Same',
issuerDBSAMLActivation => 1, issuerDBSAMLActivation => 1,
samlOverrideIDPEntityID => 'urn:example.com',
samlSPMetaDataOptions => { samlSPMetaDataOptions => {
'sp.com' => { 'sp.com' => {
samlSPMetaDataOptionsEncryptionMode => 'none', samlSPMetaDataOptionsEncryptionMode => 'none',
......