Commit 9992c56f authored by Clément OUDOT's avatar Clément OUDOT

Configure mapping between SAML authentication contexts and authentication levels (#152)

parent 8d6899c2
......@@ -760,6 +760,7 @@ sub struct {
qw(samlEntityID
n:samlServiceSecurity
n:samlNameIDFormatMap
n:samlAuthnContextMap
n:samlOrganization
n:samlSPSSODescriptor
n:samlIDPSSODescriptor
......@@ -820,6 +821,22 @@ sub struct {
'text:/samlNameIDFormatMapKerberos',
},
# AUTHN CONTEXT MAP
samlAuthnContextMap => {
_nodes => [
qw(samlAuthnContextMapPassword samlAuthnContextMapPasswordProtectedTransport samlAuthnContextMapTLSClient samlAuthnContextMapKerberos)
],
_help => 'default',
samlAuthnContextMapPassword =>
'int:/samlAuthnContextMapPassword',
samlAuthnContextMapPasswordProtectedTransport =>
'int:/samlAuthnContextMapPasswordProtectedTransport',
samlAuthnContextMapTLSClient =>
'int:/samlAuthnContextMapTLSClient',
samlAuthnContextMapKerberos =>
'int:/samlAuthnContextMapKerberos',
},
# ORGANIZATION
samlOrganization => {
_nodes => [
......@@ -1378,6 +1395,10 @@ sub testStruct {
keyTest => qr/^\w+$/,
keyMsgFail => 'Bad parameter',
},
samlAuthnContextMapPassword => $integer,
samlAuthnContextMapPasswordProtectedTransport => $integer,
samlAuthnContextMapTLSClient => $integer,
samlAuthnContextMapKerberos => $integer,
# SSL
SSLAuthnLevel => $integer,
......@@ -1625,6 +1646,10 @@ sub defaultConf {
samlServicePrivateKeyEncPwd => '',
samlServicePublicKeyEnc => '',
samlMetadataForceUTF8 => 1,
samlAuthnContextMapPassword => 2,
samlAuthnContextMapPasswordProtectedTransport => 3,
samlAuthnContextMapTLSClient => 5,
samlAuthnContextMapKerberos => 4,
# Authentication levels
ldapAuthnLevel => 2,
......
......@@ -351,6 +351,12 @@ sub en {
samlUserDBIdentityKey => 'SAML identity storage key',
samlStorage => 'SAML sessions module name',
samlStorageOptions => 'SAML sessions module options',
samlAuthnContextMap => 'Authentication contexts',
samlAuthnContextMapPassword => 'Password',
samlAuthnContextMapPasswordProtectedTransport =>
'Password protected transport',
samlAuthnContextMapTLSClient => 'TLS client',
samlAuthnContextMapKerberos => 'Kerberos',
};
}
......@@ -673,6 +679,12 @@ sub fr {
samlUserDBIdentityKey => 'Clé de stockage de l\'identité SAML',
samlStorage => 'Nom du module des session SAML',
samlStorageOptions => 'Options du module des sessions SAML',
samlAuthnContextMap => 'Contextes d\'authentification',
samlAuthnContextMapPassword => 'Mot de passe',
samlAuthnContextMapPasswordProtectedTransport =>
'Mot de passe protégé',
samlAuthnContextMapTLSClient => 'Client TLS',
samlAuthnContextMapKerberos => 'Kerberos',
};
}
......@@ -483,6 +483,14 @@ sub setDefaultValues {
$self->{samlStorageOptions} ||= $self->{globalStorageOptions};
$self->{samlMetadataForceUTF8} = 1
unless ( defined( $self->{samlMetadataForceUTF8} ) );
$self->{samlAuthnContextMapPassword} = 2
unless defined $self->{samlAuthnContextMapPassword};
$self->{samlAuthnContextMapPasswordProtectedTransport} = 3
unless defined $self->{samlAuthnContextMapPasswordProtectedTransport};
$self->{samlAuthnContextMapTLSClient} = 5
unless defined $self->{samlAuthnContextMapTLSClient};
$self->{samlAuthnContextMapKerberos} = 4
unless defined $self->{samlAuthnContextMapKerberos};
# CAS
$self->{casStorage} ||= $self->{globalStorage};
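Review bot: The four literals set here (2, 3, 5, 4) repeat the values this same commit puts in `defaultConf`, so there are now two lists that must be kept in sync by hand and nothing ties them together. A one-line comment would at least make the dependency visible: `# SAML authn context -> authn level defaults (keep in sync with defaultConf)`. The `unless defined` form matches the surrounding samlMetadataForceUTF8 line, but if the project's minimum Perl is 5.10 or later the defined-or assignment says the same thing in half the space, e.g. `$self->{samlAuthnContextMapPassword} //= 2;`.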
......
......@@ -2669,12 +2669,16 @@ sub checkSignatureStatus {
sub authnContext2authnLevel {
my ( $self, $authnContext ) = splice @_;
return 2 if ( $authnContext eq $self->getAuthnContext("password") );
return 3
return $self->{samlAuthnContextMapPassword}
if ( $authnContext eq $self->getAuthnContext("password") );
return $self->{samlAuthnContextMapPasswordProtectedTransport}
if (
$authnContext eq $self->getAuthnContext("password-protected-transport")
);
return 5 if ( $authnContext eq $self->getAuthnContext("tls-client") );
return $self->{samlAuthnContextMapKerberos}
if ( $authnContext eq $self->getAuthnContext("kerberos") );
return $self->{samlAuthnContextMapTLSClient}
if ( $authnContext eq $self->getAuthnContext("tls-client") );
return 0;
}
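Review bot: `authnContext2authnLevel` keeps `return 0` as the result for an unrecognised context, while the four configurable values it now returns are only checked as integers (`$integer` in testStruct), so an administrator who sets one samlAuthnContextMap* key to 0 makes that context indistinguishable from an unknown one, and nothing in the hunk warns about it. The previous hard-coded values were strictly ordered (password < password-protected-transport < tls-client); with admin-supplied numbers that ordering is no longer guaranteed, and whatever number is configured becomes the session level for every assertion the IdP sends with that AuthnContextClassRef, so the mapping deserves a header comment. Something like: `# Map the IdP-asserted AuthnContextClassRef to a local authn level; levels come from samlAuthnContextMap* (defaults in setDefaultValues). 0 means "unknown context", so do not configure a context as 0.` The hunk header names checkSignatureStatus, but the lines shown are the whole of authnContext2authnLevel.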
......@@ -2686,10 +2690,15 @@ sub authnContext2authnLevel {
sub authnLevel2authnContext {
my ( $self, $authnLevel ) = splice @_;
return $self->getAuthnContext("password") if ( $authnLevel == 2 );
return $self->getAuthnContext("password")
if ( $authnLevel == $self->{samlAuthnContextMapPassword} );
return $self->getAuthnContext("password-protected-transport")
if ( $authnLevel == 3 );
return $self->getAuthnContext("tls-client") if ( $authnLevel == 5 );
if (
$authnLevel == $self->{samlAuthnContextMapPasswordProtectedTransport} );
return $self->getAuthnContext("kerberos")
if ( $authnLevel == $self->{samlAuthnContextMapKerberos} );
return $self->getAuthnContext("tls-client")
if ( $authnLevel == $self->{samlAuthnContextMapTLSClient} );
return $self->getAuthnContext("unspecified");
}
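Review bot: `authnLevel2authnContext` tries the comparisons in a fixed order (password, password-protected-transport, kerberos, tls-client), so now that the levels are configurable, two contexts mapped to the same level make the earlier one win: a requested level equal to both samlAuthnContextMapPassword and samlAuthnContextMapPasswordProtectedTransport yields the `password` context rather than the stronger one, and testStruct does not reject duplicate values. If that is the intended behaviour it should be stated, e.g. `# First match wins: when two contexts share a level the earlier (weaker) one is returned.`; if the intent is the strongest context for a level, the four checks should be ordered strongest-first instead. The `==` comparisons also numify an undefined config value to 0 with a warning, which presumably cannot happen once setDefaultValues has run but is worth confirming for callers that bypass it.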
......