initial commit

internal/saml/idp.go

@@ -0,0 +1,70 @@
+package saml
+
+import (
+	"encoding/base64"
+	"time"
+
+	"shamilnunhuck/saml-oidc-bridge/internal/config"
+	"shamilnunhuck/saml-oidc-bridge/internal/crypto"
+
+	"github.com/crewjam/saml"
+)
+
+type IdP struct {
+	keys     *crypto.KeyStore
+	sec      config.Security
+	entityID string
+	ssoURL   string
+}
+
+func NewIdP(cfg *config.Config, ks *crypto.KeyStore) *IdP {
+	return &IdP{
+		keys:     ks,
+		sec:      cfg.Security,
+		entityID: cfg.Server.ExternalURL,
+		ssoURL:   cfg.Server.ExternalURL + "/saml/sso",
+	}
+}
+
+func (i *IdP) Metadata() *saml.EntityDescriptor {
+	// we need to publish all certs, to allow safe rotation
+	keyDescriptors := []saml.KeyDescriptor{}
+
+	for _, der := range i.keys.AllCertsDER() {
+		keyDescriptors = append(keyDescriptors, saml.KeyDescriptor{
+			Use: "signing",
+			KeyInfo: saml.KeyInfo{
+				X509Data: saml.X509Data{
+					X509Certificates: []saml.X509Certificate{{
+						Data: base64.StdEncoding.EncodeToString(der),
+					}},
+				},
+			},
+		})
+	}
+
+	entityDescriptor := &saml.EntityDescriptor{
+		EntityID: i.entityID,
+		// crewjam expects time.Time for ValidUntil and time.Duration for CacheDuration
+		ValidUntil:    time.Now().UTC().Add(time.Duration(i.sec.MetadataValidUntilDays) * 24 * time.Hour),
+		CacheDuration: time.Duration(i.sec.MetadataCacheDurationSeconds) * time.Second,
+		IDPSSODescriptors: []saml.IDPSSODescriptor{
+			{
+				SSODescriptor: saml.SSODescriptor{
+					RoleDescriptor: saml.RoleDescriptor{
+						ProtocolSupportEnumeration: "urn:oasis:names:tc:SAML:2.0:protocol",
+						KeyDescriptors:             keyDescriptors,
+					},
+				},
+				SingleSignOnServices: []saml.Endpoint{
+					{
+						Binding:  saml.HTTPPostBinding,
+						Location: i.ssoURL,
+					},
+				},
+			},
+		},
+	}
+
+	return entityDescriptor
+}