From 9d3fd0ebd06e51767ae95ac6db11efe7b5bdaeb6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9ment=20Oudot?= Date: Mon, 31 May 2010 10:37:43 +0000 Subject: [PATCH] SAML: * Add Attribute Authority metadata (#3) * Clean existing metadata (remove NameID management, and set NameIDFormat directly in XML) --- .../Lemonldap/NG/Common/Conf/SAML/Metadata.pm | 12 +-- .../lib/Lemonldap/NG/Manager/_Struct.pm | 98 ++++++------------- .../lib/Lemonldap/NG/Manager/_i18n.pm | 46 ++++----- .../example/skins/common/saml2-metadata.tpl | 52 +++++----- 4 files changed, 79 insertions(+), 129 deletions(-) diff --git a/modules/lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/SAML/Metadata.pm b/modules/lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/SAML/Metadata.pm index 1d01be386..09d37e744 100644 --- a/modules/lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/SAML/Metadata.pm +++ b/modules/lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/SAML/Metadata.pm @@ -137,14 +137,6 @@ sub serviceToXML { samlOrganizationName samlOrganizationDisplayName samlOrganizationURL - samlSPSSODescriptorProtocolSupportEnumeration - samlSPSSODescriptorNameIDFormatX509SubjectName - samlSPSSODescriptorNameIDFormatPersistent - samlSPSSODescriptorNameIDFormatTransient - samlIDPSSODescriptorProtocolSupportEnumeration - samlIDPSSODescriptorNameIDFormatX509SubjectName - samlIDPSSODescriptorNameIDFormatPersistent - samlIDPSSODescriptorNameIDFormatTransient ); foreach (@param_auto) { @@ -156,6 +148,7 @@ sub serviceToXML { # Boolean parameters my @param_boolean = qw( samlSPSSODescriptorAuthnRequestsSigned + samlSPSSODescriptorWantAssertionsSigned samlIDPSSODescriptorWantAuthnRequestsSigned ); 
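Review bot: Dropping samlSPSSODescriptorProtocolSupportEnumeration and samlIDPSSODescriptorProtocolSupportEnumeration from `@param_auto` in the first hunk means any such key still present in a deployed configuration is silently ignored from now on; the template hunk later in this patch hard-codes `protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"`, which is presumably the reason. A one-line comment above the list, `# protocolSupportEnumeration and NameIDFormat are now fixed in saml2-metadata.tpl`, would spare the next reader the search, and a note on how stale keys are purged from older configurations would help. serviceToXML starts before and ends after these hunks.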
@@ -205,8 +198,7 @@ sub serviceToXML { samlIDPSSODescriptorSingleLogoutServiceHTTPRedirect samlIDPSSODescriptorSingleLogoutServiceHTTPPost samlIDPSSODescriptorSingleLogoutServiceSOAP - samlIDPSSODescriptorManageNameIDServiceHTTP - samlIDPSSODescriptorManageNameIDServiceSOAP + samlAttributeAuthorityDescriptorAttributeServiceSOAP ); foreach (@param_service) { diff --git a/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_Struct.pm b/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_Struct.pm index 516db0af5..9bb2257d3 100644 --- a/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_Struct.pm +++ b/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_Struct.pm @@ -616,7 +616,8 @@ sub struct { n:samlNameIDFormatMap n:samlOrganization n:samlSPSSODescriptor - n:samlIDPSSODescriptor) + n:samlIDPSSODescriptor + n:samlAttributeAuthorityDescriptor) ], _help => 'default', @@ -624,6 +625,8 @@ sub struct { samlEntityID => 'text:/samlEntityID', samlServicePrivateKey => 'filearea:/samlServicePrivateKey:samlServicePrivateKey:filearea', + + # NAMEID FORMAT MAP samlNameIDFormatMap => { _nodes => [ qw(samlNameIDFormatMapEmail samlNameIDFormatMapX509 samlNameIDFormatMapWindows samlNameIDFormatMapKerberos) @@ -636,6 +639,8 @@ sub struct { samlNameIDFormatMapKerberos => 'text:/samlNameIDFormatMapKerberos', }, + + # ORGANIZATION samlOrganization => { _nodes => [ qw(samlOrganizationDisplayName 
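Review bot: samlAttributeAuthorityDescriptorAttributeServiceSOAP is added to `@param_service`, so generated metadata will now advertise an AttributeService endpoint (defaulted to `$portal/saml/AA/SOAP` in the defaultConf hunk of this patch), yet nothing in the patch adds a portal handler for that path or the request-signature check an AttributeQuery endpoint needs. An endpoint published in metadata is a commitment partners will act on; if the handler lands in a later commit, the default should stay empty until then so no dead URL is published. The `foreach (@param_service)` loop that consumes the list continues outside the hunk.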
@@ -653,16 +658,19 @@ sub struct { 'samlSPSSODescriptor' => { _nodes => [ qw(samlSPSSODescriptorAuthnRequestsSigned + samlSPSSODescriptorWantAssertionsSigned samlSPSSODescriptorKeyDescriptorSigning n:samlSPSSODescriptorSingleLogoutService n:samlSPSSODescriptorAssertionConsumerService n:samlSPSSODescriptorArtifactResolutionService - n:samlSPSSODescriptorNameIDFormat) + ) ], _help => 'default', samlSPSSODescriptorAuthnRequestsSigned => 'bool:/samlSPSSODescriptorAuthnRequestsSigned', + samlSPSSODescriptorWantAssertionsSigned => + 'bool:/samlSPSSODescriptorWantAssertionsSigned', samlSPSSODescriptorKeyDescriptorSigning => 'filearea:/samlSPSSODescriptorKeyDescriptorSigning', @@ -704,21 +712,6 @@ sub struct { samlSPSSODescriptorArtifactResolutionServiceArtifact => 'samlAssertion:/samlSPSSODescriptorArtifactResolutionServiceArtifact', }, - - samlSPSSODescriptorNameIDFormat => { - _nodes => [ - qw(samlSPSSODescriptorNameIDFormatX509SubjectName - samlSPSSODescriptorNameIDFormatPersistent - samlSPSSODescriptorNameIDFormatTransient) - ], - _help => 'default', - samlSPSSODescriptorNameIDFormatX509SubjectName => -'bool:/samlSPSSODescriptorNameIDFormatX509SubjectName:samlNameIDFormatX509SubjectName:bool', - samlSPSSODescriptorNameIDFormatPersistent => -'bool:/samlSPSSODescriptorNameIDFormatPersistent:samlNameIDFormatPersistent:bool', - samlSPSSODescriptorNameIDFormatTransient => -'bool:/samlSPSSODescriptorNameIDFormatTransient:samlNameIDFormatTransient:bool', - }, }, # IDENTITY PROVIDER @@ -728,9 +721,7 @@ sub struct { samlIDPSSODescriptorKeyDescriptorSigning n:samlIDPSSODescriptorSingleSignOnService n:samlIDPSSODescriptorSingleLogoutService - n:samlIDPSSODescriptorArtifactResolutionService - n:samlIDPSSODescriptorNameIDFormat - n:samlIDPSSODescriptorManageNameIDService) + n:samlIDPSSODescriptorArtifactResolutionService) ], _help => 'default', 
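Review bot: In the samlSPSSODescriptor `_nodes` list the closing `)` of the `qw(...)` now sits alone on its own line after `n:samlSPSSODescriptorNameIDFormat` was removed, while the IDP list in the third hunk on this line closes on its last item (`n:samlIDPSSODescriptorArtifactResolutionService)`). For consistency, move it up: `n:samlSPSSODescriptorArtifactResolutionService)`. The struct sub starts before and ends after these hunks.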
@@ -778,33 +769,22 @@ sub struct { 'samlAssertion:/samlIDPSSODescriptorArtifactResolutionServiceArtifact', }, - samlIDPSSODescriptorNameIDFormat => { - _nodes => [ - qw(samlIDPSSODescriptorNameIDFormatX509SubjectName - samlIDPSSODescriptorNameIDFormatPersistent - samlIDPSSODescriptorNameIDFormatTransient) - ], - _help => 'default', - samlIDPSSODescriptorNameIDFormatX509SubjectName => -'bool:/samlIDPSSODescriptorNameIDFormatX509SubjectName:samlNameIDFormatX509SubjectName:bool', - samlIDPSSODescriptorNameIDFormatPersistent => -'bool:/samlIDPSSODescriptorNameIDFormatPersistent:samlNameIDFormatPersistent:bool', - samlIDPSSODescriptorNameIDFormatTransient => -'bool:/samlIDPSSODescriptorNameIDFormatTransient:samlNameIDFormatTransient:bool', }, - samlIDPSSODescriptorManageNameIDService => { + # ATTRIBUTE AUTHORITY + samlAttributeAuthorityDescriptor => { + _nodes => + [qw(n:samlAttributeAuthorityDescriptorAttributeService)], + _help => 'default', + samlAttributeAuthorityDescriptorAttributeService => { _nodes => [ - qw(samlIDPSSODescriptorManageNameIDServiceHTTP - samlIDPSSODescriptorManageNameIDServiceSOAP) + qw(samlAttributeAuthorityDescriptorAttributeServiceSOAP) ], - _help => 'default', - samlIDPSSODescriptorManageNameIDServiceHTTP => -'samlService:/samlIDPSSODescriptorManageNameIDServiceHTTP', - samlIDPSSODescriptorManageNameIDServiceSOAP => -'samlService:/samlIDPSSODescriptorManageNameIDServiceSOAP', + samlAttributeAuthorityDescriptorAttributeServiceSOAP => +'samlService:/samlAttributeAuthorityDescriptorAttributeServiceSOAP', }, }, + }, }; } @@ -1133,6 +1113,7 @@ sub testStruct { samlOrganizationName => $testNotDefined, samlOrganizationURL => $testNotDefined, samlSPSSODescriptorAuthnRequestsSigned => $boolean, + samlSPSSODescriptorWantAssertionsSigned => $boolean, samlSPSSODescriptorKeyDescriptorSigning => $testNotDefined, samlSPSSODescriptorSingleLogoutServiceHTTPRedirect => $testNotDefined, samlSPSSODescriptorSingleLogoutServiceHTTPPost => $testNotDefined, 
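Review bot: The new samlAttributeAuthorityDescriptorAttributeService node has `_nodes` and the SOAP leaf but no `_help` entry; the ManageNameIDService node it replaces carried `_help => 'default',` and the enclosing samlAttributeAuthorityDescriptor node keeps one. If the manager resolves help text by that key, the Attribute Service page will have none; adding `_help => 'default',` after the `_nodes` list keeps it in line with the sibling nodes. Both hunks sit inside subs (struct, testStruct) that start and end outside the hunk.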
@@ -1143,9 +1124,6 @@ sub testStruct { samlSPSSODescriptorAssertionConsumerServiceHTTPRedirect => $testNotDefined, samlSPSSODescriptorArtifactResolutionServiceArtifact => $testNotDefined, - samlSPSSODescriptorNameIDFormatX509SubjectName => $boolean, - samlSPSSODescriptorNameIDFormatPersistent => $boolean, - samlSPSSODescriptorNameIDFormatTransient => $boolean, samlIDPSSODescriptorWantAuthnRequestsSigned => $boolean, samlIDPSSODescriptorKeyDescriptorSigning => $testNotDefined, samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect => $testNotDefined, @@ -1156,15 +1134,11 @@ sub testStruct { samlIDPSSODescriptorSingleLogoutServiceSOAP => $testNotDefined, samlIDPSSODescriptorArtifactResolutionServiceArtifact => $testNotDefined, - samlIDPSSODescriptorNameIDFormatX509SubjectName => $boolean, - samlIDPSSODescriptorNameIDFormatPersistent => $boolean, - samlIDPSSODescriptorNameIDFormatTransient => $boolean, - samlIDPSSODescriptorManageNameIDServiceHTTP => $testNotDefined, - samlIDPSSODescriptorManageNameIDServiceSOAP => $testNotDefined, samlNameIDFormatMapEmail => $testNotDefined, samlNameIDFormatMapX509 => $testNotDefined, samlNameIDFormatMapWindows => $testNotDefined, samlNameIDFormatMapKerberos => $testNotDefined, + samlAttributeAuthorityDescriptorAttributeServiceSOAP => $testNotDefined, # SSL SSLVar => $testNotDefined, @@ -1312,7 +1286,8 @@ sub defaultConf { samlSPMetaDataOptionsCheckSSOMessageSignature => '1', samlSPMetaDataOptionsSignSLOMessage => '1', samlSPMetaDataOptionsCheckSLOMessageSignature => '1', - samlSPSSODescriptorAuthnRequestsSigned => '0', + samlSPSSODescriptorAuthnRequestsSigned => '1', + samlSPSSODescriptorWantAssertionsSigned => '1', samlSPSSODescriptorKeyDescriptorSigning => '', samlSPSSODescriptorSingleLogoutServiceHTTPRedirect => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;' 
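Review bot: Flipping the default of samlSPSSODescriptorAuthnRequestsSigned to '1' and adding samlSPSSODescriptorWantAssertionsSigned => '1' (and, in the first hunk of the next line, samlIDPSSODescriptorWantAuthnRequestsSigned => '1') is the right direction, but these keys only change what the published metadata declares; they are not what makes the portal verify signatures, which is configured per partner by the samlSPMetaDataOptions* entries visible just above. A comment above the block, `# metadata flags: advertised policy only, signature checking is configured per partner in samlSPMetaDataOptions*`, would keep an operator from assuming the flag enforces anything. If defaultConf is also used to fill missing keys on upgrade, existing deployments will see their published metadata change, which partners comparing metadata may notice; worth a changelog note.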
@@ -1346,10 +1321,7 @@ sub defaultConf { '1;0;urn:oasis:names:tc:SAML:2.0:bindings:SOAP;' . $portal . '/saml/artifact', - samlSPSSODescriptorNameIDFormatX509SubjectName => '0', - samlSPSSODescriptorNameIDFormatPersistent => '1', - samlSPSSODescriptorNameIDFormatTransient => '0', - samlIDPSSODescriptorWantAuthnRequestsSigned => '0', + samlIDPSSODescriptorWantAuthnRequestsSigned => '1', samlIDPSSODescriptorKeyDescriptorSigning => '', samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;' @@ -1383,23 +1355,15 @@ sub defaultConf { '1;0;urn:oasis:names:tc:SAML:2.0:bindings:SOAP;' . $portal . '/saml/artifact', - samlIDPSSODescriptorManageNameIDServiceHTTP => - 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;' - . $portal - . '/saml/manageNameId;' - . $portal - . '/saml/manageNameIdReturn', - samlIDPSSODescriptorManageNameIDServiceSOAP => - 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP;' - . $portal - . '/saml/manageNameIdSOAP;', - samlIDPSSODescriptorNameIDFormatX509SubjectName => '0', - samlIDPSSODescriptorNameIDFormatPersistent => '1', - samlIDPSSODescriptorNameIDFormatTransient => '0', samlNameIDFormatMapEmail => 'mail', samlNameIDFormatMapX509 => 'mail', samlNameIDFormatMapWindows => 'uid', samlNameIDFormatMapKerberos => 'uid', + samlAttributeAuthorityDescriptorAttributeServiceSOAP => + 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP;' + . $portal + . '/saml/AA/SOAP;', + }; } diff --git a/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_i18n.pm b/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_i18n.pm index c10e85643..672b1d83e 100644 --- a/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_i18n.pm +++ b/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_i18n.pm 
@@ -268,6 +268,7 @@ sub en { samlSPSSODescriptor => 'Service Provider', samlSPSSODescriptorAuthnRequestsSigned => 'Signed Authentication Request', + samlSPSSODescriptorWantAssertionsSigned => 'Want Assertions Signed', samlSPSSODescriptorKeyDescriptorSigning => 'Signing Key', samlSPSSODescriptorSingleLogoutService => 'Single Logout', samlSPSSODescriptorSingleLogoutServiceHTTPRedirect => 'HTTP Redirect', @@ -282,15 +283,11 @@ sub en { samlSPSSODescriptorArtifactResolutionService => 'Artifact Resolution', samlSPSSODescriptorArtifactResolutionServiceArtifact => 'Artifact Service', - samlSPSSODescriptorNameIDFormat => 'NameID Format', - samlSPSSODescriptorNameIDFormatX509SubjectName => 'x509', - samlSPSSODescriptorNameIDFormatPersistent => 'Persistent', - samlSPSSODescriptorNameIDFormatTransient => 'Transient', samlIDPSSODescriptor => 'Identity Provider', samlIDPSSODescriptorWantAuthnRequestsSigned => - 'Signed Authentication Request', + 'Want Authentication Request Signed', samlIDPSSODescriptorKeyDescriptorSigning => 'Signing Key', - samlIDPSSODescriptorSingleSignOnService => 'Single Sign on', + samlIDPSSODescriptorSingleSignOnService => 'Single Sign On', samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect => 'HTTP Redirect', samlIDPSSODescriptorSingleSignOnServiceHTTPPost => 'HTTP POST', samlIDPSSODescriptorSingleSignOnServiceSOAP => 'SOAP', 
@@ -301,13 +298,9 @@ sub en { samlIDPSSODescriptorArtifactResolutionService => 'Artifact Resolution', samlIDPSSODescriptorArtifactResolutionServiceArtifact => 'Artifact Service', - samlIDPSSODescriptorNameIDFormat => 'NameID Format', - samlIDPSSODescriptorNameIDFormatX509SubjectName => 'x509', - samlIDPSSODescriptorNameIDFormatPersistent => 'Persistent', - samlIDPSSODescriptorNameIDFormatTransient => 'Transient', - samlIDPSSODescriptorManageNameIDService => 'NameID Manager', - samlIDPSSODescriptorManageNameIDServiceHTTP => 'HTTP Redirect', - samlIDPSSODescriptorManageNameIDServiceSOAP => 'SOAP', + samlAttributeAuthorityDescriptor => 'Attribute Authority', + samlAttributeAuthorityDescriptorAttributeService => 'Attribute Service', + samlAttributeAuthorityDescriptorAttributeServiceSOAP => 'SOAP', }; } @@ -538,8 +531,10 @@ sub fr { samlOrganizationURL => 'URL', samlSPSSODescriptor => 'Fournisseur de service', samlSPSSODescriptorAuthnRequestsSigned => - 'Requête d\'authentification signé', - samlSPSSODescriptorKeyDescriptorSigning => 'Clef de signature', + 'Requêtes d\'authentification signées', + samlSPSSODescriptorWantAssertionsSigned => + 'Exige des assertions signées', + samlSPSSODescriptorKeyDescriptorSigning => 'Clé de signature', samlSPSSODescriptorSingleLogoutService => 'Single Logout', samlSPSSODescriptorSingleLogoutServiceHTTPRedirect => 'Redirection HTTP', 
@@ -555,15 +550,11 @@ sub fr { 'Résolution d\'Artifact', samlSPSSODescriptorArtifactResolutionServiceArtifact => 'Service Artifact', - samlSPSSODescriptorNameIDFormat => 'Format NameID', - samlSPSSODescriptorNameIDFormatX509SubjectName => 'x509', - samlSPSSODescriptorNameIDFormatPersistent => 'Persistant', - samlSPSSODescriptorNameIDFormatTransient => 'Temporaire', samlIDPSSODescriptor => 'Fournisseur d\'identité', samlIDPSSODescriptorWantAuthnRequestsSigned => - 'Requête d\'authentification signé', - samlIDPSSODescriptorKeyDescriptorSigning => 'Clef de signature', - samlIDPSSODescriptorSingleSignOnService => 'Single Sign on', + 'Exige des requêtes d\'authentification signées', + samlIDPSSODescriptorKeyDescriptorSigning => 'Clé de signature', + samlIDPSSODescriptorSingleSignOnService => 'Single Sign On', samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect => 'Redirection HTTP', samlIDPSSODescriptorSingleSignOnServiceHTTPPost => 'POST HTTP', @@ -577,13 +568,10 @@ sub fr { 'Résolution d\'Artifact', samlIDPSSODescriptorArtifactResolutionServiceArtifact => 'Service Artifact', - samlIDPSSODescriptorNameIDFormat => 'Format NameID', - samlIDPSSODescriptorNameIDFormatX509SubjectName => 'x509', - samlIDPSSODescriptorNameIDFormatPersistent => 'Persistant', - samlIDPSSODescriptorNameIDFormatTransient => 'Temporaire', - samlIDPSSODescriptorManageNameIDService => 'Gestionnaire de NameID', - samlIDPSSODescriptorManageNameIDServiceHTTP => 'Redirection HTTP', - samlIDPSSODescriptorManageNameIDServiceSOAP => 'SOAP', + samlAttributeAuthorityDescriptor => 'Autorité d\'attributs', + samlAttributeAuthorityDescriptorAttributeService => + 'Service d\'attributs', + samlAttributeAuthorityDescriptorAttributeServiceSOAP => 'SOAP', }; } diff --git a/modules/lemonldap-ng-portal/example/skins/common/saml2-metadata.tpl b/modules/lemonldap-ng-portal/example/skins/common/saml2-metadata.tpl index ee8e85a6e..987e124d7 100644 --- a/modules/lemonldap-ng-portal/example/skins/common/saml2-metadata.tpl 
+++ b/modules/lemonldap-ng-portal/example/skins/common/saml2-metadata.tpl @@ -41,15 +41,6 @@ ResponseLocation="" /> - " - Location="" /> - " - Location="" - - ResponseLocation="" - /> " Location="" /> @@ -65,19 +56,17 @@ ResponseLocation="" /> - + urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName - - - urn:oasis:names:tc:SAML:2.0:nameid-format:persistent - - + urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName + urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos + urn:oasis:names:tc:SAML:2.0:nameid-format:entity urn:oasis:names:tc:SAML:2.0:nameid-format:transient - " + WantAssertionsSigned="" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> @@ -128,17 +117,34 @@ index="" Binding="" Location="" /> - + urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName - - - urn:oasis:names:tc:SAML:2.0:nameid-format:persistent - - + urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName + urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos + urn:oasis:names:tc:SAML:2.0:nameid-format:entity urn:oasis:names:tc:SAML:2.0:nameid-format:transient - + + + + + + + + + " + Location=""/> + urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress + urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName + urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName + urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos + urn:oasis:names:tc:SAML:2.0:nameid-format:entity + urn:oasis:names:tc:SAML:2.0:nameid-format:transient + +
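Review bot: The static NameIDFormat list written into the SP and IdP descriptors in the second hunk no longer contains `urn:oasis:names:tc:SAML:2.0:nameid-format:persistent`, although the removed defaultConf entries (samlSPSSODescriptorNameIDFormatPersistent => '1') show persistent was the one format enabled by default before; partners that picked persistent NameIDs from the old metadata will no longer find it advertised. The template tags are stripped in this rendering, so if persistent is still emitted inside a conditional that is not visible here, disregard this. The list also advertises `urn:oasis:names:tc:SAML:2.0:nameid-format:entity`, for which samlNameIDFormatMap has no mapping entry (it covers Email, X509, Windows and Kerberos), so either restore persistent and drop entity, or document why entity is offered. The third hunk, the new AttributeAuthorityDescriptor block, repeats the same list.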