
A library for doing SAML things, terribly, in rust.

My main aim at the moment is to provide IdP capabilities for the Kanidm project.

#![deny(unsafe_code)] is used everywhere to avoid unsafe code tricks. This is why we’re using rust, after all! 🦀 If you would like to help - please log PRs/Issues against terminaloutcomes/saml-rs.

There’s a test application saml_test_server based on tide to allow one to test functionality.

Current progress:

  • Compiles, most of the time
  • saml_test_server runs on HTTP and HTTPS, parses Redirect requests as-needed. Doesn’t parse them well… or validate them if they’re signed, but it’s a start!
  • Parses and … seems to handle SP XML data so we can store a representation of it and match them up later

Next steps:

  • Support the SAML 2.0 Web Browser SSO (SP Redirect Bind / IdP POST Response) flow
  • Sign responses
  • Support Signed AuthN Redirect Requests

SAML 2.0 Web Browser SSO (SP Redirect Bind / IdP POST Response) flow

  1. User attempts to access the SP resource (eg https://example.com/application)

  2. User is HTTP 302 redirected to the IdP (that’s us!)

    • The URL is provided in the SAML 2.0 metadata from the IdP
    • There should be two query parameters, SAMLRequest and RelayState; details about them are available in SamlQuery
  3. The SSO Service validates the request and responds with a document containing an XHTML form:

    NOTE: POSTed assertions MUST be signed

    <form method="post" action="https://example.com/SAML2/SSO/POST" ...>
      <input type="hidden" name="SAMLResponse" value="response" />
      <input type="hidden" name="RelayState" value="token" />
      etc etc...
      <input type="submit" value="Submit" />
    </form>

  4. Request the Assertion Consumer Service at the SP. The user agent issues a POST request to the Assertion Consumer Service at the service provider:
POST /SAML2/SSO/POST HTTP/1.1
Host: sp.example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: nnn
SAMLResponse=response&RelayState=token

To automate the submission of the form, the following line of JavaScript may appear anywhere on the XHTML page:

window.onload = function () { document.forms[0].submit(); }
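The step-2 Redirect request above carries SAMLRequest and RelayState as query parameters, and (per SAML 2.0 Bindings §3.4.4.1) an optionally signed request adds SigAlg and Signature, with the signature computed over the URL-encoded values exactly as they appear in the query string, in the order SAMLRequest, RelayState (only if present), SigAlg. The following std-only Rust program is an added example, not code from saml-rs: it parses such a query string, rebuilds the signed octet string a verifier must check the Signature against, and refuses SHA-1 based signature algorithms. The type and function names (RedirectQuery, parse_redirect_query, signed_data, sig_alg_allowed, url_decode) are hypothetical, and the SAMLRequest value in the sample is a constructed placeholder rather than a real deflated request.

```rust
// Added example for the HTTP-Redirect binding (SAML 2.0 Bindings, section 3.4.4.1).
// All names are hypothetical; this is not the saml-rs API.
use std::collections::HashMap;

/// Parameters of a Redirect-binding request, kept URL-encoded as received.
#[derive(Debug, PartialEq)]
pub struct RedirectQuery {
    pub saml_request: String,
    pub relay_state: Option<String>,
    pub sig_alg: Option<String>,
    pub signature: Option<String>,
}

/// Split a raw query string into name -> still-encoded value pairs.
/// Values are deliberately NOT decoded: the signature covers the encoded form.
fn split_query(query: &str) -> HashMap<&str, &str> {
    query
        .split('&')
        .filter(|p| !p.is_empty())
        .map(|p| p.split_once('=').unwrap_or((p, "")))
        .collect()
}

/// Percent-decode one query value (application/x-www-form-urlencoded style).
pub fn url_decode(s: &str) -> Option<String> {
    let bytes = s.as_bytes();
    let mut out = Vec::with_capacity(bytes.len());
    let mut i = 0;
    while i < bytes.len() {
        match bytes[i] {
            b'+' => { out.push(b' '); i += 1; }
            b'%' => {
                let hex = std::str::from_utf8(bytes.get(i + 1..i + 3)?).ok()?;
                out.push(u8::from_str_radix(hex, 16).ok()?);
                i += 3;
            }
            b => { out.push(b); i += 1; }
        }
    }
    String::from_utf8(out).ok()
}

pub fn parse_redirect_query(query: &str) -> Result<RedirectQuery, String> {
    let params = split_query(query);
    let saml_request = params.get("SAMLRequest").ok_or("missing SAMLRequest")?.to_string();
    let get = |k: &str| params.get(k).map(|v| v.to_string());
    let q = RedirectQuery {
        saml_request,
        relay_state: get("RelayState"),
        sig_alg: get("SigAlg"),
        signature: get("Signature"),
    };
    // A Signature without a SigAlg (or vice versa) is malformed: reject rather than guess.
    if q.signature.is_some() != q.sig_alg.is_some() {
        return Err("Signature and SigAlg must appear together".into());
    }
    Ok(q)
}

/// The octet string the Redirect-binding signature covers:
/// SAMLRequest=<enc>[&RelayState=<enc>]&SigAlg=<enc>, in this order, values as encoded in the URL.
pub fn signed_data(q: &RedirectQuery) -> Option<String> {
    let sig_alg = q.sig_alg.as_ref()?;
    let mut s = format!("SAMLRequest={}", q.saml_request);
    if let Some(rs) = &q.relay_state {
        s.push_str(&format!("&RelayState={}", rs));
    }
    s.push_str(&format!("&SigAlg={}", sig_alg));
    Some(s)
}

/// Only honour SHA-2 RSA algorithm URIs; the SHA-1 URI from xmldsig is refused.
pub fn sig_alg_allowed(sig_alg_encoded: &str) -> bool {
    const ALLOWED: &[&str] = &[
        "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
        "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",
        "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
    ];
    match url_decode(sig_alg_encoded) {
        Some(a) => ALLOWED.contains(&a.as_str()),
        None => false,
    }
}

fn main() {
    // Constructed sample query; the SAMLRequest value is a placeholder, not a real request.
    let raw = "SAMLRequest=fZFBa8JAEIX%2FSsg9&RelayState=token\
               &SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=c2ln";
    let q = parse_redirect_query(raw).expect("well-formed query");
    println!("signed data: {}", signed_data(&q).unwrap());
    println!("SigAlg accepted: {}", sig_alg_allowed(q.sig_alg.as_deref().unwrap()));
}
```

The point of keeping the values encoded is that re-encoding them (or reordering the parameters) before verifying would make a valid signature fail, and verifying a decoded form would let two differently-encoded requests share one signature; the verifier feeds `signed_data` and the base64-decoded Signature to the RSA check for the algorithm named in SigAlg, which this example leaves to a crypto library.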

Testing tools:

Modules

Assertion-related things
Certificate and signing-related things
Constants for the saml-rs module.
Handy for the XML metadata part of SAML
Want to build a SAML response? Here’s your module. 🥳
Functions for signing data
Service Provider utilities and functions
Random samples of XML I’ve found around the place
Extensions for things and generic utilities
Internal utilities for doing things with XML

Structs

Custom error for failing to parse an AuthN request
Stores the values one would expect in an AuthN Request
Used to pull apart a SAML AuthN Request and build an AuthnRequest
Used in the SAML Redirect GET request to pull out the query values

Functions

Removes base64 encoding and also DEFLATE-decompresses the input String.
Does the decoding to hand the signature to the verifier
Give it a string full of XML and it’ll give you back an AuthnRequest object which has the details
Used inside AuthnRequestParser to help parse the AuthN request
Used inside AuthnRequestParser to help parse the AuthN request