line |
stmt |
bran |
cond |
sub |
pod |
time |
code |
1
|
3
|
|
|
3
|
|
6977
|
use strict; |
|
3
|
|
|
|
|
11
|
|
|
3
|
|
|
|
|
85
|
|
2
|
3
|
|
|
3
|
|
12
|
use warnings; |
|
3
|
|
|
|
|
6
|
|
|
3
|
|
|
|
|
152
|
|
3
|
|
|
|
|
|
|
package Net::SAML2; |
4
|
|
|
|
|
|
|
our $VERSION = "0.72"; |
5
|
|
|
|
|
|
|
|
6
|
|
|
|
|
|
|
require 5.012; |
7
|
|
|
|
|
|
|
|
8
|
|
|
|
|
|
|
# ABSTRACT: SAML2 bindings and protocol implementation |
9
|
|
|
|
|
|
|
|
10
|
|
|
|
|
|
|
# entities |
11
|
3
|
|
|
3
|
|
1245
|
use Net::SAML2::IdP; |
|
3
|
|
|
|
|
32235
|
|
|
3
|
|
|
|
|
163
|
|
12
|
3
|
|
|
3
|
|
1137
|
use Net::SAML2::SP; |
|
3
|
|
|
|
|
832
|
|
|
3
|
|
|
|
|
124
|
|
13
|
|
|
|
|
|
|
|
14
|
|
|
|
|
|
|
# bindings |
15
|
3
|
|
|
3
|
|
25
|
use Net::SAML2::Binding::Redirect; |
|
3
|
|
|
|
|
6
|
|
|
3
|
|
|
|
|
72
|
|
16
|
3
|
|
|
3
|
|
15
|
use Net::SAML2::Binding::POST; |
|
3
|
|
|
|
|
8
|
|
|
3
|
|
|
|
|
70
|
|
17
|
3
|
|
|
3
|
|
17
|
use Net::SAML2::Binding::SOAP; |
|
3
|
|
|
|
|
8
|
|
|
3
|
|
|
|
|
60
|
|
18
|
|
|
|
|
|
|
|
19
|
|
|
|
|
|
|
# protocol |
20
|
3
|
|
|
3
|
|
17
|
use Net::SAML2::Protocol::AuthnRequest; |
|
3
|
|
|
|
|
6
|
|
|
3
|
|
|
|
|
62
|
|
21
|
3
|
|
|
3
|
|
15
|
use Net::SAML2::Protocol::LogoutRequest; |
|
3
|
|
|
|
|
5
|
|
|
3
|
|
|
|
|
54
|
|
22
|
3
|
|
|
3
|
|
1748
|
use Net::SAML2::Protocol::LogoutResponse;; |
|
3
|
|
|
|
|
1111
|
|
|
3
|
|
|
|
|
116
|
|
23
|
3
|
|
|
3
|
|
1662
|
use Net::SAML2::Protocol::Assertion; |
|
3
|
|
|
|
|
15
|
|
|
3
|
|
|
|
|
139
|
|
24
|
3
|
|
|
3
|
|
1851
|
use Net::SAML2::Protocol::Artifact; |
|
3
|
|
|
|
|
11
|
|
|
3
|
|
|
|
|
132
|
|
25
|
3
|
|
|
3
|
|
1735
|
use Net::SAML2::Protocol::ArtifactResolve; |
|
3
|
|
|
|
|
1211
|
|
|
3
|
|
|
|
|
158
|
|
26
|
|
|
|
|
|
|
|
27
|
|
|
|
|
|
|
1; |
28
|
|
|
|
|
|
|
|
29
|
|
|
|
|
|
|
__END__ |
30
|
|
|
|
|
|
|
|
31
|
|
|
|
|
|
|
=pod |
32
|
|
|
|
|
|
|
|
33
|
|
|
|
|
|
|
=encoding UTF-8 |
34
|
|
|
|
|
|
|
|
35
|
|
|
|
|
|
|
=head1 NAME |
36
|
|
|
|
|
|
|
|
37
|
|
|
|
|
|
|
Net::SAML2 - SAML2 bindings and protocol implementation |
38
|
|
|
|
|
|
|
|
39
|
|
|
|
|
|
|
=head1 VERSION |
40
|
|
|
|
|
|
|
|
41
|
|
|
|
|
|
|
version 0.72 |
42
|
|
|
|
|
|
|
|
43
|
|
|
|
|
|
|
=head1 SYNOPSIS |
44
|
|
|
|
|
|
|
|
45
|
|
|
|
|
|
|
See TUTORIAL.md for implementation documentation and |
46
|
|
|
|
|
|
|
t/12-full-client.t for a pseudo implementation following the tutorial |
47
|
|
|
|
|
|
|
|
48
|
|
|
|
|
|
|
# generate a redirect off to the IdP: |
49
|
|
|
|
|
|
|
|
50
|
|
|
|
|
|
|
my $idp = Net::SAML2::IdP->new($IDP); |
51
|
|
|
|
|
|
|
my $sso_url = $idp->sso_url('urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'); |
52
|
|
|
|
|
|
|
|
53
|
|
|
|
|
|
|
my $authnreq = Net::SAML2::Protocol::AuthnRequest->new( |
54
|
|
|
|
|
|
|
issuer => 'http://localhost:3000/metadata.xml', |
55
|
|
|
|
|
|
|
destination => $sso_url, |
56
|
|
|
|
|
|
|
nameid_format => $idp->format('persistent'), |
57
|
|
|
|
|
|
|
)->as_xml; |
58
|
|
|
|
|
|
|
|
59
|
|
|
|
|
|
|
my $authnreq = Net::SAML2::Protocol::AuthnRequest->new( |
60
|
|
|
|
|
|
|
id => 'NETSAML2_Crypt::OpenSSL::Random::random_pseudo_bytes(16), |
61
|
|
|
|
|
|
|
issuer => $self->{id}, # Service Provider (SP) Entity ID |
62
|
|
|
|
|
|
|
destination => $sso_url, # Identity Provider (IdP) SSO URL |
63
|
|
|
|
|
|
|
provider_name => $provider_name, # Service Provider (SP) Human Readable Name |
64
|
|
|
|
|
|
|
issue_instant => DateTime->now, # Defaults to Current Time |
65
|
|
|
|
|
|
|
); |
66
|
|
|
|
|
|
|
|
67
|
|
|
|
|
|
|
my $request_id = $authnreq->id; # Store and Compare to InResponseTo |
68
|
|
|
|
|
|
|
|
69
|
|
|
|
|
|
|
# or |
70
|
|
|
|
|
|
|
|
71
|
|
|
|
|
|
|
my $request_id = 'NETSAML2_' . unpack 'H*', Crypt::OpenSSL::Random::random_pseudo_bytes(16); |
72
|
|
|
|
|
|
|
|
73
|
|
|
|
|
|
|
my $authnreq = Net::SAML2::Protocol::AuthnRequest->as_xml( |
74
|
|
|
|
|
|
|
id => $request_id, # Unique Request ID will be returned in response |
75
|
|
|
|
|
|
|
issuer => $self->{id}, # Service Provider (SP) Entity ID |
76
|
|
|
|
|
|
|
destination => $sso_url, # Identity Provider (IdP) SSO URL |
77
|
|
|
|
|
|
|
provider_name => $provider_name, # Service Provider (SP) Human Readable Name |
78
|
|
|
|
|
|
|
issue_instant => DateTime->now, # Defaults to Current Time |
79
|
|
|
|
|
|
|
); |
80
|
|
|
|
|
|
|
|
81
|
|
|
|
|
|
|
my $redirect = Net::SAML2::Binding::Redirect->new( |
82
|
|
|
|
|
|
|
key => '/path/to/SPsign-nopw-key.pem', |
83
|
|
|
|
|
|
|
url => $sso_url, |
84
|
|
|
|
|
|
|
param => 'SAMLRequest' OR 'SAMLResponse', |
85
|
|
|
|
|
|
|
cert => '/path/to/IdP-cert.pem' |
86
|
|
|
|
|
|
|
); |
87
|
|
|
|
|
|
|
|
88
|
|
|
|
|
|
|
my $url = $redirect->sign($authnreq); |
89
|
|
|
|
|
|
|
|
90
|
|
|
|
|
|
|
my $ret = $redirect->verify($url); |
91
|
|
|
|
|
|
|
|
92
|
|
|
|
|
|
|
# handle the POST back from the IdP, via the browser: |
93
|
|
|
|
|
|
|
|
94
|
|
|
|
|
|
|
my $post = Net::SAML2::Binding::POST->new; |
95
|
|
|
|
|
|
|
my $ret = $post->handle_response( |
96
|
|
|
|
|
|
|
$saml_response |
97
|
|
|
|
|
|
|
); |
98
|
|
|
|
|
|
|
|
99
|
|
|
|
|
|
|
if ($ret) { |
100
|
|
|
|
|
|
|
my $assertion = Net::SAML2::Protocol::Assertion->new_from_xml( |
101
|
|
|
|
|
|
|
xml => decode_base64($saml_response), |
102
|
|
|
|
|
|
|
key_file => "SP-Private-Key.pem", # Required for EncryptedAssertions |
103
|
|
|
|
|
|
|
cacert => "IdP-cacert.pem", # Required for EncryptedAssertions |
104
|
|
|
|
|
|
|
); |
105
|
|
|
|
|
|
|
|
106
|
|
|
|
|
|
|
# ... |
107
|
|
|
|
|
|
|
} |
108
|
|
|
|
|
|
|
|
109
|
|
|
|
|
|
|
=head1 DESCRIPTION |
110
|
|
|
|
|
|
|
|
111
|
|
|
|
|
|
|
Support for the Web Browser SSO profile of SAML2. |
112
|
|
|
|
|
|
|
|
113
|
|
|
|
|
|
|
Net::SAML2 correctly perform the SSO process against numerous SAML |
114
|
|
|
|
|
|
|
Identity Providers (IdPs). It has been tested against: |
115
|
|
|
|
|
|
|
|
116
|
|
|
|
|
|
|
Version 0.54 and newer support EncryptedAssertions. No changes required to existing |
117
|
|
|
|
|
|
|
SP applications if EncryptedAssertions are not in use. |
118
|
|
|
|
|
|
|
|
119
|
|
|
|
|
|
|
=over |
120
|
|
|
|
|
|
|
|
121
|
|
|
|
|
|
|
=item Auth0 (requires Net::SAML2 >=0.39) |
122
|
|
|
|
|
|
|
|
123
|
|
|
|
|
|
|
=item Azure (Microsoft Office 365) |
124
|
|
|
|
|
|
|
|
125
|
|
|
|
|
|
|
=item GSuite (Google) |
126
|
|
|
|
|
|
|
|
127
|
|
|
|
|
|
|
=item Jump |
128
|
|
|
|
|
|
|
|
129
|
|
|
|
|
|
|
=item Keycloak |
130
|
|
|
|
|
|
|
|
131
|
|
|
|
|
|
|
=item Mircosoft ADFS |
132
|
|
|
|
|
|
|
|
133
|
|
|
|
|
|
|
=item Okta |
134
|
|
|
|
|
|
|
|
135
|
|
|
|
|
|
|
=item OneLogin |
136
|
|
|
|
|
|
|
|
137
|
|
|
|
|
|
|
=item PingIdentity (requires Net::SAML2 >=0.54) |
138
|
|
|
|
|
|
|
|
139
|
|
|
|
|
|
|
=item SAMLTEST.ID (requires Net::SAML2 >=0.63) |
140
|
|
|
|
|
|
|
|
141
|
|
|
|
|
|
|
=item Shibboleth (requires Net::SAML2 >=0.63) |
142
|
|
|
|
|
|
|
|
143
|
|
|
|
|
|
|
=item SimpleSAMLphp |
144
|
|
|
|
|
|
|
|
145
|
|
|
|
|
|
|
=back |
146
|
|
|
|
|
|
|
|
147
|
|
|
|
|
|
|
=head1 MAJOR CAVEATS |
148
|
|
|
|
|
|
|
|
149
|
|
|
|
|
|
|
=over |
150
|
|
|
|
|
|
|
|
151
|
|
|
|
|
|
|
=item SP-side protocol only |
152
|
|
|
|
|
|
|
|
153
|
|
|
|
|
|
|
=item Requires XML metadata from the IdP |
154
|
|
|
|
|
|
|
|
155
|
|
|
|
|
|
|
=back |
156
|
|
|
|
|
|
|
|
157
|
|
|
|
|
|
|
=head1 AUTHORS |
158
|
|
|
|
|
|
|
|
159
|
|
|
|
|
|
|
=over 4 |
160
|
|
|
|
|
|
|
|
161
|
|
|
|
|
|
|
=item * |
162
|
|
|
|
|
|
|
|
163
|
|
|
|
|
|
|
Chris Andrews <chrisa@cpan.org> |
164
|
|
|
|
|
|
|
|
165
|
|
|
|
|
|
|
=item * |
166
|
|
|
|
|
|
|
|
167
|
|
|
|
|
|
|
Timothy Legge <timlegge@gmail.com> |
168
|
|
|
|
|
|
|
|
169
|
|
|
|
|
|
|
=back |
170
|
|
|
|
|
|
|
|
171
|
|
|
|
|
|
|
=head1 COPYRIGHT AND LICENSE |
172
|
|
|
|
|
|
|
|
173
|
|
|
|
|
|
|
This software is copyright (c) 2023 by Venda Ltd, see the CONTRIBUTORS file for others. |
174
|
|
|
|
|
|
|
|
175
|
|
|
|
|
|
|
This is free software; you can redistribute it and/or modify it under |
176
|
|
|
|
|
|
|
the same terms as the Perl 5 programming language system itself. |
177
|
|
|
|
|
|
|
|
178
|
|
|
|
|
|
|
=cut |