Wednesday, 19 March 2025

crewJawSAML middleware

 

Understanding authMiddleware and samlMiddleware in SAML SP Authentication

In our Go SAML SP setup, we have two middlewares that handle authentication:

  1. samlMiddleware (from samlsp.New) → Handles SAML authentication, session management, and IdP interactions.
  2. authMiddleware (custom middleware) → Stores and restores the original request before authentication.

1️⃣ samlMiddleware – Handles SAML Authentication

This middleware is created using:

go
samlMiddleware, err := samlsp.New(samlsp.Options{
    URL:         *urlMustParse(spEntityID),
    Key:         keyPair.PrivateKey.(*rsa.PrivateKey),
    Certificate: keyPair.Leaf,
    IDPMetadata: getIDPMetadata(),
})

What it does:

  • Redirects users to the IdP if not authenticated.
  • Validates SAML assertions after login.
  • Stores user session (e.g., NameID, attributes).
  • Provides an endpoint /saml/ to handle SAML requests & responses.

🔹 How it works in routing:

go
http.Handle("/saml/", samlMiddleware) // Handles SAML authentication flow

2️⃣ authMiddleware – Stores and Restores Original Request

This is a custom middleware that:

  1. Saves the original request URL before redirecting to the IdP.
  2. Passes control to samlMiddleware for authentication.
  3. After successful login, redirects the user back to the stored URL.

Code:

go
authMiddleware := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
    storeOriginalRequest(w, r) // Save original request
    samlMiddleware.RequireAccount(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
        http.Redirect(w, r, getOriginalRequest(r), http.StatusFound)
    })).ServeHTTP(w, r)
})

🔹 What it does step-by-step:

  1. Intercepts the request before authentication.
  2. Stores the original request URL (so we can return after login).
  3. Passes the request to samlMiddleware.RequireAccount, which:
    • Redirects to the IdP if the user is not authenticated.
    • Lets the request pass if the user is authenticated.
  4. After successful authentication, redirects back to the original request.

🔹 How it works in routing:

go
http.Handle("/secure", authMiddleware) // Protects "/secure"




FUll implementation 



Updated Project Structure


bash
/saml-sp-project
│── main.go              # Entry point, initializes the Gin server
│── sp.go                # SAML SP setup (Service Provider initialization)
│── auth_middleware.go   # Middleware for authentication
│── middleware.go        # Handles session storage (original request)
│── sp-cert.pem          # SP X.509 Certificate
│── sp-key.pem           # SP Private Key
│── go.mod               # Go module file
│── go.sum               # Go dependencies





1️⃣ Install Dependencies


First, make sure you have Gin and Gorilla Sessions installed:


bash
go get github.com/gin-gonic/gin
go get github.com/gorilla/sessions
go get github.com/crewjam/saml/samlsp





2️⃣ sp.go – SAML Service Provider Setup


This file initializes the SAML SP, loads the certificates, and defines the IdP metadata.


📝 sp.go


go
package main

import (
    "crypto/rsa"
    "crypto/tls"
    "crypto/x509"
    "encoding/pem"
    "log"

    "github.com/crewjam/saml"
    "github.com/crewjam/saml/samlsp"
)

// Load X.509 Certificate and Private Key
func loadCertificate(certPath, keyPath string) (*x509.Certificate, *rsa.PrivateKey, error) {
    certPEM, err := tls.LoadX509KeyPair(certPath, keyPath)
    if err != nil {
        return nil, nil, err
    }

    certBlock, _ := pem.Decode(certPEM.Certificate[0])
    if certBlock == nil {
        return nil, nil, err
    }

    cert, err := x509.ParseCertificate(certBlock.Bytes)
    if err != nil {
        return nil, nil, err
    }

    key, ok := certPEM.PrivateKey.(*rsa.PrivateKey)
    if !ok {
        return nil, nil, err
    }

    return cert, key, nil
}

// Define IdP Metadata
func getIDPMetadata() *saml.EntityDescriptor {
    idpCertPEM := `-----BEGIN CERTIFICATE-----
MIIC+TCCAeGgAwIBAgIJAPoVnx9vAgxwMA0GCSqGSIb3DQEBCwUAMFcxCzAJBgNV
...
-----END CERTIFICATE-----`

    return &saml.EntityDescriptor{
        EntityID: "https://idp.example.com",
        IDPSSODescriptor: &saml.IDPSSODescriptor{
            SingleSignOnServices: []saml.Endpoint{
                { Binding: saml.HTTPRedirectBinding, Location: "https://idp.example.com/sso/redirect" },
                { Binding: saml.HTTPPostBinding, Location: "https://idp.example.com/sso/post" },
            },
            SingleLogoutServices: []saml.Endpoint{
                { Binding: saml.HTTPRedirectBinding, Location: "https://idp.example.com/slo/redirect" },
                { Binding: saml.HTTPPostBinding, Location: "https://idp.example.com/slo/post" },
            },
            KeyDescriptors: []saml.KeyDescriptor{
                {
                    Use: "signing",
                    KeyInfo: saml.KeyInfo{
                        XMLName:  saml.XMLName{Local: "ds:KeyInfo"},
                        X509Data: &saml.X509Data{X509Certificates: []string{idpCertPEM}},
                    },
                },
            },
        },
    }
}

// Initialize SAML Service Provider
func InitSAMLSP() (*samlsp.Middleware, error) {
    cert, key, err := loadCertificate("sp-cert.pem", "sp-key.pem")
    if err != nil {
        return nil, err
    }

    sp := saml.ServiceProvider{
        EntityID: "https://myservice.example.com/metadata",
        Key:      key,
        Certificate: cert,
        AssertionConsumerServices: []saml.Endpoint{
            { Binding: saml.HTTPPostBinding, Location: "https://myservice.example.com/saml/acs" },
            { Binding: saml.HTTPRedirectBinding, Location: "https://myservice.example.com/saml/acs" },
        },
        SingleLogoutServices: []saml.Endpoint{
            { Binding: saml.HTTPPostBinding, Location: "https://myservice.example.com/saml/logout" },
            { Binding: saml.HTTPRedirectBinding, Location: "https://myservice.example.com/saml/logout" },
        },
        NameIDFormat: saml.EmailAddressNameIDFormat,
        IDPMetadata:  getIDPMetadata(),
    }

    return &samlsp.Middleware{ServiceProvider: sp}, nil
}





3️⃣ middleware.go – Session Management


This file stores and retrieves the original request using Gorilla Sessions.


📝 middleware.go


go
package main

import (
    "github.com/gin-gonic/gin"
    "github.com/gorilla/sessions"
)

var sessionStore = sessions.NewCookieStore([]byte("super-secret-key"))

// Store the original request URL in session
func storeOriginalRequest(c *gin.Context) {
    session, _ := sessionStore.Get(c.Request, "saml-session")
    session.Values["original_request"] = c.Request.URL.String()
    session.Save(c.Request, c.Writer)
}

// Retrieve the original request URL from session
func getOriginalRequest(c *gin.Context) string {
    session, _ := sessionStore.Get(c.Request, "saml-session")
    if originalURL, ok := session.Values["original_request"].(string); ok {
        return originalURL
    }
    return "/"
}





4️⃣ auth_middleware.go – Authentication Middleware


This middleware will:


    

  • Store the original request before authentication.
    • 

  • Redirect back to the original request after login.
    • 



📝 auth_middleware.go


go
package main

import (
    "github.com/gin-gonic/gin"
    "github.com/crewjam/saml/samlsp"
)

// Gin middleware for authentication
func authMiddleware(samlMiddleware *samlsp.Middleware) gin.HandlerFunc {
    return func(c *gin.Context) {
        storeOriginalRequest(c)
        samlMiddleware.RequireAccount(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
            originalRequest := getOriginalRequest(c)
            c.Redirect(302, originalRequest)
        })).ServeHTTP(c.Writer, c.Request)
        c.Abort()
    }
}





5️⃣ main.go – Gin Web Server


This file initializes the Gin server and registers the routes.


📝 main.go


go
package main

import (
    "log"
    "github.com/gin-gonic/gin"
    "github.com/crewjam/saml/samlsp"
)

func main() {
    r := gin.Default()
    
    samlMiddleware, err := InitSAMLSP()
    if err != nil {
        log.Fatalf("Failed to initialize SAML SP: %v", err)
    }

    // Secure route
    r.GET("/hello", authMiddleware(samlMiddleware), func(c *gin.Context) {
        user, _ := samlsp.SessionFromContext(c.Request.Context())
        c.String(200, "Hello, "+user.(samlsp.Session).GetNameID()+"!")
    })

    // Register SAML routes
    r.Any("/saml/*action", gin.WrapH(samlMiddleware))

    log.Println("Gin server started at :8000")
    r.Run(":8000")
}
Posted by at
Labels:

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)