store saml initial request url with session

 

Install Gorilla Sessions

First, install the Gorilla Sessions package:

bash
go get github.com/gorilla/sessions

---

2️⃣ Updated Implementation: Using Sessions Instead of Cookies

We'll modify the authentication middleware to:

• Store the original request URL in a session.
• Retrieve it after authentication.
• Redirect the user back to the original request.

📝 Full Go Code with Session Storage

go
package main

import (
    "crypto/rsa"
    "crypto/tls"
    "encoding/gob"
    "log"
    "net/http"
    "net/url"

    "github.com/crewjam/saml/samlsp"
    "github.com/gorilla/sessions"
)

// Create a session store (secure it with a secret key)
var sessionStore = sessions.NewCookieStore([]byte("super-secret-key"))

// Store original request in session before authentication
func storeOriginalRequest(w http.ResponseWriter, r *http.Request) {
    session, _ := sessionStore.Get(r, "saml-session")
    session.Values["original_request"] = r.URL.String()
    session.Save(r, w)
}

// Retrieve original request after authentication
func getOriginalRequest(r *http.Request) string {
    session, _ := sessionStore.Get(r, "saml-session")
    if originalURL, ok := session.Values["original_request"].(string); ok {
        return originalURL
    }
    return "/"
}

// Custom middleware to store and restore original request
func authMiddleware(next http.Handler) http.Handler {
    return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
        storeOriginalRequest(w, r)
        samlMiddleware.RequireAccount(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
            http.Redirect(w, r, getOriginalRequest(r), http.StatusFound)
        })).ServeHTTP(w, r)
    })
}

var samlMiddleware *samlsp.Middleware

func main() {
    // Register `string` type for session storage
    gob.Register(map[string]interface{}{})

    // Load SP certificate & key
    keyPair, err := tls.LoadX509KeyPair("sp-cert.pem", "sp-key.pem")
    if err != nil {
        log.Fatalf("Failed to load key pair: %v", err)
    }

    spEntityID := "https://myservice.example.com/metadata"
    spACSURL := "https://myservice.example.com/saml/acs"

    samlMiddleware, err = samlsp.New(samlsp.Options{
        URL:         *urlMustParse(spEntityID),
        Key:         keyPair.PrivateKey.(*rsa.PrivateKey),
        Certificate: keyPair.Leaf,
        IDPMetadata: getIDPMetadata(),
    })
    if err != nil {
        log.Fatalf("Failed to create SAML middleware: %v", err)
    }

    // Secure route using session-based request storage
    http.Handle("/secure", authMiddleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
        user, _ := samlsp.SessionFromContext(r.Context())
        w.Write([]byte("Hello, " + user.(samlsp.Session).GetNameID() + "!"))
    })))

    http.Handle("/saml/", samlMiddleware)

    log.Println("Server started at :8000")
    log.Fatal(http.ListenAndServe(":8000", nil))
}

func urlMustParse(raw string) *url.URL {
    u, err := url.Parse(raw)
    if err != nil {
        log.Fatalf("Invalid URL: %v", err)
    }
    return u
}

---

3️⃣ Why Use Sessions Instead of Cookies?

✅ More Secure:

• Session data is not exposed in the browser.
• Cookies can be intercepted or tampered with.

✅ Better for Large Data:

• Query parameters have size limits.
• Cookies have size limits (~4KB per domain).
• Session storage can hold more data.

✅ Supports Encrypted Storage:

• Gorilla Sessions supports secure, encrypted storage.

---

4️⃣ Testing the Flow

Step 1: User Visits a Protected Page

bash
GET /secure

🚀 What Happens?

• authMiddleware stores /secure in the session.