Add RequestedAuthnContext (#413)

* Add support for RequestedAuthnContext

Co-authored-by: David Venhoek <[email protected]>

Author: atezet

samlsp/new.go

@@ -14,20 +14,21 @@ import (
 
 // Options represents the parameters for creating a new middleware
 type Options struct {
-	EntityID            string
-	URL                 url.URL
-	Key                 *rsa.PrivateKey
-	Certificate         *x509.Certificate
-	Intermediates       []*x509.Certificate
-	HTTPClient          *http.Client
-	AllowIDPInitiated   bool
-	DefaultRedirectURI  string
-	IDPMetadata         *saml.EntityDescriptor
-	SignRequest         bool
-	UseArtifactResponse bool
-	ForceAuthn          bool // TODO(ross): this should be *bool
-	CookieSameSite      http.SameSite
-	RelayStateFunc      func(w http.ResponseWriter, r *http.Request) string
+	EntityID              string
+	URL                   url.URL
+	Key                   *rsa.PrivateKey
+	Certificate           *x509.Certificate
+	Intermediates         []*x509.Certificate
+	HTTPClient            *http.Client
+	AllowIDPInitiated     bool
+	DefaultRedirectURI    string
+	IDPMetadata           *saml.EntityDescriptor
+	SignRequest           bool
+	UseArtifactResponse   bool
+	ForceAuthn            bool // TODO(ross): this should be *bool
+	RequestedAuthnContext *saml.RequestedAuthnContext
+	CookieSameSite        http.SameSite
+	RelayStateFunc        func(w http.ResponseWriter, r *http.Request) string
 }
 
 // DefaultSessionCodec returns the default SessionCodec for the provided options,
@@ -102,19 +103,20 @@ func DefaultServiceProvider(opts Options) saml.ServiceProvider {
 	}
 
 	return saml.ServiceProvider{
-		EntityID:           opts.EntityID,
-		Key:                opts.Key,
-		Certificate:        opts.Certificate,
-		HTTPClient:         opts.HTTPClient,
-		Intermediates:      opts.Intermediates,
-		MetadataURL:        *metadataURL,
-		AcsURL:             *acsURL,
-		SloURL:             *sloURL,
-		IDPMetadata:        opts.IDPMetadata,
-		ForceAuthn:         forceAuthn,
-		SignatureMethod:    signatureMethod,
-		AllowIDPInitiated:  opts.AllowIDPInitiated,
-		DefaultRedirectURI: opts.DefaultRedirectURI,
+		EntityID:              opts.EntityID,
+		Key:                   opts.Key,
+		Certificate:           opts.Certificate,
+		HTTPClient:            opts.HTTPClient,
+		Intermediates:         opts.Intermediates,
+		MetadataURL:           *metadataURL,
+		AcsURL:                *acsURL,
+		SloURL:                *sloURL,
+		IDPMetadata:           opts.IDPMetadata,
+		ForceAuthn:            forceAuthn,
+		RequestedAuthnContext: opts.RequestedAuthnContext,
+		SignatureMethod:       signatureMethod,
+		AllowIDPInitiated:     opts.AllowIDPInitiated,
+		DefaultRedirectURI:    opts.DefaultRedirectURI,
 	}
 }
 

schema.go

@@ -11,6 +11,24 @@ import (
 	"github.com/russellhaering/goxmldsig/etreeutils"
 )
 
+// RequestedAuthnContext represents the SAML object of the same name, an indication of the
+// requirements on the authentication process.
+type RequestedAuthnContext struct {
+	XMLName              xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:protocol RequestedAuthnContext"`
+	Comparison           string   `xml:",attr"`
+	AuthnContextClassRef string   `xml:"urn:oasis:names:tc:SAML:2.0:assertion AuthnContextClassRef"`
+}
+
+// Element returns an etree.Element representing the object in XML form.
+func (r *RequestedAuthnContext) Element() *etree.Element {
+	el := etree.NewElement("samlp:RequestedAuthnContext")
+	el.CreateAttr("Comparison", r.Comparison)
+	elContext := etree.NewElement("saml:AuthnContextClassRef")
+	elContext.SetText(r.AuthnContextClassRef)
+	el.AddChild(elContext)
+	return el
+}
+
 // AuthnRequest represents the SAML object of the same name, a request from a service provider
 // to authenticate a user.
 //
@@ -26,10 +44,10 @@ type AuthnRequest struct {
 	Issuer       *Issuer   `xml:"urn:oasis:names:tc:SAML:2.0:assertion Issuer"`
 	Signature    *etree.Element
 
-	Subject      *Subject
-	NameIDPolicy *NameIDPolicy `xml:"urn:oasis:names:tc:SAML:2.0:protocol NameIDPolicy"`
-	Conditions   *Conditions
-	//RequestedAuthnContext *RequestedAuthnContext // TODO
+	Subject               *Subject
+	NameIDPolicy          *NameIDPolicy `xml:"urn:oasis:names:tc:SAML:2.0:protocol NameIDPolicy"`
+	Conditions            *Conditions
+	RequestedAuthnContext *RequestedAuthnContext
 	//Scoping               *Scoping // TODO
 
 	ForceAuthn                     *bool  `xml:",attr"`
@@ -159,7 +177,6 @@ func (r *LogoutRequest) Deflate() ([]byte, error) {
 	return b.Bytes(), nil
 }
 
-// Element returns an etree.Element representing the object
 // Element returns an etree.Element representing the object in XML form.
 func (r *AuthnRequest) Element() *etree.Element {
 	el := etree.NewElement("samlp:AuthnRequest")
@@ -189,9 +206,9 @@ func (r *AuthnRequest) Element() *etree.Element {
 	if r.Conditions != nil {
 		el.AddChild(r.Conditions.Element())
 	}
-	//if r.RequestedAuthnContext != nil {
-	//	el.AddChild(r.RequestedAuthnContext.Element())
-	//}
+	if r.RequestedAuthnContext != nil {
+		el.AddChild(r.RequestedAuthnContext.Element())
+	}
 	//if r.Scoping != nil {
 	//	el.AddChild(r.Scoping.Element())
 	//}

schema_test.go

@@ -95,6 +95,19 @@ func TestAuthnStatementMarshalWithoutSessionNotOnOrAfter(t *testing.T) {
 	assert.Check(t, is.DeepEqual(expected, actual))
 }
 
+func TestRequestedAuthnContext(t *testing.T) {
+	expected := RequestedAuthnContext{
+		Comparison: "comparison",
+	}
+
+	doc := etree.NewDocument()
+	doc.SetRoot(expected.Element())
+	x, err := doc.WriteToBytes()
+	assert.Check(t, err)
+	assert.Check(t, is.Equal(`<samlp:RequestedAuthnContext Comparison="comparison"><saml:AuthnContextClassRef/></samlp:RequestedAuthnContext>`,
+		string(x)))
+}
+
 func TestArtifactResolveElement(t *testing.T) {
 	issueInstant := time.Date(2020, 7, 21, 12, 30, 45, 0, time.UTC)
 	expected := ArtifactResolve{

service_provider.go

@@ -102,6 +102,10 @@ type ServiceProvider struct {
 	// has a SSO session at the IdP.
 	ForceAuthn *bool
 
+	// RequestedAuthnContext allow you to specify the requested authentication
+	// context in authentication requests
+	RequestedAuthnContext *RequestedAuthnContext
+
 	// AllowIdpInitiated
 	AllowIDPInitiated bool
 
@@ -407,7 +411,8 @@ func (sp *ServiceProvider) MakeAuthenticationRequest(idpURL string, binding stri
 			// urn:oasis:names:tc:SAML:2.0:nameid-format:transient
 			Format: &nameIDFormat,
 		},
-		ForceAuthn: sp.ForceAuthn,
+		ForceAuthn:            sp.ForceAuthn,
+		RequestedAuthnContext: sp.RequestedAuthnContext,
 	}
 	// We don't need to sign the XML document if the IDP uses HTTP-Redirect binding
 	if len(sp.SignatureMethod) > 0 && binding == HTTPPostBinding {