perl-net-saml2
diff --git a/‎README‎
Lines changed: 1 addition & 0 deletions b/‎README‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎TUTORIAL.md‎
Lines changed: 1 addition & 1 deletion b/‎TUTORIAL.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎lib/Net/SAML2.pm‎
Lines changed: 2 additions & 0 deletions b/‎lib/Net/SAML2.pm‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎lib/Net/SAML2/Binding/Redirect.pm‎
Lines changed: 46 additions & 3 deletions b/‎lib/Net/SAML2/Binding/Redirect.pm‎
Lines changed: 46 additions & 3 deletions
diff --git a/‎lib/Net/SAML2/Protocol/LogoutRequest.pm‎
Lines changed: 4 additions & 1 deletion b/‎lib/Net/SAML2/Protocol/LogoutRequest.pm‎
Lines changed: 4 additions & 1 deletion
diff --git a/‎lib/Net/SAML2/SP.pm‎
Lines changed: 5 additions & 0 deletions b/‎lib/Net/SAML2/SP.pm‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎xt/testapp/.gitignore‎
Lines changed: 3 additions & 0 deletions b/‎xt/testapp/.gitignore‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎xt/testapp/README.md‎
Lines changed: 98 additions & 0 deletions b/‎xt/testapp/README.md‎
Lines changed: 98 additions & 0 deletions
diff --git a/‎xt/testapp/config.yml‎
Lines changed: 6 additions & 1 deletion b/‎xt/testapp/config.yml‎
Lines changed: 6 additions & 1 deletion
diff --git a/‎xt/testapp/lib/Saml2Test.pm‎
Lines changed: 47 additions & 13 deletions b/‎xt/testapp/lib/Saml2Test.pm‎
Lines changed: 47 additions & 13 deletions
@@ -80,6 +80,7 @@ DESCRIPTION
     Mircosoft ADFS
     Keycloak
     Auth0 (requires Net::SAML2 >=0.39)
+    PingIdentity
 
 NAME
     Net::SAML2 - SAML bindings and protocol implementation
 
@@ -463,7 +463,7 @@ this results in the following XML
           ISvnu1/xomsSS+aenG5toWmhoJIKFbfhQkpnBlgGD5+12Cxn2jHpgv15262ZZIJS
           WPp/0bQqdAAUzkJZPpUGUN1sTXPJexYT6na7XvLd6mvO1g+WDk6aZnW/zcT3T9tL
           Iavyic/p4gZtXckweq+VTn9CdZp6ZTQtVw==
- 
+
           </ds:X509Certificate>
         </ds:X509Data>
       </ds:KeyInfo>
 
@@ -98,6 +98,8 @@ Identity Providers (IdPs).  It has been tested against:
 
 =item Auth0 (requires Net::SAML2 >=0.39)
 
+=item PingIdentity
+
 =back
 
 =head1 MAJOR CAVEATS
 
@@ -17,6 +17,7 @@ Net::SAML2::Binding::Redirect
     url     => $sso_url,							# Service Provider Single Sign Out URL
     param   => 'SAMLRequest' OR 'SAMLResponse',		# Type of request
     cert    => $idp->cert('signing')				# Identity Provider (IdP) certificate
+    sig_hash => 'sha1', 'sha224', 'sha256', 'sha384', 'sha512'  # Signature to sign request
   );
 
   my $url = $redirect->sign($authnreq);
@@ -64,6 +65,16 @@ IdP's SSO (Single Sign Out) service url for the Redirect binding
 
 query param name to use (SAMLRequest, SAMLResponse)
 
+=item B<sig_hash>
+
+RSA hash to use to sign request
+
+Supported:
+
+sha1, sha224, sha256, sha384, sha512
+
+sha1 is current default but will change by version 44
+
 =back
 
 =cut
@@ -72,6 +83,7 @@ has 'key'   => (isa => 'Str', is => 'ro', required => 1);
 has 'cert'  => (isa => 'Str', is => 'ro', required => 1);
 has 'url'   => (isa => Uri, is => 'ro', required => 1, coerce => 1);
 has 'param' => (isa => 'Str', is => 'ro', required => 1);
+has 'sig_hash' => (isa => 'Str', is => 'ro', required => 0);
 
 =head2 sign( $request, $relaystate )
 
@@ -96,11 +108,30 @@ sub sign {
     my $u = URI->new($self->url);
     $u->query_param($self->param, $req);
     $u->query_param('RelayState', $relaystate) if defined $relaystate;
-    $u->query_param('SigAlg', 'http://www.w3.org/2000/09/xmldsig#rsa-sha1');
 
     my $key_string = read_file($self->key);
     my $rsa_priv = Crypt::OpenSSL::RSA->new_private_key($key_string);
 
+    if ( exists $self->{ sig_hash } && grep { $_ eq $self->{ sig_hash } } ('sha224', 'sha256', 'sha384', 'sha512'))
+    {
+        if ($self->{ sig_hash } eq 'sha224') {
+            $rsa_priv->use_sha224_hash;
+        } elsif ($self->{ sig_hash } eq 'sha256') {
+            $rsa_priv->use_sha256_hash;
+        } elsif ($self->{ sig_hash } eq 'sha384') {
+            $rsa_priv->use_sha384_hash;
+        } elsif ($self->{ sig_hash } eq 'sha512') {
+            $rsa_priv->use_sha512_hash;
+        } else {
+            die "Unsupported Signing Hash";
+        }
+        $u->query_param('SigAlg', 'http://www.w3.org/2001/04/xmldsig-more#rsa-' . $self->{ sig_hash });
+    }
+    else { #$self->{ sig_hash } eq 'sha1' or something unsupported
+        $rsa_priv->use_sha1_hash;
+        $u->query_param('SigAlg', 'http://www.w3.org/2000/09/xmldsig#rsa-sha1');
+    }
+
     my $to_sign = $u->query;
     my $sig = encode_base64($rsa_priv->sign($to_sign), '');
     $u->query_param('Signature', $sig);
@@ -123,12 +154,24 @@ sub verify {
 
     # verify the response
     my $sigalg = $u->query_param('SigAlg');
-    die "can't verify '$sigalg' signatures"
-         unless $sigalg eq 'http://www.w3.org/2000/09/xmldsig#rsa-sha1';
 
     my $cert = Crypt::OpenSSL::X509->new_from_string($self->cert);
     my $rsa_pub = Crypt::OpenSSL::RSA->new_public_key($cert->pubkey);
 
+    if ($sigalg eq 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256') {
+        $rsa_pub->use_sha256_hash;
+    } elsif ($sigalg eq 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha224') {
+        $rsa_pub->use_sha224_hash;
+    } elsif ($sigalg eq 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384') {
+        $rsa_pub->use_sha384_hash;
+    } elsif ($sigalg eq 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512') {
+        $rsa_pub->use_sha512_hash;
+    } elsif ($sigalg eq 'http://www.w3.org/2000/09/xmldsig#rsa-sha1') {
+        $rsa_pub->use_sha1_hash;
+    } else {
+        die "Unsupported Signature Algorithim: $sigalg";
+    }
+
     my $sig = decode_base64($u->query_param_delete('Signature'));
     my $signed = $u->query;
     die "bad sig" unless $rsa_pub->verify($signed, $sig);
 
@@ -47,7 +47,8 @@ SP's identity URI
 
 =item B<destination>
 
-IdP's identity URI
+IdP's identity URI this is required for a signed message but likely should be
+sent regardless
 
 =back
 
@@ -56,6 +57,7 @@ IdP's identity URI
 has 'session'       => (isa => NonEmptySimpleStr, is => 'ro', required => 1);
 has 'nameid'        => (isa => NonEmptySimpleStr, is => 'ro', required => 1);
 has 'nameid_format' => (isa => NonEmptySimpleStr, is => 'ro', required => 1);
+has 'destination'   => (isa => NonEmptySimpleStr, is => 'ro', required => 0);
 
 =head2 new_from_xml( ... )
 
@@ -112,6 +114,7 @@ sub as_xml {
             $samlp,
             { ID => $self->id,
               IssueInstant => $self->issue_instant,
+              Destination => $self->destination,
               Version => '2.0' },
             $x->Issuer(
                 $saml,
 
@@ -339,6 +339,11 @@ sub metadata {
                 { Binding => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
                   Location  => $self->url . '/saml/sls-redirect-response' },
             ),
+            $x->SingleLogoutService(
+                $md,
+                { Binding => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
+                  Location  => $self->url . '/saml/sls-post-response' },
+            ),
             $x->AssertionConsumerService(
                 $md,
                 { Binding => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
 
@@ -0,0 +1,3 @@
+metadata-*.xml
+saml_cacert-*.pem
+logs/*
@@ -0,0 +1,98 @@
+# Saml2Test Application
+
+The Saml2Test application was created to allow the developers to test a SAML2 Service Provider (SP) application against an Identity Provider (IdP).  The application allows you to:
+
+   1. Produce a SP metadata.xml that can be uploaded to an Identity Provider
+   2. Login via a SAML2 AuthnRequest
+   3. Access user attributes provided in the SAML2 Assertion
+   3. Logout via a SAML2 LogoutRequest
+
+## Required Steps
+
+### Create host file entry
+
+The config.yml is configured for the testapp to be available at: https://netsaml2-testapp.local.  Add the following to your /etc/hosts entry (or the equivalent on windows).
+
+127.0.0.1   netsaml2-testapp.local   netsaml2-testapp
+
+### Generate new Service Provider (SP) signing Key and Certificate
+
+This is optional - you can generate your own certificates or use the existing certificates from the git repository.
+
+   1. openssl req -x509 -nodes -newkey rsa:4096 -keyout sign-private.pem -out sign-certonly.pem -days 36500
+   2. cat sign-certonly.pem sign-private.pem > sign-nopw-cert.pem
+
+### Start the Saml2Test application
+
+   1. cd xt/testapp
+   2. perl Saml2Test.pl
+
+The application starts and accepts browser connections on port 3000:
+
+Access http://localhost:3000
+
+### Run lighttpd to proxy https to the Saml2Test application
+
+Many SAML2 Identity Providers will not allow the application (Service Provider) URL to be http and force you to specify https to use SAML2.  lighttpd is used to listen on port 443 and use https protocol so that the Identity Provider can redirect or POST to a https site.  lighttpd then proxies that communication to the Dancer application listening on port 3000.
+
+   1. cd xt/testapp
+   2. sudo lighttpd -D -f lighttpd.conf
+
+Note that the command requires sudo to allow it to use the default https port of 443.
+
+TODO: maybe change it to use 8443
+
+### Create your metadata.xml file
+
+Download the metadata for you configured application from your Identity Provider and save it to:
+
+    xt/testapp/metadata.xml
+
+### Run lighttpd to deliver metadata.xml
+
+Net::SAML2 requires access to a URL containing the metadata.  The simplest method to provide this is to run the provided lighttpd-metadata.conf file:
+
+   1. cd xt/testapp
+   2. lighttpd -D -f lighttpd-metadata.conf
+
+The metadata has been configured to be available at: http://localhost:8880/metadata.xml.
+
+Note that the configuration attempts to only deliver a file named metadata.xml from the xt/testapp directory.  There are no guarantees - this is a test application so verify your own security.
+
+### Access the testapp to download the application metadata
+
+Saml2Test provides a metadata.xml for the Application that can be used to upload to the Identity Provider to make the configuration simpler.
+
+   1. Access http://localhost:3000
+   2. Click *SP Metadata* to download the metadata.xml
+   3. Save the metadata.xml file for upload to the Identity Provider
+
+### Configure your Identity Provider
+
+Depending on the Identity Provider this can range from simple to easy.  For testing purposes most Identity Providers will provide a free developer account.  Some require you to define users first, others will simply allow you to use whatever your admin user is as a SAML user.
+
+If there is an option to upload the metadata.xml that is probably your first step as it will set most configuration items properly for you.
+
+Saml2Test expects the Identity Provider to provide an assertion with the following values:
+
+   1. DN
+   2. CN
+   3. EmailAddress
+   4. FirstName
+   5. Address
+   6. Phone
+   7. EmployeeNumber
+
+Note that DN and CN (and others) may not be available.  That can be customized in views/user.tt if you want to choose other options.  However the Identity Provider must provide the assertion attributes that match the expected names in views/user.tt.
+
+## Debugging
+
+If you are making changes to Net::SAML2 and want to use the Saml2Test to test those changes do the following:
+
+   1. Make the changes as required in Net::SAML2
+   2. perl Makefile.PL
+   3. make
+   4. cd xt/testapp
+   5. perl -I ../../blib/lib/ -I ../../blib/arch/ Saml2Test.pl
+
+That allows you to test against the version of Net::SAML2 that you are modifying.  Note that Dancer caches the version it started with including the Net::SAML2 module so you will need to restart Saml2Test.pl to test the changes you made.
@@ -2,4 +2,9 @@ layout: "main"
 #logger: "console"
 appname: "Saml2Test"
 
-idp: "http://sso.dev.venda.com/opensso/saml2/jsp/exportmetadata.jsp"
+idp: "http://localhost:8880/metadata.xml"
+issuer: "https://netsaml2-testapp.local"
+url: "https://netsaml2-testapp.local"
+cert: "sign-certonly.pem"
+key: "sign-nopw-cert.pem"
+cacert: "saml_cacert.pem"
@@ -3,7 +3,7 @@ package                         # PAUSE hide
 use strict;
 use warnings;
 
-=head1 NAME 
+=head1 NAME
 
 Saml2Test - test Dancer app for Net::SAML2
 
@@ -16,6 +16,7 @@ Demo app to show use of Net::SAML2 as an SP.
 use Dancer ':syntax';
 use Net::SAML2;
 use MIME::Base64 qw/ decode_base64 /;
+use URI::Encode;
 
 our $VERSION = '0.1';
 
@@ -27,7 +28,7 @@ get '/login' => sub {
     my $idp = _idp();
     my $sp = _sp();
     my $authnreq = $sp->authn_request(
-        $idp->entityid,
+        $idp->sso_url('urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'),
         $idp->format, # default format.
     )->as_xml;
 
@@ -47,7 +48,10 @@ get '/logout-redirect' => sub {
     my $sp = _sp();
 
     my $logoutreq = $sp->logout_request(
-        $idp->entityid, params->{nameid}, $idp->format, params->{session}
+        $idp->slo_url('urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'),
+        params->{nameid},
+        $idp->format,
+        params->{session}
     )->as_xml;
 
     my $redirect = $sp->slo_redirect_binding($idp, 'SAMLRequest');
@@ -88,7 +92,7 @@ post '/consumer-post' => sub {
     my $ret = $post->handle_response(
         params->{SAMLResponse}
     );
-        
+
     if ($ret) {
         my $assertion = Net::SAML2::Protocol::Assertion->new_from_xml(
             xml => decode_base64(params->{SAMLResponse})
@@ -123,7 +127,7 @@ get '/consumer-artifact' => sub {
         my $assertion = Net::SAML2::Protocol::Assertion->new_from_xml(
             xml => $response
         );
-                
+
         template 'user', { assertion => $assertion };
     }
     else {
@@ -137,26 +141,56 @@ get '/sls-redirect-response' => sub {
 
     my $sp = _sp();
     my $redirect = $sp->slo_redirect_binding($idp, 'SAMLResponse');
-    my ($response, $relaystate) = $redirect->verify(request->request_uri);
-        
+
+    my $uri     = URI::Encode->new( { encode_reserved => 0 } );
+    my ($response, $relaystate) = $redirect->verify($uri->decode(request->request_uri));
+
     redirect $relaystate || '/', 302;
     return "Redirected\n";
 };
 
+post '/sls-post-response' => sub {
+    my $idp = _idp();
+    my $idp_cert = $idp->cert('signing');
+
+    my $sp = _sp();
+    my $post = $sp->post_binding(cacert => $idp_cert);
+
+    my $ret = $post->handle_response(
+        params->{SAMLResponse},
+    );
+
+    if ($ret) {
+        my $logout = Net::SAML2::Protocol::LogoutResponse->new_from_xml(
+            xml => decode_base64(params->{SAMLResponse})
+        );
+        if ($logout->status eq 'urn:oasis:names:tc:SAML:2.0:status:Success') {
+            print STDERR "Logout Success Status\n";
+        }
+    }
+    else {
+        return "<html><pre>Bad Logout Response</pre></html>";
+    }
+
+    redirect '/', 302;
+    return "Redirected\n";
+};
+
 get '/metadata.xml' => sub {
+    content_type 'application/octet-stream';
     my $sp = _sp();
     return $sp->metadata;
 };
 
 sub _sp {
     my $sp = Net::SAML2::SP->new(
-        id     => 'http://localhost:3000',
-        url    => 'http://localhost:3000',
-        cert   => 'sign-nopw-cert.pem',
-        key    => 'sign-nopw-cert.pem',
-        cacert => 'saml_cacert.pem',
+        id     => config->{issuer},
+        url    => config->{url},
+        cert   => config->{cert},
+        key    => config->{key},
+        cacert => config->{cacert},
 
-        org_name	 => 'Saml2Test',
+        org_name	 => 'Net::SAML2 Saml2Test',
         org_display_name => 'Saml2Test app for Net::SAML2',
         org_contact	 => 'saml2test@example.com',
     );
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+metadata-*.xml`
	`2`	`+saml_cacert-*.pem`
	`3`	`+logs/*`