Documentation

Consider rate-limiting these end-points to mitigate DOS attacks. APIAuthReq uses database space, and APIAuthResp uses both database space and CPU.

2/3.5.4

An AuthnResponseBody contains a AuthnResponse, but you need to give it an SPId for IdP lookup and trust base for signature verification first. As a consequence, you will get the signature validation error when looking at it, but the type still guarantees that the signature verification cannot be circumvented.

The Issuer is an identifier of a SAML participant. In this case, it's the SP, ie., ourselves. For simplicity, we re-use the response URI here.

The URI that AuthnResponse values are delivered to (APIAuthResp).

Implies verification, hence the constraints and the optional service provider ID (needed for IdP lookup).

Pull assertions sub-forest and pass unparsed xml input to verify with a reference to each assertion individually. The input must be a valid AuthnResponse. All assertions need to be signed by the issuer given in the arguments using the same key.

The assertions are returned.

NEVER PROCESS AN ASSERTION NOT RETURNED BY A SIGNATURE VERifICATION FUNCTION.

simpleVerifyAuthnResponse ensures that the assertion list is non-empty, and (more importantly) that the IDs are unique accross the entire document we pass to the signature validation function. REASON: since we use xml-conduit as a parser here, and signature validation uses a different one, we can't guarantee that the assertions we return here are the ones of which we validated the signatures. this problem can get very real very quickly: https://github.blog/security/sign-in-as-anyone-bypassing-saml-sso-authentication-with-parser-differentials

Call verify and, if that fails, any work-arounds we have. Discard all errors from work-arounds, and throw the error from the regular verification.

ADFS illegally breaks whitespace after signing documents; here we try to fix that. https://github.com/wireapp/wire-server/issues/656 (This may also have been a copy&paste issue in customer support, but let's just leave it in just in case.)

Create authnreq, store it for comparison against assertions later, and return it in an HTTP redirect together with the IdP's URI.

authreq with request life expectancy defaulting to 8 hours.

parse and validate response, and pass the verdict to a user-provided verdict handler. the handler takes a response and a verdict (provided by this package), and can cause any effects in m and return anything it likes.

a variant of authresp with a less general verdict handler.

We support two cases: redirect with a cookie, and a generic response with arbitrary status, headers, and body. The latter case fits the ServerError type well, but we give it a more suitable name here.