Skip to content

Commit

Permalink
feat: add support for encrypted assertions
Browse files Browse the repository at this point in the history
  • Loading branch information
hf committed Aug 30, 2024
1 parent c6efec4 commit b614d68
Show file tree
Hide file tree
Showing 2 changed files with 6 additions and 1 deletion.
2 changes: 1 addition & 1 deletion internal/api/saml.go
Original file line number Diff line number Diff line change
Expand Up @@ -89,7 +89,7 @@ func (a *API) SAMLMetadata(w http.ResponseWriter, r *http.Request) error {
var keyDescriptors []saml.KeyDescriptor

for _, kd := range spd.KeyDescriptors {
if kd.Use == "signing" {
if kd.Use == "signing" || (a.config.SAML.AllowEncryptedAssertions && kd.Use == "encryption") {
keyDescriptors = append(keyDescriptors, kd)
}
}
Expand Down
5 changes: 5 additions & 0 deletions internal/conf/saml.go
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@ import (
type SAMLConfiguration struct {
Enabled bool `json:"enabled"`
PrivateKey string `json:"-" split_words:"true"`
AllowEncryptedAssertions bool `json:"allow_encrypted_assertions" split_words:"true"`
RelayStateValidityPeriod time.Duration `json:"relay_state_validity_period" split_words:"true"`

RSAPrivateKey *rsa.PrivateKey `json:"-"`
Expand Down Expand Up @@ -111,6 +112,10 @@ func (c *SAMLConfiguration) PopulateFields(externalURL string) error {
},
}

if c.AllowEncryptedAssertions {
certTemplate.KeyUsage = certTemplate.KeyUsage | x509.KeyUsageDataEncipherment
}

certDer, err := x509.CreateCertificate(nil, certTemplate, certTemplate, c.RSAPublicKey, c.RSAPrivateKey)
if err != nil {
return err
Expand Down

0 comments on commit b614d68

Please sign in to comment.