Is there a SAML library for The Go Language?
I see that the goauth and go-oauth OAuth libraries have been written for the Go Programming Language, but a couple of hours of searching online turns up nothing for SAML.

I would like to use Go to implement SSO support using SAML for a web service, but without a SAML library for Go it looks like I will have to "wrap" the SAML logic in a separate service, implemented in another language.

Does anyone know of a Go-friendly SAML library, or maybe some trick for using a Java, C, or PHP library from a Go program?

Rappee answered 7/9, 2012 at 2:11
You can wrap a C library really easily in Go using CGO. Details here: golang.org/doc/articles/c_go_cgo.html Irenairene
Thanks for the link! It's nice to know that I at least have the option of writing a Go wrapper for Lasso, for example. It would of course be nice if Google were to provide a SAML library for their language and save me the trouble.Rappee
If your SAML use case is simple enough you can implement it yourself with no library support pretty easily. Here is an example: sanatgersappa.blogspot.com/2012/11/…Workmanship
@Workmanship - that's hardly a usable saml implementation. It's roughly the equivalent of basic password auth, and most systems wouldn't allow that assertion.Liddell
I have used gosaml and it works pretty well, but there is also go-saml from Robots and Pencils.

I figured after a year, it would be good to answer this question because it would still be good to have some sort of answer here for people looking for SAML libraries for Go.

Kobayashi answered 7/9, 2015 at 21:22
Thanks for the links. For my purposes the go-saml project looks more useful, since in order to implement SAML SSO I'll need to generate SAML authRequests and validate SAML authResponses.Rappee
Sweet. I am glad that I could help in some sense. I have used both and both are pretty decent. Validation is always a fun thing to deal with.Kobayashi
I haven't seen a SAML implementation for Go, but you could use a server that already implements it in front of your app.

One of the best supported SAML implementations is Shibboleth. The Apache module is the most mature, and is probably the easiest method to use, since you just put your app behind a reverse proxy in Apache. There's also a FastCGI authenticator, which uses the same backend, but I can't speak for its ease of implementation.

If you just need a service provider, the simplest SAML binding is HTTP-POST-SimpleSign. I made a proof-of-concept implementation in Python, to try to demonstrate the simplest SP I could. I make no claims to the robustness of this module, but you can see that it could be done with not too much code. That's assuming the Identity Providers you're working with support this binding. And as always, be wary when deploying any custom security-related code.

Liddell answered 10/1, 2013 at 19:59
+1 for linking to a proof of concept implementation. It appears that your Assertion Checking Service (attached to relative URL /SSO) doesn't actually do anything except print the attributes of the "authResponse" security assertion - at the very least you should validate the IdP signature - but I take your point to be that it doesn't take much to generate an "authRequest" and catch the authResponse for further processing (& additional validation). True, but even if I only care about SSO login with POST bindings there are many details to get wrong when implementing from scratch.Rappee
@Rappee - agree, and that's why I never took this little lib any further. I wrote this a while back, but I remember it definitely verifying the IdP signature (via M2Crypto). You need the IdP's cert in pem, and saml.py:118 throws a SAML_Error if the sig fails. I haven't checked what is entailed for basic signing/verification in Go yet though.Liddell
In fact, I want my ACS to do a good deal more than simply validate the IdP signature, and one of the advantages of using a finished library (like SimpleSAMLphp, which I have used successfully to implement SP logic before) is that somebody has already built the machinery for handling "trust relationship metadata". I also know that I could build a reverse proxy to hide the "federated identity" implementation details from the rest of my application - the point is precisely that I would like to use Go to implement the proxy.Rappee
Ah, yes - federation requires a lot more work. My example assumes that the cert is exchanged via a secure side-channel, which is still a very common use case. Though my disclaimer for anyone else reading is still, don't use this code in production (or at least be very careful, and vet everything).Liddell
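An added example, not from the original answers and not Liddell's Python proof of concept, of what the HTTP-POST-SimpleSign check looks like in Go with only the standard library. The IdP key pair, the request ID, the ACS URL and the bare <samlp:Response> are constructed here; a real SP would take the public key from the IdP certificate exchanged out of band, as the answer describes. The signed string follows the binding: "SAMLResponse=" plus the raw XML (not the base64 form value), then "&RelayState=" if present, then "&SigAlg=". Besides the signature it pins the algorithm, checks InResponseTo against the ID the SP issued, and checks Destination against its own ACS URL.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/xml"
	"fmt"
)

// The only SigAlg this SP accepts; rejected before any crypto runs, so a
// response cannot steer the verifier onto a weaker algorithm.
const rsaSHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

// SimpleSignForm holds the POST form fields of an HTTP-POST-SimpleSign
// response. SAMLResponse and Signature are base64, as they arrive on the wire.
type SimpleSignForm struct {
	SAMLResponse string
	RelayState   string // optional
	SigAlg       string
	Signature    string
}

// signedString builds the octets the binding signs: the raw XML (not the
// base64 form value), then RelayState if present, then SigAlg.
func signedString(rawXML, relayState, sigAlg string) []byte {
	s := "SAMLResponse=" + rawXML
	if relayState != "" {
		s += "&RelayState=" + relayState
	}
	s += "&SigAlg=" + sigAlg
	return []byte(s)
}

// SignResponse is the IdP side, included only to produce input offline.
func SignResponse(idpKey *rsa.PrivateKey, rawXML, relayState string) (SimpleSignForm, error) {
	h := sha256.Sum256(signedString(rawXML, relayState, rsaSHA256))
	sig, err := rsa.SignPKCS1v15(rand.Reader, idpKey, crypto.SHA256, h[:])
	if err != nil {
		return SimpleSignForm{}, err
	}
	return SimpleSignForm{
		SAMLResponse: base64.StdEncoding.EncodeToString([]byte(rawXML)),
		RelayState:   relayState,
		SigAlg:       rsaSHA256,
		Signature:    base64.StdEncoding.EncodeToString(sig),
	}, nil
}

// responseHeader is the subset of <samlp:Response> attributes checked here.
type responseHeader struct {
	XMLName      xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:protocol Response"`
	InResponseTo string   `xml:"InResponseTo,attr"`
	Destination  string   `xml:"Destination,attr"`
}

// VerifyResponse is the SP side: algorithm pin, signature over the rebuilt
// SimpleSign string, then InResponseTo and Destination. Returns the raw
// Response XML for assertion processing on success.
func VerifyResponse(idpPub *rsa.PublicKey, f SimpleSignForm, issuedRequestID, acsURL string) (string, error) {
	if f.SigAlg != rsaSHA256 {
		return "", fmt.Errorf("unsupported SigAlg %q", f.SigAlg)
	}
	rawXML, err := base64.StdEncoding.DecodeString(f.SAMLResponse)
	if err != nil {
		return "", fmt.Errorf("SAMLResponse is not valid base64: %w", err)
	}
	sig, err := base64.StdEncoding.DecodeString(f.Signature)
	if err != nil {
		return "", fmt.Errorf("Signature is not valid base64: %w", err)
	}
	h := sha256.Sum256(signedString(string(rawXML), f.RelayState, f.SigAlg))
	if err := rsa.VerifyPKCS1v15(idpPub, crypto.SHA256, h[:], sig); err != nil {
		return "", fmt.Errorf("SimpleSign signature does not verify against the IdP key")
	}
	var hdr responseHeader // parsed only after the signature holds
	if err := xml.Unmarshal(rawXML, &hdr); err != nil {
		return "", err
	}
	if hdr.InResponseTo != issuedRequestID {
		return "", fmt.Errorf("InResponseTo %q does not match issued request %q", hdr.InResponseTo, issuedRequestID)
	}
	if hdr.Destination != acsURL {
		return "", fmt.Errorf("Destination %q is not this ACS %q", hdr.Destination, acsURL)
	}
	return string(rawXML), nil
}

func main() {
	// Constructed stand-in for the IdP key pair; a real SP loads the public
	// key from the IdP certificate obtained out of band.
	idpKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	const issuedID = "_req-0f3a"              // ID the SP put in its AuthnRequest (constructed)
	const acs = "https://sp.example.test/SSO" // this SP's ACS URL (constructed)
	raw := fmt.Sprintf(`<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_resp-1" Version="2.0" InResponseTo="%s" Destination="%s"></samlp:Response>`, issuedID, acs)

	form, _ := SignResponse(idpKey, raw, "return=/dashboard")
	if _, err := VerifyResponse(&idpKey.PublicKey, form, issuedID, acs); err != nil {
		panic(err)
	}
	fmt.Println("genuine response accepted")
	form.RelayState = "return=/admin" // anything under the signature fails
	_, err = VerifyResponse(&idpKey.PublicKey, form, issuedID, acs)
	fmt.Println("tampered RelayState:", err)
}
```

What this deliberately leaves out is the rest of Rappee's list: the returned XML still needs its Assertion parsed and its Conditions (Audience, NotBefore/NotOnOrAfter), Subject confirmation and replay of the assertion ID checked, and the IdP key should be looked up by Issuer from metadata rather than held as a single variable. SimpleSign avoids XML canonicalization because it signs the octets as posted, which is why this is tractable without libxmlsec1.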
If you want to validate SAML replies from the AWS IdP in your assertion consumer endpoint, then you had better go with https://github.com/crewjam/saml, as it does not rely on the libxmlsec1 system library.

For some reason libxmlsec1 does not successfully validate SAML replies from some IdPs (AWS), supposedly because of some undefined namespaces.

Evolute answered 2/10, 2019 at 14:21