I am trying to build a Go-based webserver (running in Azure) that allows for single sign-on using SAML. Part of the criteria for the application is that there are two layers of access: first it should be decided whether a user has access to the webpage itself, and second the user should only be able to access the data that he is entitled to see.
I have looked at the listed libraries listed at godoc, but I cannot seem to find a way to implement the second criterion. We want to use the username/ID associated with the SAML response as a part of the database query. I cannot seem to find though where I can find this information. At the moment it seems like I should do something like
http.Handle("/apicall", samlSP.RequireAccount(http.HandlerFunc(foo)))
func foo(w http.ResponseWriter, r *http.Request) {
user := // ?
body, err := ioutil.ReadAll(r.Body)
if err != nil {
log.Println(err)
}
var filter FilterParameters
err = json.Unmarshal(body, &filter)
if err != nil {
log.Println(err)
}
apiStruct := API(filter, user)
json.NewEncoder(w).Encode(apiStruct)
}
However, I am not sure how to get the variable 'user' filled in the correct scope, and where I can get this information from. I was looking to use github.com/crewjam/saml, but I am flexible in switching to a different solution. The godoc mentions a pointer in the 'options' struct to a 'saml.EntityDescriptor' struct, which seems to contain a field for a username, but I am not sure if this would work, and how to even access this in the scope of my function "foo".
A "username" in SAML can come from the IdP in any form. It is contained in an attribute which you either know beforehand or you ask the IdP maintainer to release for you. Have a look at the SAML Response here
In the response there is an AttributeStatement containing multiple Attribute assertions. One of those Attribute assertions is uid which is interpreted as meaning "username". In this case the "username" is "test".
EntityDescriptor is part of the SAML2 Metadata specification and is not used to hold attributes. It's used to describe entities such as SP and IdP so they can trust each other.
For deciding which parts of an application a user should get access to you can use the eduPersonEntitlement Attribute. This usually contains a URI or URN such as https://your.app.com/entitlment/admin