NAME
MojoX::Authentication::Model::SAML2
SYNOPSIS
use MojoX::Authentication::Model::SAML2;
DESCRIPTION
Manage the model for the interaction with an Identity Provider in SAML 2.0.
Outstanding requests are cached for some time, based on a time-to-live that can be provided (either set in the object as "ttl" or when caching a user) and defaults to 5 minutes.
INTERFACE
cache
my $cache = $provider->cache;
Accessor to the cache management object. You're not supposed to need this.
create
my $provider = MojoX::Authentication::Model::SAML2->create(
$config, %args);
Create a new instance, according to the interface consumed by MojoX::Authentication::Model.
The merging of $config and %args is such that $config wins except for the name key, which either comes from $args{name} or defaults to saml2.
Supported keys are "cache", "idp", "name" (only from %args, see above), "remaps", "request_ttl", "sig_hash", "sp_configuration", "user_key", "user_ttl", and "username_validator".
The value for key "cache" is turned into a cache-management object with an interface like MojoX::Authentication::Model::SAML2::Hash. In particular, you can pass:
an object of class MojoX::MojoDbWrap, in which case class MojoX::Authentication::Model::SAML2::Db is used, passing the object as parameter
wmdba blessed object, in which case it's assumed to be already a valid cache management object
a hash reference with instructions to instantiate a cache management object. Expected to provide a
class(required) andargs(optional, either as hash or array reference if present).
The value for key "idp" is turned into a Net::SAML2::IdP if not blessed (in this case it's supposed to support that interface anyway).
The value for key "remaps" is an array reference, see the accessor documentation for its format.
handles_username
my $bool = $provider->handles_username($controller, $username);
Returns a true value if the provider handles the provided username, false otherwise. Useful to figure out what provider supports a username, especially if there can be multiple SAML 2.0 providers.
idp
my $idp_object = $provider->idp;
Accessor for the Net::SAML2::IdP object (or interface-compatible).
idp_login
my ($id, $url) = $provider->idp_login;
Create a new login context, providing back its identifier and the URL to send back to the client, redirecting them to the identity provider endpoint with the correct parameters.
The login context is saved for later processing and it's set to last for "request_ttl" seconds.
load_user
my $user = $provider->load_user($ignored, $uid);
Load a user, if present. The interface is compatible with the call done by MojoX::Authentication::Model, which in turn implements what expected by Mojolicious::Plugin::Authentication.
logout
$provider->logout($controller, $user);
Do the logout. It's currently just a thin wrapper around the logout provided by Mojolicious::Plugin::Authentication but it should be enhanced in the future to support proper remote logout.
name
my $string = $provider->name;
Accessor to the name of the provider.
parse_assertion
$provider->parse_assertion($request_id, $response);
Parse an incoming $response, arguably associated to an ongoing request with identifier $request_id. In case the parsing is successful, the user is considered logged in and saved in the case for "user_ttl" seconds.
remaps
my $aref = $provider->remaps;
Array holding the mappings applied by "normalize_user" over the passed $user hashref.
Items in the array can be:
code reference: the sub is called passing the user hashref to be normalized.
hash reference: all key/value pairs are iterated. Each key is interpreted as a key to be found in the user hashref (it is skipped if not present) and the corresponding value a target key. As an example:
user hashref { foo => 'hello!', bar => 'not for much...' } mapping { bar => 'foo' } { foo => 'bar' }looks for key
fooin the user hashref and, if found, sets the same value for keybarin the same hashref.
request_ttl
my $secs = $provider->request_ttl;
Accessor for the time-to-live related to caching of request identifiers. When a request is received past this time-to-live, it is considered expired.
sig_hash
my $string = $provider->sig_hash;
Accessor for the string holding the signature hashing function to be used. Defaults to undef, which means that none will be set in "idp_login".
sp_configuration
my $cfg = $provider->sp_configuration;
Accessor for the Service Provider configuration (hash reference). It is supposed to contain the following keys:
identifier: the value set as theissuerin "idp_login".key: the private key of the Service Provider, used to sign the redirect. It's the path to a file.sso-post-url-override: the URL to pass as parameterassertion_urlwhen building the request in "idp_login".
user_key
my $key = $provider->user_key;
Accessor to the key that is set in the user's data with the user identifier.
user_ttl
my $secs = $provider->user_ttl;
The time-to-live of the cached user when it is correctly parsed. After this, there will be the need to perform a new interaction with the Identity Provider.
username_validator
my $sub = $provider->username_validator;
Accessor for the username validation function. This is wrapped by "handles_username" behind the scenes, so it should be set to some validation mechanism that allows figuring out if the specific SAML2 Identity Provider is the right one for the username.
validate_user
my $uid = $provider->validate_user($ctr, $user, $secret, $extra);
Do the user validation, compatibly with Mojolicious::Plugin::Authentication.
wipe_user
$provider->wipe_user($user);
Remove the user from the cache.
ANYTHING ELSE (INCLUDING AUTHOR, COPYRIGHT AND LICENSE)
See documentation for MojoX::Authentication.