NAME

Net::SAML2::SP - SAML Service Provider object

VERSION

version 0.72

SYNOPSIS

my $sp = Net::SAML2::SP->new(
  id   => 'http://localhost:3000',
  url  => 'http://localhost:3000',
  cert => 'sign-nopw-cert.pem',
  key => 'sign-nopw-key.pem',
);

METHODS

new( ... )

Constructor. Create an SP object.

Arguments:

url

Base for all SP service URLs

error_url

The error URI. Can be relative to the base URI or a regular URI

id

SP's identity URI.

cert

Path to the signing certificate

key

Path to the private key for the signing certificate

encryption_key

Path to the public key that the IdP should use for encryption. This is used when generating the metadata.

cacert

Path to the CA certificate for verification

org_name

SP organisation name

org_display_name

SP organisation display name

org_contact

SP contact email address

org_url

SP organization url. This is optional and url will be used as in previous versions if this is not provided.

authnreq_signed

Specifies in the metadata whether the SP signs the AuthnRequest Optional (0 or 1) defaults to 1 (TRUE) if not specified.

want_assertions_signed

Specifies in the metadata whether the SP wants the Assertion from the IdP to be signed Optional (0 or 1) defaults to 1 (TRUE) if not specified.

sign_metadata

Sign the metadata, defaults to 1 (TRUE) if not specified.

single_logout_service

The following option replaces the previous slo_url_post, slo_url_soap and slo_url_redirect constructor parameters. The former options are mapped to this new structure.

This expects an array of hash refs where you define one or more Single Logout Services

[
  {
      Binding => BINDING_HTTP_POST,
      Location => https://foo.example.com/your-post-endpoint,
  },
  {
      Binding => BINDING_HTTP_ARTIFACT,
      Location => https://foo.example.com/your-artifact-endpoint,
  }
]
assertion_consumer_service

The following option replaces the previous acs_url_post and acs_url_artifact constructor parameters. The former options are mapped to this new structure.

This expects an array of hash refs where you define one or more Assertion Consumer Services.

[
  # Order decides the index if not supplied, else we assume you have an index
  {
      Binding => BINDING_HTTP_POST,
      Location => https://foo.example.com/your-post-endpoint,
      isDefault => 'false',
      # optionally
      index => 1,
  },
  {
      Binding => BINDING_HTTP_ARTIFACT,
      Location => https://foo.example.com/your-artifact-endpoint,
      isDefault => 'true',
      index => 2,
  }
]

authn_request( $destination, $nameid_format, %params )

Returns an AuthnRequest object created by this SP, intended for the given destination, which should be the identity URI of the IdP.

%params is a hash containing parameters valid for Net::SAML2::Protocol::AuthnRequest. For example:

    my %params = ( force_authn => 1, is_passive => 1, )

    my $authnreq = authn_request( 'https://keycloak.local:8443/realms/Foswiki/protocol/saml', 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent', %params );

logout_request( $destination, $nameid, $nameid_format, $session, $params )

Returns a LogoutRequest object created by this SP, intended for the given destination, which should be the identity URI of the IdP.

Also requires the nameid (+format) and session to be logged out.

    $params is a HASH reference for parameters to Net::SAML2::Protocol::LogoutRequest

    $params = ( # name qualifier parameters from Assertion NameId name_qualifier => "https://idp.shibboleth.local/idp/shibboleth" sp_name_qualifier => "https://netsaml2-testapp.local" );

logout_response( $destination, $status, $response_to )

Returns a LogoutResponse object created by this SP, intended for the given destination, which should be the identity URI of the IdP.

Also requires the status and the ID of the corresponding LogoutRequest.

artifact_request( $destination, $artifact )

Returns an ArtifactResolve request object created by this SP, intended for the given destination, which should be the identity URI of the IdP.

sp_post_binding ( $idp, $param )

Returns a POST binding object for this SP, configured against the given IDP for Single Sign On. $param specifies the name of the query parameter involved - typically SAMLRequest.

sso_redirect_binding( $idp, $param )

Returns a Redirect binding object for this SP, configured against the given IDP for Single Sign On. $param specifies the name of the query parameter involved - typically SAMLRequest.

slo_redirect_binding( $idp, $param )

Returns a Redirect binding object for this SP, configured against the given IDP for Single Log Out. $param specifies the name of the query parameter involved - typically SAMLRequest or SAMLResponse.

soap_binding( $ua, $idp_url, $idp_cert )

Returns a SOAP binding object for this SP, with a destination of the given URL and signing certificate.

XXX UA

post_binding( )

Returns a POST binding object for this SP.

generate_sp_desciptor_id ( )

Returns the Net::SAML2 unique ID from Net::SAML2::Util::generate_id.

generate_metadata( )

Generate the metadata XML document for this SP.

key_name($type)

Get the key name for either the signing or encryption key

metadata( )

Returns the metadata XML document for this SP.

get_default_assertion_service

Return the assertion service which is the default

AUTHORS

  • Chris Andrews <chrisa@cpan.org>

  • Timothy Legge <timlegge@gmail.com>

COPYRIGHT AND LICENSE

This software is copyright (c) 2023 by Venda Ltd, see the CONTRIBUTORS file for others.

This is free software; you can redistribute it and/or modify it under the same terms as the Perl 5 programming language system itself.