Commit 63f7c34b authored by ale's avatar ale

Update go-sso

parent 3396b96b
Pipeline #891 passed with stages
in 44 seconds
Login server (or *identity provider*, IDP) using the
[ai/sso]( protocol (version 5) for
single-sign on and [auth-server]( to
authenticate users.
This repository includes a few separate binaries:
* *sso-server* is the login server / IDP
* *saml-server* is a SSO-to-SAML bridge (for third-party software)
* *sso-proxy* is a reverse HTTP proxy that adds single-sign-on access
controls to backends
# Configuration
The *sso-server* daemon requires a YAML configuration file,
*/etc/sso/server.yml* by default. It understands the following
* `secret_key_file`: path to the Ed25519 secret key (should be exactly
64 bytes)
* `public_key_file`: path to the Ed25519 public key (should be exactly
32 bytes)
* `domain`: SSO domain
* `allowed_services`: a list of regular expressions. A request will be
allowed only if the target SSO services matches one of these
* `allowed_exchanges`: a list of regular expression source /
destination pairs (dictionaries with `src_regexp` and `dst_regexp`
attributes). Exchange requests will only be allowed if source and
destination SSO services both match one of these pairs.
* `service_ttls`: a list of dictionaries used to set time-to-live for
SSO tickets for specific services. Each dictionary should have the
following attributes:
* `regexp`: regular expression that should match the SSO service
* `ttl`: TTL in seconds
* `auth_session_lifetime`: time-to-live (in seconds) for the
sso-server user authentication session. When it expires, the user
will have to login again.
* `session_secrets`: a list of two (or more, as long as the number is
even) secret keys to use for HTTP cookie-based sessions, in
*authentication-key*, *encryption-key* pairs. Authentication keys
can be 32 bytes (SHA128) or 64 bytes (SHA512), encryption keys
should be 16 (AES-128), 24 (AES-192) or 32 (AES-256) bytes long. For
key rotation, multiple pairs (old, new) can be specified so that
sessions are not immediately invalidated.
* `csrf_secret`: a secret key used for CSRF protection
* `auth_service`: the service name to use for the authentication
request sent to *auth-server* (generally "sso")
* `device_manager`: configuration for the device tracking module:
* `auth_key`: a long-term key to authenticate HTTP-based cookies
* `geo_ip_data_files`: GeoIP databases to use (in mmdb format), if
unset the module will use the default GeoLite2-Country db
* `keystore`: configures the connection to the keystore service
* `url`: URL for the keystore service
* `sharded`: if true, requests to the keystore service will be
partitioned according to the user's *shard* attribute
* `tls_config`: client TLS configuration
* `cert`: path to the client certificate
* `key`: path to the private key
* `ca`: path to the CA used to validate the server
* `http_server`: specifies standard parameters for the HTTP server
* `tls`: server-side TLS configuration
* `cert`: path to the server certificate
* `key`: path to the server's private key
* `ca`: path to the CA used to validate clients
* `acl`: TLS-based access controls, a list of entries with the
following attributes:
* `path` is a regular expression to match the request URL path
* `cn` is a regular expression that must match the CommonName
part of the subject of the client certificate
* `trusted_forwarders`: list of trusted IP addresses (reverse
proxies). If a request comes from here, we will trust the
X-Forwarded-Proto and X-Real-IP headers when determining the
client IP address
* `max_inflight_requests`: maximum number of in-flight requests to
allow before server-side throttling kicks in
## Device tracking
The idea is to track a small amount of non-personally-identifying data
for each device, and use it to notify users of unexpected
accesses. This information is tracked by the
It is implemented very simply, with a long-term cookie stored in the
## Key store
On login, the login server can unlock the user's key store
(see [keystore]( The
associated key will be cleared either on logout, or when the login
session expires.
The *sso-server* binary serves different types of HTTP traffic:
* the login/logout interface (user-facing)
* the SSO login endpoint (user-facing)
* the SSO ticket exchange endpoint (service-facing)
The ticket exchange API allows a service (the *source*) to exchange a
valid SSO ticket for itself with a SSO ticket, for the same user,
meant for a third-party service (*destination*). Its endpoint is
located at the URL `/exchange` and it accepts the following query
* `cur_tkt`: valid source SSO ticket
* `cur_svc`: source SSO service
* `cur_nonce`: nonce for *cur_tkt*
* `new_svc`: destination SSO service
* `new_nonce`: nonce for the new SSO ticket
* `new_groups` (optional): a comma-separated list of groups that the
destination service might check membership for
Note that annoyingly *cur_svc* and *cur_nonce* are redundant, as they
are already contained within *cur_tkt*, but the SSO ticket API won't
allow us to decode the ticket without verifying it at the same time.
......@@ -11,18 +11,43 @@ import (
var (
// Errors.
ErrMissingRequiredField = errors.New("missing required field")
ErrBadNonceLength = errors.New("bad nonce length")
ErrDeserialization = errors.New("deserialization error")
// ErrMissingRequiredField is returned when a ticket does not
// contain a required field.
ErrMissingRequiredField = errors.New("missing required field")
// ErrDeserialization means that the input is not valid base64.
ErrDeserialization = errors.New("deserialization error")
// ErrUnsupportedTicketVersion is returned for unsupported
// ticket versions (either too old or too recent).
ErrUnsupportedTicketVersion = errors.New("unsupported ticket version")
ErrMessageTooShort = errors.New("encoded message too short")
ErrBadSignature = errors.New("bad signature")
ErrBadService = errors.New("service mismatch")
ErrBadDomain = errors.New("auth domain mismatch")
ErrBadNonce = errors.New("nonce mismatch")
ErrExpired = errors.New("ticket expired")
ErrUnauthorized = errors.New("unauthorized")
// ErrMessageTooShort means that the input is shorter than the
// fixed signature length + minimum ticket size.
ErrMessageTooShort = errors.New("encoded message too short")
// ErrBadSignature is returned when the signature does not
// match the given public key.
ErrBadSignature = errors.New("bad signature")
// ErrBadService is returned when validation fails due to a
// SSO service mismatch.
ErrBadService = errors.New("service mismatch")
// ErrBadDomain is returned when validation fails due to a SSO
// domain mismatch.
ErrBadDomain = errors.New("auth domain mismatch")
// ErrBadNonce is returned when validation fails due to a
// nonce mismatch.
ErrBadNonce = errors.New("nonce mismatch")
// ErrExpired means the ticket has expired.
ErrExpired = errors.New("ticket expired")
// ErrUnauthorized is returned when the user lacks the
// necessary group membership.
ErrUnauthorized = errors.New("unauthorized")
const (
......@@ -234,7 +259,7 @@ func (v *ssoValidator) Validate(encoded, nonce, service string, allowedGroups []
if t.Expires.Before(time.Now()) {
return nil, ErrExpired
if t.Nonce != nonce {
if nonce != "" && t.Nonce != nonce {
return nil, ErrBadNonce
......@@ -33,10 +33,10 @@
"revisionTime": "2018-01-12T09:10:27Z"
"checksumSHA1": "DFjm2ZJpUwioPApa3htGXLEFWl8=",
"checksumSHA1": "zvdsYaPEZrgcsRJy1bOo6YF5rVQ=",
"path": "",
"revision": "2f1d893daf6ea55c4c3a704d14cf3c0996e1fec5",
"revisionTime": "2017-12-14T07:43:49Z"
"revision": "10356d2430081e5f6dc60a68d576ef5b476f83ea",
"revisionTime": "2018-02-16T18:29:55Z"
"checksumSHA1": "spyv5/YFBjYyZLZa1U2LBfDR8PM=",
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment