Mojo::SAML - A SAML2 toolkit using the Mojo toolkit
Mojo::SAML is a project to build a SAML toolkit using the Mojo stack. It is (for better or worse) completely reimplemented from the ground up. It is considered extremely experimental and unstable (see "CAVEATS").
That said, it can do basic SAML interactions given the proper configuration. For more on SAML, you might want to consult https://en.wikipedia.org/wiki/SAML_2.0 or https://wiki.oasis-open.org/security.
It currently has plenty of limitations and should be considered extremely experimental. The API can and will change without warning until this warning is removed.
It also relies heavily on using the simpler SAML bindings and is only really workable for RSA keys. Because of this, there are dependencies on Crypt::OpenSSL::RSA and Crypt::OpenSSL::X509 which really should be optional, though they are required until other signing mechanisms are included. Users are encouraged to add those modules to their own dependencies in case they become optional in the future.
Currently data extraction and documentation are very much separate sets of code. It is not yet decided if this will continue or if some effort will be made to unify them. This is a large part of the concern for api stability.
While most classes have API documentation, currently overall usage documentation is lacking. For the time being, examples can be seen in the ex/
directory within the source repository and/or distribution, especially ex/webapp.pl
. These examples will be modified as the API changes and eventually usage documentation should be written.
Mojo::XMLSig has some tests, the rest has precious few tests. There could always be more tests.
All of this should be improvable. PRs and comments are most welcome.
Mojo::SAML exports nothing by default. On request it can export any of the following symbols or tags.
The following symbols are constant functions which return the full name of Mojo::SAML::Document subclasses. Their name is both the name of the subclass and the tag that they create.
Constant shortcut to Mojo::SAML::Document::AssertionConsumerService.
Constant shortcut to Mojo::SAML::Document::AttributeConsumingService.
Constant shortcut to Mojo::SAML::Document::AuthnRequest.
Constant shortcut to Mojo::SAML::Document::ContactPerson.
Constant shortcut to Mojo::SAML::Document::EntityDescriptor.
Constant shortcut to Mojo::SAML::Document::KeyDescriptor.
Constant shortcut to Mojo::SAML::Document::KeyInfo.
Constant shortcut to Mojo::SAML::Document::NameIDPolicy.
Constant shortcut to Mojo::SAML::Document::Organization.
Constant shortcut to Mojo::SAML::Document::RequestedAttribute.
Constant shortcut to Mojo::SAML::Document::Signature.
Constant shortcut to Mojo::SAML::Document::SPSSODescriptor.
Exports all of the above document type constants.
While they aren't linked to from this module, some other modules that will likely be useful are:
Mojo::SAML::Names is a (fairly incomplete) list of naming conventions and standard used in SAML.
Mojo::SAML::IdP is a tool for examining the entity metadata returned from an identity provider and extracting useful inforamation.
Mojo::XMLSig is a tool for signing and verifying XML documents. Note that it is possible that this module could be spun out into its own distribution at some point. If it does, this module will depend on it.
Mojolicious::Plugin::SAML attempts to be a turn-key SAML Service Provider (SP) implementation. This is useful for interacting with a single Identity Provider (IdP) under simple circumstances. This is (as with all the rest) still highly experimental.
http://github.com/jberger/Mojo-SAML
Joel Berger, <joel.a.berger@gmail.com>
Copyright (C) 2018 by Joel Berger This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself.