Unsigned requests

README.md

@@ -9,7 +9,7 @@ Inspired by the early work of [Matt Baird](https://github.com/mattbaird/gosaml).
 
 The library supports:
 
-* generating signed AuthnRequests
+* generating signed/unsigned AuthnRequests
 * validating signed AuthnRequests
 * generating service provider metadata
 * generating signed Responses
@@ -40,6 +40,7 @@ sp := saml.ServiceProviderSettings{
   IDPSSOURL:                   "http://idp/saml2",
   IDPSSODescriptorURL:         "http://idp/issuer",
   IDPPublicCertPath:           "idpcert.crt",
+  SPSignRequest:               "true",
   AssertionConsumerServiceURL: "http://localhost:8000/saml_consume",
 }
 sp.Init()

authnrequest.go

@@ -91,14 +91,15 @@ func (s *ServiceProviderSettings) GetAuthnRequest() *AuthnRequest {
 }
 
 // GetAuthnRequestURL generate a URL for the AuthnRequest to the IdP with the SAMLRequst parameter encoded
-func GetAuthnRequestURL(baseURL string, b64XML string) (string, error) {
+func GetAuthnRequestURL(baseURL string, b64XML string, state string) (string, error) {
 	u, err := url.Parse(baseURL)
 	if err != nil {
 		return "", err
 	}
 
 	q := u.Query()
 	q.Add("SAMLRequest", b64XML)
+	q.Add("RelayState", state)
 	u.RawQuery = q.Encode()
 	return u.String(), nil
 }
@@ -257,3 +258,22 @@ func (r *AuthnRequest) CompressedEncodedSignedString(privateKeyPath string) (str
 	b64XML := base64.StdEncoding.EncodeToString(compressed)
 	return b64XML, nil
 }
+
+func (r *AuthnRequest) EncodedString() (string, error) {
+	saml, err := r.String()
+	if err != nil {
+		return "", err
+	}
+	b64XML := base64.StdEncoding.EncodeToString([]byte(saml))
+	return b64XML, nil
+}
+
+func (r *AuthnRequest) CompressedEncodedString() (string, error) {
+	saml, err := r.String()
+	if err != nil {
+		return "", err
+	}
+	compressed := util.Compress([]byte(saml))
+	b64XML := base64.StdEncoding.EncodeToString(compressed)
+	return b64XML, nil
+}

authnrequest_test.go

@@ -15,6 +15,7 @@ func TestGetSignedRequest(t *testing.T) {
 		IDPSSODescriptorURL:         "http://www.onelogin.net",
 		IDPPublicCertPath:           "./default.crt",
 		AssertionConsumerServiceURL: "http://localhost:8000/auth/saml/name",
+		SPSignRequest:               true,
 	}
 	err := sp.Init()
 	assert.NoError(err)
@@ -28,3 +29,21 @@ func TestGetSignedRequest(t *testing.T) {
 	err = VerifyRequestSignature(signedXML, sp.PublicCertPath)
 	assert.NoError(err)
 }
+
+func TestGetUnsignedRequest(t *testing.T) {
+	assert := assert.New(t)
+	sp := ServiceProviderSettings{
+		IDPSSOURL:                   "http://www.onelogin.net",
+		IDPSSODescriptorURL:         "http://www.onelogin.net",
+		IDPPublicCertPath:           "./default.crt",
+		AssertionConsumerServiceURL: "http://localhost:8000/auth/saml/name",
+		SPSignRequest:               false,
+	}
+	err := sp.Init()
+	assert.NoError(err)
+
+	// Construct an AuthnRequest
+	authnRequest := sp.GetAuthnRequest()
+	assert.NoError(err)
+	assert.NotEmpty(authnRequest)
+}

saml.go

@@ -12,6 +12,7 @@ type ServiceProviderSettings struct {
 	IDPSSODescriptorURL         string
 	IDPPublicCertPath           string
 	AssertionConsumerServiceURL string
+        SPSignRequest               bool
 
 	hasInit       bool
 	publicCert    string
@@ -28,14 +29,16 @@ func (s *ServiceProviderSettings) Init() (err error) {
 	}
 	s.hasInit = true
 
-	s.publicCert, err = util.LoadCertificate(s.PublicCertPath)
-	if err != nil {
-		panic(err)
-	}
+        if s.SPSignRequest {
+		s.publicCert, err = util.LoadCertificate(s.PublicCertPath)
+		if err != nil {
+			panic(err)
+		}
 
-	s.privateKey, err = util.LoadCertificate(s.PrivateKeyPath)
-	if err != nil {
-		panic(err)
+		s.privateKey, err = util.LoadCertificate(s.PrivateKeyPath)
+		if err != nil {
+			panic(err)
+		}
 	}
 
 	s.iDPPublicCert, err = util.LoadCertificate(s.IDPPublicCertPath)