tweaking the organization of the config doc(s)
Erik Dahl committed Jan 28, 2018
1 parent 7b60515, commit 4b58595
Showing 17 changed files with 239 additions and 19 deletions.
@@ -0,0 +1,2 @@ | ||
``<compatibility>`` Element | ||
=========================== |
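Review bot: this new page, and the ten other element pages added in this commit (``<contactPerson>`` through ``<signingCertificate>``), consist of a title and underline only, while the ``<sustainsys.saml2>`` page added below links to several of them with ``:doc:`` roles (nameIdPolicy, requestedAuthnContext, metadata, identityProviders, federations, serviceCertificates, compatibility), so a reader following those links lands on an empty page. Suggest giving each stub at least its parent element and a one-line statement of purpose, or marking them as placeholders, so the built docs do not present empty sections as finished reference material.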
@@ -0,0 +1,2 @@ | ||
``<contactPerson>`` Element | ||
=========================== |
@@ -0,0 +1,2 @@ | ||
``<federations>`` Element | ||
========================= |
@@ -0,0 +1,2 @@ | ||
``<identityProviders>`` Element | ||
=============================== |
@@ -0,0 +1,2 @@ | ||
``<metadata>`` Element | ||
====================== |
@@ -0,0 +1,2 @@ | ||
``<nameIdPolicy>`` Element | ||
========================== |
@@ -0,0 +1,2 @@ | ||
``<organization>`` Element | ||
========================== |
@@ -0,0 +1,2 @@ | ||
``<requestedAttributes>`` Element | ||
================================= |
@@ -0,0 +1,2 @@ | ||
``<requestedAuthnContext>`` Element | ||
=================================== |
@@ -0,0 +1,2 @@ | ||
``<serviceCertificates>`` Element | ||
================================= |
@@ -0,0 +1,2 @@ | ||
``<signingCertificate>`` Element | ||
================================ |
@@ -0,0 +1,90 @@ | ||
``<sustainsys.saml2>`` Element | ||
============================== | ||
The ``<sustainsys.saml2>`` element is a child node of the ``<configuration>`` element. Its | ||
attributes are listed and described below, and its child elements are listed as well and | ||
are linked to full explanations of each. | ||
|
||
Attributes | ||
---------- | ||
``returnUrl`` | ||
The Url that you want users to be redirected to once the authentication is complete. This is typically the start | ||
page of the application, or a special signed in start page. | ||
|
||
``entityId`` | ||
The name that this service provider will use for itself when sending messages. The name will end up in the ``Issuer`` | ||
field in outcoing authnRequests. | ||
|
||
The SAML standard requires the entityId to be an absolute URI. Typically it should be the URL where the metadata | ||
is presented. E.g. http://sp.example.com/Saml2/. | ||
|
||
``discoveryService`` (Optional) | ||
Specifies an idp discovery service to use if no idp is specified when calling sign in. Without | ||
this attribute, the first idp known will be used if none is specified. | ||
|
||
``modulePath`` (Optional) | ||
Indicates the base path of the Saml2 endpoints. Defaults to /Saml2 if not specified. This can usually be left as the | ||
default, but if several instances of Saml2 are loaded into the same process they must each get a separate base path. | ||
|
||
``authenticateRequestSigningBehavior`` (Optional) | ||
Sets the signing behavior for generated AuthnRequests. Three values are supported: | ||
|
||
* ``Never``: Saml2 will never sign any created AuthnRequests. | ||
* ``Always``: Saml2 will always sign all AuthnRequests. | ||
* ``IfIdpWantAuthnRequestsSigned`` (default if the attribute is missing): Saml2 will sign AuthnRequests if the idp is configured for it (through config or listed in idp metadata). | ||
|
||
``validateCertificates`` (Optional) | ||
Normally certificates for the IDPs signing use is communicated through metadata and in case of a breach, the | ||
metadata is updated with new data. If you want extra security, you can enable certificate validation (the | ||
default value for this attribute is ``false``). Please note that the SAML metadata specification explicitly | ||
places no requirements on certificate validation, so don't be surprised if an Idp certificate doesn't pass validation. | ||
|
||
``publicOrigin`` (Optional) | ||
Indicates the base url of the Saml2 endpoints. It should be the root path of the application. E.g. The SignIn url is | ||
built up as ``PublicOrigin + / + modulePath + /SignIn``. Defaults to Url of the current http request if not | ||
specified. This can usually be left as the default, but if your internal address of the application is | ||
different than the external address the generated URLs (such as ``AssertionConsumerServiceURL`` in the | ||
``saml2p:AuthnRequest``) then this will be incorrect. The use case for this is typically with load balancers | ||
or reverse proxies. It can also be used if the application can be accessed by several external URLs to make sure | ||
that the registered in metadata is used in communication with the Idp. | ||
|
||
If you need to set this value on a per-request basis, provide a ``GetPublicOrigin`` Notification function instead. | ||
|
||
``outboundSignAlgorithm`` (Optional) | ||
By default Saml2 uses SHA256 signatures if running on .NET 4.6.2 or later or when you | ||
have called ``GlobalEnableSha256XmlSignatures()``. Otherwise, it uses SHA1 signatures. Use this attribute to | ||
set the default signing algorithm for any messages (including metadata) that Saml2 generates. Possible values: | ||
|
||
* ``SHA1`` (or http://www.w3.org/2000/09/xmldsig#rsa-sha1) | ||
* ``SHA256`` | ||
* ``SHA384`` | ||
* ``SHA512`` | ||
|
||
The full url identifying the algorithm can also be provided. The algorithm can be overridden for each IdentityProvider | ||
too. | ||
|
||
``minIncomingSigningAlgorithm`` (Optional) | ||
The minimum strength required on signatures on incoming messages. Messages with a too weak signing algorithm will be | ||
rejected. By default Saml2 requires SHA256 signatures if running on .NET 4.6.2 or later or when you have | ||
called ``GlobalEnableSha256XmlSignatures()``. Otherwise, it uses SHA1 signatures. | ||
|
||
Possible values: | ||
|
||
* ``SHA1`` (or http://www.w3.org/2000/09/xmldsig#rsa-sha1) | ||
* ``SHA256`` | ||
* ``SHA384`` | ||
* ``SHA512`` | ||
|
||
The full url identifying the algorithm can also be provided. | ||
|
||
Elements | ||
-------- | ||
The following are the possible children elements of the ``<sustainsys.saml2>`` element. Each are provided as a | ||
link below with full explanations of each. | ||
|
||
* :doc:`nameIdPolicy <name-id-policy>` | ||
* :doc:`requestedAuthnContext <requested-authn-context>` | ||
* :doc:`metadata <metadata>` | ||
* :doc:`identityProviders <identity-providers>` | ||
* :doc:`federations <federations>` | ||
* :doc:`serviceCertificates <service-certificates>` | ||
* :doc:`compatibility <compatibility>` |
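Review bot: the ``minIncomingSigningAlgorithm`` paragraph says that on frameworks older than .NET 4.6.2 Saml2 "uses SHA1 signatures", but this attribute sets the minimum accepted on incoming messages, not what is produced; it should say that the default minimum drops to SHA1 there, meaning SHA1-signed responses are accepted, and it is worth telling deployments to set ``minIncomingSigningAlgorithm="SHA256"`` explicitly rather than depend on a framework-dependent default (the same advice fits the ``outboundSignAlgorithm`` default described two paragraphs earlier). In the ``publicOrigin`` paragraph, the default of "Url of the current http request" means that behind the load balancers or reverse proxies the text mentions, generated URLs such as ``AssertionConsumerServiceURL`` follow whatever scheme and host the proxy forwards, so proxied deployments should be told to set the attribute explicitly; the sentence "if your internal address of the application is different than the external address the generated URLs (...) then this will be incorrect" is also missing its verb, and "make sure that the registered in metadata is used" is missing its noun (the registered origin, presumably). Smaller: "outcoing" should be "outgoing" in the ``entityId`` paragraph, and since the example ``http://sp.example.com/Saml2/`` is described as the URL where metadata is presented, an https example would set a better precedent.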
@@ -0,0 +1,57 @@ | ||
Contributing | ||
============ | ||
Sustainsys.Saml2 is maintained by and have mostly been developed by Sustainsys in Stockholm, Sweden. The library's | ||
source code is hosted on `github <https://github.com/Sustainsys/Saml2>`_. When doing work on protocol features, it is recommended to consult | ||
`the official SAML specifications <https://wiki.oasis-open.org/security/FrontPage#SAMLV2.0Standard>`_. | ||
|
||
Issue tracking | ||
-------------- | ||
Github issues are used to keep track of issues and releases. For requests of functionality or to | ||
report bugs, please open an issue in the github repo. It is advised to open an issue describing the plans | ||
before starting any major coding work. Discussing before writing code significantly reduces the risk of | ||
getting a pull request denied. | ||
|
||
Versioning | ||
---------- | ||
Sustainsys uses semantic versioning as defined on http://semver.org/. | ||
Given a version number MAJOR.MINOR.PATCH, increment the: | ||
|
||
* MAJOR version when you make incompatible API changes, | ||
* MINOR version when you add functionality in a backwards-compatible manner, and | ||
* PATCH version when you make backwards-compatible bug fixes. | ||
|
||
Coding Conventions | ||
------------------ | ||
The coding conventions follow the classic .NET style of coding, with the following styles: | ||
|
||
* Always use ``{}`` for if statements, even when there is only one line. | ||
* Code analysis is enabled and all code should compile without compiler warnings or code analysis errors. Code analysis warnings that are not relevant are supressed in the source. Rules should only be disabled on a global level if it really is appropriate to disable the rule for the entire code base. Unknown words are added to CustomDictionary.xml instead of suppressing individual warnings. | ||
* Private members in classes are named with camelCasing, no underscores or similar. | ||
* Member variables are not prefixed with ``this``. unless required to resolve ambiguity (such as in a constructor having parameters with the same name as the members). | ||
* Any single method is short enough to fit on one screen (on a typical laptop monitor, not a 30-inch development monster-monitor in vertical orientation). | ||
* The code is formatted to (mostly) fit in 80 columns. | ||
|
||
Unit Tests | ||
---------- | ||
The Sustainsys.Saml2 library has been developed using TDD (Test Driven Development). All functionality is covered | ||
by tests, and it will remain that way. Pull requests will only be merged if they contain tests covering the | ||
added functionality. Parts of the code that aren't practically possible to test because of tight integration with | ||
the web server (see e.g. ``CommandResult.ApplyPrincipal``) are excluded from this rule and should be | ||
marked with an ``[ExcludeFromCodeCoverage]`` attribute. The code coverage report is at 100.00% coverage | ||
and should remain so. | ||
|
||
Continuous Integration / Build Server | ||
------------------------------------- | ||
All pull requests are built on AppVeyor and code coverage is checked. | ||
|
||
Branching | ||
--------- | ||
To make a clean pull request, it is important to follow some git best practices. Nancy has an | ||
`excellent guide <https://github.com/NancyFx/Nancy/wiki/Git-Workflow>`_ that outlines the steps required. | ||
|
||
Licensing | ||
--------- | ||
The library is licensed under LGPL and by submitting code it is accepted that the submitted code will be | ||
released under the same license. Third party code may only be added to the library if the author of the | ||
pull request holds the copyright to the code, or the code is previously licensed under a | ||
license compatible with LGPL. |
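Review bot: grammar in the opening sentence: "is maintained by and have mostly been developed by" should read "is maintained by, and has mostly been developed by"; "supressed" should be "suppressed" in the code analysis bullet; and "are not prefixed with ``this``. unless required" has a stray period before "unless". The Unit Tests section states the coverage report is at 100.00% and must stay there, but the Continuous Integration section names only AppVeyor; consider saying where contributors can find the coverage report so they can check it before opening a pull request.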