

1use std::collections::BTreeMap;
3use openauth_core::secret::SecretString;
4use serde::{Deserialize, Serialize};
5
#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
#[serde(rename_all = "camelCase")]
/// SAML configuration for an enterprise SSO provider.
///
/// Deserialized from provider configuration with camelCase keys. Non-`Option`
/// fields without `#[serde(default)]` are required, so a config that omits
/// `wantAssertionsSigned` or `authnRequestsSigned` fails to deserialize instead
/// of silently running with signing disabled. `Option` fields default to `None`
/// when absent and are omitted from serialized output when `None`.
///
/// Key material is held in [`SecretString`]. `Debug` and `Serialize` for this
/// struct delegate to that type's impls; NOTE(review): confirm `SecretString`'s
/// `Serialize` redacts before serializing this struct into logs or responses.
pub struct SamlProviderConfig {
    /// Service provider issuer/entity id expected by the IdP.
    pub issuer: String,
    #[serde(default)]
    /// IdP SSO entry point for AuthnRequest redirects.
    ///
    /// The only required-typed field with a serde default: a missing key
    /// deserializes as an empty string rather than an error.
    pub entry_point: String,
    /// IdP signing certificate, either PEM or base64 body.
    ///
    /// Required. Presumably the trust anchor used when verifying IdP
    /// signatures; the verification itself happens elsewhere.
    pub cert: String,
    /// OpenAuth callback URL used after SAML login.
    pub callback_url: String,
    #[serde(skip_serializing_if = "Option::is_none")]
    /// Explicit assertion consumer service URL.
    ///
    /// How this relates to `callback_url` when both are set is resolved
    /// outside this file.
    pub acs_url: Option<String>,
    #[serde(skip_serializing_if = "Option::is_none")]
    /// Expected SAML audience. Defaults to issuer semantics when omitted.
    pub audience: Option<String>,
    #[serde(skip_serializing_if = "Option::is_none")]
    /// Parsed or configured IdP metadata.
    pub idp_metadata: Option<SamlIdpMetadata>,
    /// Service provider metadata configuration.
    ///
    /// Required key (no `#[serde(default)]`), although an empty object is
    /// accepted because every field of [`SamlSpMetadata`] is optional.
    pub sp_metadata: SamlSpMetadata,
    #[serde(skip_serializing_if = "Option::is_none")]
    /// Provider attribute mapping.
    pub mapping: Option<SamlMapping>,
    /// Require valid XMLDSig over the SAML Assertion.
    ///
    /// Required key: there is intentionally no serde default, so the
    /// signature requirement must be stated explicitly in configuration.
    pub want_assertions_signed: bool,
    /// Sign outbound AuthnRequest messages.
    ///
    /// Required key, like `want_assertions_signed`. Signing presumably needs
    /// `private_key` to be set; that check is not made here.
    pub authn_requests_signed: bool,
    #[serde(skip_serializing_if = "Option::is_none")]
    /// Signature algorithm URI or short name for outbound signed requests.
    ///
    /// Accepted values are resolved elsewhere; this field is not validated
    /// on deserialization.
    pub signature_algorithm: Option<String>,
    #[serde(skip_serializing_if = "Option::is_none")]
    /// Digest algorithm URI or short name for outbound signed requests.
    ///
    /// Accepted values are resolved elsewhere; not validated here.
    pub digest_algorithm: Option<String>,
    #[serde(skip_serializing_if = "Option::is_none")]
    /// SAML NameID format requested from the IdP.
    pub identifier_format: Option<String>,
    #[serde(skip_serializing_if = "Option::is_none")]
    /// Service provider signing private key. Debug output is redacted.
    ///
    /// [`SamlSpMetadata`] also carries a `private_key`; which one wins when
    /// both are present is decided outside this file.
    pub private_key: Option<SecretString>,
    #[serde(skip_serializing_if = "Option::is_none")]
    /// Service provider decryption private key for encrypted assertions.
    pub decryption_pvk: Option<SecretString>,
    #[serde(skip_serializing_if = "Option::is_none")]
    /// Additional AuthnRequest parameters sent to the IdP.
    ///
    /// Arbitrary JSON values keyed by parameter name; a `BTreeMap` keeps the
    /// serialized order deterministic.
    pub additional_params: Option<BTreeMap<String, serde_json::Value>>,
}
/// Backward-compatible SAML config alias.
///
/// Identical to [`SamlProviderConfig`]; kept so callers written against the
/// older name keep compiling.
pub type SamlConfig = SamlProviderConfig;
59
#[derive(Debug, Clone, Default, PartialEq, Eq, Serialize, Deserialize)]
#[serde(rename_all = "camelCase")]
/// IdP metadata fields accepted by SAML provider configuration.
///
/// Every field is optional; `Default` yields all-`None`. Keys are camelCase,
/// except that `entity_id` additionally accepts the `entityID` spelling used
/// in SAML metadata.
pub struct SamlIdpMetadata {
    /// Raw IdP metadata document, if supplied as a string. Parsing, if any,
    /// happens elsewhere.
    pub metadata: Option<String>,
    #[serde(alias = "entityID")]
    /// IdP entity id. Accepted as `entityId` or `entityID`.
    pub entity_id: Option<String>,
    /// URL the IdP's metadata can be fetched from (presumably; confirm with
    /// the loader).
    pub entity_url: Option<String>,
    /// IdP redirect endpoint.
    pub redirect_url: Option<String>,
    /// IdP signing certificate.
    pub cert: Option<String>,
    /// Private key, redacted in `Debug` via [`SecretString`].
    /// NOTE(review): an SP does not normally hold the IdP's private key;
    /// confirm the intended use (e.g. a locally hosted IdP).
    pub private_key: Option<SecretString>,
    /// Passphrase for `private_key`.
    pub private_key_pass: Option<SecretString>,
    /// Whether assertions from this IdP are expected to be encrypted.
    pub is_assertion_encrypted: Option<bool>,
    /// Decryption private key for encrypted assertions.
    pub enc_private_key: Option<SecretString>,
    /// Passphrase for `enc_private_key`.
    pub enc_private_key_pass: Option<SecretString>,
    /// SSO endpoints, each with a binding and location.
    pub single_sign_on_service: Option<Vec<SamlService>>,
    /// Single logout endpoints, each with a binding and location.
    pub single_logout_service: Option<Vec<SamlService>>,
}
#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
/// SAML metadata service endpoint.
///
/// Keys are serialized as `Binding` and `Location`, matching the attribute
/// names of a SAML metadata endpoint element. Both are required.
pub struct SamlService {
    #[serde(rename = "Binding")]
    /// Protocol binding URI for the endpoint.
    pub binding: String,
    #[serde(rename = "Location")]
    /// Endpoint URL.
    pub location: String,
}
#[derive(Debug, Clone, Default, PartialEq, Eq, Serialize, Deserialize)]
#[serde(rename_all = "camelCase")]
/// Service provider metadata overrides.
///
/// Every field is optional; `Default` yields all-`None`. Keys are camelCase,
/// with `entityID` accepted as an alternate spelling of `entityId`.
pub struct SamlSpMetadata {
    /// Raw SP metadata document, if supplied as a string.
    pub metadata: Option<String>,
    #[serde(alias = "entityID")]
    /// SP entity id. Accepted as `entityId` or `entityID`.
    pub entity_id: Option<String>,
    /// Preferred protocol binding for the SP.
    pub binding: Option<String>,
    /// SP signing private key, redacted in `Debug` via [`SecretString`].
    /// [`SamlProviderConfig`] also has a `private_key`; precedence is
    /// decided elsewhere.
    pub private_key: Option<SecretString>,
    /// Passphrase for `private_key`.
    pub private_key_pass: Option<SecretString>,
    /// Whether this SP expects encrypted assertions.
    pub is_assertion_encrypted: Option<bool>,
    /// Decryption private key for encrypted assertions.
    pub enc_private_key: Option<SecretString>,
    /// Passphrase for `enc_private_key`.
    pub enc_private_key_pass: Option<SecretString>,
}
#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
#[serde(rename_all = "camelCase")]
/// Mapping from SAML attributes to OpenAuth profile fields.
///
/// Each field presumably names the SAML attribute whose value populates the
/// corresponding profile field — confirm against the code that applies the
/// mapping. Unlike the metadata structs this type does not derive `Default`.
pub struct SamlMapping {
    /// Attribute supplying the stable user id.
    pub id: Option<String>,
    /// Attribute supplying the email address.
    pub email: Option<String>,
    /// Attribute supplying the email-verified flag. How its value is
    /// interpreted as a boolean is decided elsewhere.
    pub email_verified: Option<String>,
    /// Attribute supplying the display name.
    pub name: Option<String>,
    /// Attribute supplying the given name.
    pub first_name: Option<String>,
    /// Attribute supplying the family name.
    pub last_name: Option<String>,
    /// Additional profile-field-to-attribute pairs; the direction of the
    /// mapping is not fixed by this file — verify against the caller.
    pub extra_fields: Option<BTreeMap<String, String>>,
}