// Helper method for benchmarking various methods
func benchmarkSigning(b *testing.B, method jwt.SigningMethod, key interface{}) {
t := jwt.New(method)
b.RunParallel(func(pb *testing.PB) {
for pb.Next() {
if _, err := t.SignedString(key); err != nil {
b.Fatal(err)
}
}
})
}
// Login performs the necessary actions to start an SP initiated login.
func (sp *ServiceProvider) InitiateLogin(w http.ResponseWriter) error {
acsURL, _ := url.Parse(sp.AcsURL)
binding := HTTPRedirectBinding
bindingLocation := sp.GetSSOBindingLocation(binding)
if bindingLocation == "" {
binding = HTTPPostBinding
bindingLocation = sp.GetSSOBindingLocation(binding)
}
req, err := sp.MakeAuthenticationRequest(bindingLocation)
if err != nil {
return err
}
relayState := base64.URLEncoding.EncodeToString(randomBytes(42))
state := jwt.New(jwt.GetSigningMethod("HS256"))
claims := state.Claims.(jwt.MapClaims)
claims["id"] = req.ID
signedState, err := state.SignedString(sp.cookieSecret())
if err != nil {
return err
}
http.SetCookie(w, &http.Cookie{
Name: fmt.Sprintf("saml_%s", relayState),
Value: signedState,
MaxAge: int(MaxIssueDelay.Seconds()),
HttpOnly: false,
Path: acsURL.Path,
})
if binding == HTTPRedirectBinding {
redirectURL := req.Redirect(relayState)
w.Header().Add("Location", redirectURL.String())
w.WriteHeader(http.StatusFound)
return nil
}
if binding == HTTPPostBinding {
w.Header().Set("Content-Security-Policy", ""+
"default-src; "+
"script-src 'sha256-D8xB+y+rJ90RmLdP72xBqEEc0NUatn7yuCND0orkrgk='; "+
"reflected-xss block; "+
"referrer no-referrer;")
w.Header().Add("Content-type", "text/html")
w.Write([]byte(`<!DOCTYPE html><html><body>`))
w.Write(req.Post(relayState))
w.Write([]byte(`</body></html>`))
return nil
}
panic("not reached")
}
