Skip to content

zitadel/saml

SAML SDK (server) for Go

semantic-release Release license release Go Report Card codecov

What is it

This project is a server implementation for the Security Assertion Markup Language (SAML) standard written for Go.

Basic Overview

The most important packages of the library:

/pkg
    /provider definitions and implementation of a SAML provider (Identity provider)
        /serviceprovider definitions and implementation of a SAML user (Service provider)
        /xml definitions of SAML xml messages
        /checker helper to abstract the SAML standard in the processes
        /signature implementation to handle and create SAML signature

Features

Supported SAML features:

Feature Identity provider
POST-binding yes
Redirect-binding yes
Artifact-binding no
Request signing yes
Response signing yes
Metadata signing yes
Response encryption no
Assertion Query/Request no
Attribute Query yes
NameID Mapping no

Resources

For your convenience you can find the relevant standards linked below.

Supported Go Versions

For security reasons, we only support and recommend the use of one of the latest three Go versions (:white_check_mark:) .
Versions that also build are marked with ⚠️.

Version Supported
<1.19
1.19 ⚠️
1.20
1.21

Why another library

As of 2021 there are only few SAML libraries, written in Go, which handle server and client implementations. As maintainer of github.com/zitadel/zitadel we are strongly committed to the general field of IAM (Identity and Access Management) and as such, we need solid frameworks to implement services.

The existing libraries that we evaluated were not implementing the standard strictly. For that reason we developed this project to be compliant to the standard, while still having the possibility to handle outliers.

For signing and signature verification other already existing implementations like github.com/russellhaering/goxmldsig(for POST-binding) and github.com/amdonov/xmlsig(for redirect-binding).

Other SAML libraries

https://github.com/crewjam/saml

Supports both IDP and SP side, whereas the IDP side is by their own definition only rudimentary.

https://github.com/russellhaering/gosaml2

Implementation of SP side with no IDP side, works with a lot of identity providers, also has an implementation of the XML signing which is used in this library.

https://github.com/RobotsAndPencils/go-saml

Only SP side, developed for several specific integrations with different IDPs, not an implementation for general SAML.

https://github.com/amdonov/lite-idp

Basic implementation of IDP side more as a standalone service, not that good to integrate into existing product.

License

The full functionality of this library is and stays open source and free to use for everyone. Visit our website and get in touch.

See the exact licensing terms here

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an " AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.