forceauthn and allowcreate support#151

Merged
knaperek merged 1 commit intoIdentityPython:masterfrom
peppelinux:forceauthn_allowcreate
Dec 16, 2019

Conversation

@peppelinux
Member

@peppelinux peppelinux commented Apr 19, 2019

ForceAuthn and AllowCreate support in djangosaml2: enables these features in the AuthnRequest.
This also introduces kwargs, useful to generalize other arguments in pySAML2 calls.

Now, when we configure force_authn and name_id_format_allow_create in the pySAML2 SP configuration, the authn requests will carry them.

Example:

```python
import os
import saml2
from saml2.saml import NAMEID_FORMAT_PERSISTENT, NAMEID_FORMAT_TRANSIENT
from saml2.sigver import get_xmlsec_binary

# BASE_URL and BASE_DIR are assumed to be defined elsewhere in the Django settings.

SAML_CONFIG = {
    'debug' : True,
    'xmlsec_binary': get_xmlsec_binary(['/opt/local/bin',
                                        '/usr/bin/xmlsec1']),
    'entityid': '%s/metadata/' % BASE_URL,

    'attribute_map_dir': os.path.join(BASE_DIR,
                                      'saml2_sp',
                                      'saml2_config',
                                      'attribute-maps'),

    'service': {
        'sp': {
            'name': '%s/metadata/' % BASE_URL,

            'name_id_format': [NAMEID_FORMAT_PERSISTENT,
                               NAMEID_FORMAT_TRANSIENT],

            'endpoints': {
                'assertion_consumer_service': [
                    ('%s/acs/' % BASE_URL, saml2.BINDING_HTTP_POST),
                    ],
                "single_logout_service": [
                    ("%s/ls/post/" % BASE_URL, saml2.BINDING_HTTP_POST),
                    ("%s/ls/" % BASE_URL, saml2.BINDING_HTTP_REDIRECT),
                ],
                }, # end endpoints

            # Mandates that the identity provider MUST authenticate the
            # presenter directly rather than rely on a previous security context.
            "force_authn": False, # SPID
            # Whether the IdP may create a new persistent identifier for the
            # user if none exists yet (NameIDPolicy AllowCreate).
            'name_id_format_allow_create': False,
        }, # end sp
    }, # end service
}
```

@sheilatron
Contributor

Could you provide links to the pysaml2 docs about what features this enables, and also enhance the djangosaml2 docs with this info?

Thanks!

@peppelinux
Member Author

peppelinux commented May 23, 2019

@sheilatron

This way we can put in SAML_CONFIG['service']['sp']:

```python
'force_authn': True
# and/or
'name_id_format_allow_create': True
```

to have a SAML request with ForceAuthn and AllowCreate...

```xml
<ns0:AuthnRequest AssertionConsumerServiceURL="http://sp1.testunical.it:8000/saml2/acs/" Destination="http://idp1.testunical.it:9000/idp/sso/post" ForceAuthn="true" ID="id-J6EMSBhanmouUIjKr" IssueInstant="2019-05-23T20:38:32Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0" xmlns:ns0="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#">

[...]

<ns0:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
```

Those parameters are SAML standards. pySAML2 documentation here:

I made these patches with the help of the Python debugger.
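As an added example (not part of this PR and not djangosaml2 or pySAML2 code): a stdlib-only check an SP operator can run over an outgoing AuthnRequest, such as the one quoted above, to confirm that `force_authn` and `name_id_format_allow_create` from `SAML_CONFIG['service']['sp']` actually reached the wire. The sample XML is constructed from the excerpt above; the function names are my own, and the SAML 2.0 defaults are assumed (an absent ForceAuthn or AllowCreate attribute means false).

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample, trimmed from the AuthnRequest quoted in this thread.
SAMPLE_AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="id-J6EMSBhanmouUIjKr" Version="2.0" IssueInstant="2019-05-23T20:38:32Z"
    Destination="http://idp1.testunical.it:9000/idp/sso/post" ForceAuthn="true"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <saml:Issuer>http://sp1.testunical.it:8000/saml2/metadata/</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true"
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
</samlp:AuthnRequest>"""


def _xml_bool(value):
    # SAML attributes are xs:boolean; a missing attribute means false (SAML 2.0 core).
    return value is not None and value.strip() in ("true", "1")


def authn_request_flags(xml_text):
    """Extract ForceAuthn / NameIDPolicy settings from an AuthnRequest we produced.
    (For XML received from a peer, parse with defusedxml instead of plain ElementTree.)"""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % SAMLP:
        raise ValueError("not a samlp:AuthnRequest: %s" % root.tag)
    policy = root.find("{%s}NameIDPolicy" % SAMLP)
    return {
        "force_authn": _xml_bool(root.get("ForceAuthn")),
        "allow_create": _xml_bool(policy.get("AllowCreate")) if policy is not None else False,
        "name_id_format": policy.get("Format") if policy is not None else None,
    }


def check_request_against_sp_config(sp_config, xml_text):
    """Return the mismatches between the SP config dict (SAML_CONFIG['service']['sp'])
    and what the request actually carries; an empty list means the settings took effect."""
    flags = authn_request_flags(xml_text)
    expected = {
        "force_authn": bool(sp_config.get("force_authn", False)),
        "allow_create": bool(sp_config.get("name_id_format_allow_create", False)),
    }
    return [
        "%s: config says %s, request carries %s" % (key, expected[key], flags[key])
        for key in expected if expected[key] != flags[key]
    ]
```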

@peppelinux
Member Author

@sheilatron here @c00kiemon5ter merged this documentation. It's available in the source project but not yet compiled into readthedocs:

IdentityPython/pysaml2#632

@peppelinux
Member Author

@knaperek would you also be interested in this PR?
I use it in production, where force authn is the only way to handle a faulty SLO implementation on the IdP side.

Then allow create, for better SAML2 compliance.

@knaperek
Collaborator

Sure, please rebase and I'll merge it. Thanks.

@peppelinux
Member Author

Rebased, good to see you back on this project.

@knaperek knaperek merged commit 464d6ef into IdentityPython:master Dec 16, 2019
@peppelinux
Member Author

peppelinux commented Dec 16, 2019
