forceauthn and allowcreate support

[peppelinux]

ForceAuthn and AllowCreate support in djangosaml2, enable this features in authnRequest.
This also introduce kwargs, usefull to generalize other arguments in pySAML2 calls.

now when we configure force_authn and name_id_format_allow_create in pySAML2 sp configuration, the authn requests will manage them.

Example:

SAML_CONFIG = {
    'debug' : True,
    'xmlsec_binary': get_xmlsec_binary(['/opt/local/bin',
                                        '/usr/bin/xmlsec1']),
    'entityid': '%s/metadata/' % BASE_URL,

    'attribute_map_dir': os.path.join(os.path.join(os.path.join(BASE_DIR,
                                                                'saml2_sp'),
                                      'saml2_config'),
                                      'attribute-maps'),

    'service': {
        'sp': {
            'name': '%s/metadata/' % BASE_URL,

            'name_id_format': [NAMEID_FORMAT_PERSISTENT,
                                          NAMEID_FORMAT_TRANSIENT],

            'endpoints': {
                'assertion_consumer_service': [
                    ('%s/acs/' % BASE_URL, saml2.BINDING_HTTP_POST),
                    ],
                "single_logout_service": [
                    ("%s/ls/post/" % BASE_URL, saml2.BINDING_HTTP_POST),
                    ("%s/ls/" % BASE_URL, saml2.BINDING_HTTP_REDIRECT),
                ],
                }, # end endpoints

            # Mandates that the identity provider MUST authenticate the
            # presenter directly rather than rely on a previous security context.
            "force_authn": False, # SPID
            'name_id_format_allow_create': False,

[sheilatron]

Could you provide links to the pysaml2 docs about what features this enables, and also enhance the djangosaml2 docs with this info?

Thanks!

[peppelinux]

@sheilatron

This way we can put in SAML_CONFIG['service']['sp']:

'force_authn': True
# and/or
'name_id_format_allow_create`: True

to have a SAML request with ForceAuthn and AllowCreate....

<ns0:AuthnRequest AssertionConsumerServiceURL="http://sp1.testunical.it:8000/saml2/acs/" Destination="http://idp1.testunical.it:9000/idp/sso/post" ForceAuthn="true" ID="id-J6EMSBhanmouUIjKr" IssueInstant="2019-05-23T20:38:32Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0" xmlns:ns0="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#">

[...]

<ns0:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>

Those parameters are SAML standards. pySAML2 documentation here:

• https://pysaml2.readthedocs.io/en/latest/howto/config.html#force-authn
• ... but nothing about allow_create ...

I made these patches with the help of python debugger.

[peppelinux]

@sheilatron here @c00kiemon5ter merged this documentation. It's available into the source project but not yet compiled into readthedocs

IdentityPython/pysaml2#632

[peppelinux]

@knaperek would you be interested also to this PR?
I use it in prodocution when force authn is the only way to handle faulty SLO implementation idp side.

then allow create for a better SAML2 compliance

[knaperek]

Sure, please rebase and I'll merge it. Thanks.

[peppelinux]

rebased, good to see you back on this project

[peppelinux]

allow create available into official pysaml2 documentation too:
https://github.com/IdentityPython/pysaml2/blob/master/docs/howto/config.rst#name_id_format_allow_create

from this commit
IdentityPython/pysaml2@a96c2f6#diff-66edb09e937a4de1d15f8066572c425a