author | Ivan Kanakarakis <ivan.kanak@gmail.com> | 2020-09-12 23:46:29 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-09-12 23:46:29 +0300 |
commit | ecc690ef8b4b4a4f7564f042ab97e4e6c66bf7be (patch) | |
tree | 8f0b873f185ec5cea3f63bded3df23eaa574ea03 | |
parent | 9f0de5891b1ca6830dfde44b1a13ee4e7585fe8c (diff) | |
parent | 351bb6a7f09edee5eac9e2e895493d123642c6b4 (diff) | |
download | pysaml2-ecc690ef8b4b4a4f7564f042ab97e4e6c66bf7be.tar.gz |
Merge pull request #715 from peppelinux/nameid_format_example
Document more configuration options and entity category settings
-rw-r--r-- | docs/howto/config.rst | 126 |
1 files changed, 113 insertions, 13 deletions
diff --git a/docs/howto/config.rst b/docs/howto/config.rst index a46927a4..c4279974 100644 --- a/docs/howto/config.rst +++ b/docs/howto/config.rst @@ -159,16 +159,6 @@ Since *to* in most cases is the inverse of the *fro* file, the software allows you only to specify one of them, and it will automatically create the other. -cert_file -^^^^^^^^^ - -Example:: - - cert_file: "cert.pem" - -This is the public part of the service private/public key pair. -*cert_file* must be a PEM formatted file with a single certificate. - contact_person ^^^^^^^^^^^^^^ @@ -228,6 +218,30 @@ Example:: of the service. This is currently used both to encrypt/sign assertions and as the client key in an HTTPS session. +cert_file +^^^^^^^^^ + +Example:: + + cert_file: "cert.pem" + +This is the public part of the service private/public key pair. +*cert_file* must be a PEM formatted file with a single certificate. + + +encryption_keypairs +^^^^^^^^^^^^^^^^^^^ + +Indicates which certificates will be used for encryption capabilities:: + + # Encryption + 'encryption_keypairs': [ + { + 'key_file': BASE_DIR + '/certificates/private.key', + 'cert_file': BASE_DIR + '/certificates/public.cert', + }, + ], + metadata ^^^^^^^^ @@ -258,6 +272,11 @@ For example:: "cert": "ukfederation-mdq.pem", "freshness_period": "P0Y0M0DT2H0M0S", }, + { + "url": "https://mdq.thaturl.org/", + "disable_ssl_certificate_validation": True, + "check_validity": False, + }, ], }, 
@@ -269,6 +288,12 @@ metadata signing certificates should be used. These public keys must be acquired by some secure out-of-band method before being placed on the local file system. +When the parameter *check_validity* is set to False metadata that have expired +will be accepted as valid. + +When the paramenter *disable_ssl_certificate_validation* is set to True the +validity of ssl certificate will be skipped. + When using MDQ, the `freshness_period` option can be set to define a period for which the metadata fetched from the the MDQ server are considered fresh. After that period has passed the metadata are not valid anymore and must be fetched @@ -382,6 +407,13 @@ difference you are prepared to accept. .. note:: This will indiscriminately affect all time comparisons. Hence your server may accept a statement that in fact is too old. +allow_unknown_attributes +"""""""""""""""""""""""" + +Indicates that attributes that are not recognized (they are not configured in +attribute-mapping), will not be discarded. +Default to False. + xmlsec_binary ^^^^^^^^^^^^^ @@ -435,6 +467,11 @@ sign_response Specifies if the IdP should sign the authentication response or not. Can be True or False. Default is False. +want_authn_requests_only_with_valid_cert +"""""""""""""""""""""""""""""""""""""""" + +When verifying a signed AuthnRequest ignore the signature and verify the +certificate. policy """""" @@ -599,7 +636,7 @@ metadata of an entity. Example:: "service": { - "idp": { + "sp": { "name_id_format": [ "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent", "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", @@ -622,7 +659,6 @@ Example:: } } - hide_assertion_consumer_service """"""""""""""""""""""""""""""" 
@@ -881,6 +917,19 @@ Example:: }, }, +only_use_keys_in_metadata +""""""""""""""""""""""""" + +If set to False, the certificate contained in a SAML message will be used for +signature verification. +Default True. + +validate_certificate +"""""""""""""""""""" + +Indicates that the certificate used in sign SAML messages must be valid. +Default to False. + logout_requests_signed """""""""""""""""""""" 
@@ -1045,4 +1094,55 @@ Other considerations Entity Categories ----------------- -Entity categories and their attributes are defined in src/saml2/entity_category/<registrar of entcat>.py + +Entity categories and their attributes are defined in +src/saml2/entity_category/<registrar-of-entity-category>.py. +We can configure Entity Categories in pysaml2 in two ways: + +1. Using the configuration options *entity_category_support* or + *entity_category*, to generate the appropriate EntityAttribute metadata + elements. +2. Using the configuration option *entity_categories* as part of the policy + configuration, to make the entity category work as a filter on the + attributes that will be released. + +If the entity categories are configured as metadata, as follow:: + + 'debug' : True, + 'xmlsec_binary': get_xmlsec_binary([/usr/bin/xmlsec1']), + 'entityid': '%s/metadata' % BASE_URL, + + # or entity_category: [ ... ] + 'entity_category_support': [ + edugain.COCO, # "http://www.geant.net/uri/dataprotection-code-of-conduct/v1" + refeds.RESEARCH_AND_SCHOLARSHIP, + ], + + 'attribute_map_dir': 'data/attribute-maps', + 'description': 'SAML2 IDP', + + 'service': { + 'idp': { + ... + +In the metadata we'll then have:: + + <md:Extensions> + <mdattr:EntityAttributes> + <saml:Attribute Name="http://macedir.org/entity-category-support" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> + <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue> + <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">http://refeds.org/category/research-and-scholarship</saml:AttributeValue> + </saml:Attribute> + </mdattr:EntityAttributes> + +If the entity categories are configurated in the policy section, they will act +as filters on the released attributes. 
+ +Example:: + + "policy": { + "default": { + "lifetime": {"minutes": 15}, + # if the SP is not conform to entity_categories + # the attributes will not be released + "entity_categories": ["refeds",], |