authorHans Hörberg <hans.horberg@umu.se>2014-03-03 10:13:11 +0100
committerHans Hörberg <hans.horberg@umu.se>2014-03-03 10:13:11 +0100
commit82ee848213c17e30f31517a6ba458418a6b58058 (patch)
treee9fbdd959f8ed8aa5ddb4ad3617f2f4222ade3c6 /src/saml2/md.py
parent234ce011cf1b0fc85c35f43dc8f4883e1598fe1f (diff)
downloadpysaml2-82ee848213c17e30f31517a6ba458418a6b58058.tar.gz
Only validate certificate and set client certificate tp authn request.
Made it possible for the IdP to only validate the certificate without verifying the signature. This is needed when the proxy sends the SP certificate to the IdP. Also made it possible to send the certificate that should be used when the authn request is created.
Diffstat (limited to 'src/saml2/md.py')
-rw-r--r--src/saml2/md.py6
1 files changed, 6 insertions, 0 deletions
diff --git a/src/saml2/md.py b/src/saml2/md.py
index 81b2ef24..9b7bee7f 100644
--- a/src/saml2/md.py
+++ b/src/saml2/md.py
@@ -1041,6 +1041,8 @@ class IDPSSODescriptorType_(SSODescriptorType_):
c_cardinality['attribute'] = {"min": 0}
c_attributes['WantAuthnRequestsSigned'] = ('want_authn_requests_signed',
'boolean', False)
+ c_attributes['WantAuthnRequestsOnlyWithValidCert'] = ('want_authn_requests_only_with_valid_cert',
+ 'boolean', False)
c_child_order.extend(['single_sign_on_service', 'name_id_mapping_service',
'assertion_id_request_service', 'attribute_profile',
'attribute'])
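Review bot: The new `WantAuthnRequestsOnlyWithValidCert` entry in `c_attributes` carries no comment marking it as a pysaml2-specific extension, and it is registered as an unqualified attribute right next to the standard `WantAuthnRequestsSigned`. As far as I know, the SAML metadata schema only allows extension attributes from another namespace on role descriptors, so strict consumers may reject or drop it; this is worth confirming. Going by the commit description, the flag means the IdP checks the certificate without verifying the request signature, which does not prove that the sender holds the matching private key. A comment such as `# pysaml2 extension, not part of SAML metadata; certificate check only, does NOT replace WantAuthnRequestsSigned` would keep it from being read as an equivalent control. The class body continues outside the hunk.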
@@ -1069,6 +1071,7 @@ class IDPSSODescriptorType_(SSODescriptorType_):
text=None,
extension_elements=None,
extension_attributes=None,
+ want_authn_requests_only_with_valid_cert=None,
):
SSODescriptorType_.__init__(self,
artifact_resolution_service=artifact_resolution_service,
@@ -1095,6 +1098,7 @@ class IDPSSODescriptorType_(SSODescriptorType_):
self.attribute_profile = attribute_profile or []
self.attribute = attribute or []
self.want_authn_requests_signed = want_authn_requests_signed
+ self.want_authn_requests_only_with_valid_cert = want_authn_requests_only_with_valid_cert
def idpsso_descriptor_type__from_string(xml_string):
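Review bot: `self.want_authn_requests_only_with_valid_cert` is stored exactly as passed, with no coercion to a boolean, and nothing documents which values it can hold. If the value arrives from parsed metadata as the text `"true"`/`"false"` (presumably the same as `want_authn_requests_signed`; the parsing code is outside this hunk), a plain truthiness check in a consumer would treat `"false"` as enabled and switch the IdP to the weaker certificate-only path. I would add a comment on the assignment, for example `# None, or the XML boolean as text ("true"/"false"); compare explicitly, never by truthiness`. The `__init__` body starts outside the hunk.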
@@ -2012,3 +2016,5 @@ ELEMENT_BY_TAG = {
def factory(tag, **kwargs):
return ELEMENT_BY_TAG[tag](**kwargs)
+
+