| Commit message | Author | Age | Files | Lines |
ResponseLocation [Optional]
Optionally specifies a different location to which response messages sent as part of
the protocol or profile should be sent. The allowable syntax of this URI depends on
the protocol binding.
The ResponseLocation attribute is used to enable different endpoints to be specified for
receiving request and response messages associated with a protocol or profile, not as a
means of load-balancing or redundancy (multiple elements of this type can be included
for this purpose). When a role contains an element of this type pertaining to a protocol
or profile for which only a single type of message (request or response) is applicable,
then the ResponseLocation attribute is unused. [E41] If the ResponseLocation attribute is
omitted, any response messages associated with a protocol or profile may be assumed to
be handled at the URI indicated by the Location attribute.
ArtifactResolutionService, SingleSignOnService and NameIDMappingService MUST omit the
ResponseLocation attribute. This is enforced here, but metadata with such service
declarations and such attributes should not have been part of the metadata store in the
first place.
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
making sure that ResponseLocation behaves properly when present and that
Location is used in its place when missing
The debug logs become part of the XML metadata.
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
Set the default attribute NameFormat to NAME_FORMAT_UNSPECIFIED
section 2.7.3.1 of the spec
Update to key generation to 2048 bits in example/create_key.sh
Increase key size to prevent:
ssl.SSLError: [SSL: EE_KEY_TOO_SMALL] ee key too small (_ssl.c:3542)
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
Document more configuration options and entity category settings
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
|
| | | | |
|
|/ / / |
|
|\ \ \
| |/ /
|/| | |
Replace assert statements
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
Allow request signing in artifact2message
Fix wrong identifiers for ecdsa algos
Fix automatic inversion of attribute map files
In order for automatic inversion of attribute maps to work, we need to accept
definitions of attribute maps with only one of `to` or `fro`.
We have three copies of the code that looks for attribute map definitions in a
python module: let's factor them out.
Remove spurious `exception` logging
These two `logger.exception` calls are both incorrect, because neither is in
an `except` block, which means that they will log a stacktrace for whatever
the most recent exception was (which may be wholly unrelated).
Introduce new configuration option `entity_attributes` that defines a list of
dictionaries each of which represents an <Attribute> element. Each dictionary has fields
for the NameFormat, the Name, the FriendlyName and a list of strings that are used to
create <AttributeValue> elements, each with the string as the text node.
"entity_attributes": [
{
"name_format": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
"name": "urn:oasis:names:tc:SAML:profiles:subject-id:req",
# "friendly_name" is not set
"values": ["any"],
},
]
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
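The mapping the commit message describes (one dictionary per `<Attribute>`, one `<AttributeValue>` per string) can be rendered with nothing but the standard library. The code below is an added example written for this page; it is not pysaml2's own implementation and does not use its API. It assumes the output belongs inside an `<mdattr:EntityAttributes>` container (the SAML metadata extension that carries entity attributes) and uses a constructed two-entry config, the first entry copied from the commit message and the second a hypothetical entity-category attribute.

```python
"""Render an ``entity_attributes``-style config list as SAML metadata XML.

Added example, not pysaml2 code: it reproduces only the mapping stated in
the commit message (name_format -> NameFormat, name -> Name,
friendly_name -> FriendlyName, values -> one <AttributeValue> per string).
"""
import xml.etree.ElementTree as ET

NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS_MDATTR = "urn:oasis:names:tc:SAML:metadata:attribute"
ET.register_namespace("saml", NS_SAML)
ET.register_namespace("mdattr", NS_MDATTR)

# Constructed sample config, shaped like the snippet in the commit message.
ENTITY_ATTRIBUTES = [
    {
        "name_format": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
        "name": "urn:oasis:names:tc:SAML:profiles:subject-id:req",
        # "friendly_name" is not set
        "values": ["any"],
    },
    {
        # hypothetical second entry: an entity-category attribute
        "name_format": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
        "name": "http://macedir.org/entity-category",
        "friendly_name": "entity-category",
        "values": ["http://refeds.org/category/research-and-scholarship"],
    },
]


def build_entity_attributes(config):
    """Return an <mdattr:EntityAttributes> Element for a list of attribute dicts."""
    root = ET.Element(f"{{{NS_MDATTR}}}EntityAttributes")
    for entry in config:
        if not entry.get("name"):
            # Name is the one required attribute of <saml:Attribute>
            raise ValueError("each entity attribute needs a non-empty 'name'")
        attr = ET.SubElement(root, f"{{{NS_SAML}}}Attribute")
        attr.set("Name", entry["name"])
        # NameFormat and FriendlyName are optional: emit them only when configured
        if entry.get("name_format"):
            attr.set("NameFormat", entry["name_format"])
        if entry.get("friendly_name"):
            attr.set("FriendlyName", entry["friendly_name"])
        for value in entry.get("values", []):
            ET.SubElement(attr, f"{{{NS_SAML}}}AttributeValue").text = value
    return root


def render(config):
    """Serialise the EntityAttributes element to a unicode XML string."""
    return ET.tostring(build_entity_attributes(config), encoding="unicode")


def attribute_values(xml_text, name):
    """Parse rendered XML and return the values of the attribute called ``name``.

    Used here to check the round trip; an empty list means the attribute is absent.
    """
    root = ET.fromstring(xml_text)
    for attr in root.findall(f"{{{NS_SAML}}}Attribute"):
        if attr.get("Name") == name:
            return [v.text for v in attr.findall(f"{{{NS_SAML}}}AttributeValue")]
    return []


if __name__ == "__main__":
    print(render(ENTITY_ATTRIBUTES))
```

Because `FriendlyName` and `NameFormat` are only set when present in the dictionary, an entry that omits `friendly_name`, as the commit message's snippet does, produces an `<Attribute>` without that XML attribute rather than an empty one.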
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
This reverts commit b8539198eb02149510a831e2c93c88ef8c438042.
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
The `name_id_format` configuration option is used to define
1. the value of the `<NameIDFormat>` metadata element
2. and the value of the `<NameIDPolicy>` `Format` attribute in an `AuthnRequest`
The configuration option to set what the value of `<NameIDFormat>` element is in the
metadata should be different from the configuration option to specify what should be
requested in an `AuthnRequest` through the `<NameIDPolicy Format="...">` attribute.
Introduce a new option (`name_id_policy_format`), or use the same name but scoped in a
specific section for metadata and AuthnRequest.
On the side of this, pysaml2 defaults to _transient_ as the `<NameIDPolicy
Format="...">` attribute value. To omit requesting a value for the `<NameIDPolicy
Format="">` attribute the value `"None"` (a string) must be set in the configuration.
This is unintuitive. It is better to be explicit and set transient to request a
transient NameID, than not setting a value and requesting transient by default. If no
value is set, no specific `<NameIDPolicy Format="...">` should be requested.
- Refactor the name_id_format usage
- Add name_id_policy_format configuration option
- Remove the "None" convention value
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
johanlundberg/lundberg_entity_category_and_attribute_mapping
SwedenConnect attribute mapping and SWAMID entity category, part 2
Update documentation for additional_cert_files and cert_file
Mention `additional_cert_files` and the fact that `cert_file` only accepts a single cert and not a chain
johanlundberg/lundberg_entity_category_and_attribute_mapping
Add SwedenConnect attribute mapping and SWAMID entity category