Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

Allow for multiple AttributeStatement tags per Assertion

Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

This was necessary to implement a real-world SSO integration,
which required handling multiple AttributeStatement elements
within a single assertion in a SAML response.
Originally this change was implemented in a private fork
by Thomas Knott for pysaml 2.2.0, and has been ported
by Sheila Allen for use in pysaml 4.6.0 to hopefully
merge upstream.
There was a similar PR for the same need by pcrownov:
https://github.com/IdentityPython/pysaml2/pull/205/files

Mock utcnow call used by time_util module to return the same date as the
IssueInstant date of the response.
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

Improve docstring for NameID and argtree.add_path

Raise ValueError for invalid attribute type

Without this patch, the AttributeValueBase set_text method checks for a
valid xsi:type before setting the text value, but when it gets to the
catchall case, instead of raising an exception it simply creates an
unassigned ValueError instance and does nothing with it. This is clearly
not intentional, and it is a problem because it means it is possible to
set an invalid xsi:type for an AttributeValue. This patch corrects the
error by raising the ValueError exception rather than letting it
disappear into the ether.

Specify the minimum build-tool version

The version=file:VERSION line in setup.cfg actually requires
setuptools>=40.0.0, so this adds a pyproject.toml file describing the
minimum build dependencies of the project.

Do not require a SAML authentication response to contain a NameID element - it is not required by the SAML 2.0 specification.
Invoke add_information_about_person only when resp.assertion.subject.name_id is available.

Added a test to test the parsing of an authentication response that does
not contain a <NameID> element.

The basic pySAML2 service provider class upon which SPs are built should
not require that a SAML authentication request response from an IdP
contains a SAML NameID element since it is not required by the SAML 2.0
specification. This change enables the parse_authn_request_response
method for the basic pySAML2 service provider class to successfully
parse a SAML authentication request response that does not contain a
SAML NameID element.

Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

Allow configuration and specification of id attribute name

Okta integration requires decryption id_attr to be set to 'Id'.
Add SAML2 response generated from okta into test directory, and
test that this is successfully decrypted using a properly
configured SecurityContext.

The id attribute name is used by xmlsec1 to find the correct attribute in the
given element that contains the id of the node that will be signed.
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

Retrieve SLO endpoint by the appropriate service type
This is triggered when the self.config object has not been created through the SPConfig class, or the IdPConfig class, or the config_factory() function, but directly through the Config class. This results in the config object not having a context, as it is empty by default.
When that happens and endpoint() is called without being passed a context parameter, then getattr() will fail to return the correct attribute.
The solution is to pass the context parameter when calling the endpoint() method. This is achieved by passing the entity_type attribute.
Moreover, _parse_response() used to call endpoint() only for BINDING_HTTP_REDIRECT and BINDING_HTTP_POST. Thus, return_addrs would be left empty for BINDING_SOAP.
The second part of the solution is adding BINDING_SOAP to the bindings that will be checked to fill in return_addrs.

Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

Initialize session_info before assignment

Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

Correctly pull the SAMLRequest from Redirect LogoutRequests

Include SCRIPT_NAME when checking if current URL is a logout endpoint

Fix a typo in Saml2Client.do_logout

Use "not_on_or_after" instead of "not_on_of_after" for the expiry entry in the state.

Introduce cryptography module

aes.py is deprecated and will be completely removed in a following release.
Users should switch to saml2.cryptography.symmetric instead.
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

Replace AESCipher with the default symmetric method.
Use the default key generation method to generate a key for the server.
Warn about the use of aes attribute of authn.UsernamePasswordMako class.
Hide cryptography details behind the saml2.cryptography module.
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

This module provides cryptographic elements needed by saml2. There are separate
modules for symmetric and asymmetric cryptography, as well as pki related
operations.
The default symmetric cryptography method used is Fernet by the cryptography
library. Reference: https://cryptography.io/en/latest/fernet/
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

Fix AES IV reuse - drop support for CTR and ECB - address CVE-2017-1000246

Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

Quoting @obi1kenobi:
> Initialization vector reuse like this is a security concern, since it leaks
> information about the encrypted data to attackers, regardless of the
> encryption mode used.
> Instead of relying on a fixed, randomly-generated IV, it would be better to
> randomly-generate a new IV for every encryption operation.
Breaks AESCipher ECB support
Reported as CVE-2017-1000246
Fixes #417
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

Fix warnings and minor cleanup

Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

commit afdf5b4a8cca33dbe746095d9442b958c5fa9a24 broke the RSA type that was
provided by Cryptodome.PublicKey.
This breakage did not seem to break tests or existing setups - I believe it is
safe to remove the code altogether.
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

Specify minimal version for cryptography package
Reference:
https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/#cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey.sign

Otherwise if pysaml is installed with an older release of cryptography package it would fail with
AttributeError: '_RSAPrivateKey' object has no attribute 'sign'

In accordance with Section _8.3 Name Identifier Format Identifiers_ of the
SAML2-core specification.
Only new definitions are added. Usage is not supported yet.
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

The nameid format
urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified
is invalid and not specified by any spec.
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

Tidy metadata and project files

Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>