Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
- Do not raise KeyError if entity-id is wrong
- Keep only the generator form, as it is more performant and generic
- Generalize internal searchers
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
umbrellaID is the federated identity system for the users of the
(European) large neutron and photon facilities.
This commit adds the mapping for the EAAHash and EEAKey,
which are used for identifying users in the umbrellaID AAI.
The return values are a list of text values. By default, return all possible values. Users
need to specify their own preference and choose whether they need one or more values.
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
Add Documentation for name_id_format_allow_create and metadata folder
Better pick binding by index
Added a file for holding tests around authentication requests
and added a first test to test that the IdP code can pick the
correct location from SAML metadata using the
AssertionConsumerServiceIndex from an authentication request.
Added a second HTTP-POST binding to the SAML metadata for test SP
so that it can be used for various tests.
Formatted some of the SP SAML metadata used for tests so that
it can be read by a human.
Fix logic in the pick_binding method for the class Entity that prevented
the method from properly returning binding and location tuples for
authentication requests with AssertionConsumerServiceIndex instead
of AssertionConsumerServiceURL. The logic error was assuming that
a getattr() call on a request without an AssertionConsumerServiceURL
would throw an AttributeError. It does not and instead returns None, so
the resulting path through the code would cause the "first" binding
and location tuple found in the SAML metadata to be returned instead
of the tuple corresponding to the AssertionConsumerServiceIndex.
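The getattr() assumption described above, shown as an added example beside the corrected check. This is not pysaml2's own pick_binding, but a hypothetical endpoint selector with the same shape; the SP metadata, endpoint URLs and function names are constructed for the illustration, and the decision to reject a URL or index that is not in metadata (instead of falling back to the first endpoint) is this example's choice:

```python
# Added example (not pysaml2's code): the getattr() pitfall behind the
# pick_binding bug, shown on a hypothetical endpoint selector.
from dataclasses import dataclass
from typing import Optional, Tuple

HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"


@dataclass
class AuthnRequest:
    """Stand-in for a parsed request. Like the real object, it always HAS both
    attributes; an absent XML attribute shows up as None, never as a missing
    Python attribute."""
    assertion_consumer_service_url: Optional[str] = None
    assertion_consumer_service_index: Optional[str] = None


# Constructed SP metadata: (index, binding, location) per AssertionConsumerService.
SP_ACS = [
    ("0", HTTP_POST, "https://sp.example.org/acs/post"),
    ("1", HTTP_ARTIFACT, "https://sp.example.org/acs/artifact"),
    ("2", HTTP_POST, "https://sp.example.org/acs/post-alt"),
]


def _select(acs, url, index) -> Tuple[str, str]:
    """Resolve (binding, location) from what the request asked for. Anything the
    request names that is not in the SP's metadata is rejected rather than
    silently mapped to the default endpoint."""
    if url:
        for _, binding, location in acs:
            if location == url:
                return binding, location
        raise LookupError("AssertionConsumerServiceURL not in SP metadata: %s" % url)
    if index is not None:
        for i, binding, location in acs:
            if i == index:
                return binding, location
        raise LookupError("AssertionConsumerServiceIndex not in SP metadata: %s" % index)
    # Neither given: the first endpoint listed in metadata is the SP's default.
    _, binding, location = acs[0]
    return binding, location


def pick_binding_buggy(req, acs=SP_ACS):
    """The logic the commit describes as wrong: it expects getattr() to raise
    when the URL is absent, so the index branch is dead code."""
    try:
        url = getattr(req, "assertion_consumer_service_url")  # returns None, no exception
        index = None
    except AttributeError:
        url = None
        index = getattr(req, "assertion_consumer_service_index", None)
    return _select(acs, url, index)


def pick_binding_fixed(req, acs=SP_ACS):
    """Test the value, not the exception."""
    url = getattr(req, "assertion_consumer_service_url", None)
    index = None if url else getattr(req, "assertion_consumer_service_index", None)
    return _select(acs, url, index)
```

With a request that carries only AssertionConsumerServiceIndex="1", the buggy variant answers with the HTTP-POST endpoint at index 0 and the fixed one with the HTTP-Artifact endpoint the SP asked for. Both endpoints come from the SP's own metadata, so the mistake does not send the response to an attacker, but it does deliver it over a binding the SP did not request.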
Various typo fixes
Fix PKCS_9 url:oid prefix in attributemaps
According to https://tools.ietf.org/html/rfc2985 the urn for emailAddress has to be `1.2.840.113549.1.9.1`.
In saml_uri.py this is not implemented correctly. The current version uses `PKCS_9+'1'` which equals to `1.2.840.113549.1.9.1.1`. This can be fixed by deleting the trailing '1.' from line 8. This should not cause any side-effects, because the variable `PKCS_9` in combination with `+'1'`.
Fixes #609
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
Fix simple typo: allowes -> allows
Fix simple typo: activites -> activities
Fix IdP example list
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
Following d257d3054f36b4f3dfaba8b7394a2e8bab0aaf2e the ForceAuthn attribute is
an xsd:boolean value which can be any of "false", "true", "0" or "1". We must
set force_authn when the value is "true" or "1".
We set the value into kwargs, which is then mirrored onto _args, which is
merged with args, which is finally given to the saml2.samlp.AuthnRequest class
to construct the object.
Previously, we set the value into args directly, which would be overwritten by
the call to _filter_args.
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
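An added example of the xsd:boolean handling the commit describes: ForceAuthn is honoured only for "true" or "1", "false" and "0" are not, and anything else is rejected rather than guessed. This is not pysaml2's code; the kwargs/_args merging inside the library is not reproduced, and the function names and the constructed AuthnRequest are hypothetical:

```python
# Added example (not pysaml2's code): strict handling of the xsd:boolean
# ForceAuthn attribute on an AuthnRequest. Function names are hypothetical.
import xml.etree.ElementTree as ET

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
XSD_TRUE = ("true", "1")
XSD_FALSE = ("false", "0")


def parse_xsd_boolean(value):
    """Lexical xsd:boolean -> bool. None stays None (attribute absent); any
    other string is an error, not a guess. Note that plain bool("false") is
    True, which is exactly the mistake to avoid."""
    if value is None:
        return None
    lexical = value.strip()  # xsd:boolean has whiteSpace=collapse
    if lexical in XSD_TRUE:
        return True
    if lexical in XSD_FALSE:
        return False
    raise ValueError("not an xsd:boolean: %r" % value)


def force_authn_requested(authn_request_xml):
    """True only when the request carries ForceAuthn="true" or ForceAuthn="1"."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != "{%s}AuthnRequest" % NS_SAMLP:
        raise ValueError("not a samlp:AuthnRequest: %s" % root.tag)
    return parse_xsd_boolean(root.get("ForceAuthn")) is True


def authn_request_xml(force_authn=None):
    """Constructed minimal AuthnRequest for the demo; None omits the attribute."""
    attr = "" if force_authn is None else ' ForceAuthn="%s"' % force_authn
    return (
        '<samlp:AuthnRequest xmlns:samlp="%s" ID="_constructed1" Version="2.0" '
        'IssueInstant="2019-05-14T20:31:13Z"%s/>' % (NS_SAMLP, attr)
    )
```

The check that matters for an IdP is the "1" case: a comparison against the literal "true" alone would let an SP that sends ForceAuthn="1" get a reused SSO session when it asked for fresh authentication.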
No need to generate an exception and stack trace.
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
Allow NameQualifier and SPNameQualifier attributes to be set for ePTID
Use "text" instead of "value" as the key that denotes the text-value of the
NameID node.
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
The attribute value for eduPersonTargetedID (ePTID) is a NameID
element. The SAML specification allows the NameID element to include
the two optional attributes 'NameQualifier' and 'SPNameQualifier'. This
patch enables specifying a dictionary as the internal or local attribute
value instead of a string. When the local attribute value is a
dictionary with keys 'value', 'NameQualifier', and 'SPNameQualifier'
then the resulting XML NameID element will include the 'NameQualifier'
and 'SPNameQualifier' attributes with values taken from the values
of the dictionary. The value for the NameID element is taken from the
value associated with the 'value' key.
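An added example of the string-or-dict NameID construction described in this commit and in the follow-up that renames the key from 'value' to 'text'. It is not pysaml2's attribute-mapping code; it builds the saml:NameID with the standard library, and the function names and the rejection of unknown keys and empty text are this example's choices:

```python
# Added example (not pysaml2's code): building the saml:NameID that carries an
# eduPersonTargetedID from either a plain string or a dict with the optional
# NameQualifier / SPNameQualifier attributes. Names are hypothetical.
import xml.etree.ElementTree as ET

NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NAMEID_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
ALLOWED_KEYS = frozenset({"text", "NameQualifier", "SPNameQualifier"})
ET.register_namespace("saml", NS_SAML)


def eptid_name_id(value, name_format=NAMEID_PERSISTENT):
    """Return a saml:NameID Element. A str becomes the text value; a dict uses
    its 'text' key (the key chosen in the follow-up commit, not 'value') and
    copies the two qualifiers when present. Unknown keys and an empty text are
    rejected so a misconfigured attribute map cannot issue an empty NameID."""
    el = ET.Element("{%s}NameID" % NS_SAML, {"Format": name_format})
    if isinstance(value, str):
        if not value:
            raise ValueError("empty NameID text")
        el.text = value
        return el
    if not isinstance(value, dict):
        raise TypeError("ePTID value must be str or dict, got %s" % type(value).__name__)
    unknown = set(value) - ALLOWED_KEYS
    if unknown:
        raise ValueError("unexpected NameID keys: %s" % sorted(unknown))
    text = value.get("text")
    if not text:
        raise ValueError("NameID dict needs a non-empty 'text'")
    el.text = text
    for attr in ("NameQualifier", "SPNameQualifier"):
        if value.get(attr):
            el.set(attr, value[attr])
    return el


def eptid_name_id_xml(value):
    """Serialized form, for inspection and for the tests."""
    return ET.tostring(eptid_name_id(value), encoding="unicode")
```

Rejecting a dict that still uses the old 'value' key is deliberate: after the rename, such a mapping would otherwise silently produce a NameID with no text.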
Add py37 as a test target
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
Fix parsing of assertions with Holder-of-Key profile
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
Instead of explicitly declaring `KeyInfo` as child of `SubjectConfirmationData`, use `extension_elements` to extract `KeyInfo` element(s).
Problem:
Holder-of-Key assertions are used to achieve higher levels of federation security, compared to bearer assertions, by having the Relying Party challenge the subscriber to prove possession of the key specified in the assertion that represents the subscriber, in addition to verifying the assertion itself signed by the Identity Provider. More information about it can be found in https://pages.nist.gov/800-63-3/sp800-63c.html
This library fails to parse SAML responses containing assertions with the Holder-of-Key profile, for example:
```
<ns1:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
<ns1:SubjectConfirmationData InResponseTo="id-KHlas49TtW2VdC8WN" NotOnOrAfter="2019-05-14T20:36:13Z" Recipient="https://sp:443/.auth/saml/login">
<ns2:KeyInfo>
<ns2:X509Data>
<ns2:X509Certificate>...</ns2:X509Certificate>
</ns2:X509Data>
</ns2:KeyInfo>
</ns1:SubjectConfirmationData>
</ns1:SubjectConfirmation>
```
fails to be parsed with the following error:
```
ERROR saml2.response:response.py:836 get subject
Traceback (most recent call last):
File "/home/abublich/repos/abliqo-pysaml2/venv/local/lib/python2.7/site-packages/pysaml2-4.7.0-py2.7.egg/saml2/response.py", line 828, in _assertion
self.get_subject()
File "/home/abublich/repos/abliqo-pysaml2/venv/local/lib/python2.7/site-packages/pysaml2-4.7.0-py2.7.egg/saml2/response.py", line 753, in get_subject
if not self._holder_of_key_confirmed(_data):
File "/home/abublich/repos/abliqo-pysaml2/venv/local/lib/python2.7/site-packages/pysaml2-4.7.0-py2.7.egg/saml2/response.py", line 730, in _holder_of_key_confirmed
[samlp, saml, xenc, ds]):
File "/home/abublich/repos/abliqo-pysaml2/venv/local/lib/python2.7/site-packages/pysaml2-4.7.0-py2.7.egg/saml2/__init__.py", line 1004, in extension_elements_to_elements
for extension_element in extension_elements:
TypeError: 'SubjectConfirmationData' object is not iterable
```
The root cause is two-fold:
1. The type SubjectConfirmationDataType_ does not declare KeyInfo as child element.
2. The bug in function _holder_of_key_confirmed: it should check KeyInfo child element of SubjectConfirmationData instead of SubjectConfirmationData itself.
Solution:
Fixed the root cause and added new unit tests that verify successful parsing of Holder-of-Key assertions.
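An added example of the two points in the root-cause analysis above: KeyInfo is read as a child of SubjectConfirmationData (not of SubjectConfirmationData's parent), and the certificate it names is compared with the one the client actually presented. This is not pysaml2's _holder_of_key_confirmed; it uses the standard library, the subject XML and the "certificate" bytes are constructed, and it assumes the presented certificate's DER is available from the transport layer:

```python
# Added example (not pysaml2's code): extracting the holder-of-key certificate
# from KeyInfo under SubjectConfirmationData and confirming it against the
# certificate the client actually presented. Names and data are constructed.
import base64
import re
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
CM_HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
CM_BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Not a real certificate: bytes standing in for the DER the TLS layer saw.
FAKE_DER = b"constructed-fake-DER-bytes-for-the-example"
_b64 = base64.b64encode(FAKE_DER).decode()
FAKE_B64_WRAPPED = _b64[:20] + "\n      " + _b64[20:]  # line-wrapped, as IdPs emit it

SUBJECT_TEMPLATE = """
<saml:Subject xmlns:saml="{saml}" xmlns:ds="{ds}">
  <saml:NameID>user@example.org</saml:NameID>
  <saml:SubjectConfirmation Method="{method}">
    <saml:SubjectConfirmationData InResponseTo="id-constructed" NotOnOrAfter="2019-05-14T20:36:13Z" Recipient="https://sp:443/.auth/saml/login">{keyinfo}</saml:SubjectConfirmationData>
  </saml:SubjectConfirmation>
</saml:Subject>
"""
KEYINFO = ("<ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate>"
           "</ds:X509Data></ds:KeyInfo>" % FAKE_B64_WRAPPED)
HOK_XML = SUBJECT_TEMPLATE.format(method=CM_HOLDER_OF_KEY, keyinfo=KEYINFO, **NS)
BEARER_XML = SUBJECT_TEMPLATE.format(method=CM_BEARER, keyinfo="", **NS)


def hok_certificates(subject_confirmation):
    """DER of each X509Certificate in KeyInfo children of SubjectConfirmationData.
    KeyInfo is looked up under SubjectConfirmationData, which is the element
    the second root cause above says must be inspected."""
    data = subject_confirmation.find("saml:SubjectConfirmationData", NS)
    if data is None:
        return []
    certs = []
    for cert in data.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
        certs.append(base64.b64decode(re.sub(r"\s+", "", cert.text or "")))
    return certs


def extract_hok_certificates(subject_xml):
    """All certificates named by holder-of-key confirmations in a saml:Subject."""
    subject = ET.fromstring(subject_xml.strip())
    certs = []
    for sc in subject.findall("saml:SubjectConfirmation", NS):
        if sc.get("Method") == CM_HOLDER_OF_KEY:
            certs.extend(hok_certificates(sc))
    return certs


def confirm_holder_of_key(subject_xml, presented_der):
    """True only if a holder-of-key confirmation names the certificate the
    client proved possession of. A bearer confirmation never satisfies this,
    and a match proves nothing unless the assertion's own signature has
    already been verified."""
    return any(der == presented_der for der in extract_hok_certificates(subject_xml))
```

The comparison is on the DER bytes, so a certificate whitespace-wrapped by the IdP still matches the one the TLS layer presents; the check must run after signature verification of the assertion, since an unsigned assertion can name any certificate.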
Explicit request of cherrypy version for the example application
Unless you are pulling always from https://pypi.org/simple, it is possible
that you might get an older version of `cherrypy`.
Make sure we request a "relatively recent" version.
`pip install 'CherryPy>14.0.2,<15'` gave `CherryPy-14.2.0`, which works.