Commit message | Author | Age | Files | Lines
(Indented entries are the commits brought in by the preceding merge commit.)
* Release version 6.5.2 (tag: v6.5.2) | Ivan Kanakarakis | 2021-05-18 | 2 | -1/+21
    Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Add shibmd_scopes metadata extractor | Ivan Kanakarakis | 2021-05-18 | 3 | -16/+107
    Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Merge pull request #801 from ErwinJunge/response-issuer-none | Ivan Kanakarakis | 2021-05-18 | 2 | -28/+61
    Issuer in a Response is optional
  * Format code | Ivan Kanakarakis | 2021-05-18 | 2 | -39/+44
      Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
  * Derive the issuer value then return it | Ivan Kanakarakis | 2021-05-18 | 1 | -4/+6
      Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
  * Response issuer can be None | Erwin Junge | 2021-05-05 | 2 | -1/+27
* Set expected_binding for SLO from preferred_binding as configured | Ivan Kanakarakis | 2021-05-18 | 1 | -0/+5
    Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Fix sign flags on logout | Ivan Kanakarakis | 2021-05-17 | 1 | -2/+4
    Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Merge pull request #804 from saifelse/patch-1 | Ivan Kanakarakis | 2021-05-17 | 1 | -2/+2
    Update Travis CI badge from travis-ci.org to travis-ci.com
  * Update Travis CI badge from travis-ci.org -> travis-ci.com | Saif Hakim | 2021-05-13 | 1 | -2/+2
      travis-ci.org is shutting down in several weeks, with all accounts migrating to travis-ci.com. This repository was already migrated to travis-ci.com, so update the badge to reflect that.
* Merge pull request #797 from dirkmueller/master | Ivan Kanakarakis | 2021-05-15 | 1 | -2/+3
    Always use base64.encodebytes; base64.encodestring has been dropped
  * Always use base64.encodebytes; base64.encodestring has been dropped | Dirk Mueller | 2021-04-26 | 1 | -2/+3
      Signed-off-by: Dirk Mueller <dirk@dmllr.de>
* Merge pull request #783 from peppelinux/issue_instant | Ivan Kanakarakis | 2021-04-20 | 1 | -1/+1
    Fix IssueInstant validation
  * fix: invalid IssueInstant | peppelinux | 2021-03-20 | 1 | -1/+1
* Merge pull request #794 from johanlundberg/lundberg_fix_missing_friendly_name | Ivan Kanakarakis | 2021-04-18 | 3 | -3/+155
    Fix crash when applying policy on RequestedAttribute without a friendlyName
  * Try to get the friendlyName of the required RequestedAttribute else derive it using the canonical Name | Ivan Kanakarakis | 2021-04-18 | 2 | -14/+27
      Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
  * Bandaid for crash when friendlyName is not set in metadata | Johan Lundberg | 2021-04-16 | 3 | -4/+143
* Sign logout requests according to logout_requests_signed config option | Ivan Kanakarakis | 2021-04-09 | 2 | -1/+6
    Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Merge pull request #762 from omizrahi99/master | Ivan Kanakarakis | 2021-03-08 | 1 | -2/+2
    Minor bug fix to metadata function in example IdP
  * make metadata path the same as entityid | ori15 | 2021-01-14 | 1 | -1/+1
  * fixed example/idp.py to properly return metadata | ori15 | 2021-01-14 | 1 | -1/+1
* Merge pull request #772 from peppelinux/unhandled_audience_restr | Ivan Kanakarakis | 2021-03-08 | 1 | -2/+2
    Correctly handle AudienceRestriction elements with no value
  * Response with unvalued AudienceRestriction (Condition) Handling | peppelinux | 2021-01-24 | 1 | -2/+2
* Merge pull request #766 from peppelinux/invalid_assertion | Ivan Kanakarakis | 2021-03-07 | 1 | -1/+5
    Raise InvalidAssertion exception when assertion requirements are not met
  * InvalidAssertion Exception | peppelinux | 2021-01-24 | 1 | -1/+5
* Merge pull request #763 from peppelinux/invalid_destination_url | Ivan Kanakarakis | 2021-03-07 | 1 | -2/+9
    Invalid Destination URL Exception Handling
  * Invalid Destination URL Exception Handling | peppelinux | 2021-01-24 | 1 | -2/+9
* tests: Do not hardcode the namespace prefix for encrypted assertions | Ivan Kanakarakis | 2021-03-07 | 1 | -5/+9
    Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Merge pull request #779 from peppelinux/metadata_exp_handler | Ivan Kanakarakis | 2021-03-07 | 3 | -3/+19
    Raise SAMLError on failure to parse a metadata file
  * Raise SAMLError when metadata file cannot be parsed | Ivan Kanakarakis | 2021-03-07 | 3 | -6/+17
      Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
  * Remove whitespace changes | Ivan Kanakarakis | 2021-03-07 | 1 | -1/+2
      Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
  * Metadata Parse error Exception handling | peppelinux | 2021-03-06 | 2 | -4/+8
* Merge pull request #757 from peppelinux/authn_3tuple_acs | Ivan Kanakarakis | 2021-03-07 | 1 | -1/+6
    Handle all types of ACS endpoint specifications
  * Fixes https://github.com/IdentityPython/pysaml2/issues/599 | peppelinux | 2020-12-26 | 1 | -1/+6
      The SP authnReq now works with a 3-tuple (URL+binding+index) ACS service conf
* Merge pull request #776 from JanZerebecki/xmlschema-version | Ivan Kanakarakis | 2021-01-29 | 1 | -1/+1
    Set minimum version needed for xmlschema
  * specify minimum version needed for xmlschema | Jan Zerebecki | 2021-01-29 | 1 | -1/+1
      Sandbox mode was added in 1.2.0 of python-xmlschema and refined in 1.2.1. Its use was added in 3b707723dcf1bf60677b424aac398c0c3557641d.
* Release version 6.5.1 (tag: v6.5.1) | Ivan Kanakarakis | 2021-01-21 | 2 | -1/+6
    Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Fix the parser to take into account both the xs and xsd namespace prefixes | Ivan Kanakarakis | 2021-01-21 | 1 | -0/+6
    Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Release version 6.5.0 (tag: v6.5.0) | Ivan Kanakarakis | 2021-01-20 | 2 | -4/+27
    Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Merge pull request from GHSA-f4g9-h89h-jgv9 | Ivan Kanakarakis | 2021-01-20 | 57 | -17/+5933
    Validate XML documents before verifying the signature
  * Fix CVE-2021-21238 - SAML XML Signature wrapping | Ivan Kanakarakis | 2021-01-15 | 7 | -0/+318
      All users of pysaml2 that use the default `CryptoBackendXmlSec1` backend and need to verify signed SAML documents are impacted.

      `pysaml2 <= 6.4.1` does not validate the SAML document against an XML schema. This allows invalid XML documents to trick the verification process, by presenting elements with a valid signature inside elements whose content has been malformed.

      The verification is offloaded to `xmlsec1` and `xmlsec1` will not validate every signature in the given document, but only the first it finds in the given scope.

      Credits for the report:
      - Victor Schönfelder Garcia (isits AG International School of IT Security)
      - Juraj Somorovsky (Paderborn University)
      - Vladislav Mladenov (Ruhr University Bochum)

      Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
  * Add xsd schemas | Ivan Kanakarakis | 2021-01-15 | 46 | -0/+5516
      Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
  * Fix the parser to not break on ePTID AttributeValues | Ivan Kanakarakis | 2021-01-15 | 1 | -3/+18
      Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
  * Strengthen XSW tests | Ivan Kanakarakis | 2021-01-11 | 6 | -14/+81
      Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Merge pull request from GHSA-5p3x-r448-pc62 | Ivan Kanakarakis | 2021-01-20 | 5 | -0/+227
    Restrict the key data that xmlsec1 accepts to only x509 certs
  * Fix CVE-2021-21239 - Restrict the key data that xmlsec1 accepts to only x509 certs | Ivan Kanakarakis | 2021-01-18 | 5 | -0/+227
      All users of pysaml2 that use the default CryptoBackendXmlSec1 backend and need to verify signed SAML documents are impacted.

      pysaml2 <= 6.4.1 does not ensure that a signed SAML document is correctly signed. The default CryptoBackendXmlSec1 backend is using the xmlsec1 binary to verify the signature of signed SAML documents, but by default, xmlsec1 accepts any type of key found within the given document. xmlsec1 needs to be configured explicitly to use only x509 certificates for the verification process of the SAML document signature.

      Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Set the dates in test XML documents to be earlier than 2036 to allow 32bit systems to pass the tests | Ivan Kanakarakis | 2021-01-07 | 9 | -14/+14
    Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Load the encryption template using package resources | Ivan Kanakarakis | 2021-01-07 | 5 | -2/+4
    Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Cleanup and reorder sigver imports | Ivan Kanakarakis | 2021-01-07 | 1 | -14/+9
    Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
* Test with complete response and assertion objects | Ivan Kanakarakis | 2021-01-07 | 3 | -200/+288
    Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>