Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

Issuer in a Response is optional

Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

Update Travis CI badge from travis-ci.org to travis-ci.com

travis-ci.org is shutting down in several weeks, with all accounts migrating to travis-ci.com.
This repository was already migrated to travis-ci.com, so update the badge to reflect that.

Always use base64.encodebytes; base64.encodestring has been dropped

Signed-off-by: Dirk Mueller <dirk@dmllr.de>

Fix IssueInstant validation

Fix crash when applying policy on RequestedAttribute without a friendlyName

it using the canonical Name
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

Minor bug fix to metadata function in example IdP

Correctly handle AudienceRestriction elements with no value

Raise InvalidAssertion exception when assertion requirements are not met

Invalid Destination URL Exception Handling

Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

Raise SAMLError on failure to parse a metadata file

Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

Handle all types of ACS endpoint specifications

The SP authnReq now works with a 3-tuple (URL+binding+index) ACS service conf

Set minimum version needed for xmlschema

Sandbox mode was added in 1.2.0 of python-xmlschema and refined in
1.2.1. Its use was added in 3b707723dcf1bf60677b424aac398c0c3557641d.

Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

Validate XML documents before verifying the signature

All users of pysaml2 that use the default `CryptoBackendXmlSec1` backend and need to
verify signed SAML documents are impacted. `pysaml2 <= 6.4.1` does not validate the SAML
document against an XML schema. This allows invalid XML documents to trick the
verification process, by presenting elements with a valid signature inside elements
whose content has been malformed. The verification is offloaded to `xmlsec1` and
`xmlsec1` will not validate every signature in the given document, but only the first it
finds in the given scope.

Credits for the report:
- Victor Schönfelder Garcia (isits AG International School of IT Security)
- Juraj Somorovsky (Paderborn University)
- Vladislav Mladenov (Ruhr University Bochum)

Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

Restrict the key data that xmlsec1 accepts to only x509 certs

All users of pysaml2 that use the default CryptoBackendXmlSec1 backend and need to
verify signed SAML documents are impacted. pysaml2 <= 6.4.1 does not ensure that a
signed SAML document is correctly signed. The default CryptoBackendXmlSec1 backend is
using the xmlsec1 binary to verify the signature of signed SAML documents, but by
default, xmlsec1 accepts any type of key found within the given document. xmlsec1 needs
to be configured explicitly to use only x509 certificates for the verification
process of the SAML document signature.

Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

systems to pass the tests
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>