diff --git a/powerdnsadmin/models/setting.py b/powerdnsadmin/models/setting.py
index f8378a5..f844e59 100644
--- a/powerdnsadmin/models/setting.py
+++ b/powerdnsadmin/models/setting.py
@@ -113,9 +113,11 @@ class Setting(db.Model):
 'saml_enabled': True,
 'saml_debug': True,
 'saml_metadata_url': 'https://md.aai.grnet.gr/aggregates/grnet-metadata.xml',
- 'saml_metadata_cache_lifetime': '1',
- 'saml_idp_sso_binding': 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
+ 'saml_metadata_cache_lifetime': '15',
+ 'saml_idp_sso_binding': 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
 'saml_idp_slo_binding': 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
+ 'saml_sp_acs_binding': 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
+ 'saml_sp_sls_binding': 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
 'saml_idp_entity_id': 'https://idp.uoa.gr/idp/shibboleth',
 'saml_nameid_format': 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
 'saml_sp_requested_attributes': '[ \
@@ -130,6 +132,7 @@ class Setting(db.Model):
 'saml_attribute_username': 'urn:oid:0.9.2342.19200300.100.1.1',
 'saml_attribute_admin': 'https://example.edu/pdns-admin',
 'saml_attribute_account': 'https://example.edu/pdns-account',
+ 'saml_attribute_name': None,
 'saml_attribute_group': None,
 'saml_group_admin_name': None,
 'saml_group_to_account_mapping': None,
@@ -148,10 +151,10 @@ class Setting(db.Model):
 'saml_want_assertions_signed': True,
 'saml_sign_metadata': False,
 'saml_want_message_signed': False,
- 'saml_nameid_encrypted': 'False',
- 'saml_want_nameid_encrypted': 'False',
+ 'saml_nameid_encrypted': False,
+ 'saml_want_nameid_encrypted': False,
 'saml_metadata_cache_duration': 'PT5M',
- 'saml_metadata_valid_until': '999999999999999999',
+ 'saml_metadata_valid_until': '2021-12-31T00:00:00Z',
 'saml_autoprovisioning': True,
 'saml_urn_prefix': 'urn:mace:uoa.gr',
 'saml_autoprovisioning_attribute': 'urn:oid:1.3.6.1.4.1.5923.1.1.1.7',
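Review bot: The new `'saml_metadata_valid_until'` default is a fixed calendar date, `'2021-12-31T00:00:00Z'`, so every deployment that never overrides it will start publishing SP metadata whose validUntil lies in the past once that date has gone by, and a consuming IdP is entitled to refuse such metadata. Since the saml.py hunk in this commit already maps an empty value to None, a `'saml_metadata_valid_until': None,` default would make the attribute optional rather than silently stale, and an operator who wants a hard expiry sets one explicitly. The replaced `'999999999999999999'` was not a valid xs:dateTime either, so the string type here deserves a short comment naming the expected format, e.g. `# XML dateTime such as '2021-12-31T00:00:00Z'; None omits validUntil from the metadata`.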
diff --git a/powerdnsadmin/routes/admin.py b/powerdnsadmin/routes/admin.py
index 70fa563..a461671 100644
--- a/powerdnsadmin/routes/admin.py
+++ b/powerdnsadmin/routes/admin.py
@@ -1646,8 +1646,6 @@ def setting_authentication():
 else Setting().defaults['saml_metadata_cache_lifetime']))
 Setting().set('saml_idp_sso_binding',
 request.form.get('saml_idp_sso_binding'))
- Setting().set('saml_idp_slo_binding',
- request.form.get('saml_idp_slo_binding'))
 Setting().set('saml_idp_entity_id',
 request.form.get('saml_idp_entity_id'))
 Setting().set('saml_nameid_format',
diff --git a/powerdnsadmin/services/saml.py b/powerdnsadmin/services/saml.py
index 22d8f1d..4ada154 100644
--- a/powerdnsadmin/services/saml.py
+++ b/powerdnsadmin/services/saml.py
@@ -8,7 +8,12 @@ from ..lib.certutil import KEY_FILE, CERT_FILE, create_self_signed_cert
 from ..lib.utils import urlparse
 from ..models.setting import Setting

-
+# The python3-saml library currently supports only the Redirect binding for IDP endpoints.
+# For SP, the Assertion Consumer Service endpoint supports HTTP-POST binding,
+# while the Single Logout Service endpoint uses HTTP-Redirect.
+# Therefore, to protect users from using unsupported features, settings
+# 'saml_idp_slo_binding', 'saml_sp_acs_binding' and 'saml_sp_sls_binding'
+# are not exposed on the front end SAML interface.
 class SAML(object):
 def __init__(self):
 if Setting().get('saml_enabled'):
@@ -25,8 +30,7 @@ class SAML(object):
 self.idp_data = OneLogin_Saml2_IdPMetadataParser.parse_remote(
 Setting().get('saml_metadata_url'),
 entity_id=Setting().get('saml_idp_entity_id'),
- required_sso_binding=Setting().get('saml_idp_sso_binding'),
- required_slo_binding=Setting().get('saml_idp_slo_binding'))
+ required_sso_binding=Setting().get('saml_idp_sso_binding'))
 except:
 self.idp_data = None
 else:
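Review bot: `saml_idp_sso_binding` is still persisted straight from `request.form.get('saml_idp_sso_binding')` with no check that it is one of the two SAML 2.0 binding URNs, while the new module comment in saml.py says python3-saml honours only HTTP-Redirect for IdP endpoints; an arbitrary or empty value is stored and only surfaces at the next login, when `parse_remote` receives it as `required_sso_binding` under a bare `except:`. An allow-list check before the `Setting().set(...)` call — `allowed = {'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect', 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'}` and `if request.form.get('saml_idp_sso_binding') not in allowed:` rejecting the form with an error message — would report the misconfiguration to the admin who is saving it. setting_authentication begins and ends outside this hunk.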
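Review bot: With `required_slo_binding` removed from the `parse_remote` call, the SLO binding accepted from the IdP metadata now comes from the library's own default (HTTP-Redirect, going by python3-saml's parser signature — worth confirming), but nothing at the call site records that `saml_sp_sls_binding` has to stay in step with it; a one-line comment, `# SLO binding left at the library default (HTTP-Redirect); keep saml_sp_sls_binding matching`, would tie the two together. The surrounding bare `except:` (context here, not changed by the commit) also swallows a metadata fetch that simply has no Redirect SSO endpoint, leaving `idp_data` as None with nothing logged; narrowing it to `except Exception as e:` and logging `e` through the app logger would make that failure visible. `__init__` continues outside the hunk.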
@@ -154,12 +158,12 @@ class SAML(object):
 settings['sp']['assertionConsumerService'] = {}
 settings['sp']['assertionConsumerService'][
- 'binding'] = Setting().get('saml_idp_sso_binding')
+ 'binding'] = Setting().get('saml_sp_acs_binding')#'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'
 settings['sp']['assertionConsumerService'][
 'url'] = own_url + '/saml/authorized'
 settings['sp']['singleLogoutService'] = {}
 settings['sp']['singleLogoutService'][
- 'binding'] = Setting().get('saml_idp_slo_binding')
+ 'binding'] = Setting().get('saml_sp_sls_binding')#'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
 settings['sp']['singleLogoutService']['url'] = own_url + '/saml/sls'
 if metadata is not None and 'idp' in metadata:
 settings['idp'] = metadata['idp']
@@ -168,8 +172,8 @@ class SAML(object):
 settings['security'] = {}
 settings['security'][
 'digestAlgorithm'] = Setting().get('saml_digest_algorithm')
- settings['security']['metadataCacheDuration'] = None
- settings['security']['metadataValidUntil'] = None
+ settings['security']['metadataCacheDuration'] = Setting().get('saml_metadata_cache_duration') if Setting().get('saml_metadata_cache_duration') else None
+ settings['security']['metadataValidUntil'] = Setting().get('saml_metadata_valid_until') if Setting().get('saml_metadata_valid_until') else None
 settings['security']['requestedAuthnContext'] = True
 settings['security'][
 'signatureAlgorithm'] = Setting().get('saml_signature_algorithm')
diff --git a/powerdnsadmin/templates/admin_setting_authentication.html b/powerdnsadmin/templates/admin_setting_authentication.html
index 210a50b..ea581ee 100644
--- a/powerdnsadmin/templates/admin_setting_authentication.html
+++ b/powerdnsadmin/templates/admin_setting_authentication.html
@@ -713,11 +713,6 @@
-
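Review bot: The `#'urn:oasis:...'` fragments glued onto the two new `Setting().get(...)` lines, with no space before the `#`, are dead copies of the defaults in setting.py and will quietly disagree with them the next time either side changes. Either drop them or replace them with a comment that says why the SP bindings are read from their own keys, e.g. `# SP bindings are fixed by python3-saml (ACS: HTTP-POST, SLS: HTTP-Redirect); see the module comment`. The enclosing method starts and ends outside this hunk.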
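Review bot: Both new `metadataCacheDuration` and `metadataValidUntil` lines call `Setting().get(...)` twice for the same key, and `x if x else None` is just `x or None`; binding the lookup once halves the store reads and reads cleaner: `cache_duration = Setting().get('saml_metadata_cache_duration')` then `settings['security']['metadataCacheDuration'] = cache_duration or None`, with the same two lines for `saml_metadata_valid_until`. `metadataValidUntil` is also forwarded as a raw string with no check that it is an XML dateTime, so a typo in the admin form only shows up when the SP metadata is served to an IdP; a strict parse of the value here (or in the form handler) would catch it at configuration time, assuming python3-saml emits the string verbatim. The enclosing method starts and ends outside this hunk.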
- - - -
SP @@ -733,12 +728,12 @@
- +
- +
@@ -914,9 +909,6 @@
  • IDP SSO BINDING
  • -
  • - IDP SLO BINDING -
  • SP Entity ID
  • @@ -960,10 +952,7 @@ IDP Metadata Cache Lifetime - Cache Lifetime in minutes before fresh metadata are requested from the IDP Metadata URL
  • - IDP SSO Binding - SAML SSO binding format to use -
  • -
  • - IDP SLO Binding - SAML SLO binding format to use + IDP SSO Binding - SAML SSO binding format required for the IDP to use
  • NameID Format - NameID format to request @@ -980,10 +969,12 @@ SP NameID Format - NameID format to request
  • - SP Metadata Cache Duration - Set the cache duration of generated metadata. + SP Metadata Cache Duration - Set the cache duration of generated metadata.
    + Use PT5M to set cache duration to 5 minutes.
  • - SP Metadata Valid Until - Set the expiration moment (in seconds) for generated metadata. + SP Metadata Valid Until - Set the expiration date, in XML DateTime String format, for generated metadata.
    + XML DateTime String Format: "YYYY-MM-DDThh:mm:ssZ", Z can be Z for timezone 0 or "+-hh:mm" for other timezones.
  • Sign SP Metadata - Choose whether metadata produced is signed. @@ -1552,7 +1543,6 @@ if (is_enabled){ $('#saml_metadata_url').prop('required', true); $('#saml_idp_sso_binding').prop('required', true); - $('#saml_idp_slo_binding').prop('required', true); $('#saml_idp_entity_id').prop('required', true); $('#saml_nameid_format').prop('required', true); $('#saml_sp_requested_attributes').prop('required', true); @@ -1572,7 +1562,6 @@ } else { $('#saml_metadata_url').prop('required', false); $('#saml_idp_sso_binding').prop('required', false); - $('#saml_idp_slo_binding').prop('required', false); $('#saml_idp_entity_id').prop('required', false); $('#saml_nameid_format').prop('required', false); $('#saml_sp_requested_attributes').prop('required', false); @@ -1591,7 +1580,6 @@ {% if SETTING.get('saml_enabled') %} $('#saml_metadata_url').prop('required', true); $('#saml_idp_sso_binding').prop('required', true); - $('#saml_idp_slo_binding').prop('required', true); $('#saml_idp_entity_id').prop('required', true); $('#saml_nameid_format').prop('required', true); $('#saml_sp_requested_attributes').prop('required', true);