adjusting saml binding settings
This commit is contained in:
vmarkop
parent
c4fde72296
commit
10049fa431
|
|
@ -113,9 +113,11 @@ class Setting(db.Model):
|
||||||
'saml_enabled': True,
|
'saml_enabled': True,
|
||||||
'saml_debug': True,
|
'saml_debug': True,
|
||||||
'saml_metadata_url': 'https://md.aai.grnet.gr/aggregates/grnet-metadata.xml',
|
'saml_metadata_url': 'https://md.aai.grnet.gr/aggregates/grnet-metadata.xml',
|
||||||
'saml_metadata_cache_lifetime': '1',
|
'saml_metadata_cache_lifetime': '15',
|
||||||
'saml_idp_sso_binding': 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
|
'saml_idp_sso_binding': 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
|
||||||
'saml_idp_slo_binding': 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
|
'saml_idp_slo_binding': 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
|
||||||
|
'saml_sp_acs_binding': 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
|
||||||
|
'saml_sp_sls_binding': 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
|
||||||
'saml_idp_entity_id': 'https://idp.uoa.gr/idp/shibboleth',
|
'saml_idp_entity_id': 'https://idp.uoa.gr/idp/shibboleth',
|
||||||
'saml_nameid_format': 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
|
'saml_nameid_format': 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
|
||||||
'saml_sp_requested_attributes': '[ \
|
'saml_sp_requested_attributes': '[ \
|
||||||
|
|
@ -130,6 +132,7 @@ class Setting(db.Model):
|
||||||
'saml_attribute_username': 'urn:oid:0.9.2342.19200300.100.1.1',
|
'saml_attribute_username': 'urn:oid:0.9.2342.19200300.100.1.1',
|
||||||
'saml_attribute_admin': 'https://example.edu/pdns-admin',
|
'saml_attribute_admin': 'https://example.edu/pdns-admin',
|
||||||
'saml_attribute_account': 'https://example.edu/pdns-account',
|
'saml_attribute_account': 'https://example.edu/pdns-account',
|
||||||
|
'saml_attribute_name': None,
|
||||||
'saml_attribute_group': None,
|
'saml_attribute_group': None,
|
||||||
'saml_group_admin_name': None,
|
'saml_group_admin_name': None,
|
||||||
'saml_group_to_account_mapping': None,
|
'saml_group_to_account_mapping': None,
|
||||||
|
|
@ -148,10 +151,10 @@ class Setting(db.Model):
|
||||||
'saml_want_assertions_signed': True,
|
'saml_want_assertions_signed': True,
|
||||||
'saml_sign_metadata': False,
|
'saml_sign_metadata': False,
|
||||||
'saml_want_message_signed': False,
|
'saml_want_message_signed': False,
|
||||||
'saml_nameid_encrypted': 'False',
|
'saml_nameid_encrypted': False,
|
||||||
'saml_want_nameid_encrypted': 'False',
|
'saml_want_nameid_encrypted': False,
|
||||||
'saml_metadata_cache_duration': 'PT5M',
|
'saml_metadata_cache_duration': 'PT5M',
|
||||||
'saml_metadata_valid_until': '999999999999999999',
|
'saml_metadata_valid_until': '2021-12-31T00:00:00Z',
|
||||||
'saml_autoprovisioning': True,
|
'saml_autoprovisioning': True,
|
||||||
'saml_urn_prefix': 'urn:mace:uoa.gr',
|
'saml_urn_prefix': 'urn:mace:uoa.gr',
|
||||||
'saml_autoprovisioning_attribute': 'urn:oid:1.3.6.1.4.1.5923.1.1.1.7',
|
'saml_autoprovisioning_attribute': 'urn:oid:1.3.6.1.4.1.5923.1.1.1.7',
|
||||||
|
|
|
||||||
|
|
@ -1646,8 +1646,6 @@ def setting_authentication():
|
||||||
else Setting().defaults['saml_metadata_cache_lifetime']))
|
else Setting().defaults['saml_metadata_cache_lifetime']))
|
||||||
Setting().set('saml_idp_sso_binding',
|
Setting().set('saml_idp_sso_binding',
|
||||||
request.form.get('saml_idp_sso_binding'))
|
request.form.get('saml_idp_sso_binding'))
|
||||||
Setting().set('saml_idp_slo_binding',
|
|
||||||
request.form.get('saml_idp_slo_binding'))
|
|
||||||
Setting().set('saml_idp_entity_id',
|
Setting().set('saml_idp_entity_id',
|
||||||
request.form.get('saml_idp_entity_id'))
|
request.form.get('saml_idp_entity_id'))
|
||||||
Setting().set('saml_nameid_format',
|
Setting().set('saml_nameid_format',
|
||||||
|
|
|
||||||
|
|
@ -8,7 +8,12 @@ from ..lib.certutil import KEY_FILE, CERT_FILE, create_self_signed_cert
|
||||||
from ..lib.utils import urlparse
|
from ..lib.utils import urlparse
|
||||||
from ..models.setting import Setting
|
from ..models.setting import Setting
|
||||||
|
|
||||||
|
# The python3-saml library currently supports only the Redirect binding for IDP endpoints.
|
||||||
|
# For SP, the Assertion Consumer Service endpoint supports HTTP-POST binding,
|
||||||
|
# while the Single Logout Service endpoint uses HTTP-Redirect.
|
||||||
|
# Therefore, to protect users from using unsupported features, settings
|
||||||
|
# 'saml_idp_slo_binding', 'saml_sp_acs_binding' and 'saml_sp_sls_binding'
|
||||||
|
# are not exposed on the front end SAML interface.
|
||||||
class SAML(object):
|
class SAML(object):
|
||||||
def __init__(self):
|
def __init__(self):
|
||||||
if Setting().get('saml_enabled'):
|
if Setting().get('saml_enabled'):
|
||||||
|
|
@ -25,8 +30,7 @@ class SAML(object):
|
||||||
self.idp_data = OneLogin_Saml2_IdPMetadataParser.parse_remote(
|
self.idp_data = OneLogin_Saml2_IdPMetadataParser.parse_remote(
|
||||||
Setting().get('saml_metadata_url'),
|
Setting().get('saml_metadata_url'),
|
||||||
entity_id=Setting().get('saml_idp_entity_id'),
|
entity_id=Setting().get('saml_idp_entity_id'),
|
||||||
required_sso_binding=Setting().get('saml_idp_sso_binding'),
|
required_sso_binding=Setting().get('saml_idp_sso_binding'))
|
||||||
required_slo_binding=Setting().get('saml_idp_slo_binding'))
|
|
||||||
except:
|
except:
|
||||||
self.idp_data = None
|
self.idp_data = None
|
||||||
else:
|
else:
|
||||||
|
|
@ -154,12 +158,12 @@ class SAML(object):
|
||||||
|
|
||||||
settings['sp']['assertionConsumerService'] = {}
|
settings['sp']['assertionConsumerService'] = {}
|
||||||
settings['sp']['assertionConsumerService'][
|
settings['sp']['assertionConsumerService'][
|
||||||
'binding'] = Setting().get('saml_idp_sso_binding')
|
'binding'] = Setting().get('saml_sp_acs_binding')#'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'
|
||||||
settings['sp']['assertionConsumerService'][
|
settings['sp']['assertionConsumerService'][
|
||||||
'url'] = own_url + '/saml/authorized'
|
'url'] = own_url + '/saml/authorized'
|
||||||
settings['sp']['singleLogoutService'] = {}
|
settings['sp']['singleLogoutService'] = {}
|
||||||
settings['sp']['singleLogoutService'][
|
settings['sp']['singleLogoutService'][
|
||||||
'binding'] = Setting().get('saml_idp_slo_binding')
|
'binding'] = Setting().get('saml_sp_sls_binding')#'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
|
||||||
settings['sp']['singleLogoutService']['url'] = own_url + '/saml/sls'
|
settings['sp']['singleLogoutService']['url'] = own_url + '/saml/sls'
|
||||||
if metadata is not None and 'idp' in metadata:
|
if metadata is not None and 'idp' in metadata:
|
||||||
settings['idp'] = metadata['idp']
|
settings['idp'] = metadata['idp']
|
||||||
|
|
@ -168,8 +172,8 @@ class SAML(object):
|
||||||
settings['security'] = {}
|
settings['security'] = {}
|
||||||
settings['security'][
|
settings['security'][
|
||||||
'digestAlgorithm'] = Setting().get('saml_digest_algorithm')
|
'digestAlgorithm'] = Setting().get('saml_digest_algorithm')
|
||||||
settings['security']['metadataCacheDuration'] = None
|
settings['security']['metadataCacheDuration'] = Setting().get('saml_metadata_cache_duration') if Setting().get('saml_metadata_cache_duration') else None
|
||||||
settings['security']['metadataValidUntil'] = None
|
settings['security']['metadataValidUntil'] = Setting().get('saml_metadata_valid_until') if Setting().get('saml_metadata_valid_until') else None
|
||||||
settings['security']['requestedAuthnContext'] = True
|
settings['security']['requestedAuthnContext'] = True
|
||||||
settings['security'][
|
settings['security'][
|
||||||
'signatureAlgorithm'] = Setting().get('saml_signature_algorithm')
|
'signatureAlgorithm'] = Setting().get('saml_signature_algorithm')
|
||||||
|
|
|
||||||
|
|
@ -713,11 +713,6 @@
|
||||||
<input type="text" class="form-control" name="saml_idp_sso_binding" id="saml_idp_sso_binding" placeholder="e.g. urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" data-error="Please input SAML IDP SSO Binding" value="{{ SETTING.get('saml_idp_sso_binding') }}">
|
<input type="text" class="form-control" name="saml_idp_sso_binding" id="saml_idp_sso_binding" placeholder="e.g. urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" data-error="Please input SAML IDP SSO Binding" value="{{ SETTING.get('saml_idp_sso_binding') }}">
|
||||||
<span class="help-block with-errors"></span>
|
<span class="help-block with-errors"></span>
|
||||||
</div>
|
</div>
|
||||||
<div class="form-group">
|
|
||||||
<label for="saml_idp_slo_binding">IDP SLO Binding</label>
|
|
||||||
<input type="text" class="form-control" name="saml_idp_slo_binding" id="saml_idp_slo_binding" placeholder="e.g. urn:oasis:names:tc:SAML:2.0:bindings:HTTP-REDIRECT" data-error="Please input SAML IDP SLO Binding" value="{{ SETTING.get('saml_idp_slo_binding') }}">
|
|
||||||
<span class="help-block with-errors"></span>
|
|
||||||
</div>
|
|
||||||
</fieldset>
|
</fieldset>
|
||||||
<fieldset>
|
<fieldset>
|
||||||
<legend>SP</legend>
|
<legend>SP</legend>
|
||||||
|
|
@ -733,12 +728,12 @@
|
||||||
</div>
|
</div>
|
||||||
<div class="form-group">
|
<div class="form-group">
|
||||||
<label for="saml_metadata_cache_duration">SP Metadata Cache Duration</label>
|
<label for="saml_metadata_cache_duration">SP Metadata Cache Duration</label>
|
||||||
<input type="text" class="form-control" name="saml_metadata_cache_duration" id="saml_metadata_cache_duration" placeholder="Cache duration in seconds" data-error="Please input Metadata Cache Duration" value="{{ SETTING.get('saml_metadata_cache_duration') }}">
|
<input type="text" class="form-control" name="saml_metadata_cache_duration" id="saml_metadata_cache_duration" placeholder="eg PT5M" data-error="Please input Metadata Cache Duration" value="{{ SETTING.get('saml_metadata_cache_duration') }}">
|
||||||
<span class="help-block with-errors"></span>
|
<span class="help-block with-errors"></span>
|
||||||
</div>
|
</div>
|
||||||
<div class="form-group">
|
<div class="form-group">
|
||||||
<label for="saml_metadata_valid_until">SP Metadata Valid Until</label>
|
<label for="saml_metadata_valid_until">SP Metadata Valid Until</label>
|
||||||
<input type="text" class="form-control" name="saml_metadata_valid_until" id="saml_metadata_valid_until" placeholder="Time-moment when metadata stops being valid" data-error="Please input Metadata Expiration Date" value="{{ SETTING.get('saml_metadata_valid_until') }}">
|
<input type="text" class="form-control" name="saml_metadata_valid_until" id="saml_metadata_valid_until" placeholder="YYYY-MM-DDThh:mm:ssZ" data-error="Please input Metadata Expiration Date" value="{{ SETTING.get('saml_metadata_valid_until') }}">
|
||||||
<span class="help-block with-errors"></span>
|
<span class="help-block with-errors"></span>
|
||||||
</div>
|
</div>
|
||||||
<div class="form-group">
|
<div class="form-group">
|
||||||
|
|
@ -914,9 +909,6 @@
|
||||||
<li>
|
<li>
|
||||||
<b>IDP SSO BINDING</b>
|
<b>IDP SSO BINDING</b>
|
||||||
</li>
|
</li>
|
||||||
<li>
|
|
||||||
<b>IDP SLO BINDING</b>
|
|
||||||
</li>
|
|
||||||
<li>
|
<li>
|
||||||
<b>SP Entity ID</b>
|
<b>SP Entity ID</b>
|
||||||
</li>
|
</li>
|
||||||
|
|
@ -960,10 +952,7 @@
|
||||||
<b>IDP Metadata Cache Lifetime</b> - Cache Lifetime in minutes before fresh metadata are requested from the IDP Metadata URL
|
<b>IDP Metadata Cache Lifetime</b> - Cache Lifetime in minutes before fresh metadata are requested from the IDP Metadata URL
|
||||||
</li>
|
</li>
|
||||||
<li>
|
<li>
|
||||||
<b>IDP SSO Binding</b> - SAML SSO binding format to use
|
<b>IDP SSO Binding</b> - SAML SSO binding format required for the IDP to use
|
||||||
</li>
|
|
||||||
<li>
|
|
||||||
<b>IDP SLO Binding</b> - SAML SLO binding format to use
|
|
||||||
</li>
|
</li>
|
||||||
<li>
|
<li>
|
||||||
<b>NameID Format</b> - NameID format to request
|
<b>NameID Format</b> - NameID format to request
|
||||||
|
|
@ -980,10 +969,12 @@
|
||||||
<b>SP NameID Format</b> - NameID format to request
|
<b>SP NameID Format</b> - NameID format to request
|
||||||
</li>
|
</li>
|
||||||
<li>
|
<li>
|
||||||
<b>SP Metadata Cache Duration</b> - Set the cache duration of generated metadata.
|
<b>SP Metadata Cache Duration</b> - Set the cache duration of generated metadata.<br>
|
||||||
|
Use PT5M to set cache duration to 5 minutes.
|
||||||
</li>
|
</li>
|
||||||
<li>
|
<li>
|
||||||
<b>SP Metadata Valid Until</b> - Set the expiration moment (in seconds) for generated metadata.
|
<b>SP Metadata Valid Until</b> - Set the expiration date, in XML DateTime String format, for generated metadata.<br>
|
||||||
|
XML DateTime String Format: "YYYY-MM-DDThh:mm:ssZ", Z can be Z for timezone 0 or "+-hh:mm" for other timezones.
|
||||||
</li>
|
</li>
|
||||||
<li>
|
<li>
|
||||||
<b>Sign SP Metadata</b> - Choose whether metadata produced is signed.
|
<b>Sign SP Metadata</b> - Choose whether metadata produced is signed.
|
||||||
|
|
@ -1552,7 +1543,6 @@
|
||||||
if (is_enabled){
|
if (is_enabled){
|
||||||
$('#saml_metadata_url').prop('required', true);
|
$('#saml_metadata_url').prop('required', true);
|
||||||
$('#saml_idp_sso_binding').prop('required', true);
|
$('#saml_idp_sso_binding').prop('required', true);
|
||||||
$('#saml_idp_slo_binding').prop('required', true);
|
|
||||||
$('#saml_idp_entity_id').prop('required', true);
|
$('#saml_idp_entity_id').prop('required', true);
|
||||||
$('#saml_nameid_format').prop('required', true);
|
$('#saml_nameid_format').prop('required', true);
|
||||||
$('#saml_sp_requested_attributes').prop('required', true);
|
$('#saml_sp_requested_attributes').prop('required', true);
|
||||||
|
|
@ -1572,7 +1562,6 @@
|
||||||
} else {
|
} else {
|
||||||
$('#saml_metadata_url').prop('required', false);
|
$('#saml_metadata_url').prop('required', false);
|
||||||
$('#saml_idp_sso_binding').prop('required', false);
|
$('#saml_idp_sso_binding').prop('required', false);
|
||||||
$('#saml_idp_slo_binding').prop('required', false);
|
|
||||||
$('#saml_idp_entity_id').prop('required', false);
|
$('#saml_idp_entity_id').prop('required', false);
|
||||||
$('#saml_nameid_format').prop('required', false);
|
$('#saml_nameid_format').prop('required', false);
|
||||||
$('#saml_sp_requested_attributes').prop('required', false);
|
$('#saml_sp_requested_attributes').prop('required', false);
|
||||||
|
|
@ -1591,7 +1580,6 @@
|
||||||
{% if SETTING.get('saml_enabled') %}
|
{% if SETTING.get('saml_enabled') %}
|
||||||
$('#saml_metadata_url').prop('required', true);
|
$('#saml_metadata_url').prop('required', true);
|
||||||
$('#saml_idp_sso_binding').prop('required', true);
|
$('#saml_idp_sso_binding').prop('required', true);
|
||||||
$('#saml_idp_slo_binding').prop('required', true);
|
|
||||||
$('#saml_idp_entity_id').prop('required', true);
|
$('#saml_idp_entity_id').prop('required', true);
|
||||||
$('#saml_nameid_format').prop('required', true);
|
$('#saml_nameid_format').prop('required', true);
|
||||||
$('#saml_sp_requested_attributes').prop('required', true);
|
$('#saml_sp_requested_attributes').prop('required', true);
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue