adjusting saml binding settings

This commit is contained in:
vmarkop 2021-12-14 11:28:49 +02:00
parent c4fde72296
commit 10049fa431
4 changed files with 26 additions and 33 deletions


@ -113,9 +113,11 @@ class Setting(db.Model):
'saml_enabled': True, 'saml_enabled': True,
'saml_debug': True, 'saml_debug': True,
'saml_metadata_url': 'https://md.aai.grnet.gr/aggregates/grnet-metadata.xml', 'saml_metadata_url': 'https://md.aai.grnet.gr/aggregates/grnet-metadata.xml',
'saml_metadata_cache_lifetime': '1', 'saml_metadata_cache_lifetime': '15',
'saml_idp_sso_binding': 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST', 'saml_idp_sso_binding': 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'saml_idp_slo_binding': 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect', 'saml_idp_slo_binding': 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'saml_sp_acs_binding': 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
'saml_sp_sls_binding': 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'saml_idp_entity_id': 'https://idp.uoa.gr/idp/shibboleth', 'saml_idp_entity_id': 'https://idp.uoa.gr/idp/shibboleth',
'saml_nameid_format': 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified', 'saml_nameid_format': 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
'saml_sp_requested_attributes': '[ \ 'saml_sp_requested_attributes': '[ \
@ -130,6 +132,7 @@ class Setting(db.Model):
'saml_attribute_username': 'urn:oid:0.9.2342.19200300.100.1.1', 'saml_attribute_username': 'urn:oid:0.9.2342.19200300.100.1.1',
'saml_attribute_admin': 'https://example.edu/pdns-admin', 'saml_attribute_admin': 'https://example.edu/pdns-admin',
'saml_attribute_account': 'https://example.edu/pdns-account', 'saml_attribute_account': 'https://example.edu/pdns-account',
'saml_attribute_name': None,
'saml_attribute_group': None, 'saml_attribute_group': None,
'saml_group_admin_name': None, 'saml_group_admin_name': None,
'saml_group_to_account_mapping': None, 'saml_group_to_account_mapping': None,
@ -148,10 +151,10 @@ class Setting(db.Model):
'saml_want_assertions_signed': True, 'saml_want_assertions_signed': True,
'saml_sign_metadata': False, 'saml_sign_metadata': False,
'saml_want_message_signed': False, 'saml_want_message_signed': False,
'saml_nameid_encrypted': 'False', 'saml_nameid_encrypted': False,
'saml_want_nameid_encrypted': 'False', 'saml_want_nameid_encrypted': False,
'saml_metadata_cache_duration': 'PT5M', 'saml_metadata_cache_duration': 'PT5M',
'saml_metadata_valid_until': '999999999999999999', 'saml_metadata_valid_until': '2021-12-31T00:00:00Z',
'saml_autoprovisioning': True, 'saml_autoprovisioning': True,
'saml_urn_prefix': 'urn:mace:uoa.gr', 'saml_urn_prefix': 'urn:mace:uoa.gr',
'saml_autoprovisioning_attribute': 'urn:oid:1.3.6.1.4.1.5923.1.1.1.7', 'saml_autoprovisioning_attribute': 'urn:oid:1.3.6.1.4.1.5923.1.1.1.7',
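Review bot: The new default for 'saml_metadata_valid_until' (the line replacing '999999999999999999' with '2021-12-31T00:00:00Z') hard-codes a calendar date only a few weeks after the commit date, so any deployment that keeps the default will publish SP metadata whose validUntil is already in the past once that date passes, and an IdP that honours validUntil will refuse it. A default should not encode an absolute date: leave it unset, `'saml_metadata_valid_until': None,`, so the security block in saml.py keeps falling back to None until an administrator sets a value, or compute it relative to the current time when the metadata is generated. The new 'saml_sp_acs_binding' and 'saml_sp_sls_binding' entries have no form field, which the saml.py comment explains, but a short comment next to them here, `# not exposed in the UI; see lib/saml.py`, would save the next reader the search. Setting.defaults continues outside the hunk.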


@ -1646,8 +1646,6 @@ def setting_authentication():
else Setting().defaults['saml_metadata_cache_lifetime'])) else Setting().defaults['saml_metadata_cache_lifetime']))
Setting().set('saml_idp_sso_binding', Setting().set('saml_idp_sso_binding',
request.form.get('saml_idp_sso_binding')) request.form.get('saml_idp_sso_binding'))
Setting().set('saml_idp_slo_binding',
request.form.get('saml_idp_slo_binding'))
Setting().set('saml_idp_entity_id', Setting().set('saml_idp_entity_id',
request.form.get('saml_idp_entity_id')) request.form.get('saml_idp_entity_id'))
Setting().set('saml_nameid_format', Setting().set('saml_nameid_format',


@ -8,7 +8,12 @@ from ..lib.certutil import KEY_FILE, CERT_FILE, create_self_signed_cert
from ..lib.utils import urlparse from ..lib.utils import urlparse
from ..models.setting import Setting from ..models.setting import Setting
# The python3-saml library currently supports only the Redirect binding for IDP endpoints.
# For SP, the Assertion Consumer Service endpoint supports HTTP-POST binding,
# while the Single Logout Service endpoint uses HTTP-Redirect.
# Therefore, to protect users from using unsupported features, settings
# 'saml_idp_slo_binding', 'saml_sp_acs_binding' and 'saml_sp_sls_binding'
# are not exposed on the front end SAML interface.
class SAML(object): class SAML(object):
def __init__(self): def __init__(self):
if Setting().get('saml_enabled'): if Setting().get('saml_enabled'):
@ -25,8 +30,7 @@ class SAML(object):
self.idp_data = OneLogin_Saml2_IdPMetadataParser.parse_remote( self.idp_data = OneLogin_Saml2_IdPMetadataParser.parse_remote(
Setting().get('saml_metadata_url'), Setting().get('saml_metadata_url'),
entity_id=Setting().get('saml_idp_entity_id'), entity_id=Setting().get('saml_idp_entity_id'),
required_sso_binding=Setting().get('saml_idp_sso_binding'), required_sso_binding=Setting().get('saml_idp_sso_binding'))
required_slo_binding=Setting().get('saml_idp_slo_binding'))
except: except:
self.idp_data = None self.idp_data = None
else: else:
@ -154,12 +158,12 @@ class SAML(object):
settings['sp']['assertionConsumerService'] = {} settings['sp']['assertionConsumerService'] = {}
settings['sp']['assertionConsumerService'][ settings['sp']['assertionConsumerService'][
'binding'] = Setting().get('saml_idp_sso_binding') 'binding'] = Setting().get('saml_sp_acs_binding')#'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'
settings['sp']['assertionConsumerService'][ settings['sp']['assertionConsumerService'][
'url'] = own_url + '/saml/authorized' 'url'] = own_url + '/saml/authorized'
settings['sp']['singleLogoutService'] = {} settings['sp']['singleLogoutService'] = {}
settings['sp']['singleLogoutService'][ settings['sp']['singleLogoutService'][
'binding'] = Setting().get('saml_idp_slo_binding') 'binding'] = Setting().get('saml_sp_sls_binding')#'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
settings['sp']['singleLogoutService']['url'] = own_url + '/saml/sls' settings['sp']['singleLogoutService']['url'] = own_url + '/saml/sls'
if metadata is not None and 'idp' in metadata: if metadata is not None and 'idp' in metadata:
settings['idp'] = metadata['idp'] settings['idp'] = metadata['idp']
@ -168,8 +172,8 @@ class SAML(object):
settings['security'] = {} settings['security'] = {}
settings['security'][ settings['security'][
'digestAlgorithm'] = Setting().get('saml_digest_algorithm') 'digestAlgorithm'] = Setting().get('saml_digest_algorithm')
settings['security']['metadataCacheDuration'] = None settings['security']['metadataCacheDuration'] = Setting().get('saml_metadata_cache_duration') if Setting().get('saml_metadata_cache_duration') else None
settings['security']['metadataValidUntil'] = None settings['security']['metadataValidUntil'] = Setting().get('saml_metadata_valid_until') if Setting().get('saml_metadata_valid_until') else None
settings['security']['requestedAuthnContext'] = True settings['security']['requestedAuthnContext'] = True
settings['security'][ settings['security'][
'signatureAlgorithm'] = Setting().get('saml_signature_algorithm') 'signatureAlgorithm'] = Setting().get('saml_signature_algorithm')
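Review bot: The rewritten metadataCacheDuration and metadataValidUntil lines call Setting().get twice each and hand the administrator-entered strings to the metadata builder with no format check, so a value that is not an ISO-8601 duration or an XML dateTime (the formats the form placeholders ask for) appears verbatim in the published SP metadata and is only noticed when a relying party rejects it. Read each setting once and fall back with `or`, e.g. `cache_duration = Setting().get('saml_metadata_cache_duration')` followed by `settings['security']['metadataCacheDuration'] = cache_duration or None`, and validate the format where the values are saved in setting_authentication rather than here. The trailing `#'urn:oasis:...'` remnants after the two `'binding'] = Setting().get(...)` assignments in the previous hunk are commented-out literals and should be removed. The enclosing method starts and ends outside the hunk.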


@ -713,11 +713,6 @@
<input type="text" class="form-control" name="saml_idp_sso_binding" id="saml_idp_sso_binding" placeholder="e.g. urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" data-error="Please input SAML IDP SSO Binding" value="{{ SETTING.get('saml_idp_sso_binding') }}"> <input type="text" class="form-control" name="saml_idp_sso_binding" id="saml_idp_sso_binding" placeholder="e.g. urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" data-error="Please input SAML IDP SSO Binding" value="{{ SETTING.get('saml_idp_sso_binding') }}">
<span class="help-block with-errors"></span> <span class="help-block with-errors"></span>
</div> </div>
<div class="form-group">
<label for="saml_idp_slo_binding">IDP SLO Binding</label>
<input type="text" class="form-control" name="saml_idp_slo_binding" id="saml_idp_slo_binding" placeholder="e.g. urn:oasis:names:tc:SAML:2.0:bindings:HTTP-REDIRECT" data-error="Please input SAML IDP SLO Binding" value="{{ SETTING.get('saml_idp_slo_binding') }}">
<span class="help-block with-errors"></span>
</div>
</fieldset> </fieldset>
<fieldset> <fieldset>
<legend>SP</legend> <legend>SP</legend>
@ -733,12 +728,12 @@
</div> </div>
<div class="form-group"> <div class="form-group">
<label for="saml_metadata_cache_duration">SP Metadata Cache Duration</label> <label for="saml_metadata_cache_duration">SP Metadata Cache Duration</label>
<input type="text" class="form-control" name="saml_metadata_cache_duration" id="saml_metadata_cache_duration" placeholder="Cache duration in seconds" data-error="Please input Metadata Cache Duration" value="{{ SETTING.get('saml_metadata_cache_duration') }}"> <input type="text" class="form-control" name="saml_metadata_cache_duration" id="saml_metadata_cache_duration" placeholder="eg PT5M" data-error="Please input Metadata Cache Duration" value="{{ SETTING.get('saml_metadata_cache_duration') }}">
<span class="help-block with-errors"></span> <span class="help-block with-errors"></span>
</div> </div>
<div class="form-group"> <div class="form-group">
<label for="saml_metadata_valid_until">SP Metadata Valid Until</label> <label for="saml_metadata_valid_until">SP Metadata Valid Until</label>
<input type="text" class="form-control" name="saml_metadata_valid_until" id="saml_metadata_valid_until" placeholder="Time-moment when metadata stops being valid" data-error="Please input Metadata Expiration Date" value="{{ SETTING.get('saml_metadata_valid_until') }}"> <input type="text" class="form-control" name="saml_metadata_valid_until" id="saml_metadata_valid_until" placeholder="YYYY-MM-DDThh:mm:ssZ" data-error="Please input Metadata Expiration Date" value="{{ SETTING.get('saml_metadata_valid_until') }}">
<span class="help-block with-errors"></span> <span class="help-block with-errors"></span>
</div> </div>
<div class="form-group"> <div class="form-group">
@ -914,9 +909,6 @@
<li> <li>
<b>IDP SSO BINDING</b> <b>IDP SSO BINDING</b>
</li> </li>
<li>
<b>IDP SLO BINDING</b>
</li>
<li> <li>
<b>SP Entity ID</b> <b>SP Entity ID</b>
</li> </li>
@ -960,10 +952,7 @@
<b>IDP Metadata Cache Lifetime</b> - Cache Lifetime in minutes before fresh metadata are requested from the IDP Metadata URL <b>IDP Metadata Cache Lifetime</b> - Cache Lifetime in minutes before fresh metadata are requested from the IDP Metadata URL
</li> </li>
<li> <li>
<b>IDP SSO Binding</b> - SAML SSO binding format to use <b>IDP SSO Binding</b> - SAML SSO binding format required for the IDP to use
</li>
<li>
<b>IDP SLO Binding</b> - SAML SLO binding format to use
</li> </li>
<li> <li>
<b>NameID Format</b> - NameID format to request <b>NameID Format</b> - NameID format to request
@ -980,10 +969,12 @@
<b>SP NameID Format</b> - NameID format to request <b>SP NameID Format</b> - NameID format to request
</li> </li>
<li> <li>
<b>SP Metadata Cache Duration</b> - Set the cache duration of generated metadata. <b>SP Metadata Cache Duration</b> - Set the cache duration of generated metadata.<br>
Use PT5M to set cache duration to 5 minutes.
</li> </li>
<li> <li>
<b>SP Metadata Valid Until</b> - Set the expiration moment (in seconds) for generated metadata. <b>SP Metadata Valid Until</b> - Set the expiration date, in XML DateTime String format, for generated metadata.<br>
XML DateTime String Format: "YYYY-MM-DDThh:mm:ssZ", Z can be Z for timezone 0 or "+-hh:mm" for other timezones.
</li> </li>
<li> <li>
<b>Sign SP Metadata</b> - Choose whether metadata produced is signed. <b>Sign SP Metadata</b> - Choose whether metadata produced is signed.
@ -1552,7 +1543,6 @@
if (is_enabled){ if (is_enabled){
$('#saml_metadata_url').prop('required', true); $('#saml_metadata_url').prop('required', true);
$('#saml_idp_sso_binding').prop('required', true); $('#saml_idp_sso_binding').prop('required', true);
$('#saml_idp_slo_binding').prop('required', true);
$('#saml_idp_entity_id').prop('required', true); $('#saml_idp_entity_id').prop('required', true);
$('#saml_nameid_format').prop('required', true); $('#saml_nameid_format').prop('required', true);
$('#saml_sp_requested_attributes').prop('required', true); $('#saml_sp_requested_attributes').prop('required', true);
@ -1572,7 +1562,6 @@
} else { } else {
$('#saml_metadata_url').prop('required', false); $('#saml_metadata_url').prop('required', false);
$('#saml_idp_sso_binding').prop('required', false); $('#saml_idp_sso_binding').prop('required', false);
$('#saml_idp_slo_binding').prop('required', false);
$('#saml_idp_entity_id').prop('required', false); $('#saml_idp_entity_id').prop('required', false);
$('#saml_nameid_format').prop('required', false); $('#saml_nameid_format').prop('required', false);
$('#saml_sp_requested_attributes').prop('required', false); $('#saml_sp_requested_attributes').prop('required', false);
@ -1591,7 +1580,6 @@
{% if SETTING.get('saml_enabled') %} {% if SETTING.get('saml_enabled') %}
$('#saml_metadata_url').prop('required', true); $('#saml_metadata_url').prop('required', true);
$('#saml_idp_sso_binding').prop('required', true); $('#saml_idp_sso_binding').prop('required', true);
$('#saml_idp_slo_binding').prop('required', true);
$('#saml_idp_entity_id').prop('required', true); $('#saml_idp_entity_id').prop('required', true);
$('#saml_nameid_format').prop('required', true); $('#saml_nameid_format').prop('required', true);
$('#saml_sp_requested_attributes').prop('required', true); $('#saml_sp_requested_attributes').prop('required', true);
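Review bot: The IDP SSO Binding input in the first hunk still carries `placeholder="e.g. urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"` although this commit switches the default to HTTP-Redirect and the new comment in saml.py states that only the Redirect binding is supported for IdP endpoints, so the form now steers administrators toward the one value the backend cannot use; change it to `placeholder="e.g. urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"`. The matching help text 'SAML SSO binding format required for the IDP to use' would be more useful if it named the accepted value. Two smaller wording issues: the cache-duration placeholder reads `eg PT5M` (should be `e.g. PT5M`), and the Valid Until help sentence 'Z can be Z for timezone 0' reads awkwardly; 'a trailing Z means UTC, otherwise give the offset as +hh:mm or -hh:mm' says the same thing clearly.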