Migrated SAML settings from app.config to Settings(), SAML exception catching
This commit is contained in:
parent
3255bc26d0
commit
c08f9b1cfd
|
@ -112,10 +112,10 @@ class Setting(db.Model):
|
||||||
'oidc_oauth_account_description_property': '',
|
'oidc_oauth_account_description_property': '',
|
||||||
'saml_enabled': False,
|
'saml_enabled': False,
|
||||||
'saml_debug': True,
|
'saml_debug': True,
|
||||||
'saml_metadata_url': 'https://md.aai.grnet.gr/aggregates/grnet-metadata.xml',#'https://md.aai.grnet.gr/aggregates/grnet-metadata.xml'
|
'saml_metadata_url': 'https://example.com/metadata.xml',
|
||||||
'saml_metadata_cache_lifetime': '1',
|
'saml_metadata_cache_lifetime': '1',
|
||||||
'saml_idp_sso_binding': 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',#
|
'saml_idp_sso_binding': 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
|
||||||
'saml_idp_entity_id': 'https://idp.uoa.gr/idp/shibboleth',#'https://idp.uoa.gr/idp/shibboleth'
|
'saml_idp_entity_id': 'https://idp.example.com/idp/',
|
||||||
'saml_nameid_format': 'urn:oid:0.9.2342.19200300.100.1.1',
|
'saml_nameid_format': 'urn:oid:0.9.2342.19200300.100.1.1',
|
||||||
'saml_sp_requested_attributes': '[ \
|
'saml_sp_requested_attributes': '[ \
|
||||||
{"name": "urn:oid:0.9.2342.19200300.100.1.3", "nameFormat": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri", "isRequired": true, "friendlyName": "email"}, \
|
{"name": "urn:oid:0.9.2342.19200300.100.1.3", "nameFormat": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri", "isRequired": true, "friendlyName": "email"}, \
|
||||||
|
|
|
@ -1020,7 +1020,9 @@ def setting_authentication():
|
||||||
'Must have at least one authentication method enabled.'
|
'Must have at least one authentication method enabled.'
|
||||||
}
|
}
|
||||||
else:
|
else:
|
||||||
Setting().set('saml_enabled', True)
|
Setting().set(
|
||||||
|
'saml_enabled',
|
||||||
|
True if request.form.get('saml_enabled') else False)
|
||||||
Setting().set('saml_metadata_url',
|
Setting().set('saml_metadata_url',
|
||||||
request.form.get('saml_metadata_url'))
|
request.form.get('saml_metadata_url'))
|
||||||
Setting().set('saml_metadata_cache_lifetime',
|
Setting().set('saml_metadata_cache_lifetime',
|
||||||
|
|
|
@ -593,19 +593,27 @@ def logout():
|
||||||
req = saml.prepare_flask_request(request)
|
req = saml.prepare_flask_request(request)
|
||||||
auth = saml.init_saml_auth(req)
|
auth = saml.init_saml_auth(req)
|
||||||
if Setting().get('saml_logout_url'):
|
if Setting().get('saml_logout_url'):
|
||||||
|
try:
|
||||||
|
return redirect(
|
||||||
|
auth.logout(
|
||||||
|
name_id_format=
|
||||||
|
Setting().get('saml_nameid_format'),
|
||||||
|
return_to=Setting().get('saml_logout_url'),
|
||||||
|
session_index=session['samlSessionIndex'],
|
||||||
|
name_id=session['samlNameId']))
|
||||||
|
except:
|
||||||
|
current_app.logger.info(
|
||||||
|
"SAML: Your IDP does not support Single Logout.")
|
||||||
|
try:
|
||||||
return redirect(
|
return redirect(
|
||||||
auth.logout(
|
auth.logout(
|
||||||
name_id_format=
|
name_id_format=
|
||||||
"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
|
Setting().get('saml_nameid_format'),
|
||||||
return_to=Setting().get('saml_logout_url'),
|
|
||||||
session_index=session['samlSessionIndex'],
|
session_index=session['samlSessionIndex'],
|
||||||
name_id=session['samlNameId']))
|
name_id=session['samlNameId']))
|
||||||
return redirect(
|
except:
|
||||||
auth.logout(
|
current_app.logger.info(
|
||||||
name_id_format=
|
"SAML: Your IDP does not support Single Logout.")
|
||||||
"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
|
|
||||||
session_index=session['samlSessionIndex'],
|
|
||||||
name_id=session['samlNameId']))
|
|
||||||
|
|
||||||
redirect_uri = url_for('index.login')
|
redirect_uri = url_for('index.login')
|
||||||
oidc_logout = Setting().get('oidc_oauth_logout_url')
|
oidc_logout = Setting().get('oidc_oauth_logout_url')
|
||||||
|
@ -897,8 +905,16 @@ def dyndns_update():
|
||||||
def saml_login():
|
def saml_login():
|
||||||
if not Setting().get('saml_enabled'):
|
if not Setting().get('saml_enabled'):
|
||||||
abort(400)
|
abort(400)
|
||||||
|
global saml
|
||||||
req = saml.prepare_flask_request(request)
|
req = saml.prepare_flask_request(request)
|
||||||
auth = saml.init_saml_auth(req)
|
try:
|
||||||
|
auth = saml.init_saml_auth(req)
|
||||||
|
except:
|
||||||
|
current_app.logger.info(
|
||||||
|
"SAML: IDP Metadata were not successfully initialized. Reinitializing...")
|
||||||
|
saml = SAML()
|
||||||
|
req = saml.prepare_flask_request(request)
|
||||||
|
auth = saml.init_saml_auth(req)
|
||||||
redirect_url = OneLogin_Saml2_Utils.get_self_url(req) + url_for(
|
redirect_url = OneLogin_Saml2_Utils.get_self_url(req) + url_for(
|
||||||
'index.saml_authorized')
|
'index.saml_authorized')
|
||||||
return redirect(auth.login(return_to=redirect_url))
|
return redirect(auth.login(return_to=redirect_url))
|
||||||
|
|
|
@ -21,42 +21,60 @@ class SAML(object):
|
||||||
self.idp_data = None
|
self.idp_data = None
|
||||||
|
|
||||||
if Setting().get('saml_idp_entity_id'):
|
if Setting().get('saml_idp_entity_id'):
|
||||||
self.idp_data = OneLogin_Saml2_IdPMetadataParser.parse_remote(
|
try:
|
||||||
Setting().get('saml_metadata_url'),
|
self.idp_data = OneLogin_Saml2_IdPMetadataParser.parse_remote(
|
||||||
entity_id=Setting().get('saml_idp_entity_id'),
|
Setting().get('saml_metadata_url'),
|
||||||
required_sso_binding=Setting().get('saml_idp_sso_binding'))
|
entity_id=Setting().get('saml_idp_entity_id'),
|
||||||
|
required_sso_binding=Setting().get('saml_idp_sso_binding'))
|
||||||
|
except:
|
||||||
|
self.idp_data = None
|
||||||
else:
|
else:
|
||||||
self.idp_data = OneLogin_Saml2_IdPMetadataParser.parse_remote(
|
try:
|
||||||
Setting().get('saml_metadata_url'),
|
self.idp_data = OneLogin_Saml2_IdPMetadataParser.parse_remote(
|
||||||
entity_id=None)
|
Setting().get('saml_metadata_url'),
|
||||||
|
entity_id=None)
|
||||||
|
except:
|
||||||
|
self.idp_data = None
|
||||||
if self.idp_data is None:
|
if self.idp_data is None:
|
||||||
current_app.logger.info(
|
current_app.logger.info(
|
||||||
'SAML: IDP Metadata initial load failed')
|
'SAML: IDP Metadata initial load failed')
|
||||||
exit(-1)
|
Setting().set('saml_enabled', False)
|
||||||
|
print("SAML EN1 ", Setting().get('saml_enabled'))
|
||||||
|
# exit(-1)
|
||||||
|
|
||||||
def get_idp_data(self):
|
def get_idp_data(self):
|
||||||
|
|
||||||
lifetime = timedelta(
|
# lifetime = timedelta(
|
||||||
minutes=int(Setting().get('saml_metadata_cache_lifetime'))) # should be seconds instead of minutes?
|
# minutes=int(Setting().get('saml_metadata_cache_lifetime'))) # should be seconds instead of minutes?
|
||||||
|
# Since SAML is now user-configurable, idp_data may change before the lifetime has ended,
|
||||||
if self.idp_timestamp + lifetime < datetime.now():
|
# so metadata should not be cached at all, or outdated settings may be used.
|
||||||
background_thread = Thread(target=self.retrieve_idp_data())
|
try:
|
||||||
background_thread.start()
|
self.retrieve_idp_data()
|
||||||
|
except:
|
||||||
|
return None
|
||||||
|
# if self.idp_timestamp + lifetime < datetime.now():
|
||||||
|
background_thread = Thread(target=self.retrieve_idp_data())
|
||||||
|
background_thread.start()
|
||||||
|
|
||||||
return self.idp_data
|
return self.idp_data
|
||||||
|
|
||||||
def retrieve_idp_data(self):
|
def retrieve_idp_data(self):
|
||||||
|
|
||||||
if Setting().get('saml_idp_sso_binding'):
|
if Setting().get('saml_idp_sso_binding'):
|
||||||
new_idp_data = self.OneLogin_Saml2_IdPMetadataParser.parse_remote(
|
try:
|
||||||
Setting().get('saml_metadata_url'),
|
new_idp_data = self.OneLogin_Saml2_IdPMetadataParser.parse_remote(
|
||||||
entity_id=Setting().get('saml_idp_entity_id'),
|
Setting().get('saml_metadata_url'),
|
||||||
required_sso_binding=Setting().get('saml_idp_sso_binding')
|
entity_id=Setting().get('saml_idp_entity_id'),
|
||||||
)
|
required_sso_binding=Setting().get('saml_idp_sso_binding'))
|
||||||
|
except:
|
||||||
|
new_idp_data = None
|
||||||
else:
|
else:
|
||||||
new_idp_data = self.OneLogin_Saml2_IdPMetadataParser.parse_remote(
|
try:
|
||||||
Setting().get('saml_metadata_url'),
|
new_idp_data = self.OneLogin_Saml2_IdPMetadataParser.parse_remote(
|
||||||
entity_id=Setting().get('saml_idp_entity_id'))
|
Setting().get('saml_metadata_url'),
|
||||||
|
entity_id=Setting().get('saml_idp_entity_id'))
|
||||||
|
except:
|
||||||
|
new_idp_data = None
|
||||||
if new_idp_data is not None:
|
if new_idp_data is not None:
|
||||||
self.idp_data = new_idp_data
|
self.idp_data = new_idp_data
|
||||||
self.idp_timestamp = datetime.now()
|
self.idp_timestamp = datetime.now()
|
||||||
|
|
|
@ -829,7 +829,7 @@
|
||||||
<label for="saml_want_message_signed">Want Message Signed </label>
|
<label for="saml_want_message_signed">Want Message Signed </label>
|
||||||
</div>
|
</div>
|
||||||
<div class="form-group">
|
<div class="form-group">
|
||||||
<input type="checkbox" id="saml_sign_metadata" name="saml_sign_metadata" class="checkbox" {% if SETTING.get('saml_signed_metadata') %}checked{% endif %}>
|
<input type="checkbox" id="saml_sign_metadata" name="saml_sign_metadata" class="checkbox" {% if SETTING.get('saml_sign_metadata') %}checked{% endif %}>
|
||||||
<label for="saml_sign_metadata">Sign Metadata </label>
|
<label for="saml_sign_metadata">Sign Metadata </label>
|
||||||
</div>
|
</div>
|
||||||
<div class="form-group">
|
<div class="form-group">
|
||||||
|
|
Loading…
Reference in a new issue