From d57a37e9c127bd8b83902ee2ad628e63049d4b71 Mon Sep 17 00:00:00 2001
From: vmarkop <billy.mark.b.m.10@gmail.com>
Date: Thu, 9 Dec 2021 17:36:19 +0200
Subject: [PATCH] Refactored and recategorized SAML Settings

---
 powerdnsadmin/models/setting.py               |  10 +-
 powerdnsadmin/routes/admin.py                 |  19 +-
 powerdnsadmin/services/saml.py                |  26 +-
 .../admin_setting_authentication.html         | 225 +++++++++---------
 4 files changed, 145 insertions(+), 135 deletions(-)

diff --git a/powerdnsadmin/models/setting.py b/powerdnsadmin/models/setting.py
index 3264570..f8378a5 100644
--- a/powerdnsadmin/models/setting.py
+++ b/powerdnsadmin/models/setting.py
@@ -114,7 +114,8 @@ class Setting(db.Model):
         'saml_debug': True,
         'saml_metadata_url': 'https://md.aai.grnet.gr/aggregates/grnet-metadata.xml',
         'saml_metadata_cache_lifetime': '1',
-        'saml_idp_sso_binding': 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
+        'saml_idp_sso_binding': 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
+        'saml_idp_slo_binding': 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
         'saml_idp_entity_id': 'https://idp.uoa.gr/idp/shibboleth',
         'saml_nameid_format': 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
         'saml_sp_requested_attributes': '[ \
@@ -137,15 +138,18 @@ class Setting(db.Model):
         'saml_sp_contact_mail': 'pda@uoa.gr',
         'saml_cert_file': '/etc/pki/powerdns-admin/cert.crt',
         'saml_cert_key': '/etc/pki/powerdns-admin/key.pem',
-        'saml_sign_request': False,
+        'saml_sign_authn_request': False,
+        'saml_sign_logout_request_response': False,
         'saml_logout': True,
         'saml_logout_url': 'https://google.com',
-        'saml_assertion_encrypted': False,
+        'saml_want_assertions_encrypted': False,
         'saml_digest_algorithm': 'http://www.w3.org/2000/09/xmldsig#rsa-sha1',
         'saml_signature_algorithm': 'http://www.w3.org/2000/09/xmldsig#rsa-sha1',
         'saml_want_assertions_signed': True,
         'saml_sign_metadata': False,
         'saml_want_message_signed': False,
+        'saml_nameid_encrypted': 'False',
+        'saml_want_nameid_encrypted': 'False',
         'saml_metadata_cache_duration': 'PT5M',
         'saml_metadata_valid_until': '999999999999999999',
         'saml_autoprovisioning': True,
diff --git a/powerdnsadmin/routes/admin.py b/powerdnsadmin/routes/admin.py
index 88d260d..86f068c 100644
--- a/powerdnsadmin/routes/admin.py
+++ b/powerdnsadmin/routes/admin.py
@@ -1646,6 +1646,8 @@ def setting_authentication():
                                 else Setting().defaults['saml_metadata_cache_lifetime']))
                 Setting().set('saml_idp_sso_binding',
                               request.form.get('saml_idp_sso_binding'))
+                Setting().set('saml_idp_slo_binding',
+                              request.form.get('saml_idp_slo_binding'))
                 Setting().set('saml_idp_entity_id',
                               request.form.get('saml_idp_entity_id'))
                 Setting().set('saml_nameid_format',
@@ -1689,8 +1691,11 @@ def setting_authentication():
                 Setting().set('saml_cert_key',
                               request.form.get('saml_cert_key'))
                 Setting().set(
-                    'saml_sign_request',
-                    True if request.form.get('saml_sign_request') else False)
+                    'saml_sign_authn_request',
+                    True if request.form.get('saml_sign_authn_request') else False)
+                Setting().set(
+                    'saml_sign_logout_request_response',
+                    True if request.form.get('saml_sign_logout_request_response') else False)
                 Setting().set(
                     'saml_logout',
                     True if request.form.get('saml_logout') else False)
@@ -1698,11 +1703,17 @@ def setting_authentication():
                     Setting().set('saml_logout_url',
                               request.form.get('saml_logout_url'))
                 Setting().set(
-                    'saml_assertion_encrypted',
-                    True if request.form.get('saml_assertion_encrypted') else False)
+                    'saml_want_assertions_encrypted',
+                    True if request.form.get('saml_want_assertions_encrypted') else False)
                 Setting().set(
                     'saml_want_assertions_signed',
                     True if request.form.get('saml_want_assertions_signed') else False)
+                Setting().set(
+                    'saml_want_nameid_encrypted',
+                    True if request.form.get('saml_want_nameid_encrypted') else False)
+                Setting().set(
+                    'saml_nameid_encrypted',
+                    True if request.form.get('saml_nameid_encrypted') else False)
                 Setting().set('saml_digest_algorithm',
                               request.form.get('saml_digest_algorithm'))
                 Setting().set('saml_signature_algorithm',
diff --git a/powerdnsadmin/services/saml.py b/powerdnsadmin/services/saml.py
index d64f2ea..3c8e658 100644
--- a/powerdnsadmin/services/saml.py
+++ b/powerdnsadmin/services/saml.py
@@ -44,17 +44,17 @@ class SAML(object):
 
     def get_idp_data(self):
 
-        # lifetime = timedelta(
-        #     minutes=int(Setting().get('saml_metadata_cache_lifetime')))     # should be seconds instead of minutes?
+        lifetime = timedelta(
+            minutes=int(Setting().get('saml_metadata_cache_lifetime')))     # should be seconds instead of minutes?
         # Since SAML is now user-configurable, idp_data may change before the lifetime has ended,
         # so metadata should not be cached at all, or outdated settings may be used. 
         try:
             self.retrieve_idp_data()
         except:
             return None
-        # if self.idp_timestamp + lifetime < datetime.now():
-        background_thread = Thread(target=self.retrieve_idp_data())
-        background_thread.start()
+        if self.idp_timestamp + lifetime < datetime.now():
+            background_thread = Thread(target=self.retrieve_idp_data())
+            background_thread.start()
 
         return self.idp_data
 
@@ -158,12 +158,12 @@ class SAML(object):
 
         settings['sp']['assertionConsumerService'] = {}
         settings['sp']['assertionConsumerService'][
-            'binding'] = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'
+            'binding'] = Setting().get('saml_idp_sso_binding')
         settings['sp']['assertionConsumerService'][
             'url'] = own_url + '/saml/authorized'
         settings['sp']['singleLogoutService'] = {}
         settings['sp']['singleLogoutService'][
-            'binding'] = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
+            'binding'] = Setting().get('saml_idp_slo_binding')
         settings['sp']['singleLogoutService']['url'] = own_url + '/saml/sls'
         settings['idp'] = metadata['idp']
         settings['strict'] = True
@@ -176,17 +176,17 @@ class SAML(object):
         settings['security']['requestedAuthnContext'] = True
         settings['security'][
             'signatureAlgorithm'] = Setting().get('saml_signature_algorithm')
-        settings['security']['wantAssertionsEncrypted'] = Setting().get('saml_assertion_encrypted')
+        settings['security']['wantAssertionsEncrypted'] = Setting().get('saml_want_assertions_encrypted')
         settings['security']['wantAttributeStatement'] = True
         settings['security']['wantNameId'] = True
-        settings['security']['authnRequestsSigned'] = Setting().get('saml_sign_request')
-        settings['security']['logoutRequestSigned'] = Setting().get('saml_sign_request')
-        settings['security']['logoutResponseSigned'] = Setting().get('saml_sign_request')
-        settings['security']['nameIdEncrypted'] = False
+        settings['security']['authnRequestsSigned'] = Setting().get('saml_sign_authn_request')
+        settings['security']['logoutRequestSigned'] = Setting().get('saml_sign_logout_request_response')
+        settings['security']['logoutResponseSigned'] = Setting().get('saml_sign_logout_request_response')
+        settings['security']['nameIdEncrypted'] = Setting().get('saml_nameid_encrypted')
         settings['security']['signMetadata'] = Setting().get('saml_sign_metadata')
         settings['security']['wantAssertionsSigned'] = Setting().get('saml_want_assertions_signed')
         settings['security']['wantMessagesSigned'] = Setting().get('saml_want_message_signed')
-        settings['security']['wantNameIdEncrypted'] = False
+        settings['security']['wantNameIdEncrypted'] = Setting().get('saml_want_nameid_encrypted')
         settings['contactPerson'] = {}
         settings['contactPerson']['support'] = {}
         settings['contactPerson']['support']['emailAddress'] = Setting().get('saml_sp_contact_mail')
diff --git a/powerdnsadmin/templates/admin_setting_authentication.html b/powerdnsadmin/templates/admin_setting_authentication.html
index 8a650c9..044c588 100644
--- a/powerdnsadmin/templates/admin_setting_authentication.html
+++ b/powerdnsadmin/templates/admin_setting_authentication.html
@@ -691,39 +691,63 @@
                                                     <label for="saml_enabled">Enable SAML</label>
                                                 </div>
                                             </fieldset>
-                                            <fieldset>
-                                                <legend>METADATA</legend>
-                                                <div class="form-group">
-                                                    <label for="saml_metadata_url">Metadata URL</label>
-                                                    <input type="text" class="form-control" name="saml_metadata_url" id="saml_metadata_url" placeholder="SAML Metadata URL" data-error="Please input SAML Metadata URL" value="{{ SETTING.get('saml_metadata_url') }}">
-                                                    <span class="help-block with-errors"></span>
-                                                </div>
-                                                <div class="form-group">
-                                                    <label for="saml_metadata_cache_lifetime">Metadata Cache Lifetime</label>
-                                                    <input type="text" class="form-control" name="saml_metadata_cache_lifetime" id="saml_metadata_cache_lifetime" placeholder="SAML Metadata Cache Lifetime" data-error="Please input SAML Metadata Cache Lifetime" value="{{ SETTING.get('saml_metadata_cache_lifetime') }}">
-                                                    <span class="help-block with-errors"></span>
-                                                </div>
-                                            </fieldset>
                                             <fieldset>
                                                 <legend>IDP</legend>
-                                                <div class="form-group">
-                                                    <label for="saml_idp_sso_binding">IDP SSO Binding</label>
-                                                    <input type="text" class="form-control" name="saml_idp_sso_binding" id="saml_idp_sso_binding" placeholder="e.g. urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" data-error="Please input SAML IDP SSO Binding" value="{{ SETTING.get('saml_idp_sso_binding') }}">
-                                                    <span class="help-block with-errors"></span>
-                                                </div>
                                                 <div class="form-group">
                                                     <label for="saml_idp_entity_id">IDP Entity ID</label>
                                                     <input type="text" class="form-control" name="saml_idp_entity_id" id="saml_idp_entity_id" placeholder="e.g. https://idp.example.edu/idp" data-error="Please input SAML IDP Entity ID" value="{{ SETTING.get('saml_idp_entity_id') }}">
                                                     <span class="help-block with-errors"></span>
                                                 </div>
                                                 <div class="form-group">
-                                                    <label for="saml_nameid_format">NameID Format</label>
-                                                    <input type="text" class="form-control" name="saml_nameid_format" id="saml_nameid_format" placeholder="e.g. urn:oid:0.9.2342.19200300.100.1.1" data-error="Please input NameID Format" value="{{ SETTING.get('saml_nameid_format') }}">
+                                                    <label for="saml_metadata_url">IDP Metadata URL</label>
+                                                    <input type="text" class="form-control" name="saml_metadata_url" id="saml_metadata_url" placeholder="SAML Metadata URL" data-error="Please input SAML Metadata URL" value="{{ SETTING.get('saml_metadata_url') }}">
+                                                    <span class="help-block with-errors"></span>
+                                                </div>
+                                                <div class="form-group">
+                                                    <label for="saml_metadata_cache_lifetime">IDP Metadata Cache Lifetime</label>
+                                                    <input type="text" class="form-control" name="saml_metadata_cache_lifetime" id="saml_metadata_cache_lifetime" placeholder="SAML Metadata Cache Lifetime" data-error="Please input SAML Metadata Cache Lifetime" value="{{ SETTING.get('saml_metadata_cache_lifetime') }}">
+                                                    <span class="help-block with-errors"></span>
+                                                </div>
+                                                <div class="form-group">
+                                                    <label for="saml_idp_sso_binding">IDP SSO Binding</label>
+                                                    <input type="text" class="form-control" name="saml_idp_sso_binding" id="saml_idp_sso_binding" placeholder="e.g. urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" data-error="Please input SAML IDP SSO Binding" value="{{ SETTING.get('saml_idp_sso_binding') }}">
+                                                    <span class="help-block with-errors"></span>
+                                                </div>
+                                                <div class="form-group">
+                                                    <label for="saml_idp_slo_binding">IDP SLO Binding</label>
+                                                    <input type="text" class="form-control" name="saml_idp_slo_binding" id="saml_idp_slo_binding" placeholder="e.g. urn:oasis:names:tc:SAML:2.0:bindings:HTTP-REDIRECT" data-error="Please input SAML IDP SLO Binding" value="{{ SETTING.get('saml_idp_slo_binding') }}">
                                                     <span class="help-block with-errors"></span>
                                                 </div>
                                             </fieldset>
                                             <fieldset>
-                                                <legend>ATTRIBUTES</legend>
+                                                <legend>SP</legend>
+                                                <div class="form-group">
+                                                    <label for="saml_sp_entity_id">SP Entity ID</label>
+                                                    <input type="text" class="form-control" name="saml_sp_entity_id" id="saml_sp_entity_id" placeholder="http://<SAML SP Entity ID>" data-error="Please input SAML SP Entity ID" value="{{ SETTING.get('saml_sp_entity_id') }}">
+                                                    <span class="help-block with-errors"></span>
+                                                </div>
+                                                <div class="form-group">
+                                                    <label for="saml_nameid_format">SP NameID Format</label>
+                                                    <input type="text" class="form-control" name="saml_nameid_format" id="saml_nameid_format" placeholder="e.g. urn:oid:0.9.2342.19200300.100.1.1" data-error="Please input NameID Format" value="{{ SETTING.get('saml_nameid_format') }}">
+                                                    <span class="help-block with-errors"></span>
+                                                </div>
+                                                <div class="form-group">
+                                                    <label for="saml_metadata_cache_duration">SP Metadata Cache Duration</label>
+                                                    <input type="text" class="form-control" name="saml_metadata_cache_duration" id="saml_metadata_cache_duration" placeholder="Cache duration in seconds" data-error="Please input Metadata Cache Duration" value="{{ SETTING.get('saml_metadata_cache_duration') }}">
+                                                    <span class="help-block with-errors"></span>
+                                                </div>
+                                                <div class="form-group">
+                                                    <label for="saml_metadata_valid_until">SP Metadata Valid Until</label>
+                                                    <input type="text" class="form-control" name="saml_metadata_valid_until" id="saml_metadata_valid_until" placeholder="Time-moment when metadata stops being valid" data-error="Please input Metadata Expiration Date" value="{{ SETTING.get('saml_metadata_valid_until') }}">
+                                                    <span class="help-block with-errors"></span>
+                                                </div>
+                                                <div class="form-group">
+                                                    <input type="checkbox" id="saml_sign_metadata" name="saml_sign_metadata" class="checkbox" {% if SETTING.get('saml_sign_metadata') %}checked{% endif %}>
+                                                    <label for="saml_sign_metadata">Sign SP Metadata </label>
+                                                </div>
+                                            </fieldset>
+                                            <fieldset>
+                                                <legend>SP ATTRIBUTES</legend>
                                                 <div class="form-group">
                                                     <label for="saml_sp_requested_attributes">Requested Attributes</label>
                                                     <input type="text" class="form-control" name="saml_sp_requested_attributes" id="saml_sp_requested_attributes" placeholder="must be valid JSON" data-error="Plesae input Requested Attributes" value="{{ SETTING.get('saml_sp_requested_attributes') }}">
@@ -749,21 +773,6 @@
                                                     <input type="text" class="form-control" name="saml_attribute_username" id="saml_attribute_username" placeholder="e.g. urn:oid:0.9.2342.19200300.100.1.1" data-error="Please input SAML Username Attribute" value="{{ SETTING.get('saml_attribute_username') }}">
                                                     <span class="help-block with-errors"></span>
                                                 </div>
-                                                <div class="form-group">
-                                                    <label for="saml_attribute_admin">Admin</label>
-                                                    <input type="text" class="form-control" name="saml_attribute_admin" id="saml_attribute_admin" placeholder="e.g. https://example.edu/pdns-admin" data-error="Please input SAML Admin Attribute" value="{{ SETTING.get('saml_attribute_admin') }}">
-                                                    <span class="help-block with-errors"></span>
-                                                </div>
-                                                <div class="form-group">
-                                                    <label for="saml_attribute_account">Account</label>
-                                                    <input type="text" class="form-control" name="saml_attribute_account" id="saml_attribute_account" placeholder="e.g. https://example.edu/pdns-account" data-error="Please input SAML Account Attribute" value="{{ SETTING.get('saml_attribute_account') }}">
-                                                    <span class="help-block with-errors"></span>
-                                                </div>
-                                                <div class="form-group">
-                                                    <label for="saml_sp_entity_id">SP Entity ID</label>
-                                                    <input type="text" class="form-control" name="saml_sp_entity_id" id="saml_sp_entity_id" placeholder="http://<SAML SP Entity ID>" data-error="Please input SAML SP Entity ID" value="{{ SETTING.get('saml_sp_entity_id') }}">
-                                                    <span class="help-block with-errors"></span>
-                                                </div>
                                                 <div class="form-group">
                                                     <label for="saml_sp_contact_name">SP Contact Name</label>
                                                     <input type="text" class="form-control" name="saml_sp_contact_name" id="saml_sp_contact_name" placeholder="<contact name>" data-error="Please input SAML SP contact name" value="{{ SETTING.get('saml_sp_contact_name') }}">
@@ -776,7 +785,7 @@
                                                 </div>
                                             </fieldset>
                                             <fieldset>
-                                                <legend>CERTIFICATE</legend>
+                                                <legend>SIGNING & ENCRYPTION</legend>
                                                 <div class="form-group">
                                                     <label for="saml_cert_file">Cert File</label>
                                                     <input type="text" class="form-control" name="saml_cert_file" id="saml_cert_file" placeholder="e.g. opt/web/PowerDNS-Admin/cert.crt" data-error="Please input SAML cert file path" value="{{ SETTING.get('saml_cert_file') }}">
@@ -788,8 +797,42 @@
                                                     <span class="help-block with-errors"></span>
                                                 </div>
                                                 <div class="form-group">
-                                                    <input type="checkbox" id="saml_sign_request" name="saml_sign_request" class="checkbox" {% if SETTING.get('saml_sign_request') %}checked{% endif %}>
-                                                    <label for="saml_sign_request">Sign Request</label>
+                                                    <input type="checkbox" id="saml_sign_authn_request" name="saml_sign_authn_request" class="checkbox" {% if SETTING.get('saml_sign_authn_request') %}checked{% endif %}>
+                                                    <label for="saml_sign_authn_request">Sign Authentication Request</label>
+                                                </div>
+                                                <div class="form-group">
+                                                    <input type="checkbox" id="saml_sign_logout_request_response" name="saml_sign_logout_request_response" class="checkbox" {% if SETTING.get('saml_sign_logout_request_response') %}checked{% endif %}>
+                                                    <label for="saml_sign_logout_request_response">Sign Logout Request & Response</label>
+                                                </div>
+                                                <div class="form-group">
+                                                    <input type="checkbox" id="saml_want_assertions_encrypted" name="saml_want_assertions_encrypted" class="checkbox" {% if SETTING.get('saml_want_assertions_encrypted') %}checked{% endif %}>
+                                                    <label for="saml_want_assertions_encrypted">Want Assertions Encrypted</label>
+                                                </div>
+                                                <div class="form-group">
+                                                    <input type="checkbox" id="saml_want_assertions_signed" name="saml_want_assertions_signed" class="checkbox" {% if SETTING.get('saml_want_assertions_signed') %}checked{% endif %}>
+                                                    <label for="saml_want_assertions_encrypted">Want Assertions Signed</label>
+                                                </div>
+                                                <div class="form-group">
+                                                    <input type="checkbox" id="saml_want_message_signed" name="saml_want_message_signed" class="checkbox" {% if SETTING.get('saml_want_message_signed') %}checked{% endif %}>
+                                                    <label for="saml_want_message_signed">Want Message Signed </label>
+                                                </div>
+                                                <div class="form-group">
+                                                    <input type="checkbox" id="saml_nameid_encrypted" name="saml_nameid_encrypted" class="checkbox" {% if SETTING.get('saml_nameid_encrypted') %}checked{% endif %}>
+                                                    <label for="saml_nameid_encrypted">NameID Encrypted </label>
+                                                </div>
+                                                <div class="form-group">
+                                                    <input type="checkbox" id="saml_want_nameid_encrypted" name="saml_want_nameid_encrypted" class="checkbox" {% if SETTING.get('saml_want_nameid_encrypted') %}checked{% endif %}>
+                                                    <label for="saml_want_message_signed">Want NameID Encrypted </label>
+                                                </div>
+                                                <div class="form-group">
+                                                    <label for="saml_digest_algorithm">Digest Algorithm</label>
+                                                    <input type="text" class="form-control" name="saml_digest_algorithm" id="saml_digest_algorithm" placeholder="must be a valid algorithm" data-error="Please input SAML digest algorithm" value="{{ SETTING.get('saml_digest_algorithm') }}">
+                                                    <span class="help-block with-errors"></span>
+                                                </div>
+                                                <div class="form-group">
+                                                    <label for="saml_signature_algorithm">Signature Algorithm</label>
+                                                    <input type="text" class="form-control" name="saml_signature_algorithm" id="saml_signature_algorithm" placeholder="must be a valid algorithm" data-error="Please input SAML signature algorithm" value="{{ SETTING.get('saml_signature_algorithm') }}">
+                                                    <span class="help-block with-errors"></span>
                                                 </div>
                                             </fieldset>
                                             <fieldset>
@@ -804,50 +847,18 @@
                                                     <span class="help-block with-errors"></span>
                                                 </div>
                                             </fieldset>
-                                            <fieldset>
-                                                <legend>ENCRYPTION</legend>
-                                                <div class="form-group">
-                                                    <input type="checkbox" id="saml_assertion_encrypted" name="saml_assertion_encrypted" class="checkbox" {% if SETTING.get('saml_assertion_encrypted') %}checked{% endif %}>
-                                                    <label for="saml_assertion_encrypted">Encrypted Assertion</label>
-                                                </div>
-                                                <div class="form-group">
-                                                    <input type="checkbox" id="saml_want_assertions_signed" name="saml_want_assertions_signed" class="checkbox" {% if SETTING.get('saml_want_assertions_signed') %}checked{% endif %}>
-                                                    <label for="saml_want_assertions_encrypted">Want Assertions Signed </label>
-                                                </div>
-                                                <div class="form-group">
-                                                    <label for="saml_digest_algorithm">Digest Algorithm</label>
-                                                    <input type="text" class="form-control" name="saml_digest_algorithm" id="saml_digest_algorithm" placeholder="must be a valid algorithm" data-error="Please input SAML digest algorithm" value="{{ SETTING.get('saml_digest_algorithm') }}">
-                                                    <span class="help-block with-errors"></span>
-                                                </div>
-                                                <div class="form-group">
-                                                    <label for="saml_signature_algorithm">Signature Algorithm</label>
-                                                    <input type="text" class="form-control" name="saml_signature_algorithm" id="saml_signature_algorithm" placeholder="must be a valid algorithm" data-error="Please input SAML signature algorithm" value="{{ SETTING.get('saml_signature_algorithm') }}">
-                                                    <span class="help-block with-errors"></span>
-                                                </div>
-                                                <div class="form-group">
-                                                    <input type="checkbox" id="saml_want_message_signed" name="saml_want_message_signed" class="checkbox" {% if SETTING.get('saml_want_message_signed') %}checked{% endif %}>
-                                                    <label for="saml_want_message_signed">Want Message Signed </label>
-                                                </div>
-                                                <div class="form-group">
-                                                    <input type="checkbox" id="saml_sign_metadata" name="saml_sign_metadata" class="checkbox" {% if SETTING.get('saml_sign_metadata') %}checked{% endif %}>
-                                                    <label for="saml_sign_metadata">Sign Metadata </label>
-                                                </div>
-                                            </fieldset>
-                                            <fieldset>
-                                                <legend>DURATION</legend>
-                                                <div class="form-group">
-                                                    <label for="saml_metadata_cache_duration">Metadata Cache Duration</label>
-                                                    <input type="text" class="form-control" name="saml_metadata_cache_duration" id="saml_metadata_cache_duration" placeholder="Cache duration in seconds" data-error="Please input Metadata Cache Duration" value="{{ SETTING.get('saml_metadata_cache_duration') }}">
-                                                    <span class="help-block with-errors"></span>
-                                                </div>
-                                                <div class="form-group">
-                                                    <label for="saml_metadata_valid_until">Metadata Valid Until</label>
-                                                    <input type="text" class="form-control" name="saml_metadata_valid_until" id="saml_metadata_valid_until" placeholder="Time-moment when metadata stops being valid" data-error="Please input Metadata Expiration Date" value="{{ SETTING.get('saml_metadata_valid_until') }}">
-                                                    <span class="help-block with-errors"></span>
-                                                </div>
-                                            </fieldset>
                                             <fieldset>
                                                 <legend>AUTOPROVISION</legend>
+                                                <div class="form-group">
+                                                    <label for="saml_attribute_admin">Admin SP Attribute</label>
+                                                    <input type="text" class="form-control" name="saml_attribute_admin" id="saml_attribute_admin" placeholder="e.g. https://example.edu/pdns-admin" data-error="Please input SAML Admin Attribute" value="{{ SETTING.get('saml_attribute_admin') }}">
+                                                    <span class="help-block with-errors"></span>
+                                                </div>
+                                                <div class="form-group">
+                                                    <label for="saml_attribute_account">Account SP Attribute</label>
+                                                    <input type="text" class="form-control" name="saml_attribute_account" id="saml_attribute_account" placeholder="e.g. https://example.edu/pdns-account" data-error="Please input SAML Account Attribute" value="{{ SETTING.get('saml_attribute_account') }}">
+                                                    <span class="help-block with-errors"></span>
+                                                </div>
                                                 <div class="form-group">
                                                     <label>Roles Autoprovisioning</label> <br />
                                                     <label>
@@ -896,7 +907,7 @@
                                                         <b>Metadata URL</b> - URL to fetch metadata from
                                                     </li>
                                                     <li>
-                                                        <b>Metadata Cache Lifetime</b> - Cache Lifetime in Seconds before fresh metadata are requested
+                                                        <b>Metadata Cache Lifetime</b> - Cache Lifetime in minutes before fresh metadata are requested
                                                     </li>
                                                 </ul>
                                             </dd>
@@ -1479,26 +1490,17 @@
         var is_enabled = e.currentTarget.checked;
         if (is_enabled){
             $('#saml_metadata_url').prop('required', true);
-            // $('#saml_metadata_cache_lifetime').prop('required', true);
             $('#saml_idp_sso_binding').prop('required', true);
+            $('#saml_idp_slo_binding').prop('required', true);
             $('#saml_idp_entity_id').prop('required', true);
             $('#saml_nameid_format').prop('required', true);
             $('#saml_sp_requested_attributes').prop('required', true);
-            // $('#saml_attribute_email').prop('required', true);
-            // $('#saml_attribute_givenname').prop('required', true);
-            // $('#saml_attribute_surname').prop('required', true);
             $('#saml_attribute_username').prop('required', true);
-            // $('#saml_attribute_admin').prop('required', true);
-            // $('#saml_attribute_account').prop('required', true);
             $('#saml_sp_entity_id').prop('required', true);
-            // $('#saml_sp_contact_name').prop('required', true);
-            // $('#saml_sp_contact_mail').prop('required', true);
             $('#saml_cert_file').prop('required', true);
             $('#saml_cert_key').prop('required', true);
             $('#saml_digest_algorithm').prop('required', true);
             $('#saml_signature_algorithm').prop('required', true);
-            // $('#saml_metadata_cache_duration').prop('required', true);
-            // $('#saml_metadata_valid_until').prop('required', true);
             if ($('#saml_logout').is(":checked")) {
                 $('#saml_logout_url').prop('required', true);
             }
@@ -1508,27 +1510,18 @@
             }
         } else {
             $('#saml_metadata_url').prop('required', false);
-            // $('#saml_metadata_cache_lifetime').prop('required', false);
             $('#saml_idp_sso_binding').prop('required', false);
+            $('#saml_idp_slo_binding').prop('required', false);
             $('#saml_idp_entity_id').prop('required', false);
             $('#saml_nameid_format').prop('required', false);
             $('#saml_sp_requested_attributes').prop('required', false);
-            // $('#saml_attribute_email').prop('required', false);
-            // $('#saml_attribute_givenname').prop('required', false);
-            // $('#saml_attribute_surname').prop('required', false);
             $('#saml_attribute_username').prop('required', false);
-            // $('#saml_attribute_admin').prop('required', false);
-            // $('#saml_attribute_account').prop('required', false);
             $('#saml_sp_entity_id').prop('required', false);
-            // $('#saml_sp_contact_name').prop('required', false);
-            // $('#saml_sp_contact_mail').prop('required', false);
             $('#saml_cert_file').prop('required', false);
             $('#saml_cert_key').prop('required', false);
             $('#saml_logout_url').prop('required', false);
             $('#saml_digest_algorithm').prop('required', false);
             $('#saml_signature_algorithm').prop('required', false);
-            // $('#saml_metadata_cache_duration').prop('required', false);
-            // $('#saml_metadata_valid_until').prop('required', false);
             $('#saml_autoprovisioning_attribute').prop('required', false);
             $('#saml_urn_prefix').prop('required', false);
         }
@@ -1536,26 +1529,16 @@
     // init validation requirement at first time page load
     {% if SETTING.get('saml_enabled') %}
         $('#saml_metadata_url').prop('required', true);
-        // $('#saml_metadata_cache_lifetime').prop('required', true);
         $('#saml_idp_sso_binding').prop('required', true);
+        $('#saml_idp_slo_binding').prop('required', true);
         $('#saml_idp_entity_id').prop('required', true);
         $('#saml_nameid_format').prop('required', true);
         $('#saml_sp_requested_attributes').prop('required', true);
-        // $('#saml_attribute_email').prop('required', true);
-        // $('#saml_attribute_givenname').prop('required', true);
-        // $('#saml_attribute_surname').prop('required', true);
         $('#saml_attribute_username').prop('required', true);
-        // $('#saml_attribute_admin').prop('required', true);
-        // $('#saml_attribute_account').prop('required', true);
         $('#saml_sp_entity_id').prop('required', true);
-        // $('#saml_sp_contact_name').prop('required', true);
-        // $('#saml_sp_contact_mail').prop('required', true);
-        // $('#saml_cert_file').prop('required', true);
         $('#saml_cert_key').prop('required', true);
         $('#saml_digest_algorithm').prop('required', true);
         $('#saml_signature_algorithm').prop('required', true);
-        // $('#saml_metadata_cache_duration').prop('required', true);
-        // $('#saml_metadata_valid_until').prop('required', true);
         if ($('#saml_logout').is(":checked")) {
             $('#saml_logout_url').prop('required', true);
         }
@@ -1609,11 +1592,23 @@
         }
     });
 
-    $('#saml_sign_request').iCheck({
+    $('#saml_sign_authn_request').iCheck({
         checkboxClass : 'icheckbox_square-blue',
         increaseArea : '20%'
     })
-    $('#saml_assertion_encrypted').iCheck({
+    $('#saml_sign_logout_request_response').iCheck({
+        checkboxClass : 'icheckbox_square-blue',
+        increaseArea : '20%'
+    })
+    $('#saml_nameid_encrypted').iCheck({
+        checkboxClass : 'icheckbox_square-blue',
+        increaseArea : '20%'
+    })
+    $('#saml_want_nameid_encrypted').iCheck({
+        checkboxClass : 'icheckbox_square-blue',
+        increaseArea : '20%'
+    })
+    $('#saml_want_assertions_encrypted').iCheck({
         checkboxClass : 'icheckbox_square-blue',
         increaseArea : '20%'
     })