[Authn request/response] Added configurable signing and digest algorithm to SP and IDP #597
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Codecov Report
@@ Coverage Diff @@
## master #597 +/- ##
=======================================
Coverage 65.28% 65.29%
=======================================
Files 102 102
Lines 25493 25503 +10
=======================================
+ Hits 16643 16651 +8
- Misses 8850 8852 +2
Continue to review full report at Codecov.
|
This was referenced Mar 21, 2019
Closed
This was referenced Apr 8, 2019
Closed
peppelinux
added a commit
to peppelinux/pysaml2
that referenced
this pull request
Apr 8, 2019
…ts](../../pulls) for the same update/change?
* [x] Have you added an explanation of what problem you are trying to solve with this PR?
It is needed for returning attributes like
````
<saml:Attribute Name="dateOfBirth">
<saml:AttributeValue xsi:type="xs:date">2015-12-06</saml:AttributeValue>
</saml:Attribute>
````
Otherwise I get an ValueError Exception like
````
Type and value do not match: date:<class 'str'>:2015-12-06
````
because `type(value) is not valid_type == True`
I didn't write any unit test, just tested in my context.
Two important things:
1. This PR is on top of IdentityPython#597 but it doesn't have any dependencies on it. The only file I changed is saml.py, let me know if this PR will be merged in next releases and if you need separate branch for every features. In the future I will this way.
2. I think that the following code https://github.com/IdentityPython/pysaml2/pull/602/files#diff-6c156669cad61eda35e679329251dce9R197 could be also improved according to IdentityPython#518
6 tasks
|
Would love to see this merged 👍 |
|
Glad to hear this ;) |
|
I'm no longer working on the project that needed this, but I'm sure whoever is maintaining that code now would really appreciate this being merged! |
|
With my setup I'm currently unable to authenticate against ADFS without patching in either this PR or IdentityPython/djangosaml2#142. I would also very much like to see this merged so I don't need to maintain a fork for our system. |
Closed
Oksamies
approved these changes
Oct 20, 2020
ioparaskev
reviewed
Nov 3, 2020
src/saml2/client_base.py
Outdated
| @@ -181,6 +181,9 @@ def __init__(self, config=None, identity_cache=None, state_cache=None, | |||
|
|
|||
| setattr(self, attr, val) | |||
|
|
|||
| for algorithm in ('signing_algorithm', 'digest_algorithm'): | |||
| setattr(self, algorithm, self.config.getattr(algorithm, "sp")) | |||
There was a problem hiding this comment.
I would prefer the more explicit
self.signing_algorithm = self.config.getattr(signing_algorithm, "sp")
self.digest_algorithm = self.config.getattr(digest_algorithm, "sp")but I see that some lines above is the setattr(self, attr, val) so maybe it's just me 🤷♂️
ioparaskev
reviewed
Nov 3, 2020
src/saml2/server.py
Outdated
| @@ -595,6 +595,9 @@ def gather_authn_response_args(self, sp_entity_id, name_id_policy, userid, | |||
| except KeyError: | |||
| args['best_effort'] = False | |||
|
|
|||
| for algorithm in ('signing_algorithm', 'digest_algorithm'): | |||
| setattr(self, algorithm, self.config.getattr(algorithm, "idp")) | |||
There was a problem hiding this comment.
again I would prefer the more explicit
self.signing_algorithm = self.config.getattr(signing_algorithm, "idp")
self.digest_algorithm = self.config.getattr(digest_algorithm, "idp")
peppelinux
commented
Nov 7, 2020
src/saml2/entity.py
Outdated
| sign_alg = self.signing_algorithm | ||
|
|
||
| if digest_alg is None and self.digest_algorithm: | ||
| digest_alg = self.digest_algorithm |
There was a problem hiding this comment.
I'm doing a general refactor,
# sign adn digest algs
sign_alg = sign_alg or self.signing_algorithm
digest_alg = digest_alg or self.digest_algorithm
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Added support for configurable signing and digest algorithms, following this PR, thank you @joetsoi!
What's new?
Why this?
The problem is that some federation contexts don't permit the sha1 digest anymore, I really need of
saml2.xmldsig.SIG_RSA_SHA256to get pySAML2 in a production environment.To get it working we have to put in the config file the same options already proposed by @joetsoi:
Tests
Environment tests was made with djangosaml2 and djangosaml2idp.
Authn request and response, and Logout Response was succesfully tested.
A request from SP:
The Response from IDP:
Tests
Regarding test and code linting read this
Conclusions
I hope to see this merged, optionally in a separate branch, and continue working on this to get all the others services to get supported by these configuration paramenters. Thank you for your time.