Support for AuthnRequest HTTP-POST binding with enveloped signatures #78
service. Before this we only do HTTP redirects to the IdP's sso URL with everything in a querystring (as per SAML HTTP-Redirect binding). A lot of the work concerns creating an HTML form as well as enveloped signatures.
Also added an example self signed certificate with pub/private key to be used for testing.
This is what the enveloped AuthnRequest looks like. This should validate when put into a file named authn_signed_assertion.xml via the following command: xmlsec1 --verify --id-attr:ID AuthnRequest --trusted-pem tests/certs/example.com/example.crt tests/sample_output/authn_signed_assertion.xml
Yay finally. Managed to pass all the checks.
This is actually not full support for it since we still need to generate a form. This is just up here as a placeholder.
@tachang are you interested in maintaining a branch of python-saml that implements HTTP-POST binding for AuthnRequest, LogoutRequest and LogoutResponse? I have no problem hosting that branch, and maybe when mature, we could create a release based on that branch and modify the toolkit name, releasing it at pypi. This branch should also support Assertion Consumer Service HTTP-Redirect binding. #71
+1 I'd like to see this feature land. I would advise against maintaining this in a separate branch. Are the core changes required bad/scary in some way?
@pitbulk Hi Sixto I actually didn't notice this message until now! Right now not really making any changes until I have more time. I just pushed this PR in case someone else would be interested in it. We are actually not using it right now but might if a customer requests it in which case I'd totally push to open source the changes.
@sbc100 The changes are not too scary unless you need the feature. I opened this PR just to get a discussion going. I managed to get the code maybe 60-70% there. The big part was just getting some tests written as to what was actually needed.
Obviously I didn't even rebase which is nice for PRs.
70d70fc to 30cbe7c
Any update on when this work might become part of the core product?
Adding support for:
Only the urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST binding gets the enveloped signature
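How the two bindings discussed in this PR differ on the wire, as an added example that is not code from the PR or from python-saml: HTTP-Redirect deflates the request and puts it in the query string, while HTTP-POST base64-encodes the XML as-is into an auto-submitting HTML form, where every attribute value has to be HTML-escaped. The function names, the sample AuthnRequest and the URLs are assumptions made for illustration, and signing is left out (the XML passed to the POST helper would already carry the enveloped signature).

```python
# Added example: not code from this PR or from python-saml. Standard library only.
import base64
import html
import zlib
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed, unsigned AuthnRequest; the ID and URLs are placeholders.
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed_id_1" Version="2.0" IssueInstant="2015-01-01T00:00:00Z" '
    'Destination="https://idp.example.com/sso" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>'
)

def redirect_binding_url(sso_url, xml, relay_state=None):
    """HTTP-Redirect: raw DEFLATE, then base64, then URL-encode into the query."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = no zlib header
    deflated = compressor.compress(xml.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    sep = "&" if urlsplit(sso_url).query else "?"
    return sso_url + sep + urlencode(params)

def post_binding_form(sso_url, xml, relay_state=None):
    """HTTP-POST: base64 only (no DEFLATE), carried in a self-submitting form."""
    fields = {"SAMLRequest": base64.b64encode(xml.encode("utf-8")).decode("ascii")}
    if relay_state is not None:
        fields["RelayState"] = relay_state  # caller-supplied, so it must be escaped
    inputs = "".join(
        '<input type="hidden" name="%s" value="%s"/>' % (k, html.escape(v, quote=True))
        for k, v in fields.items()
    )
    return (
        '<html><body onload="document.forms[0].submit()">'
        '<form method="post" action="%s">%s'
        '<noscript><input type="submit" value="Continue"/></noscript>'
        '</form></body></html>' % (html.escape(sso_url, quote=True), inputs)
    )

def decode_redirect(url):
    """Reverse of redirect_binding_url, as the receiving side would do it."""
    value = parse_qs(urlsplit(url).query)["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")
```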