def saml_client(metadata):
    """Build a pysaml2 ``Saml2Client`` for this SP from inline IdP metadata.

    Args:
        metadata: IdP metadata document handed to pysaml2 as ``inline``
            metadata; it is passed through untouched.

    Returns:
        A ``saml2.client.Saml2Client`` whose entity id and assertion
        consumer service URL are resolved with ``flask.url_for(...,
        _external=True)``, so a Flask request context is required.
    """
    entity_id = flask.url_for('saml_metadata', _external=True)
    acs_endpoint = flask.url_for('saml_acs', _external=True)

    sp_section = {
        'endpoints': {
            'assertion_consumer_service': [
                (acs_endpoint, saml2.BINDING_HTTP_POST),
            ],
        },
        # pysaml2 normally remembers the ids of the AuthnRequests it issued
        # and rejects responses it cannot match. This client object is
        # rebuilt per call and never persisted, so that cache would always
        # be empty; unsolicited responses are accepted instead.
        # Signature requirements (want_assertions_signed /
        # want_response_signed) are not set here and fall back to pysaml2's
        # defaults -- NOTE(review): confirm those defaults are the intended
        # ones for this deployment.
        'allow_unsolicited': True,
    }
    settings = {
        'entityid': entity_id,
        'metadata': {'inline': [metadata]},
        'service': {'sp': sp_section},
    }

    sp_config = saml2.config.Config()
    sp_config.load(settings)
    return saml2.client.Saml2Client(config=sp_config)
def get_saml2_config():
    """Assemble the pysaml2 ``Config`` for this SP from Flask app settings.

    Reads ``SAML2_METADATA_URL``, ``SAML2_ENTITY_ID`` and ``SAML2_CONFIG``
    from ``current_app.config``. Built-in defaults (remote IdP metadata, the
    ``/auth/saml`` HTTP-POST ACS endpoint, ``want_assertions_signed=True``)
    are merged with ``SAML2_CONFIG`` via ``merge``; an explicit entity id or
    metadata section in the app config replaces the default outright.

    Returns:
        A loaded ``saml2.config.Config`` with ``allow_unknown_attributes``
        switched on.
    """
    # Evaluate the app-config reads and URL builders in the same order the
    # settings dict would otherwise pull them in.
    idp_metadata_url = current_app.config['SAML2_METADATA_URL']
    default_entity_id = absolute_url()
    acs_url = absolute_url('/auth/saml')

    sp_section = {
        'endpoints': {
            'assertion_consumer_service': [
                (acs_url, saml2.BINDING_HTTP_POST)
            ]
        },
        # Responses are accepted without a matching cached AuthnRequest id.
        'allow_unsolicited': True,
        'authn_requests_signed': False,
        # The Assertion must carry a valid signature; the outer Response
        # envelope need not.
        'want_assertions_signed': True,
        'want_response_signed': False
    }
    saml_settings = {
        'metadata': {
            'remote': [{
                'url': idp_metadata_url,
            }]
        },
        'entityid': default_entity_id,
        'service': {'sp': sp_section}
    }

    explicit_entity_id = current_app.config['SAML2_ENTITY_ID']
    if explicit_entity_id:
        saml_settings['entityid'] = explicit_entity_id

    overrides = current_app.config['SAML2_CONFIG']
    if overrides.get('metadata'):
        saml_settings['metadata'] = overrides['metadata']
    # Anything else in SAML2_CONFIG is layered over the defaults, so the
    # deployment can tighten or relax the settings above.
    merge(saml_settings, overrides)

    config = saml2.config.Config()
    config.load(saml_settings)
    config.allow_unknown_attributes = True
    return config
def _get_client(metadata, allow_unknown_attributes=True):
    """Create a pysaml2 ``Saml2Client`` for this SP from inline IdP metadata.

    Args:
        metadata: IdP metadata document passed to pysaml2 as ``inline``
            metadata.
        allow_unknown_attributes: Forwarded unchanged to
            ``Config.allow_unknown_attributes``.

    Returns:
        A configured ``saml2.client.Saml2Client``. The ACS and entity id
        URLs come from ``flask.url_for(..., _external=True)``, so a Flask
        request context must be active.
    """
    acs_url = flask.url_for('login_acs', _external=True)
    entity_id = flask.url_for('metadata', _external=True)

    sp_settings = {
        'endpoints': {
            'assertion_consumer_service': [
                (acs_url, saml2.BINDING_HTTP_POST),
            ],
        },
        # Skip pysaml2's check that a response answers an AuthnRequest id
        # held in its cache; the client is not kept between requests.
        'allow_unsolicited': True,
        # Signed AuthnRequests only pay off when one party runs both the SP
        # and the IdP, so they are left unsigned.
        'authn_requests_signed': False,
        'logout_requests_signed': True,
        # The Assertion itself must be signed; the enclosing Response need
        # not be.
        'want_assertions_signed': True,
        'want_response_signed': False,
    }
    settings = {
        'entityid': entity_id,
        'metadata': {
            'inline': [metadata],
        },
        'service': {
            'sp': sp_settings,
        },
    }

    config = saml2.config.Config()
    config.load(settings)
    config.allow_unknown_attributes = allow_unknown_attributes
    return saml2.client.Saml2Client(config=config)
def get_saml2_config():
    """Build the pysaml2 ``Config`` for this SP.

    Only two defaults are supplied here -- the entity id (this app's
    absolute root URL) and the ``/auth/saml`` HTTP-POST assertion consumer
    endpoint. ``current_app.config['SAML2_CONFIG']`` is deep-merged on top
    and supplies everything else (IdP metadata, signature requirements,
    ...); whatever it does not set falls back to pysaml2's own defaults.

    Returns:
        A loaded ``saml2.config.Config``.
    """
    config = saml2.config.Config()

    entity_id = absolute_url()
    acs_endpoint = (absolute_url('/auth/saml'), saml2.BINDING_HTTP_POST)
    defaults = {
        'entityid': entity_id,
        'service': {
            'sp': {
                'endpoints': {
                    'assertion_consumer_service': [acs_endpoint]
                }
            }
        }
    }

    # Deployment settings win over the defaults on any conflicting key.
    effective = deepmerge(defaults, current_app.config['SAML2_CONFIG'])
    config.load(effective)
    return config
def get_saml2_config():
    """Return the pysaml2 ``Config`` for this SP.

    The hard-coded part of the configuration is minimal: the entity id is
    the app's absolute root URL and the single assertion consumer service
    is ``/auth/saml`` over HTTP-POST. Everything else -- IdP metadata,
    signing/verification requirements -- has to come from
    ``current_app.config['SAML2_CONFIG']``, which is deep-merged over these
    defaults and takes precedence; keys it leaves unset use pysaml2's
    defaults.

    Returns:
        A loaded ``saml2.config.Config``.
    """
    sp_config = saml2.config.Config()

    root_url = absolute_url()
    acs_binding = (absolute_url('/auth/saml'), saml2.BINDING_HTTP_POST)
    sp_endpoints = {
        'assertion_consumer_service': [acs_binding]
    }
    base_settings = {
        'entityid': root_url,
        'service': {
            'sp': {
                'endpoints': sp_endpoints
            }
        }
    }

    sp_config.load(deepmerge(base_settings, current_app.config['SAML2_CONFIG']))
    return sp_config
from synapse.api.errors import RedirectException
from tests.test_utils import simple_async_mock
from tests.unittest import HomeserverTestCase, override_config

# Probe the optional SAML dependencies once at import time so the tests
# below can be skipped when they are unavailable.
has_saml2 = False
has_xmlsec1 = False
try:
    import saml2.config
    from saml2.sigver import SigverError
except ImportError:
    # pysaml2 itself is missing; both flags stay False.
    pass
else:
    has_saml2 = True
    # pysaml2 can import cleanly yet still be unable to find the xmlsec1
    # binary; loading an SPConfig with empty metadata surfaces that as a
    # SigverError.
    config = saml2.config.SPConfig()
    try:
        config.load({"metadata": {}})
    except SigverError:
        has_xmlsec1 = False
    else:
        has_xmlsec1 = True


# Constants used as config parameters by the tests.
BASE_URL = "https://synapse/"


@attr.s
class FakeAuthnResponse:
    """Test double standing in for an authn response object.

    Carries the attribute-value map (``ava``) and the list of assertions,
    which defaults to empty.
    """
    ava = attr.ib(type=dict)
    assertions = attr.ib(type=list, factory=list)
def create_client():
    """Return a pysaml2 ``Saml2Client`` built from ``CONFIG['saml_settings']``.

    The settings mapping is loaded into an ``SPConfig`` verbatim, so every
    SP property -- endpoints, metadata source, signature requirements --
    comes entirely from that mapping.
    """
    sp_config = saml2.config.SPConfig()
    sp_config.load(CONFIG['saml_settings'])
    return saml2.client.Saml2Client(sp_config)