Esempio n. 1
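    def _render_saml_settings_dict(self):
        """
        Given the configuration present in app.config, render a settings dict
        suitable for passing to OneLogin_Saml2_Auth() in initialization.

        The SP section is built from SAML_CONFIDANT_URL_ROOT plus the SP
        key/cert settings, the IdP section from the SAML_IDP_* settings, and
        the security section defaults to signing requests and metadata
        whenever an SP key was provided. SAML_RAW_JSON_SETTINGS, if set, is
        merged over the result last (one level of deep merging).

        Returns:
            dict: the rendered settings; ``'strict'`` is always True.

        Raises:
            ValueError: if SAML_CONFIDANT_URL_ROOT is unset, or if the raw
                JSON override would turn ``'strict'`` off.
        """

        debug = app.config['SAML_DEBUG']
        if debug is None:
            # Fall back to the application's own debug flag.
            debug = app.debug

        root_url = app.config['SAML_CONFIDANT_URL_ROOT']
        if not root_url:
            raise ValueError("Must provide SAML_CONFIDANT_URL_ROOT")
        # Strip a trailing slash so the paths joined below are not doubled.
        root_url = root_url.rstrip('/')

        # TODO: also support unspecified?
        name_id_fmt = 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'

        # Service Provider section
        sp_data = {
            'entityId': root_url + '/v1/saml/metadata',
            'assertionConsumerService': {
                'url': root_url + '/v1/saml/consume',
                'binding': 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'
            },
            'singleLogoutService': {
                'url': root_url + '/v1/saml/logout',
                # Binding URNs are case-sensitive; use the same spelling as
                # the IdP section below instead of the non-standard
                # "HTTP-REDIRECT" form.
                'binding': 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
            },
            'NameIDFormat': name_id_fmt,
        }

        # An inline SAML_SP_KEY overrides SAML_SP_KEY_FILE when both are set;
        # either one marks the SP as able to sign.
        sp_has_key = False
        if app.config['SAML_SP_KEY_FILE']:
            sp_has_key = True
            sp_data['privateKey'] = self._load_rsa_for_saml(
                app.config['SAML_SP_KEY_FILE'],
                password=app.config.get('SAML_SP_KEY_FILE_PASSWORD'))
        if app.config['SAML_SP_KEY']:
            sp_has_key = True
            sp_data['privateKey'] = app.config['SAML_SP_KEY']

        # Likewise the inline cert wins over the cert file.
        if app.config['SAML_SP_CERT_FILE']:
            sp_data['x509cert'] = self._load_x509_for_saml(
                app.config['SAML_SP_CERT_FILE'])
        if app.config['SAML_SP_CERT']:
            sp_data['x509cert'] = app.config['SAML_SP_CERT']

        # security defaults: sign everything if SP key was provided
        security_data = {
            'nameIdEncrypted': False,
            'authnRequestsSigned': sp_has_key,
            'logoutRequestsSigned': sp_has_key,
            'logoutResponsesSigned':
            app.config['SAML_SECURITY_SLO_RESP_SIGNED'],
            'signMetadata': sp_has_key,
            'wantMessagesSigned': app.config['SAML_SECURITY_MESSAGES_SIGNED'],
            'wantAssertionsSigned':
            app.config['SAML_SECURITY_ASSERTIONS_SIGNED'],
            'wantNameIdEncrypted': False,
            'wantAttributeStatement':
            app.config['SAML_WANT_ATTRIBUTE_STATEMENT'],
            "signatureAlgorithm": app.config['SAML_SECURITY_SIG_ALGO'],
        }

        # Identity provider section
        idp_data = {
            'entityId': app.config['SAML_IDP_ENTITY_ID'],
            'singleSignOnService': {
                'url': app.config['SAML_IDP_SIGNON_URL'],
                'binding': 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
            },
        }

        # SLO is optional on the IdP side.
        if app.config['SAML_IDP_LOGOUT_URL']:
            idp_data['singleLogoutService'] = {
                'url': app.config['SAML_IDP_LOGOUT_URL'],
                'binding': 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
            }

        # Inline IdP cert wins over the cert file, as for the SP.
        if app.config['SAML_IDP_CERT_FILE']:
            idp_data['x509cert'] = self._load_x509_for_saml(
                app.config['SAML_IDP_CERT_FILE'])
        if app.config['SAML_IDP_CERT']:
            idp_data['x509cert'] = app.config['SAML_IDP_CERT']

        # put it all together into the settings
        data = {
            'strict': True,  # must not be changed for security
            'debug': debug,
            'sp': sp_data,
            'idp': idp_data,
            'security': security_data,
        }

        # if SAML_RAW_JSON_SETTINGS is set, merge the settings in, doing one
        # level of deep merging.
        if app.config['SAML_RAW_JSON_SETTINGS']:
            logging.debug('overriding SAML settings from JSON')
            dict_deep_update(data, app.config['SAML_RAW_JSON_SETTINGS'])
            # The override is applied last and could otherwise switch strict
            # mode off; fail closed instead of silently honouring that.
            if data.get('strict') is not True:
                raise ValueError(
                    "SAML_RAW_JSON_SETTINGS must not disable 'strict'")

        # Log a copy with the SP private key redacted: rendered settings must
        # never put key material into the debug log.
        loggable = dict(data)
        sp_view = loggable.get('sp')
        if isinstance(sp_view, dict) and 'privateKey' in sp_view:
            loggable['sp'] = dict(sp_view, privateKey='<redacted>')
        logging.debug('Rendered SAML settings: {!r}'.format(loggable))

        return data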
Esempio n. 2
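    def _render_saml_settings_dict(self):
        """
        Given the configuration present in app.config, render a settings dict
        suitable for passing to OneLogin_Saml2_Auth() in initialization.

        The SP section is built from SAML_CONFIDANT_URL_ROOT plus the SP
        key/cert settings, the IdP section from the SAML_IDP_* settings, and
        the security section defaults to signing requests and metadata
        whenever an SP key was provided. SAML_RAW_JSON_SETTINGS, if set, is
        merged over the result last (one level of deep merging).

        Returns:
            dict: the rendered settings; ``'strict'`` is always True.

        Raises:
            ValueError: if SAML_CONFIDANT_URL_ROOT is unset, or if the raw
                JSON override would turn ``'strict'`` off.
        """

        debug = app.config['SAML_DEBUG']
        if debug is None:
            # Fall back to the application's own debug flag.
            debug = app.debug

        root_url = app.config['SAML_CONFIDANT_URL_ROOT']
        if not root_url:
            raise ValueError("Must provide SAML_CONFIDANT_URL_ROOT")
        # Strip a trailing slash so the paths joined below are not doubled.
        root_url = root_url.rstrip('/')

        # TODO: also support unspecified?
        name_id_fmt = 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'

        # Service Provider section
        sp_data = {
            'entityId': root_url + '/v1/saml/metadata',
            'assertionConsumerService': {
                'url': root_url + '/v1/saml/consume',
                'binding': 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'
            },
            'singleLogoutService': {
                'url': root_url + '/v1/saml/logout',
                # Binding URNs are case-sensitive; use the same spelling as
                # the IdP section below instead of the non-standard
                # "HTTP-REDIRECT" form.
                'binding': 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
            },
            'NameIDFormat': name_id_fmt,
        }

        # An inline SAML_SP_KEY overrides SAML_SP_KEY_FILE when both are set;
        # either one marks the SP as able to sign.
        sp_has_key = False
        if app.config['SAML_SP_KEY_FILE']:
            sp_has_key = True
            sp_data['privateKey'] = self._load_rsa_for_saml(
                app.config['SAML_SP_KEY_FILE'],
                password=app.config.get('SAML_SP_KEY_FILE_PASSWORD'))
        if app.config['SAML_SP_KEY']:
            sp_has_key = True
            sp_data['privateKey'] = app.config['SAML_SP_KEY']

        # Likewise the inline cert wins over the cert file.
        if app.config['SAML_SP_CERT_FILE']:
            sp_data['x509cert'] = self._load_x509_for_saml(
                app.config['SAML_SP_CERT_FILE'])
        if app.config['SAML_SP_CERT']:
            sp_data['x509cert'] = app.config['SAML_SP_CERT']

        # security defaults: sign everything if SP key was provided
        security_data = {
            'nameIdEncrypted': False,
            'authnRequestsSigned': sp_has_key,
            'logoutRequestsSigned': sp_has_key,
            'logoutResponsesSigned':
                app.config['SAML_SECURITY_SLO_RESP_SIGNED'],
            'signMetadata': sp_has_key,
            'wantMessagesSigned':
                app.config['SAML_SECURITY_MESSAGES_SIGNED'],
            'wantAssertionsSigned':
                app.config['SAML_SECURITY_ASSERTIONS_SIGNED'],
            'wantNameIdEncrypted': False,
            "signatureAlgorithm": app.config['SAML_SECURITY_SIG_ALGO'],
        }

        # Identity provider section
        idp_data = {
            'entityId': app.config['SAML_IDP_ENTITY_ID'],
            'singleSignOnService': {
                'url': app.config['SAML_IDP_SIGNON_URL'],
                'binding': 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
            },
        }

        # SLO is optional on the IdP side.
        if app.config['SAML_IDP_LOGOUT_URL']:
            idp_data['singleLogoutService'] = {
                'url': app.config['SAML_IDP_LOGOUT_URL'],
                'binding': 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
            }

        # Inline IdP cert wins over the cert file, as for the SP.
        if app.config['SAML_IDP_CERT_FILE']:
            idp_data['x509cert'] = self._load_x509_for_saml(
                app.config['SAML_IDP_CERT_FILE'])
        if app.config['SAML_IDP_CERT']:
            idp_data['x509cert'] = app.config['SAML_IDP_CERT']

        # put it all together into the settings
        data = {
            'strict': True,  # must not be changed for security
            'debug': debug,
            'sp': sp_data,
            'idp': idp_data,
            'security': security_data,
        }

        # if SAML_RAW_JSON_SETTINGS is set, merge the settings in, doing one
        # level of deep merging.
        if app.config['SAML_RAW_JSON_SETTINGS']:
            logging.debug('overriding SAML settings from JSON')
            dict_deep_update(data, app.config['SAML_RAW_JSON_SETTINGS'])
            # The override is applied last and could otherwise switch strict
            # mode off; fail closed instead of silently honouring that.
            if data.get('strict') is not True:
                raise ValueError(
                    "SAML_RAW_JSON_SETTINGS must not disable 'strict'")

        # Log a copy with the SP private key redacted: rendered settings must
        # never put key material into the debug log.
        loggable = dict(data)
        sp_view = loggable.get('sp')
        if isinstance(sp_view, dict) and 'privateKey' in sp_view:
            loggable['sp'] = dict(sp_view, privateKey='<redacted>')
        logging.debug('Rendered SAML settings: {!r}'.format(loggable))

        return data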