def __init__(self,
settings=None,
custom_base_path=None,
sp_validation_only=False):
"""
Initializes the settings:
- Sets the paths of the different folders
- Loads settings info from settings file or array/object provided
:param settings: SAML Toolkit Settings
:type settings: dict
:param custom_base_path: Path where are stored the settings file and the cert folder
:type custom_base_path: string
:param sp_validation_only: Avoid the IdP validation
:type sp_validation_only: boolean
"""
self.__sp_validation_only = sp_validation_only
self.__paths = {}
self.__strict = True
self.__debug = False
self.__sp = {}
self.__idp = {}
self.__security = {}
self.__contacts = {}
self.__organization = {}
self.__errors = []
self.__load_paths(base_path=custom_base_path)
self.__update_paths(settings)
if settings is None:
try:
valid = self.__load_settings_from_file()
except Exception as e:
raise e
if not valid:
raise OneLogin_Saml2_Error(
'Invalid dict settings at the file: %s',
OneLogin_Saml2_Error.SETTINGS_INVALID,
','.join(self.__errors))
elif isinstance(settings, dict):
if not self.__load_settings_from_dict(settings):
raise OneLogin_Saml2_Error(
'Invalid dict settings: %s',
OneLogin_Saml2_Error.SETTINGS_INVALID,
','.join(self.__errors))
else:
raise OneLogin_Saml2_Error(
'Unsupported settings object',
OneLogin_Saml2_Error.UNSUPPORTED_SETTINGS_OBJECT)
self.format_idp_cert()
if 'x509certMulti' in self.__idp:
self.format_idp_cert_multi()
self.format_sp_cert()
if 'x509certNew' in self.__sp:
self.format_sp_cert_new()
self.format_sp_key()
def logout(self,
return_to=None,
name_id=None,
session_index=None,
nq=None,
name_id_format=None):
"""
Initiates the SLO process.
:param return_to: Optional argument. The target URL the user should be redirected to after logout.
:type return_to: string
:param name_id: The NameID that will be set in the LogoutRequest.
:type name_id: string
:param session_index: SessionIndex that identifies the session of the user.
:type session_index: string
:param nq: IDP Name Qualifier
:type: string
:param name_id_format: The NameID Format that will be set in the LogoutRequest.
:type: string
:returns: Redirection URL
"""
slo_url = self.get_slo_url()
if slo_url is None:
raise OneLogin_Saml2_Error(
'The IdP does not support Single Log Out',
OneLogin_Saml2_Error.SAML_SINGLE_LOGOUT_NOT_SUPPORTED)
if name_id is None and self.__nameid is not None:
name_id = self.__nameid
if name_id_format is None and self.__nameid_format is not None:
name_id_format = self.__nameid_format
logout_request = OneLogin_Saml2_Logout_Request(
self.__settings,
name_id=name_id,
session_index=session_index,
nq=nq,
name_id_format=name_id_format)
self.__last_request = logout_request.get_xml()
self.__last_request_id = logout_request.id
parameters = {'SAMLRequest': logout_request.get_request()}
if return_to is not None:
parameters['RelayState'] = return_to
else:
parameters[
'RelayState'] = OneLogin_Saml2_Utils.get_self_url_no_query(
self.__request_data)
security = self.__settings.get_security_data()
if security.get('logoutRequestSigned', False):
self.add_request_signature(parameters,
security['signatureAlgorithm'])
return self.redirect_to(slo_url, parameters)
def process_response(self, request_id=None):
"""
Process the SAML Response sent by the IdP.
:param request_id: Is an optional argument. Is the ID of the AuthNRequest sent by this SP to the IdP.
:type request_id: string
:raises: OneLogin_Saml2_Error.SAML_RESPONSE_NOT_FOUND, when a POST with a SAMLResponse is not found
"""
self._errors = []
self._error_reason = None
if 'post_data' in self._request_data and 'SAMLResponse' in self._request_data[
'post_data']:
# AuthnResponse -- HTTP_POST Binding
response = self.response_class(
self._settings,
self._request_data['post_data']['SAMLResponse'])
self._last_response = response.get_xml_document()
if response.is_valid(self._request_data, request_id):
self.store_valid_response(response)
else:
self._errors.append('invalid_response')
self._error_reason = response.get_error()
else:
self._errors.append('invalid_binding')
raise OneLogin_Saml2_Error(
'SAML Response not found, Only supported HTTP_POST Binding',
OneLogin_Saml2_Error.SAML_RESPONSE_NOT_FOUND)
def __load_settings_from_file(self):
"""
Loads settings info from the settings json file
:returns: True if the settings info is valid
:rtype: boolean
"""
filename = self.get_base_path() + 'settings.json'
if not exists(filename):
raise OneLogin_Saml2_Error(
'Settings file not found: %s',
OneLogin_Saml2_Error.SETTINGS_FILE_NOT_FOUND, filename)
# In the php toolkit instead of being a json file it is a php file and
# it is directly included
with open(filename, 'r') as json_data:
settings = json.loads(json_data.read())
advanced_filename = self.get_base_path() + 'advanced_settings.json'
if exists(advanced_filename):
with open(advanced_filename, 'r') as json_data:
settings.update(json.loads(json_data.read())) # Merge settings
return self.__load_settings_from_dict(settings)
def __validate_signature(self, data, saml_type, raise_exceptions=False):
"""
Validate Signature
:param data: The Request data
:type data: dict
:param cert: The certificate to check signature
:type cert: str
:param saml_type: The target URL the user should be redirected to
:type saml_type: string SAMLRequest | SAMLResponse
:param raise_exceptions: Whether to return false on failure or raise an exception
:type raise_exceptions: Boolean
"""
try:
signature = data.get('Signature', None)
if signature is None:
if self.__settings.is_strict(
) and self.__settings.get_security_data().get(
'wantMessagesSigned', False):
raise OneLogin_Saml2_ValidationError(
'The %s is not signed. Rejected.' % saml_type,
OneLogin_Saml2_ValidationError.NO_SIGNED_MESSAGE)
return True
x509cert = self.get_settings().get_idp_cert()
if not x509cert:
error_msg = "In order to validate the sign on the %s, the x509cert of the IdP is required" % saml_type
self.__errors.append(error_msg)
raise OneLogin_Saml2_Error(error_msg,
OneLogin_Saml2_Error.CERT_NOT_FOUND)
sign_alg = data.get('SigAlg', OneLogin_Saml2_Constants.RSA_SHA1)
if isinstance(sign_alg, bytes):
sign_alg = sign_alg.decode('utf8')
lowercase_urlencoding = False
if 'lowercase_urlencoding' in self.__request_data.keys():
lowercase_urlencoding = self.__request_data[
'lowercase_urlencoding']
signed_query = self.__build_sign_query(
data[saml_type], data.get('RelayState', None), sign_alg,
saml_type, lowercase_urlencoding)
if not OneLogin_Saml2_Utils.validate_binary_sign(
signed_query, OneLogin_Saml2_Utils.b64decode(signature),
x509cert, sign_alg, self.__settings.is_debug_active()):
raise OneLogin_Saml2_ValidationError(
'Signature validation failed. %s rejected.' % saml_type,
OneLogin_Saml2_ValidationError.INVALID_SIGNATURE)
return True
except Exception as e:
self.__error_reason = str(e)
if raise_exceptions:
raise e
return False
def __decrypt_assertion(self, xml):
"""
Decrypts the Assertion
:raises: Exception if no private key available
:param xml: Encrypted Assertion
:type xml: Element
:returns: Decrypted Assertion
:rtype: Element
"""
key = self.__settings.get_sp_key()
debug = self.__settings.is_debug_active()
if not key:
raise OneLogin_Saml2_Error(
'No private key available to decrypt the assertion, check settings',
OneLogin_Saml2_Error.PRIVATE_KEY_NOT_FOUND
)
encrypted_assertion_nodes = OneLogin_Saml2_XML.query(xml, '/samlp:Response/saml:EncryptedAssertion')
if encrypted_assertion_nodes:
encrypted_data_nodes = OneLogin_Saml2_XML.query(encrypted_assertion_nodes[0], '//saml:EncryptedAssertion/xenc:EncryptedData')
if encrypted_data_nodes:
keyinfo = OneLogin_Saml2_XML.query(encrypted_assertion_nodes[0], '//saml:EncryptedAssertion/xenc:EncryptedData/ds:KeyInfo')
if not keyinfo:
raise OneLogin_Saml2_ValidationError(
'No KeyInfo present, invalid Assertion',
OneLogin_Saml2_ValidationError.KEYINFO_NOT_FOUND_IN_ENCRYPTED_DATA
)
keyinfo = keyinfo[0]
children = keyinfo.getchildren()
if not children:
raise OneLogin_Saml2_ValidationError(
'KeyInfo has no children nodes, invalid Assertion',
OneLogin_Saml2_ValidationError.CHILDREN_NODE_NOT_FOUND_IN_KEYINFO
)
for child in children:
if 'RetrievalMethod' in child.tag:
if child.attrib['Type'] != 'http://www.w3.org/2001/04/xmlenc#EncryptedKey':
raise OneLogin_Saml2_ValidationError(
'Unsupported Retrieval Method found',
OneLogin_Saml2_ValidationError.UNSUPPORTED_RETRIEVAL_METHOD
)
uri = child.attrib['URI']
if not uri.startswith('#'):
break
uri = uri.split('#')[1]
encrypted_key = OneLogin_Saml2_XML.query(encrypted_assertion_nodes[0], './xenc:EncryptedKey[@Id="' + uri + '"]')
if encrypted_key:
keyinfo.append(encrypted_key[0])
encrypted_data = encrypted_data_nodes[0]
decrypted = OneLogin_Saml2_Utils.decrypt_element(encrypted_data, key, debug)
xml.replace(encrypted_assertion_nodes[0], decrypted)
return xml
def process_response(self, request_id=None, request_issue_instant=None):
"""
Process the SAML Response sent by the IdP.
:param request_issue_instant: Is an optional argument. Is Issue instant Date
of the AuthNRequest sent by this SP to the IdP.
:type: request_issue_instant: string
:param request_id: Is an optional argument. Is the ID of the AuthNRequest sent by this SP to the IdP.
:type request_id: string
:raises: OneLogin_Saml2_Error.SAML_RESPONSE_NOT_FOUND, when a POST with a SAMLResponse is not found
"""
self.__errors = []
self.__error_reason = None
if 'post_data' in self.__request_data and 'SAMLResponse' in self.__request_data[
'post_data']:
# AuthnResponse -- HTTP_POST Binding
response = OneLogin_Saml2_Response(
self.__settings,
self.__request_data['post_data']['SAMLResponse'])
self.__last_response = response.get_xml_document()
if response.is_valid(self.__request_data,
request_id=request_id,
request_issue_instant=request_issue_instant):
self.__attributes = response.get_attributes()
self.__nameid = response.get_nameid()
self.__nameid_format = response.get_nameid_format()
self.__nameid_nq = response.get_nameid_nq()
self.__nameid_spnq = response.get_nameid_spnq()
self.__session_index = response.get_session_index()
self.__session_expiration = response.get_session_not_on_or_after(
)
self.__last_message_id = response.get_id()
self.__last_assertion_id = response.get_assertion_id()
self.__last_authn_contexts = response.get_authn_contexts()
self.__authenticated = True
self.__last_assertion_not_on_or_after = response.get_assertion_not_on_or_after(
)
else:
self.__errors.append('invalid_response')
self.__error_reason = response.get_error()
else:
self.__errors.append('invalid_binding')
raise OneLogin_Saml2_Error(
'SAML Response not found, Only supported HTTP_POST Binding',
OneLogin_Saml2_Error.SAML_RESPONSE_NOT_FOUND)
def get_nameid_data(request, key=None):
"""
Gets the NameID Data of the the Logout Request
:param request: Logout Request Message
:type request: string|DOMDocument
:param key: The SP key
:type key: string
:return: Name ID Data (Value, Format, NameQualifier, SPNameQualifier)
:rtype: dict
"""
elem = OneLogin_Saml2_XML.to_etree(request)
name_id = None
encrypted_entries = OneLogin_Saml2_XML.query(
elem, '/samlp:LogoutRequest/saml:EncryptedID')
if len(encrypted_entries) == 1:
if key is None:
raise OneLogin_Saml2_Error(
'Private Key is required in order to decrypt the NameID, check settings',
OneLogin_Saml2_Error.PRIVATE_KEY_NOT_FOUND)
encrypted_data_nodes = OneLogin_Saml2_XML.query(
elem,
'/samlp:LogoutRequest/saml:EncryptedID/xenc:EncryptedData')
if len(encrypted_data_nodes) == 1:
encrypted_data = encrypted_data_nodes[0]
name_id = OneLogin_Saml2_Utils.decrypt_element(
encrypted_data, key)
else:
entries = OneLogin_Saml2_XML.query(
elem, '/samlp:LogoutRequest/saml:NameID')
if len(entries) == 1:
name_id = entries[0]
if name_id is None:
raise OneLogin_Saml2_ValidationError(
'NameID not found in the Logout Request',
OneLogin_Saml2_ValidationError.NO_NAMEID)
name_id_data = {'Value': OneLogin_Saml2_XML.element_text(name_id)}
for attr in ['Format', 'SPNameQualifier', 'NameQualifier']:
if attr in name_id.attrib:
name_id_data[attr] = name_id.attrib[attr]
return name_id_data
def __build_signature(self,
data,
saml_type,
sign_algorithm=OneLogin_Saml2_Constants.RSA_SHA1):
"""
Builds the Signature
:param data: The Request data
:type data: dict
:param saml_type: The target URL the user should be redirected to
:type saml_type: string SAMLRequest | SAMLResponse
:param sign_algorithm: Signature algorithm method
:type sign_algorithm: string
"""
assert saml_type in ('SAMLRequest', 'SAMLResponse')
key = self.get_settings().get_sp_key()
if not key:
raise OneLogin_Saml2_Error(
"Trying to sign the %s but can't load the SP private key." %
saml_type, OneLogin_Saml2_Error.PRIVATE_KEY_NOT_FOUND)
msg = self.__build_sign_query(data[saml_type],
data.get('RelayState', None),
sign_algorithm, saml_type)
sign_algorithm_transform_map = {
OneLogin_Saml2_Constants.DSA_SHA1: xmlsec.Transform.DSA_SHA1,
OneLogin_Saml2_Constants.RSA_SHA1: xmlsec.Transform.RSA_SHA1,
OneLogin_Saml2_Constants.RSA_SHA256: xmlsec.Transform.RSA_SHA256,
OneLogin_Saml2_Constants.RSA_SHA384: xmlsec.Transform.RSA_SHA384,
OneLogin_Saml2_Constants.RSA_SHA512: xmlsec.Transform.RSA_SHA512
}
sign_algorithm_transform = sign_algorithm_transform_map.get(
sign_algorithm, xmlsec.Transform.RSA_SHA1)
signature = OneLogin_Saml2_Utils.sign_binary(
msg, key, sign_algorithm_transform,
self.__settings.is_debug_active())
data['Signature'] = OneLogin_Saml2_Utils.b64encode(signature)
data['SigAlg'] = sign_algorithm
def process_slo(self,
keep_local_session=False,
request_id=None,
delete_session_cb=None):
"""
Process the SAML Logout Response / Logout Request sent by the IdP.
:param keep_local_session: When false will destroy the local session, otherwise will destroy it
:type keep_local_session: bool
:param request_id: The ID of the LogoutRequest sent by this SP to the IdP
:type request_id: string
:returns: Redirection url
"""
self.__errors = []
self.__error_reason = None
get_data = 'get_data' in self.__request_data and self.__request_data[
'get_data']
if get_data and 'SAMLResponse' in get_data:
logout_response = OneLogin_Saml2_Logout_Response(
self.__settings, get_data['SAMLResponse'])
self.__last_response = logout_response.get_xml()
if not self.validate_response_signature(get_data):
self.__errors.append('invalid_logout_response_signature')
self.__errors.append(
'Signature validation failed. Logout Response rejected')
elif not logout_response.is_valid(self.__request_data, request_id):
self.__errors.append('invalid_logout_response')
self.__error_reason = logout_response.get_error()
elif logout_response.get_status(
) != OneLogin_Saml2_Constants.STATUS_SUCCESS:
self.__errors.append('logout_not_success')
else:
self.__last_message_id = logout_response.id
if not keep_local_session:
OneLogin_Saml2_Utils.delete_local_session(
delete_session_cb)
elif get_data and 'SAMLRequest' in get_data:
logout_request = OneLogin_Saml2_Logout_Request(
self.__settings, get_data['SAMLRequest'])
self.__last_request = logout_request.get_xml()
if not self.validate_request_signature(get_data):
self.__errors.append("invalid_logout_request_signature")
self.__errors.append(
'Signature validation failed. Logout Request rejected')
elif not logout_request.is_valid(self.__request_data):
self.__errors.append('invalid_logout_request')
self.__error_reason = logout_request.get_error()
else:
if not keep_local_session:
OneLogin_Saml2_Utils.delete_local_session(
delete_session_cb)
in_response_to = logout_request.id
self.__last_message_id = logout_request.id
response_builder = OneLogin_Saml2_Logout_Response(
self.__settings)
response_builder.build(in_response_to)
self.__last_response = response_builder.get_xml()
logout_response = response_builder.get_response()
parameters = {'SAMLResponse': logout_response}
if 'RelayState' in self.__request_data['get_data']:
parameters['RelayState'] = self.__request_data['get_data'][
'RelayState']
security = self.__settings.get_security_data()
if security['logoutResponseSigned']:
self.add_response_signature(parameters,
security['signatureAlgorithm'])
return self.redirect_to(self.get_slo_url(), parameters)
else:
self.__errors.append('invalid_binding')
raise OneLogin_Saml2_Error(
'SAML LogoutRequest/LogoutResponse not found. Only supported HTTP_REDIRECT Binding',
OneLogin_Saml2_Error.SAML_LOGOUTMESSAGE_NOT_FOUND)
def _validate_signature(self, data, saml_type, raise_exceptions=False):
"""
Validate Signature
:param data: The Request data
:type data: dict
:param cert: The certificate to check signature
:type cert: str
:param saml_type: The target URL the user should be redirected to
:type saml_type: string SAMLRequest | SAMLResponse
:param raise_exceptions: Whether to return false on failure or raise an exception
:type raise_exceptions: Boolean
"""
try:
signature = data.get('Signature', None)
if signature is None:
if self._settings.is_strict(
) and self._settings.get_security_data().get(
'wantMessagesSigned', False):
raise OneLogin_Saml2_ValidationError(
'The %s is not signed. Rejected.' % saml_type,
OneLogin_Saml2_ValidationError.NO_SIGNED_MESSAGE)
return True
idp_data = self.get_settings().get_idp_data()
exists_x509cert = self.get_settings().get_idp_cert() is not None
exists_multix509sign = 'x509certMulti' in idp_data and \
'signing' in idp_data['x509certMulti'] and \
idp_data['x509certMulti']['signing']
if not (exists_x509cert or exists_multix509sign):
error_msg = 'In order to validate the sign on the %s, the x509cert of the IdP is required' % saml_type
self._errors.append(error_msg)
raise OneLogin_Saml2_Error(error_msg,
OneLogin_Saml2_Error.CERT_NOT_FOUND)
sign_alg = data.get('SigAlg', OneLogin_Saml2_Constants.RSA_SHA1)
if isinstance(sign_alg, bytes):
sign_alg = sign_alg.decode('utf8')
security = self._settings.get_security_data()
reject_deprecated_alg = security.get('rejectDeprecatedAlgorithm',
False)
if reject_deprecated_alg:
if sign_alg in OneLogin_Saml2_Constants.DEPRECATED_ALGORITHMS:
raise OneLogin_Saml2_ValidationError(
'Deprecated signature algorithm found: %s' % sign_alg,
OneLogin_Saml2_ValidationError.
DEPRECATED_SIGNATURE_METHOD)
query_string = self._request_data.get('query_string')
if query_string and self._request_data.get(
'validate_signature_from_qs'):
signed_query = self._build_sign_query_from_qs(
query_string, saml_type)
else:
lowercase_urlencoding = self._request_data.get(
'lowercase_urlencoding', False)
signed_query = self._build_sign_query(data[saml_type],
data.get('RelayState'),
sign_alg, saml_type,
lowercase_urlencoding)
if exists_multix509sign:
for cert in idp_data['x509certMulti']['signing']:
if OneLogin_Saml2_Utils.validate_binary_sign(
signed_query,
OneLogin_Saml2_Utils.b64decode(signature), cert,
sign_alg):
return True
raise OneLogin_Saml2_ValidationError(
'Signature validation failed. %s rejected' % saml_type,
OneLogin_Saml2_ValidationError.INVALID_SIGNATURE)
else:
cert = self.get_settings().get_idp_cert()
if not OneLogin_Saml2_Utils.validate_binary_sign(
signed_query,
OneLogin_Saml2_Utils.b64decode(signature), cert,
sign_alg, self._settings.is_debug_active()):
raise OneLogin_Saml2_ValidationError(
'Signature validation failed. %s rejected' % saml_type,
OneLogin_Saml2_ValidationError.INVALID_SIGNATURE)
return True
except Exception as e:
self._error_reason = str(e)
if raise_exceptions:
raise e
return False
def get_sp_metadata(self):
"""
Gets the SP metadata. The XML representation.
:returns: SP metadata (xml)
:rtype: string
"""
metadata = SpidOneLogin_Saml2_Metadata.builder(
self.__sp, self.__security['authnRequestsSigned'],
self.__security['wantAssertionsSigned'],
self.__security['metadataValidUntil'],
self.__security['metadataCacheDuration'], self.get_contacts(),
self.get_organization())
add_encryption = self.__security[
'wantNameIdEncrypted'] or self.__security['wantAssertionsEncrypted']
cert_new = self.get_sp_cert_new()
metadata = SpidOneLogin_Saml2_Metadata.add_x509_key_descriptors(
metadata, cert_new, add_encryption)
cert = self.get_sp_cert()
metadata = SpidOneLogin_Saml2_Metadata.add_x509_key_descriptors(
metadata, cert, add_encryption)
# Sign metadata
if 'signMetadata' in self.__security and self.__security[
'signMetadata'] is not False:
if self.__security['signMetadata'] is True:
# Use the SP's normal key to sign the metadata:
if not cert:
raise OneLogin_Saml2_Error(
'Cannot sign metadata: missing SP public key certificate.',
OneLogin_Saml2_Error.PUBLIC_CERT_FILE_NOT_FOUND)
cert_metadata = cert
key_metadata = self.get_sp_key()
if not key_metadata:
raise OneLogin_Saml2_Error(
'Cannot sign metadata: missing SP private key.',
OneLogin_Saml2_Error.PRIVATE_KEY_FILE_NOT_FOUND)
else:
# Use a custom key to sign the metadata:
if ('keyFileName' not in self.__security['signMetadata'] or
'certFileName' not in self.__security['signMetadata']):
raise OneLogin_Saml2_Error(
'Invalid Setting: signMetadata value of the sp is not valid',
OneLogin_Saml2_Error.SETTINGS_INVALID_SYNTAX)
key_file_name = self.__security['signMetadata']['keyFileName']
cert_file_name = self.__security['signMetadata'][
'certFileName']
key_metadata_file = self.__paths['cert'] + key_file_name
cert_metadata_file = self.__paths['cert'] + cert_file_name
try:
with open(key_metadata_file, 'r') as f_metadata_key:
key_metadata = f_metadata_key.read()
except IOError:
raise OneLogin_Saml2_Error(
'Private key file not readable: %s',
OneLogin_Saml2_Error.PRIVATE_KEY_FILE_NOT_FOUND,
key_metadata_file)
try:
with open(cert_metadata_file, 'r') as f_metadata_cert:
cert_metadata = f_metadata_cert.read()
except IOError:
raise OneLogin_Saml2_Error(
'Public cert file not readable: %s',
OneLogin_Saml2_Error.PUBLIC_CERT_FILE_NOT_FOUND,
cert_metadata_file)
signature_algorithm = self.__security['signatureAlgorithm']
digest_algorithm = self.__security['digestAlgorithm']
metadata = SpidOneLogin_Saml2_Metadata.sign_metadata(
metadata, key_metadata, cert_metadata, signature_algorithm,
digest_algorithm)
return metadata
