def get_provider_config(req): final_cfg = {} base_cfg = None try: providers = settings.SAML_PROVIDERS except AttributeError: raise SAMLSettingsError('SAML_PROVIDERS is not defined in settings') try: provider = req['get_data']['provider'] except KeyError: provider = list(providers[0].keys())[0] req['get_data']['provider'] = provider for index, provider_obj in enumerate(providers): if list(provider_obj.keys())[0] == provider: base_cfg = settings.SAML_PROVIDERS[index][provider] break if not base_cfg: raise SAMLSettingsError("Provider %s was not found in settings" % provider) final_cfg = base_cfg try: final_cfg['sp']['x509cert'] = OneLogin_Saml2_Utils.format_cert(final_cfg['sp']['x509cert']) final_cfg['sp']['privateKey'] = OneLogin_Saml2_Utils.format_private_key(final_cfg['sp']['privateKey']) final_cfg['idp']['x509cert'] = OneLogin_Saml2_Utils.format_cert(final_cfg['idp']['x509cert']) except KeyError: pass return final_cfg
def testGetIdPData(self): """ Tests the getIdPData method of the OneLogin_Saml2_Settings """ settings = OneLogin_Saml2_Settings(self.loadSettingsJSON()) idp_data = settings.get_idp_data() self.assertNotEqual(len(idp_data), 0) self.assertIn('entityId', idp_data) self.assertIn('singleSignOnService', idp_data) self.assertIn('singleLogoutService', idp_data) self.assertIn('x509cert', idp_data) self.assertEqual('http://idp.example.com/', idp_data['entityId']) self.assertEqual('http://idp.example.com/SSOService.php', idp_data['singleSignOnService']['url']) self.assertEqual('http://idp.example.com/SingleLogoutService.php', idp_data['singleLogoutService']['url']) x509cert = 'MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMCTk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYDVQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xiZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2ZlaWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5vMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LONoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHISKOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7nbK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2QarQ4/67OZfHd7R+POBXhophSMv1ZOo' formated_x509_cert = OneLogin_Saml2_Utils.format_cert(x509cert) self.assertEqual(formated_x509_cert, idp_data['x509cert']) settings2 = OneLogin_Saml2_Settings(self.loadSettingsJSON('settings8.json')) idp_data2 = settings2.get_idp_data() self.assertNotEqual(len(idp_data2), 0) self.assertIn('x509certMulti', idp_data2) self.assertIn('signing', idp_data2['x509certMulti']) self.assertIn('encryption', idp_data2['x509certMulti']) x509cert2 = 'MIICbDCCAdWgAwIBAgIBADANBgkqhkiG9w0BAQ0FADBTMQswCQYDVQQGEwJ1czETMBEGA1UECAwKQ2FsaWZvcm5pYTEVMBMGA1UECgwMT25lbG9naW4gSW5jMRgwFgYDVQQDDA9pZHAuZXhhbXBsZS5jb20wHhcNMTQwOTIzMTIyNDA4WhcNNDIwMjA4MTIyNDA4WjBTMQswCQYDVQQGEwJ1czETMBEGA1UECAwKQ2FsaWZvcm5pYTEVMBMGA1UECgwMT25lbG9naW4gSW5jMRgwFgYDVQQDDA9pZHAuZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOWA+YHU7cvPOrBOfxCscsYTJB+kH3MaA9BFrSHFS+KcR6cw7oPSktIJxUgvDpQbtfNcOkE/tuOPBDoech7AXfvH6d7Bw7xtW8PPJ2mB5Hn/HGW2roYhxmfh3tR5SdwN6i4ERVF8eLkvwCHsNQyK2Ref0DAJvpBNZMHCpS24916/AgMBAAGjUDBOMB0GA1UdDgQWBBQ77/qVeiigfhYDITplCNtJKZTM8DAfBgNVHSMEGDAWgBQ77/qVeiigfhYDITplCNtJKZTM8DAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAJO2j/1uO80E5C2PM6Fk9mzerrbkxl7AZ/mvlbOn+sNZE+VZ1AntYuG8ekbJpJtG1YfRfc7EA9mEtqvv4dhv7zBy4nK49OR+KpIBjItWB5kYvrqMLKBa32sMbgqqUqeF1ENXKjpvLSuPdfGJZA3dNa/+Dyb8GGqWe707zLyc5F8m' formated_x509_cert2 = OneLogin_Saml2_Utils.format_cert(x509cert2) self.assertEqual(formated_x509_cert2, idp_data2['x509certMulti']['signing'][0]) self.assertEqual(formated_x509_cert, idp_data2['x509certMulti']['signing'][1]) self.assertEqual(formated_x509_cert, idp_data2['x509certMulti']['encryption'][0])
def get_provider_config(req): final_cfg = {} base_cfg = None try: provider = req['get_data']['provider'] except KeyError: raise SAMLError("No provider specified in request") for index, provider_obj in enumerate(settings.SAML_PROVIDERS): if list(provider_obj.keys())[0] == provider: base_cfg = settings.SAML_PROVIDERS[index][provider] break if not base_cfg: raise SAMLSettingsError("Provider %s was not found in settings" % provider) final_cfg = base_cfg final_cfg['sp']['x509cert'] = OneLogin_Saml2_Utils.format_cert( final_cfg['sp']['x509cert']) final_cfg['sp']['privateKey'] = OneLogin_Saml2_Utils.format_private_key( final_cfg['sp']['privateKey']) final_cfg['idp']['x509cert'] = OneLogin_Saml2_Utils.format_cert( final_cfg['idp']['x509cert']) return final_cfg
def format_idp_cert_multi(self): """ Formats the Multple IdP certs. """ if 'x509certMulti' in self.__idp: if 'signing' in self.__idp['x509certMulti']: for idx in range(len(self.__idp['x509certMulti']['signing'])): self.__idp['x509certMulti']['signing'][idx] = OneLogin_Saml2_Utils.format_cert(self.__idp['x509certMulti']['signing'][idx]) if 'encryption' in self.__idp['x509certMulti']: for idx in range(len(self.__idp['x509certMulti']['encryption'])): self.__idp['x509certMulti']['encryption'][idx] = OneLogin_Saml2_Utils.format_cert(self.__idp['x509certMulti']['encryption'][idx])
def add_x509_key_descriptors(metadata, cert=None): """ Adds the x509 descriptors (sign/encriptation) to the metadata The same cert will be used for sign/encrypt :param metadata: SAML Metadata XML :type metadata: string :param cert: x509 cert :type cert: string :returns: Metadata with KeyDescriptors :rtype: string """ if cert is None or cert == '': return metadata try: xml = parseString(metadata) except Exception as e: raise Exception('Error parsing metadata. ' + e.message) formated_cert = OneLogin_Saml2_Utils.format_cert(cert, False) x509_certificate = xml.createElementNS(OneLogin_Saml2_Constants.NS_DS, 'ds:X509Certificate') content = xml.createTextNode(formated_cert) x509_certificate.appendChild(content) key_data = xml.createElementNS(OneLogin_Saml2_Constants.NS_DS, 'ds:X509Data') key_data.appendChild(x509_certificate) key_info = xml.createElementNS(OneLogin_Saml2_Constants.NS_DS, 'ds:KeyInfo') key_info.appendChild(key_data) key_descriptor = xml.createElementNS(OneLogin_Saml2_Constants.NS_DS, 'md:KeyDescriptor') entity_descriptor = xml.getElementsByTagName('md:EntityDescriptor')[0] sp_sso_descriptor = entity_descriptor.getElementsByTagName( 'md:SPSSODescriptor')[0] sp_sso_descriptor.insertBefore(key_descriptor.cloneNode(True), sp_sso_descriptor.firstChild) sp_sso_descriptor.insertBefore(key_descriptor.cloneNode(True), sp_sso_descriptor.firstChild) signing = xml.getElementsByTagName('md:KeyDescriptor')[0] signing.setAttribute('use', 'signing') encryption = xml.getElementsByTagName('md:KeyDescriptor')[1] encryption.setAttribute('use', 'encryption') signing.appendChild(key_info) encryption.appendChild(key_info.cloneNode(True)) signing.setAttribute('xmlns:ds', OneLogin_Saml2_Constants.NS_DS) encryption.setAttribute('xmlns:ds', OneLogin_Saml2_Constants.NS_DS) return xml.toxml()
def add_x509_key_descriptors(metadata, cert=None, add_encryption=True): """ Adds the x509 descriptors (sign/encryption) to the metadata The same cert will be used for sign/encrypt :param metadata: SAML Metadata XML :type metadata: string :param cert: x509 cert :type cert: string :param add_encryption: Determines if the KeyDescriptor[use="encryption"] should be added. :type add_encryption: boolean :returns: Metadata with KeyDescriptors :rtype: string """ if cert is None or cert == '': return metadata try: xml = parseString(metadata.encode('utf-8'), forbid_dtd=True) except Exception as e: raise Exception('Error parsing metadata. ' + e.message) formated_cert = OneLogin_Saml2_Utils.format_cert(cert, False) x509_certificate = xml.createElementNS(OneLogin_Saml2_Constants.NS_DS, 'ds:X509Certificate') content = xml.createTextNode(formated_cert) x509_certificate.appendChild(content) key_data = xml.createElementNS(OneLogin_Saml2_Constants.NS_DS, 'ds:X509Data') key_data.appendChild(x509_certificate) key_info = xml.createElementNS(OneLogin_Saml2_Constants.NS_DS, 'ds:KeyInfo') key_info.appendChild(key_data) key_descriptor = xml.createElementNS(OneLogin_Saml2_Constants.NS_DS, 'md:KeyDescriptor') entity_descriptor = xml.getElementsByTagName('md:EntityDescriptor')[0] sp_sso_descriptor = entity_descriptor.getElementsByTagName('md:SPSSODescriptor')[0] sp_sso_descriptor.insertBefore(key_descriptor.cloneNode(True), sp_sso_descriptor.firstChild) if add_encryption: sp_sso_descriptor.insertBefore(key_descriptor.cloneNode(True), sp_sso_descriptor.firstChild) signing = xml.getElementsByTagName('md:KeyDescriptor')[0] signing.setAttribute('use', 'signing') signing.appendChild(key_info) signing.setAttribute('xmlns:ds', OneLogin_Saml2_Constants.NS_DS) if add_encryption: encryption = xml.getElementsByTagName('md:KeyDescriptor')[1] encryption.setAttribute('use', 'encryption') encryption.appendChild(key_info.cloneNode(True)) encryption.setAttribute('xmlns:ds', OneLogin_Saml2_Constants.NS_DS) return xml.toxml()
def __add_x509_key_descriptors(root, cert, signing): key_descriptor = OneLogin_Saml2_XML.make_child(root, '{%s}KeyDescriptor' % OneLogin_Saml2_Constants.NS_MD) root.remove(key_descriptor) root.insert(0, key_descriptor) key_info = OneLogin_Saml2_XML.make_child(key_descriptor, '{%s}KeyInfo' % OneLogin_Saml2_Constants.NS_DS) key_data = OneLogin_Saml2_XML.make_child(key_info, '{%s}X509Data' % OneLogin_Saml2_Constants.NS_DS) x509_certificate = OneLogin_Saml2_XML.make_child(key_data, '{%s}X509Certificate' % OneLogin_Saml2_Constants.NS_DS) x509_certificate.text = OneLogin_Saml2_Utils.format_cert(cert, False) key_descriptor.set('use', ('encryption', 'signing')[signing])
def testFormatCert(self): """ Tests the format_cert method of the OneLogin_Saml2_Utils """ settings_info = self.loadSettingsJSON() cert = settings_info['idp']['x509cert'] self.assertNotIn('-----BEGIN CERTIFICATE-----', cert) self.assertNotIn('-----END CERTIFICATE-----', cert) self.assertEqual(len(cert), 860) formated_cert1 = OneLogin_Saml2_Utils.format_cert(cert) self.assertIn('-----BEGIN CERTIFICATE-----', formated_cert1) self.assertIn('-----END CERTIFICATE-----', formated_cert1) formated_cert2 = OneLogin_Saml2_Utils.format_cert(cert, True) self.assertEqual(formated_cert1, formated_cert2) formated_cert3 = OneLogin_Saml2_Utils.format_cert(cert, False) self.assertNotIn('-----BEGIN CERTIFICATE-----', formated_cert3) self.assertNotIn('-----END CERTIFICATE-----', formated_cert3) self.assertEqual(len(formated_cert3), 860)
def testGenerateNameIdWithoutSPNameQualifier(self): """ Tests the generateNameId method of the OneLogin_Saml2_Utils """ name_id_value = 'ONELOGIN_ce998811003f4e60f8b07a311dc641621379cfde' name_id_format = 'urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified' name_id = OneLogin_Saml2_Utils.generate_name_id(name_id_value, None, name_id_format) expected_name_id = '<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified">ONELOGIN_ce998811003f4e60f8b07a311dc641621379cfde</saml:NameID>' self.assertEqual(name_id, expected_name_id) settings_info = self.loadSettingsJSON() x509cert = settings_info['idp']['x509cert'] key = OneLogin_Saml2_Utils.format_cert(x509cert) name_id_enc = OneLogin_Saml2_Utils.generate_name_id(name_id_value, None, name_id_format, key) expected_name_id_enc = '<saml:EncryptedID><xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/><dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><xenc:EncryptedKey><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/><xenc:CipherData><xenc:CipherValue>' self.assertIn(expected_name_id_enc, name_id_enc)
def testGenerateNameIdWithoutSPNameQualifier(self): """ Tests the generateNameId method of the OneLogin_Saml2_Utils """ name_id_value = 'ONELOGIN_ce998811003f4e60f8b07a311dc641621379cfde' name_id_format = 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified' name_id = OneLogin_Saml2_Utils.generate_name_id(name_id_value, None, name_id_format) expected_name_id = '<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">ONELOGIN_ce998811003f4e60f8b07a311dc641621379cfde</saml:NameID>' self.assertEqual(expected_name_id, name_id) settings_info = self.loadSettingsJSON() x509cert = settings_info['idp']['x509cert'] key = OneLogin_Saml2_Utils.format_cert(x509cert) name_id_enc = OneLogin_Saml2_Utils.generate_name_id(name_id_value, None, name_id_format, key) expected_name_id_enc = '<saml:EncryptedID><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Type="http://www.w3.org/2001/04/xmlenc#Element">\n<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>\n<dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">\n<xenc:EncryptedKey>\n<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>\n<xenc:CipherData>\n<xenc:CipherValue>' self.assertIn(expected_name_id_enc, name_id_enc)
def testGetIdPData(self): """ Tests the getIdPData method of the OneLogin_Saml2_Settings """ settings = OneLogin_Saml2_Settings(self.loadSettingsJSON()) idp_data = settings.get_idp_data() self.assertNotEqual(len(idp_data), 0) self.assertIn('entityId', idp_data) self.assertIn('singleSignOnService', idp_data) self.assertIn('singleLogoutService', idp_data) self.assertIn('x509cert', idp_data) self.assertEqual('http://idp.example.com/', idp_data['entityId']) self.assertEqual('http://idp.example.com/SSOService.php', idp_data['singleSignOnService']['url']) self.assertEqual('http://idp.example.com/SingleLogoutService.php', idp_data['singleLogoutService']['url']) x509cert = 'MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMCTk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYDVQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xiZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2ZlaWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5vMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LONoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHISKOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7nbK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2QarQ4/67OZfHd7R+POBXhophSMv1ZOo' formated_x509_cert = OneLogin_Saml2_Utils.format_cert(x509cert) self.assertEqual(formated_x509_cert, idp_data['x509cert'])
def format_sp_cert_new(self): """ Formats the SP cert. """ self.__sp['x509certNew'] = OneLogin_Saml2_Utils.format_cert( self.__sp['x509certNew'])
def format_idp_cert(self): """ Formats the IdP cert. """ self.__idp['x509cert'] = OneLogin_Saml2_Utils.format_cert( self.__idp['x509cert'])
def parse( idp_metadata, required_sso_binding=OneLogin_Saml2_Constants.BINDING_HTTP_REDIRECT, required_slo_binding=OneLogin_Saml2_Constants.BINDING_HTTP_REDIRECT, index=0): """ Parses the Identity Provider metadata and return a dict with extracted data. If there are multiple <IDPSSODescriptor> tags, parse only the first. Parses only those SSO endpoints with the same binding as given by the `required_sso_binding` parameter. Parses only those SLO endpoints with the same binding as given by the `required_slo_binding` parameter. If the metadata specifies multiple SSO endpoints with the required binding, extract only the first (the same holds true for SLO endpoints). :param idp_metadata: XML of the Identity Provider Metadata. :type idp_metadata: string :param required_sso_binding: Parse only POST or REDIRECT SSO endpoints. :type required_sso_binding: one of OneLogin_Saml2_Constants.BINDING_HTTP_REDIRECT or OneLogin_Saml2_Constants.BINDING_HTTP_POST :param required_slo_binding: Parse only POST or REDIRECT SLO endpoints. :type required_slo_binding: one of OneLogin_Saml2_Constants.BINDING_HTTP_REDIRECT or OneLogin_Saml2_Constants.BINDING_HTTP_POST :param index: If the metadata contains more than 1 certificate, use index to get the right certificate. :type index: number :returns: settings dict with extracted data :rtype: dict """ data = {} dom = OneLogin_Saml2_XML.to_etree(idp_metadata) entity_descriptor_nodes = OneLogin_Saml2_XML.query(dom, '//md:EntityDescriptor') idp_entity_id = want_authn_requests_signed = idp_name_id_format = idp_sso_url = idp_slo_url = idp_x509_cert = None if len(entity_descriptor_nodes) > 0: for entity_descriptor_node in entity_descriptor_nodes: idp_descriptor_nodes = OneLogin_Saml2_XML.query(entity_descriptor_node, './md:IDPSSODescriptor') if len(idp_descriptor_nodes) > 0: idp_descriptor_node = idp_descriptor_nodes[0] idp_entity_id = entity_descriptor_node.get('entityID', None) want_authn_requests_signed = entity_descriptor_node.get('WantAuthnRequestsSigned', None) name_id_format_nodes = OneLogin_Saml2_XML.query(idp_descriptor_node, './md:NameIDFormat') if len(name_id_format_nodes) > 0: idp_name_id_format = name_id_format_nodes[0].text sso_nodes = OneLogin_Saml2_XML.query( idp_descriptor_node, "./md:SingleSignOnService[@Binding='%s']" % required_sso_binding ) if len(sso_nodes) > 0: idp_sso_url = sso_nodes[0].get('Location', None) slo_nodes = OneLogin_Saml2_XML.query( idp_descriptor_node, "./md:SingleLogoutService[@Binding='%s']" % required_slo_binding ) if len(slo_nodes) > 0: idp_slo_url = slo_nodes[0].get('Location', None) # Attempt to extract the cert/public key to be used for # verifying signatures (as opposed to extracing a key to be # used for encryption), by specifying `use=signing` in the # XPath expression. If that does not yield a cert, retry # using a more relaxed XPath expression (the `use` attribute # is optional according to the saml-metadata-2.0-os spec). cert_nodes = OneLogin_Saml2_XML.query( idp_descriptor_node, "./md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate" ) if not cert_nodes: cert_nodes = OneLogin_Saml2_XML.query( idp_descriptor_node, "./md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate" ) if len(cert_nodes) > 0: idp_x509_cert = OneLogin_Saml2_Utils.format_cert(cert_nodes[index].text, False) data['idp'] = {} if idp_entity_id is not None: data['idp']['entityId'] = idp_entity_id if idp_sso_url is not None: data['idp']['singleSignOnService'] = {} data['idp']['singleSignOnService']['url'] = idp_sso_url data['idp']['singleSignOnService']['binding'] = required_sso_binding if idp_slo_url is not None: data['idp']['singleLogoutService'] = {} data['idp']['singleLogoutService']['url'] = idp_slo_url data['idp']['singleLogoutService']['binding'] = required_slo_binding if idp_x509_cert is not None: data['idp']['x509cert'] = idp_x509_cert if want_authn_requests_signed is not None: data['security'] = {} data['security']['authnRequestsSigned'] = want_authn_requests_signed if idp_name_id_format: data['sp'] = {} data['sp']['NameIDFormat'] = idp_name_id_format break return data
def parse(idp_metadata, required_sso_binding=OneLogin_Saml2_Constants. BINDING_HTTP_REDIRECT, required_slo_binding=OneLogin_Saml2_Constants. BINDING_HTTP_REDIRECT, index=0): """ Parses the Identity Provider metadata and return a dict with extracted data. If there are multiple <IDPSSODescriptor> tags, parse only the first. Parses only those SSO endpoints with the same binding as given by the `required_sso_binding` parameter. Parses only those SLO endpoints with the same binding as given by the `required_slo_binding` parameter. If the metadata specifies multiple SSO endpoints with the required binding, extract only the first (the same holds true for SLO endpoints). :param idp_metadata: XML of the Identity Provider Metadata. :type idp_metadata: string :param required_sso_binding: Parse only POST or REDIRECT SSO endpoints. :type required_sso_binding: one of OneLogin_Saml2_Constants.BINDING_HTTP_REDIRECT or OneLogin_Saml2_Constants.BINDING_HTTP_POST :param required_slo_binding: Parse only POST or REDIRECT SLO endpoints. :type required_slo_binding: one of OneLogin_Saml2_Constants.BINDING_HTTP_REDIRECT or OneLogin_Saml2_Constants.BINDING_HTTP_POST :param index: If the metadata contains more than 1 certificate, use index to get the right certificate. :type index: number :returns: settings dict with extracted data :rtype: dict """ data = {} dom = OneLogin_Saml2_XML.to_etree(idp_metadata) entity_descriptor_nodes = OneLogin_Saml2_XML.query( dom, '//md:EntityDescriptor') idp_entity_id = want_authn_requests_signed = idp_name_id_format = idp_sso_url = idp_slo_url = idp_x509_cert = None if len(entity_descriptor_nodes) > 0: for entity_descriptor_node in entity_descriptor_nodes: idp_descriptor_nodes = OneLogin_Saml2_XML.query( entity_descriptor_node, './md:IDPSSODescriptor') if len(idp_descriptor_nodes) > 0: idp_descriptor_node = idp_descriptor_nodes[0] idp_entity_id = entity_descriptor_node.get( 'entityID', None) want_authn_requests_signed = entity_descriptor_node.get( 'WantAuthnRequestsSigned', None) name_id_format_nodes = OneLogin_Saml2_XML.query( idp_descriptor_node, './md:NameIDFormat') if len(name_id_format_nodes) > 0: idp_name_id_format = name_id_format_nodes[0].text sso_nodes = OneLogin_Saml2_XML.query( idp_descriptor_node, "./md:SingleSignOnService[@Binding='%s']" % required_sso_binding) if len(sso_nodes) > 0: idp_sso_url = sso_nodes[0].get('Location', None) slo_nodes = OneLogin_Saml2_XML.query( idp_descriptor_node, "./md:SingleLogoutService[@Binding='%s']" % required_slo_binding) if len(slo_nodes) > 0: idp_slo_url = slo_nodes[0].get('Location', None) # Attempt to extract the cert/public key to be used for # verifying signatures (as opposed to extracing a key to be # used for encryption), by specifying `use=signing` in the # XPath expression. If that does not yield a cert, retry # using a more relaxed XPath expression (the `use` attribute # is optional according to the saml-metadata-2.0-os spec). cert_nodes = OneLogin_Saml2_XML.query( idp_descriptor_node, "./md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate" ) if not cert_nodes: cert_nodes = OneLogin_Saml2_XML.query( idp_descriptor_node, "./md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate" ) if len(cert_nodes) > 0: idp_x509_cert = OneLogin_Saml2_Utils.format_cert( cert_nodes[index].text, False) data['idp'] = {} if idp_entity_id is not None: data['idp']['entityId'] = idp_entity_id if idp_sso_url is not None: data['idp']['singleSignOnService'] = {} data['idp']['singleSignOnService']['url'] = idp_sso_url data['idp']['singleSignOnService'][ 'binding'] = required_sso_binding if idp_slo_url is not None: data['idp']['singleLogoutService'] = {} data['idp']['singleLogoutService']['url'] = idp_slo_url data['idp']['singleLogoutService'][ 'binding'] = required_slo_binding if idp_x509_cert is not None: data['idp']['x509cert'] = idp_x509_cert if want_authn_requests_signed is not None: data['security'] = {} data['security'][ 'authnRequestsSigned'] = want_authn_requests_signed if idp_name_id_format: data['sp'] = {} data['sp']['NameIDFormat'] = idp_name_id_format break return data
def format_sp_cert(self): """ Formats the SP cert. """ self.__sp['x509cert'] = OneLogin_Saml2_Utils.format_cert(self.__sp['x509cert'])
def format_idp_certs(self): """ Formats the IdP cert. """ self.__idp['x509certs'] = [OneLogin_Saml2_Utils.format_cert(cert) for cert in self.__idp['x509certs']]
def format_idp_cert(self): """ Formats the IdP cert. """ self.__idp["x509cert"] = OneLogin_Saml2_Utils.format_cert(self.__idp["x509cert"])