Support for SAML metadata Requested Attributes

Enhancements: - More robust check when creating self-signed certificates - Added support for SAML Requested Attributes through "SAML_SP_REQUESTED_ATTRIBUTES" parameter
2024-11-08 14:40:27 +00:00 · 2019-12-20 03:24:26 +01:00 · 2019-12-20 03:24:26 +01:00 · 3688cec91a
commit 3688cec91a
parent 5567886aa3
2 changed files with 44 additions and 7 deletions
--- a/configs/development.py
+++ b/configs/development.py
@ -44,6 +44,30 @@ SAML_ENABLED = False
 # ### Example: urn:oid:0.9.2342.19200300.100.1.1
 # #SAML_NAMEID_FORMAT = 'urn:oid:0.9.2342.19200300.100.1.1'

+# Following parameter defines RequestedAttributes section in SAML metadata
+# since certain iDPs require explicit attribute request. If not provided section
+# will not be available in metadata.
+# 
+# Possible attributes:
+# name (mandatory), nameFormat, isRequired, friendlyName
+#  
+# NOTE: This parameter requires to be entered in valid JSON format as displayed below
+# and multiple attributes can given
+# 
+# Following example:
+# 
+# SAML_SP_REQUESTED_ATTRIBUTES = '[ \
+# {"name": "urn:oid:0.9.2342.19200300.100.1.3", "nameFormat": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri", "isRequired": true, "friendlyName": "email"}, \
+# {"name": "mail", "isRequired": false, "friendlyName": "test-field"} \
+# ]' 
+# 
+# produces following metadata section:
+# <md:AttributeConsumingService index="1">
+# <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="email" isRequired="true"/>
+# <md:RequestedAttribute Name="mail" FriendlyName="test-field"/>
+# </md:AttributeConsumingService>
+
+
 # ## Attribute to use for Email address
 # ### Default: email
 # ### Example: urn:oid:0.9.2342.19200300.100.1.3
--- a/powerdnsadmin/services/saml.py
+++ b/powerdnsadmin/services/saml.py
@ -1,6 +1,7 @@
 from datetime import datetime, timedelta
 from threading import Thread
 from flask import current_app
+import json
 import os

 from ..lib.certutil import KEY_FILE, CERT_FILE, create_self_signed_cert
@ -117,14 +118,27 @@ class SAML(object):

        else:

-             create_self_signed_cert()
-
-             if os.path.isfile(CERT_FILE):
+            if (os.path.isfile(CERT_FILE)) and (os.path.isfile(KEY_FILE)):
                 cert = open(CERT_FILE, "r").readlines()
-                 settings['sp']['x509cert'] = "".join(cert)
-             if os.path.isfile(KEY_FILE):
                 key = open(KEY_FILE, "r").readlines()
-                 settings['sp']['privateKey'] = "".join(key)
+            else:
+                 create_self_signed_cert()
+                 cert = open(CERT_FILE, "r").readlines()
+                 key = open(KEY_FILE, "r").readlines()
+
+            settings['sp']['x509cert'] = "".join(cert)
+            settings['sp']['privateKey'] = "".join(key) 
+
+
+        if 'SAML_SP_REQUESTED_ATTRIBUTES' in current_app.config:
+             saml_req_attr = json.loads(current_app.config['SAML_SP_REQUESTED_ATTRIBUTES'])
+             settings['sp']['attributeConsumingService'] = {
+                "serviceName": "PowerDNSAdmin",
+                "serviceDescription": "PowerDNS-Admin - PowerDNS administration utility",
+                "requestedAttributes": saml_req_attr
+             }
+        else:
+             settings['sp']['attributeConsumingService'] = {}


        settings['sp']['assertionConsumerService'] = {}
@ -132,7 +146,6 @@ class SAML(object):
            'binding'] = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'
        settings['sp']['assertionConsumerService'][
            'url'] = own_url + '/saml/authorized'
-        settings['sp']['attributeConsumingService'] = {}
        settings['sp']['singleLogoutService'] = {}
        settings['sp']['singleLogoutService'][
            'binding'] = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'