mirror of
https://github.com/cwinfo/powerdns-admin.git
synced 2024-12-04 19:15:30 +00:00
Support for SAML metadata Requested Attributes
Enhancements: - More robust check when creating self-signed certificates - Added support for SAML Requested Attributes through "SAML_SP_REQUESTED_ATTRIBUTES" parameter
This commit is contained in:
parent
5567886aa3
commit
3688cec91a
@ -44,6 +44,30 @@ SAML_ENABLED = False
|
||||
# ### Example: urn:oid:0.9.2342.19200300.100.1.1
|
||||
# #SAML_NAMEID_FORMAT = 'urn:oid:0.9.2342.19200300.100.1.1'
|
||||
|
||||
# Following parameter defines RequestedAttributes section in SAML metadata
|
||||
# since certain iDPs require explicit attribute request. If not provided section
|
||||
# will not be available in metadata.
|
||||
#
|
||||
# Possible attributes:
|
||||
# name (mandatory), nameFormat, isRequired, friendlyName
|
||||
#
|
||||
# NOTE: This parameter requires to be entered in valid JSON format as displayed below
|
||||
# and multiple attributes can given
|
||||
#
|
||||
# Following example:
|
||||
#
|
||||
# SAML_SP_REQUESTED_ATTRIBUTES = '[ \
|
||||
# {"name": "urn:oid:0.9.2342.19200300.100.1.3", "nameFormat": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri", "isRequired": true, "friendlyName": "email"}, \
|
||||
# {"name": "mail", "isRequired": false, "friendlyName": "test-field"} \
|
||||
# ]'
|
||||
#
|
||||
# produces following metadata section:
|
||||
# <md:AttributeConsumingService index="1">
|
||||
# <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="email" isRequired="true"/>
|
||||
# <md:RequestedAttribute Name="mail" FriendlyName="test-field"/>
|
||||
# </md:AttributeConsumingService>
|
||||
|
||||
|
||||
# ## Attribute to use for Email address
|
||||
# ### Default: email
|
||||
# ### Example: urn:oid:0.9.2342.19200300.100.1.3
|
||||
|
@ -1,6 +1,7 @@
|
||||
from datetime import datetime, timedelta
|
||||
from threading import Thread
|
||||
from flask import current_app
|
||||
import json
|
||||
import os
|
||||
|
||||
from ..lib.certutil import KEY_FILE, CERT_FILE, create_self_signed_cert
|
||||
@ -117,14 +118,27 @@ class SAML(object):
|
||||
|
||||
else:
|
||||
|
||||
create_self_signed_cert()
|
||||
|
||||
if os.path.isfile(CERT_FILE):
|
||||
if (os.path.isfile(CERT_FILE)) and (os.path.isfile(KEY_FILE)):
|
||||
cert = open(CERT_FILE, "r").readlines()
|
||||
settings['sp']['x509cert'] = "".join(cert)
|
||||
if os.path.isfile(KEY_FILE):
|
||||
key = open(KEY_FILE, "r").readlines()
|
||||
settings['sp']['privateKey'] = "".join(key)
|
||||
else:
|
||||
create_self_signed_cert()
|
||||
cert = open(CERT_FILE, "r").readlines()
|
||||
key = open(KEY_FILE, "r").readlines()
|
||||
|
||||
settings['sp']['x509cert'] = "".join(cert)
|
||||
settings['sp']['privateKey'] = "".join(key)
|
||||
|
||||
|
||||
if 'SAML_SP_REQUESTED_ATTRIBUTES' in current_app.config:
|
||||
saml_req_attr = json.loads(current_app.config['SAML_SP_REQUESTED_ATTRIBUTES'])
|
||||
settings['sp']['attributeConsumingService'] = {
|
||||
"serviceName": "PowerDNSAdmin",
|
||||
"serviceDescription": "PowerDNS-Admin - PowerDNS administration utility",
|
||||
"requestedAttributes": saml_req_attr
|
||||
}
|
||||
else:
|
||||
settings['sp']['attributeConsumingService'] = {}
|
||||
|
||||
|
||||
settings['sp']['assertionConsumerService'] = {}
|
||||
@ -132,7 +146,6 @@ class SAML(object):
|
||||
'binding'] = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'
|
||||
settings['sp']['assertionConsumerService'][
|
||||
'url'] = own_url + '/saml/authorized'
|
||||
settings['sp']['attributeConsumingService'] = {}
|
||||
settings['sp']['singleLogoutService'] = {}
|
||||
settings['sp']['singleLogoutService'][
|
||||
'binding'] = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
|
||||
|
Loading…
Reference in New Issue
Block a user