Merge pull request #1203 from pixelrebel/saml-fixes

Small fixes to SAML service
This commit is contained in:
Vasileios Markopoulos 2022-06-15 15:56:28 +03:00 committed by GitHub
commit 9d7d701cd9
2 changed files with 20 additions and 4 deletions


@ -120,6 +120,16 @@ SAML_ENABLED = False
# ### be created and the user added to them. # ### be created and the user added to them.
# SAML_ATTRIBUTE_ACCOUNT = 'https://example.edu/pdns-account' # SAML_ATTRIBUTE_ACCOUNT = 'https://example.edu/pdns-account'
# ## Attribute name that aggregates group names
# ### Default: Don't collect IdP groups from SAML group attributes
# ### In Okta, you can assign administrators by group using "Group Attribute Statements."
# ### In this case, the SAML_ATTRIBUTE_GROUP will be the attribute name for a collection of
# ### groups passed in the SAML assertion. From there, you can specify a SAML_GROUP_ADMIN_NAME.
# ### If the user is a member of this group, and that group name is included in the collection,
# ### the user will be set as an administrator.
# #SAML_ATTRIBUTE_GROUP = 'https://example.edu/pdns-groups'
# #SAML_GROUP_ADMIN_NAME = 'PowerDNSAdmin-Administrators'
# SAML_SP_ENTITY_ID = 'http://<SAML SP Entity ID>' # SAML_SP_ENTITY_ID = 'http://<SAML SP Entity ID>'
# SAML_SP_CONTACT_NAME = '<contact name>' # SAML_SP_CONTACT_NAME = '<contact name>'
# SAML_SP_CONTACT_MAIL = '<contact mail>' # SAML_SP_CONTACT_MAIL = '<contact mail>'
@ -133,8 +143,8 @@ SAML_ENABLED = False
# CAUTION: For production use, usage of self-signed certificates it's highly discouraged. # CAUTION: For production use, usage of self-signed certificates it's highly discouraged.
# Use certificates from trusted CA instead # Use certificates from trusted CA instead
# ########################################################################################### # ###########################################################################################
# SAML_CERT_FILE = '/etc/pki/powerdns-admin/cert.crt' # SAML_CERT = '/etc/pki/powerdns-admin/cert.crt'
# SAML_CERT_KEY = '/etc/pki/powerdns-admin/key.pem' # SAML_KEY = '/etc/pki/powerdns-admin/key.pem'
# Configures if SAML tokens should be encrypted. # Configures if SAML tokens should be encrypted.
# SAML_SIGN_REQUEST = False # SAML_SIGN_REQUEST = False
@ -148,6 +158,10 @@ SAML_ENABLED = False
# #SAML_ASSERTION_ENCRYPTED = True # #SAML_ASSERTION_ENCRYPTED = True
# Some IdPs, like Okta, do not return Attribute Statements by default
# Set the following to False if you are using Okta and not manually configuring Attribute Statements
# #SAML_WANT_ATTRIBUTE_STATEMENT = True
# Remote authentication settings # Remote authentication settings
# Whether to enable remote user authentication or not # Whether to enable remote user authentication or not
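Review bot: The new `SAML_WANT_ATTRIBUTE_STATEMENT` note in the third hunk tells Okta users to set it to False but not what that relaxes: with it off, the SP accepts assertions that carry no AttributeStatement at all, so the attribute-driven authorization this same commit documents (`SAML_ATTRIBUTE_GROUP` / `SAML_GROUP_ADMIN_NAME`) then yields no groups rather than an error. I would extend the comment with `# Disabling this accepts assertions without any attributes; group/admin mapping from SAML_ATTRIBUTE_GROUP then silently yields nothing` so operators know to verify the IdP's Attribute Statements before relying on group-based admin assignment. In the second hunk the example keys are renamed to `SAML_CERT` / `SAML_KEY`; presumably these match what the service actually reads, but that should be confirmed, since a stale key name in the template means the configured certificate and private key are silently ignored. The hunks appear truncated on this rendering, so trailing context lines are not visible.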


@ -72,8 +72,9 @@ class SAML(object):
def prepare_flask_request(self, request): def prepare_flask_request(self, request):
# If server is behind proxys or balancers use the HTTP_X_FORWARDED fields # If server is behind proxys or balancers use the HTTP_X_FORWARDED fields
url_data = urlparse(request.url) url_data = urlparse(request.url)
proto = request.headers.get('HTTP_X_FORWARDED_PROTO', request.scheme)
return { return {
'https': 'on' if request.scheme == 'https' else 'off', 'https': 'on' if proto == 'https' else 'off',
'http_host': request.host, 'http_host': request.host,
'server_port': url_data.port, 'server_port': url_data.port,
'script_name': request.path, 'script_name': request.path,
@ -163,7 +164,8 @@ class SAML(object):
'signatureAlgorithm'] = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' 'signatureAlgorithm'] = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
settings['security']['wantAssertionsEncrypted'] = current_app.config.get( settings['security']['wantAssertionsEncrypted'] = current_app.config.get(
'SAML_ASSERTION_ENCRYPTED', True) 'SAML_ASSERTION_ENCRYPTED', True)
settings['security']['wantAttributeStatement'] = True settings['security']['wantAttributeStatement'] = current_app.config.get(
'SAML_WANT_ATTRIBUTE_STATEMENT', True)
settings['security']['wantNameId'] = True settings['security']['wantNameId'] = True
settings['security']['authnRequestsSigned'] = current_app.config[ settings['security']['authnRequestsSigned'] = current_app.config[
'SAML_SIGN_REQUEST'] 'SAML_SIGN_REQUEST']
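Review bot: The lookup `request.headers.get('HTTP_X_FORWARDED_PROTO', request.scheme)` added in prepare_flask_request never finds the header, because Flask's `request.headers` is a Werkzeug EnvironHeaders that already prepends `HTTP_` to a normalized key, so this reads the nonexistent environ key `HTTP_HTTP_X_FORWARDED_PROTO` and always falls back to `request.scheme`; the name form it wants is `proto = request.headers.get('X-Forwarded-Proto', request.scheme)` (the raw `HTTP_X_FORWARDED_PROTO` spelling is only valid on `request.environ`). Even once fixed, honoring the header for every client lets anyone pick the scheme the SAML library uses to build the SP's return URLs; the safer pattern is to wrap the app in Werkzeug's `ProxyFix` with the proxy count configured, after which `request.scheme` is already correct and no header is read here at all. The `return` dict in this hunk continues beyond the visible lines, and in the second hunk the new `SAML_WANT_ATTRIBUTE_STATEMENT` read is consistent with the template's default of True; its enclosing function starts and ends outside the hunk.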