Problems resolved:
- Method create_self_signed_cert() was invoked nowhere. This puts parameter "SAML_SIGN_REQUEST" description in configs/development.py as incorrect
- Method create_self_signed_cert() was returning error while trying to write out certificate and private key. File handler was opened for writing out TEXT instead of BINARY data
Enhancements:
- Two new parameters are introduced SAML_CERT_FILE and SAML_KEY_FILE. User can now explicitly define own certificate and key file anywhere on file-system.
- If parameters mentioned in previous bullet aren't explicitly defined, in PowerDNS-Admin root directory self-signed certificate will be created.
- Certificates will be used or generated in any case, because in saml.py there are explicit parameters defined which require certificate/key in order to work normally. If they aren't, exception will be thrown. Examples of parameters defined in saml.py requiring certificate: wantAssertionsEncrypted, signMetadata, wantAssertionsSigned.
From my perspective, if agreed, this change can be merged, because the basic SAM auth. functionality is now present
and was tested with "samlidp.io" iDP.
However, there are further improvements which I would like to integrate, but as a separate features in separate pull requests
- Function signatures inside SAML class were fixed
- Redirect URL for /saml/login path was modified (saml_authorized -> index.saml_authorized)
Current status is that SAML metadata can be generated under /saml/metadata and communication to SAML iDP is working
Problems remaining:
- SAML Response doesn't contain any attributes (There is no AttributeStatement on the Response). It can be that problem is on iDP side
- Background thread in retrieve_idp_data() cannot be spawned, this part is currently commented out, old code needs to be revisited