diff --git a/demo-django/demo/settings.py b/demo-django/demo/settings.py
index 792ea82f..b2f8524a 100644
--- a/demo-django/demo/settings.py
+++ b/demo-django/demo/settings.py
@@ -22,7 +22,7 @@
 # SECURITY WARNING: don't run with debug turned on in production!
 DEBUG = True
-ALLOWED_HOSTS = []
+ALLOWED_HOSTS = ['*']
 # Application definition
@@ -53,12 +53,12 @@
 # Database
 # https://docs.djangoproject.com/en/1.6/ref/settings/#databases
-# DATABASES = {
-# 'default': {
-# 'ENGINE': 'django.db.backends.sqlite3',
-# 'NAME': os.path.join(BASE_DIR, 'db.sqlite3'),
-# }
-# }
+DATABASES = {
+ 'default': {
+ 'ENGINE': 'django.db.backends.sqlite3',
+ 'NAME': os.path.join(BASE_DIR, 'db.sqlite3'),
+ }
+}
 # Internationalization
 # https://docs.djangoproject.com/en/1.6/topics/i18n/
diff --git a/demo-django/demo/urls.py b/demo-django/demo/urls.py
index 1f329074..b89eab0a 100644
--- a/demo-django/demo/urls.py
+++ b/demo-django/demo/urls.py
@@ -7,6 +7,6 @@
 urlpatterns = [
 url(r'^$', index, name='index'),
 url(r'^attrs/$', attrs, name='attrs'),
- url(r'^metadata/$', metadata, name='metadata')
+ url(r'metadata/$', metadata, name='metadata')
 ]
diff --git a/demo-django/demo/views.py b/demo-django/demo/views.py
index 2ae0ebac..6ce1688f 100644
--- a/demo-django/demo/views.py
+++ b/demo-django/demo/views.py
@@ -7,7 +7,7 @@
 from onelogin.saml2.auth import OneLogin_Saml2_Auth
 from onelogin.saml2.settings import OneLogin_Saml2_Settings
 from onelogin.saml2.utils import OneLogin_Saml2_Utils
-
+from onelogin.saml2.constants import OneLogin_Saml2_Constants
 def init_saml_auth(req):
 auth = OneLogin_Saml2_Auth(req, custom_base_path=settings.SAML_FOLDER)
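Review bot: `ALLOWED_HOSTS = ['*']` in the first settings.py hunk switches off Django's Host-header validation, and that matters in this demo because `init_saml_auth` (whose body continues outside the views.py hunk) presumably builds the SAML `http_host` from the incoming request, so a client-chosen Host would flow into the SP-side URLs. The demo host is already fixed in saml/settings.json, so listing it is enough: `ALLOWED_HOSTS = ['spid.test.it', 'localhost']`. The `SECURITY WARNING` context line above `DEBUG = True` still applies to the second hunk's sqlite `DATABASES` block, which is fine for a demo but should not be copied into a deployment.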
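Review bot: The new route `url(r'metadata/$', metadata, name='metadata')` drops the `^` anchor that the two sibling routes keep, so it now matches any path that merely ends in `metadata/` (for example `attrs/metadata/`) rather than only `/metadata/`. If the intent was to serve metadata at the path the SP `entityId` points to, that belongs in the `entityId` or in a second anchored route, not in an unanchored regex; restore `url(r'^metadata/$', metadata, name='metadata')`.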
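Review bot: The new `from onelogin.saml2.constants import OneLogin_Saml2_Constants` replaces one of the two blank lines that separated the import block from `def init_saml_auth`, leaving a single blank line before the top-level def (PEP 8 E302). Add the blank line back after the import so the module keeps the two-line gap it had.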
@@ -57,7 +57,10 @@ def index(request):
 if 'samlSessionIndex' in request.session:
 session_index = request.session['samlSessionIndex']
- return HttpResponseRedirect(auth.logout(name_id=name_id, session_index=session_index))
+ return HttpResponseRedirect(auth.logout(name_id=name_id,
+ session_index=session_index,
+ name_id_format=OneLogin_Saml2_Constants.NAMEID_TRANSIENT,
+ nq=name_id))
 # If LogoutRequest ID need to be stored in order to later validate it, do instead
 # slo_built_url = auth.logout(name_id=name_id, session_index=session_index)
diff --git a/demo-django/saml/advanced_settings.json b/demo-django/saml/advanced_settings.json
index 7efb5d1b..e5130449 100644
--- a/demo-django/saml/advanced_settings.json
+++ b/demo-django/saml/advanced_settings.json
@@ -1,8 +1,8 @@
 {
 "security": {
 "nameIdEncrypted": false,
- "authnRequestsSigned": false,
- "logoutRequestSigned": false,
+ "authnRequestsSigned": true,
+ "logoutRequestSigned": true,
 "logoutResponseSigned": false,
 "signMetadata": false,
 "wantMessagesSigned": false,
@@ -10,8 +10,11 @@
 "wantNameId" : true,
 "wantNameIdEncrypted": false,
 "wantAssertionsEncrypted": false,
- "signatureAlgorithm": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
- "digestAlgorithm": "http://www.w3.org/2000/09/xmldsig#sha1"
+ "signatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
+ "digestAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
+ "requestedAuthnContext": [
+ "https://www.spid.gov.it/SpidL2"
+ ]
 },
 "contactPerson": {
 "technical": {
@@ -23,11 +26,11 @@
 "emailAddress": "support@example.com"
 }
 },
- "organization": {
+ "___organization": {
 "en-US": {
 "name": "sp_test",
- "displayname": "SP test",
- "url": "http://sp.example.com"
+ "displayname": "SP test (spid.test.it:8000)",
+ "url": "http://spid.test.it:8000"
 }
 }
 }
diff --git a/demo-django/saml/settings.json b/demo-django/saml/settings.json
index 391b91c1..e9d07837 100644
--- a/demo-django/saml/settings.json
+++ b/demo-django/saml/settings.json
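Review bot: `nq=name_id` hands the subject's NameID value to a parameter that, in the logout_request.py hunk of this same commit, is treated as the NameID's `NameQualifier`; those are two different things, and the SPID profile expects the issuing IdP's entityId in `NameQualifier`, not the NameID string itself. The IdP entityId is available from the auth object, e.g. `nq=auth.get_settings().get_idp_data()['entityId']`. `name_id_format=OneLogin_Saml2_Constants.NAMEID_TRANSIENT` is also hard-coded; if the login view stores the format received in the assertion in the session (not visible here), prefer reading that back so the LogoutRequest echoes what the IdP actually issued. The `index` view starts and ends outside the hunk.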
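Review bot: Turning on `authnRequestsSigned` and `logoutRequestSigned` only signs the SP's outgoing messages; the inbound requirements in the context lines, `"wantMessagesSigned": false` and `"logoutResponseSigned": false`, are unchanged, so the SP does not insist that the Response and each Assertion carry a signature it verifies against the IdP certificate pinned in settings.json. For a profile that mandates signed responses (SPID), also set `"wantMessagesSigned": true` and `"wantAssertionsSigned": true` in this block, otherwise the new IdP `x509cert` is only loosely enforced.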
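Review bot: `digestAlgorithm` is set to `http://www.w3.org/2001/04/xmldsig-more#rsa-sha512`, which is a SignatureMethod URI, not a DigestMethod URI; the SHA-512 digest identifier is `http://www.w3.org/2001/04/xmlenc#sha512`. As written the `<ds:DigestMethod>` of every signed AuthnRequest and LogoutRequest would name an algorithm that is not a digest, so either signing fails locally or the IdP rejects the signature (presumably the latter, depending on the XMLSec build). Change the line to `"digestAlgorithm": "http://www.w3.org/2001/04/xmlenc#sha512",`.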
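Review bot: Renaming the key to `"___organization"` presumably works by making the library no longer find `organization`, but to the next maintainer it reads as a typo rather than a deliberate switch, and JSON offers no comment to explain it. Either delete the block outright or keep the `organization` key with the updated `displayname`/`url` values, and if the SPID metadata must omit the Organization element, record that in the demo's documentation where the settings files are described.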
@@ -2,29 +2,45 @@
 "strict": true,
 "debug": true,
 "sp": {
- "entityId": "https:///metadata/",
+ "entityId": "http://spid.test.it",
 "assertionConsumerService": {
- "url": "https:///?acs",
+ "url": "http://spid.test.it:8000/?acs",
 "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
 },
 "singleLogoutService": {
- "url": "https:///?sls",
+ "url": "http://spid.test.it:8000/?sls",
 "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
 },
- "NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
- "x509cert": "",
- "privateKey": ""
+ "attributeConsumingService": {
+ "serviceName": "spid.test.it:8000",
+ "serviceDescription": "description",
+ "requestedAttributes": [
+ {
+ "name": "name",
+ "isRequired": true
+ },
+ {
+ "name": "familyName",
+ "isRequired": true
+ },
+ {
+ "name": "email",
+ "isRequired": true
+ }
+ ]
+ },
+ "NameIDFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
 },
 "idp": {
- "entityId": "https://app.onelogin.com/saml/metadata/",
+ "entityId": "http://idp.test.it:8088",
 "singleSignOnService": {
- "url": "https://app.onelogin.com/trust/saml2/http-post/sso/",
+ "url": "http://idp.test.it:8088/sso",
 "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
 },
 "singleLogoutService": {
- "url": "https://app.onelogin.com/trust/saml2/http-redirect/slo/",
+ "url": "http://idp.test.it:8088/slo",
 "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
 },
- "x509cert": ""
+ "x509cert": "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"
 }
 }
\ No newline at end of file
diff --git a/src/onelogin/saml2/authn_request.py b/src/onelogin/saml2/authn_request.py
index d0983703..3a7750d3 100644
--- a/src/onelogin/saml2/authn_request.py
+++ b/src/onelogin/saml2/authn_request.py
@@ -9,7 +9,7 @@
 """
 from base64 import b64encode
-
+from urlparse import urlparse
 from onelogin.saml2.constants import OneLogin_Saml2_Constants
 from onelogin.saml2.utils import OneLogin_Saml2_Utils
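Review bot: Every SP and IdP endpoint in the hunk is now plain `http://`, and with `"strict": true` in the context line the ACS URL carried in the Response must match `http://spid.test.it:8000/?acs` exactly, so the assertion is posted in clear text by design of this config; that is acceptable for a local test IdP only and should be stated next to these values, or the pair of hosts given `https://` URLs. The removed `"x509cert": ""` and `"privateKey": ""` entries under `sp` are exactly what the `authnRequestsSigned: true` enabled in advanced_settings.json in this commit needs, so presumably the SP key pair is now expected from the certs folder; confirm that, since a missing key would only show up at the first signed request. The IdP `x509cert` value is not shown on this page and cannot be checked here.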
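Review bot: `from urlparse import urlparse` is a Python 2-only module (it moved to `urllib.parse` in Python 3), and it is dropped into the slot of the blank line that separated the stdlib import from the project imports; the same import is added in logout_request.py in this commit. If the library is meant to stay importable under both interpreters, guard it: `try: from urlparse import urlparse` / `except ImportError: from urllib.parse import urlparse`, and restore the blank line before the `onelogin.saml2` imports.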
@@ -48,7 +48,8 @@ def __init__(self, settings, force_authn=False, is_passive=False, set_nameid_pol self.__id = uid issue_instant = OneLogin_Saml2_Utils.parse_time_to_SAML(OneLogin_Saml2_Utils.now()) - destination = idp_data['singleSignOnService']['url'] + destination_url_parts = urlparse(idp_data['singleSignOnService']['url']) + destination = "%s://%s" % (destination_url_parts.scheme, destination_url_parts.netloc) provider_name_str = '' organization_data = settings.get_organization() @@ -77,8 +78,8 @@ def __init__(self, settings, force_authn=False, is_passive=False, set_nameid_pol nameid_policy_str = """ """ % name_id_policy_format + Format="%s" />""" % name_id_policy_format + # SPID: AllowCreate="true" />""" % name_id_policy_format requested_authn_context_str = '' if 'requestedAuthnContext' in security.keys() and security['requestedAuthnContext'] is not False: @@ -110,7 +111,10 @@ def __init__(self, settings, force_authn=False, is_passive=False, set_nameid_pol ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="%(assertion_url)s" %(attr_consuming_service_str)s> - %(entity_id)s%(nameid_policy_str)s%(requested_authn_context_str)s + %(entity_id)s%(nameid_policy_str)s%(requested_authn_context_str)s """ % \ { 'id': uid, diff --git a/src/onelogin/saml2/logout_request.py b/src/onelogin/saml2/logout_request.py index a566f489..ced89f28 100644 --- a/src/onelogin/saml2/logout_request.py +++ b/src/onelogin/saml2/logout_request.py @@ -14,6 +14,7 @@ from lxml import etree from defusedxml.lxml import fromstring from xml.dom.minidom import Document +from urlparse import urlparse from onelogin.saml2.constants import OneLogin_Saml2_Constants from onelogin.saml2.utils import OneLogin_Saml2_Utils 
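Review bot: `destination` is cut down to `"%s://%s" % (scheme, netloc)`, which drops the path of the configured SSO URL; with the demo IdP entry `http://idp.test.it:8088/sso` the AuthnRequest's `Destination` becomes `http://idp.test.it:8088`. SAML requires `Destination` to be the endpoint the message is delivered to and receivers compare it with the URL they got it at, so any IdP whose SSO URL has a path will now reject requests from every user of this library; the same truncation is applied to `singleLogoutService` in logout_request.py further down. Keep `destination = idp_data['singleSignOnService']['url']` as the default and make the host-only form an explicit setting for the one IdP that wants it. Note also that the format yields `://` when the configured URL lacks a scheme. `__init__` starts and ends outside the hunk.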
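Review bot: The removed `AllowCreate="true"` survives as a commented-out fragment of the old template (`# SPID: AllowCreate="true" />""" % name_id_policy_format`) sitting directly after a string literal, which is dead code rather than an explanation. Replace it with a why-comment such as `# NameIDPolicy deliberately carries no AllowCreate (SPID profile) — confirm against the spec` and drop the old line. This hunk is partially garbled on this page (the XML tags of the template are lost), so the exact template text should be checked in the repository.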
@@ -87,7 +88,8 @@ def __init__(self, settings, request=None, name_id=None, session_index=None, nq= nq = None elif nq is not None: # We only gonna include SPNameQualifier if NameQualifier is provided - spNameQualifier = sp_data['entityId'] + # SPID: no! spNameQualifier = sp_data['entityId'] + pass name_id_obj = OneLogin_Saml2_Utils.generate_name_id( name_id, @@ -103,6 +105,9 @@ def __init__(self, settings, request=None, name_id=None, session_index=None, nq= else: session_index_str = '' + destination_url_parts = urlparse(idp_data['singleLogoutService']['url']) + destination = "%s://%s" % (destination_url_parts.scheme, destination_url_parts.netloc) + logout_request = """ - %(entity_id)s + %(entity_id)s %(name_id)s %(session_index)s """ % \ { 'id': uid, 'issue_instant': issue_instant, - 'single_logout_url': idp_data['singleLogoutService']['url'], + 'single_logout_url': destination, 'entity_id': sp_data['entityId'], 'name_id': name_id_obj, 'session_index': session_index_str,
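Review bot: After the change the `elif nq is not None:` branch holds only a comment and `pass`, so `spNameQualifier` is never taken from `sp_data['entityId']` and the comment above it, "We only gonna include SPNameQualifier if NameQualifier is provided", no longer describes what the code does. Either remove the branch together with the stale comment, or make the SPID behaviour a settings switch so other deployments keep their `SPNameQualifier`; a library-wide silent drop is hard to spot from the call site. Where `spNameQualifier` is initialised lies outside the hunk, so confirm it still has a defined value before `generate_name_id` reads it. `__init__` starts and ends outside the hunk.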