IdentityPython / SATOSA

Proxy translating between different authentication protocols (SAML2, OpenID Connect and OAuth2)
https://idpy.org
Apache License 2.0

MDQ always uses sha1 entityId encoding, but some MDQ server only handle percent-encoding #460

Open prigaux opened 7 months ago

prigaux commented 7 months ago

Code Version

8.4.0 (via docker)

Expected Behavior

With

  sp_config:
    metadata:
      mdq:
         - url: https://mdq.federation.renater.fr/test

I expected a request to /test/entities/https%3A%2F%2Fidp-test.univ-paris1.fr

Current Behavior

It did /test/entities/%7Bsha1%7Dd75d16c821f38b1bf6e33dc3d4d44e542a9f6786 which is not handled by mdq.federation.renater.fr (I will contact them to add sha1 support)

Possible Solution

Suggested tested solution:

  sp_config:
    metadata:
      mdq:
         - url: https://mdq.federation.renater.fr/test
           entity_transform: percent_encoded

with the new feature from https://github.com/prigaux/pysaml2/commit/562dd2d329dd67987a097245ae434bf72e28f2cc

Steps to Reproduce

This is currently failing: https://filex-ng-test.univ-paris1.fr/Shibboleth.sso/Login?entityID=https://satosa.univ-paris1.fr/filex_ng_test/idp.xml

  1. choose "Utiliser mon compte Paris 1"
  2. you get an error
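
The two identifier forms behind this issue, as an added example (not pysaml2 or SATOSA code): an MDQ client may request an entity either as the percent-encoded entityID or as `{sha1}` followed by the lowercase hex SHA-1 of the UTF-8 entityID, and the identifier is then percent-encoded once more as a path segment, which is why the braces show up as `%7B`/`%7D` in the failing request above. The transform names `sha1` and `percent_encoded` mirror the `entity_transform` option proposed in the issue; the function names, the `TRANSFORMS` table and the server-side `resolve_identifier` helper (which accepts both forms, the behaviour a server would need to serve both kinds of client) are assumptions of this example.

```python
"""MDQ entity identifiers in both forms discussed in the issue.

Added example, not pysaml2 or SATOSA code. Identifier rules follow the MDQ
protocol draft (draft-young-md-query): an entityID is requested either
percent-encoded verbatim or as "{sha1}" + lowercase hex SHA-1 of the UTF-8
entityID. Transform names mirror the issue's proposed entity_transform option;
everything else here is this example's own.
"""
import hashlib
from typing import Callable, Iterable, Optional, Union
from urllib.parse import quote, unquote


def sha1_identifier(entity_id: str) -> str:
    """'{sha1}' + hex SHA-1 of the UTF-8 entityID (the default transform in the issue)."""
    return "{sha1}" + hashlib.sha1(entity_id.encode("utf-8")).hexdigest()


def verbatim_identifier(entity_id: str) -> str:
    """Identity transform: the entityID itself is the identifier.

    Percent-encoding is applied once, in mdq_entity_url(); doing it here as
    well would double-encode (%3A -> %253A) and the server would not match.
    """
    return entity_id


# Hypothetical lookup table for a string-valued entity_transform option.
TRANSFORMS = {
    "sha1": sha1_identifier,
    "percent_encoded": verbatim_identifier,
}


def mdq_entity_url(base_url: str, entity_id: str,
                   transform: Union[str, Callable[[str], str]] = "sha1") -> str:
    """Full MDQ request URL: <base>/entities/<identifier>.

    `transform` is a name from TRANSFORMS or a callable, i.e. the mixed
    string-or-function parameter the issue discusses. safe="" is deliberate:
    ':' and '/' in an entityID must be encoded too, otherwise the identifier
    would be split into several path segments by the MDQ server.
    """
    fn = TRANSFORMS[transform] if isinstance(transform, str) else transform
    return "{}/entities/{}".format(base_url.rstrip("/"), quote(fn(entity_id), safe=""))


def resolve_identifier(path_segment: str, known_entity_ids: Iterable[str]) -> Optional[str]:
    """Server side: map the last segment of /entities/<id> back to an entityID.

    Accepts both forms. Returns None for anything not in known_entity_ids, so
    an unknown or malformed identifier never turns into a metadata lookup.
    """
    identifier = unquote(path_segment)
    known = list(known_entity_ids)
    if identifier.startswith("{sha1}"):
        wanted = identifier[len("{sha1}"):].lower()
        for eid in known:
            if hashlib.sha1(eid.encode("utf-8")).hexdigest() == wanted:
                return eid
        return None
    return identifier if identifier in known else None


if __name__ == "__main__":
    base = "https://mdq.federation.renater.fr/test"
    eid = "https://idp-test.univ-paris1.fr"
    for name in TRANSFORMS:
        url = mdq_entity_url(base, eid, name)
        print(name, url, "->", resolve_identifier(url.rsplit("/", 1)[1], [eid]))
```

Run stand-alone, the block prints the `%7Bsha1%7D…` and `https%3A%2F%2F…` URLs for the entityID from the issue and shows the resolver recovering the same entityID from each.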

guillomovitch commented 7 months ago

Renater MDQ server should accept this kind of identifier on Monday, thanks to our own SATOSA testing :)

c00kiemon5ter commented 7 months ago

@prigaux would you want to make a PR with this change?

I think it would be fine to have that option available.

prigaux commented 7 months ago

My only issue with my patch is the mix of types for the param entity_transform: it currently expects a function or None. I added the possibility to handle the string "percent_encoded". If it's OK for you, I can PR right away!

c00kiemon5ter commented 7 months ago

I think this is OK. If you create the PR we can discuss more on it.