Open Malshtur opened 1 year ago
Yes, option 3 is very good
you just have to inherit from https://github.com/IdentityPython/djangosaml2/blob/master/djangosaml2/views.py#L408 and then you can override the methods post_login, custom_redirect or whatever
then you have to map your new ACS to a specific URL (urls.py of your project) and also map it in the metadata, defining its URL/webpath in the pysaml2 configuration, here (to get signed metadata automatically):
Thanks for your responsiveness and the details, truly fast!
Just to be sure we are talking about the same thing, in saml-core:
`AssertionConsumerServiceURL [Optional]
Specifies by value the location to which the
for the security of the solution the IDP should only response to a known ACS, taken from the metadata of the requester
In general, I completely agree, but if and only if the AuthnRequest is signed, then the underlying security is the same because it is based on the same cryptographic keys.
The only case I could think of is that the underlying SP is vulnerable to injections that could lead to signing an AuthnRequest with a malicious AssertionConsumerServiceUrl. This could also modify metadata nonetheless.
The standard allows both, as I mentioned above, but if I were to use djangosaml2 as you explained, I would have to share metadata dynamically between SP and IdP to refresh the list of AssertionConsumerService, right?
right
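Added example, not from this thread and not djangosaml2 or pysaml2 code: it puts the two technical points above into runnable form. The first is the pysaml2 configuration step (declaring one extra `assertion_consumer_service` endpoint per tenant so it ends up in the SP metadata); the second is the IdP-side rule that it should only respond to an ACS it knows from the SP's metadata, rather than trusting the `AssertionConsumerServiceURL` in the AuthnRequest alone, signed or not. The base URL, tenant names, entity ID and the sample AuthnRequest are all constructed for the example; the binding constant is spelled out as its URN so the code runs without pysaml2 installed.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
# Literal value of saml2.BINDING_HTTP_POST, spelled out so this runs without pysaml2.
BINDING_HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Assumed deployment values (not from the thread).
SP_BASE_URL = "https://sp.example.com"
TENANTS = ("acme", "globex")


def build_sp_config(base_url, tenants):
    """pysaml2-style SAML_CONFIG fragment with one ACS per tenant.

    The first entry is the default ACS; the per-tenant ones are the extra
    endpoints that must be declared here so pysaml2 includes them in the
    SP metadata it generates (and signs).
    """
    acs = [(f"{base_url}/saml2/acs/", BINDING_HTTP_POST)]
    acs += [(f"{base_url}/saml2/{t}/acs/", BINDING_HTTP_POST) for t in tenants]
    return {
        "entityid": f"{base_url}/saml2/metadata/",
        "service": {
            "sp": {
                "endpoints": {"assertion_consumer_service": acs},
                "authn_requests_signed": True,
            }
        },
    }


def registered_acs(config):
    """Ordered ACS URLs an IdP would learn from this SP's metadata."""
    endpoints = config["service"]["sp"]["endpoints"]["assertion_consumer_service"]
    return [url for url, _binding in endpoints]


def tenant_for_acs(acs_url, base_url, tenants):
    """Map a per-tenant ACS URL back to its tenant; None for the default ACS."""
    prefix = f"{base_url}/saml2/"
    if not acs_url.startswith(prefix):
        return None
    segment = acs_url[len(prefix):].split("/", 1)[0]
    return segment if segment in tenants else None


def parse_authn_request(xml_text):
    """Pull Issuer and ACS URL out of an AuthnRequest (signature is checked elsewhere)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    issuer = root.find(f"{{{SAML_NS}}}Issuer")
    return {
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "acs_url": root.get("AssertionConsumerServiceURL"),
    }


def resolve_acs(request, sp_configs_by_entityid):
    """IdP-side rule from the thread: only respond to an ACS the SP registered.

    A valid signature proves the SP asked for that URL, but the allow-list
    check still applies: a bug in the SP that lets an attacker influence the
    requested ACS would otherwise send the assertion off-site.
    """
    config = sp_configs_by_entityid.get(request["issuer"])
    if config is None:
        raise ValueError(f"unknown issuer {request['issuer']!r}")
    allowed = registered_acs(config)
    acs_url = request["acs_url"]
    if acs_url is None:
        return allowed[0]  # no URL requested: use the SP's default ACS
    if acs_url not in allowed:
        raise ValueError(f"ACS {acs_url!r} is not in the SP's metadata")
    return acs_url


# Constructed sample request (not captured from any real IdP or SP).
SAMPLE_AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}"
    ID="_constructed-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    ProtocolBinding="{BINDING_HTTP_POST}"
    AssertionConsumerServiceURL="{SP_BASE_URL}/saml2/acme/acs/">
  <saml:Issuer>{SP_BASE_URL}/saml2/metadata/</saml:Issuer>
</samlp:AuthnRequest>"""

SP_CONFIG = build_sp_config(SP_BASE_URL, TENANTS)
KNOWN_SPS = {SP_CONFIG["entityid"]: SP_CONFIG}


def demo():
    """Resolve the sample request to an ACS and the tenant it belongs to."""
    req = parse_authn_request(SAMPLE_AUTHN_REQUEST)
    acs = resolve_acs(req, KNOWN_SPS)
    return acs, tenant_for_acs(acs, SP_BASE_URL, TENANTS)


if __name__ == "__main__":
    print(demo())
```

On the SP side, the tenant is then whatever `tenant_for_acs` returns for the URL the assertion arrived at, which is the information the view subclass needs in its post-login step; on the IdP side, a request naming any URL outside `registered_acs` is refused even if its signature verifies, which is the point made above about the SP's metadata being the source of truth.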
Hello,
I am working to port SAML to a multi-tenant application where each tenant has its own database. So every tenant manages its own users, objects, etc.
The issue I am trying to resolve has to do with our authentication scheme requiring us to specify which tenant the user authenticates to. I have considered the following three approaches:
The latter is my preferred way to go, but I can't wrap my head around whether it is possible with djangosaml2. Could you point me in the right direction if you support it? If not, I am only trying to find out how to do it at the pysaml2 level, but I have had no luck so far.
Thanks for your time.