IdentityPython / pysaml2

Python implementation of SAML2
Apache License 2.0

Delete AuthnStatement from Response #790

Closed SamGenTLEManKaka closed 3 years ago

SamGenTLEManKaka commented 3 years ago

Code Version

pysaml2 6.5.1, Python 3.6

Expected Behavior

I want only one AuthnStatement in the IdP response XML, but there are two now.

Current Behavior

image

The second AuthnStatement holds my identity data. image

But I don't know what the first one is.

Possible Solution

I want to remove the first AuthnStatement.
How can I achieve that?

Steps to Reproduce

Here is my idp_conf.py:

#!/usr/bin/env python
# -*- coding: utf-8 -*-
import os.path

from saml2 import BINDING_HTTP_REDIRECT, BINDING_URI
from saml2 import BINDING_HTTP_ARTIFACT
from saml2 import BINDING_HTTP_POST
from saml2 import BINDING_SOAP
from saml2.saml import NAME_FORMAT_URI
from saml2.saml import NAMEID_FORMAT_TRANSIENT
from saml2.saml import NAMEID_FORMAT_PERSISTENT
from saml2.xmldsig import SIG_RSA_SHA256, DIGEST_SHA256

try:
    from saml2.sigver import get_xmlsec_binary
except ImportError:
    get_xmlsec_binary = None

# Locate the xmlsec1 binary that pysaml2 shells out to for XML signing and
# signature verification. When the sigver helper is importable it is asked to
# look in /opt/local/bin as well; otherwise assume the usual distro location.
xmlsec_path = (
    get_xmlsec_binary(["/opt/local/bin"])
    if get_xmlsec_binary
    else "/usr/bin/xmlsec1"
)

# Absolute directory containing this config module; files referenced below
# (keys, certs, metadata) are resolved against it rather than the process cwd.
BASEDIR = os.path.dirname(os.path.abspath(__file__))


def full_path(local_file):
    """Return ``local_file`` resolved against ``BASEDIR``.

    Follows ``os.path.join`` semantics: a relative path is anchored at the
    config directory, an absolute path is returned unchanged.
    """
    resolved = os.path.join(BASEDIR, local_file)
    return resolved

HOST = 'adfs.testyunwei.com'
PORT = 8088

# Serve the IdP over TLS. BASE is the public origin that every endpoint URL
# and the entityid below are built from.
HTTPS = True

BASE = "%s://%s:%s" % ("https" if HTTPS else "http", HOST, PORT)

# HTTPS cert information (paths are relative to the process cwd, unlike the
# key_file/cert_file entries in CONFIG which go through full_path()).
SERVER_CERT = "pki/mycert.pem"
SERVER_KEY = "pki/mykey.pem"
CERT_CHAIN = ""
# Optional signature/digest algorithm overrides. Not referenced by CONFIG in
# this file; presumably read by the server script that imports this module.
# The original left a hint at stronger choices: SIG_RSA_SHA512 / DIGEST_SHA512
# from saml2.xmldsig.
SIGN_ALG = None
DIGEST_ALG = None

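# pysaml2 IdP configuration.
#
# Fixes relative to the original listing:
#   * "name_id_format" listed an attrname-format URI, which is not a NameID
#     format; it now uses the nameid-format namespace.
#   * "subject_data" and "attribute_map_dir" were relative to the process cwd
#     while "metadata" was anchored to this file's directory; all three now
#     go through full_path() so startup does not depend on the cwd.
# Security-relevant settings are flagged inline; their values are unchanged.
CONFIG = {
    "entityid": "%s/idp.xml" % BASE,
    "description": "My IDP",
    # How long the generated metadata is valid for, in hours (pysaml2
    # convention; confirm against the docs of the installed version).
    "valid_for": 168,
    "service": {
        "idp": {
            "name": "Rolands IdP",
            # Endpoints
            "endpoints": {
                "single_sign_on_service": [
                    ("%s/sso/redirect" % BASE, BINDING_HTTP_REDIRECT),
                    ("%s/sso/post" % BASE, BINDING_HTTP_POST),
                ],
            },
            "policy": {
                "default": {
                    "lifetime": {"minutes": 15},
                    # SECURITY: None releases every attribute the IdP holds
                    # to every SP. Restrict per SP before deploying beyond a
                    # local test setup.
                    "attribute_restrictions": None,  # means all I have
                    # NameFormat for emitted <Attribute> elements; the
                    # attrname-format namespace is correct here.
                    "name_form": "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified",
                },
            },
            # Local-id <-> SP-id mapping store, next to this file.
            "subject_data": full_path("idp.subject"),
            # NameID formats this IdP supports/advertises. Must be URIs from
            # the nameid-format namespace (the original used an
            # attrname-format URI here by mistake). NAMEID_FORMAT_TRANSIENT /
            # NAMEID_FORMAT_PERSISTENT are imported above if a stricter
            # choice is preferred.
            "name_id_format": [
                "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"],
            # Sign the <Assertion> inside the authentication response.
            "sign_assertion": True,
            # Also sign the <Response> envelope (the library default is False).
            "sign_response": True,
            # Use SHA-256 for signatures and digests (SHA-1 is deprecated).
            'signing_algorithm': SIG_RSA_SHA256,
            'digest_algorithm': DIGEST_SHA256,
        },
    },
    # SECURITY: debug mode is on; set to 0 for production.
    "debug": 1,
    "key_file": full_path("pki/mykey.pem"),
    "cert_file": full_path("pki/mycert.pem"),
    # SHA-256 at the top level as well (see service.idp above).
    'signing_algorithm': SIG_RSA_SHA256,
    'digest_algorithm': DIGEST_SHA256,
    # Encryption key pair(s); left disabled as in the original:
    # 'encryption_keypairs': [
    #     {
    #         'key_file': full_path("pki/mykey.pem"),
    #         'cert_file': full_path("pki/mycert.pem"),
    #     },
    # ],
    # SP metadata this IdP trusts. Only SPs listed here can federate.
    "metadata": {
        "local": [full_path("../sp-wsgi/sp.xml")],
    },
    "xmlsec_binary": xmlsec_path,
    # Attribute maps, resolved relative to this file's directory.
    "attribute_map_dir": full_path("../attributemaps"),
    # Logging. NOTE: DEBUG-level saml2 logging is very verbose and is likely
    # to write full SAML messages (including user attributes) to stderr;
    # raise to INFO/WARNING outside of local testing.
    "logging": {
        "version": 1,
        "formatters": {
            "simple": {
                "format": "[%(asctime)s] [%(levelname)s] [%(name)s.%(funcName)s] %(message)s",
            },
        },
        "handlers": {
            "stderr": {
                "class": "logging.StreamHandler",
                "stream": "ext://sys.stderr",
                "level": "DEBUG",
                "formatter": "simple",
            },
        },
        "loggers": {
            "saml2": {
                "level": "DEBUG"
            },
        },
        "root": {
            "level": "DEBUG",
            "handlers": [
                "stderr",
            ],
        },
    },
}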

# Authentication contexts

# (r'verify?(.*)$', do_verify),

# CAS_SERVER = "https://cas.umu.se"
# CAS_VERIFY = "%s/verify_cas" % BASE
# PWD_VERIFY = "%s/verify_pwd" % BASE
#
# AUTHORIZATION = {
#     "CAS": {"ACR": "CAS", "WEIGHT": 1, "URL": CAS_VERIFY},
#     "UserPassword": {"ACR": "PASSWORD", "WEIGHT": 2, "URL": PWD_VERIFY}
# }
c00kiemon5ter commented 3 years ago

This Response was generated by some other IdP (it looks like ADFS), not by this pysaml2 configuration.

It does not contain two AuthnStatements, but one: the first element is the AuthnStatement and the second (the one carrying the identity data) is an AttributeStatement.

The <AuthnStatement> element describes a statement by the SAML authority asserting that the assertion subject was authenticated by a particular means at a particular time. Assertions containing <AuthnStatement> elements MUST contain a <Subject> element. (SAML 2.0 Core, §2.7.2)

The <AttributeStatement> element describes a statement by the SAML authority asserting that the assertion subject is associated with the specified attributes. Assertions containing <AttributeStatement> elements MUST contain a <Subject> element. (SAML 2.0 Core, §2.7.3)

c00kiemon5ter commented 3 years ago

I am closing this, as it does not seem to be an issue with this library: the statements in question are produced by the upstream IdP.