As mentioned in https://github.com/IdentityPython/pysaml2/issues/780, there is currently a limitation in the implementation, which relies only on x509 certs for signature verification. In the comments, it was mentioned that no IdP was known to use a signature key other than x509; I guess I found one: LemonLDAP-NG, which uses a public RSA key in its manifest instead of x509 certificates.
According to the spec (https://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd) it is valid to use these keys for signatures and to report them in the metadata file.
Code Version
pip version 7.1.0
Expected Behavior
Successful signature verification
Current Behavior
Today I get an error when trying to retrieve certificates from the issuer:
File "/usr/local/lib/python3.9/site-packages/saml2/entity.py", line 1504, in _parse_response
response = response.loads(xmlstr, False, origxml=xmlstr)
File "/usr/local/lib/python3.9/site-packages/saml2/response.py", line 528, in loads
self._loads(xmldata, decode, origxml)
File "/usr/local/lib/python3.9/site-packages/saml2/response.py", line 344, in _loads
self.response = self.signature_check(
File "/usr/local/lib/python3.9/site-packages/saml2/sigver.py", line 1755, in correctly_signed_response
self._check_signature(decoded_xml, response,
File "/usr/local/lib/python3.9/site-packages/saml2/sigver.py", line 1480, in _check_signature
raise MissingKey(_issuer)
saml2.sigver.MissingKey: https://auth.le-filament.com/saml/metadata
Possible Solution
It would be great to allow for other types of key verification so that it can work with the LemonLDAP-NG implementation.
Steps to Reproduce
Install and configure LemonLDAP-NG as a SAML IdP
Try to connect to this IdP using the pysaml2 library
You get the above error and the authentication is not completed.
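To make the gap concrete, the added example below (written for this report, not pysaml2's own code) parses a SAML `md:KeyDescriptor` that carries either an `ds:X509Data/ds:X509Certificate` or a `ds:KeyValue/ds:RSAKeyValue` (`Modulus`/`Exponent`), the second being the form LemonLDAP-NG publishes and the one pysaml2 currently ignores, and then verifies an RSA PKCS#1 v1.5 / SHA-256 signature directly from the parsed modulus and exponent. The entityID, the metadata document and the signing key are constructed here: the key is built from two Mersenne primes so the block runs offline with the standard library only, and it is not a usable key. The verification is over raw bytes; real XML-DSig checking (canonicalisation, reference digests) is what pysaml2 delegates to xmlsec1 and is not reimplemented here.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"ds": DS, "md": MD}

# DER-encoded DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def _b64_to_int(text):
    """Decode an XML-DSig CryptoBinary (base64 big-endian unsigned integer)."""
    return int.from_bytes(base64.b64decode("".join(text.split())), "big")


def parse_key_descriptors(metadata_xml):
    """Return every key found in md:KeyDescriptor elements, in document order.

    Each entry is a dict with 'use' (None when the attribute is absent, which
    per SAML metadata means signing and encryption) and either
    type='x509' with the DER certificate bytes, or type='rsa' with n and e.
    """
    root = ET.fromstring(metadata_xml)
    keys = []
    for kd in root.iter(f"{{{MD}}}KeyDescriptor"):
        use = kd.get("use")
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            keys.append({"use": use, "type": "x509", "der": der})
        for rkv in kd.findall("ds:KeyInfo/ds:KeyValue/ds:RSAKeyValue", NS):
            n = _b64_to_int(rkv.findtext("ds:Modulus", namespaces=NS))
            e = _b64_to_int(rkv.findtext("ds:Exponent", namespaces=NS))
            keys.append({"use": use, "type": "rsa", "n": n, "e": e})
    return keys


def rsa_pkcs1v15_sha256_verify(n, e, message, signature):
    """RSASSA-PKCS1-v1_5 verification with SHA-256 from raw (n, e)."""
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    ps_len = k - len(t) - 3
    if ps_len < 8:
        return False
    expected = b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t
    return hmac.compare_digest(em, expected)


def verify_with_metadata(metadata_xml, message, signature):
    """Accept the signature if any RSA signing key in the metadata verifies it."""
    for key in parse_key_descriptors(metadata_xml):
        if key["type"] == "rsa" and key["use"] in (None, "signing"):
            if rsa_pkcs1v15_sha256_verify(key["n"], key["e"], message, signature):
                return True
    return False


# --- Constructed demo key (NOT a real key): two Mersenne primes, M127 and M521. ---
_P = 2**127 - 1
_Q = 2**521 - 1
DEMO_N = _P * _Q
DEMO_E = 65537
_DEMO_D = pow(DEMO_E, -1, (_P - 1) * (_Q - 1))


def demo_sign(message):
    """Sign with the constructed demo key (same PKCS#1 v1.5 encoding as above)."""
    k = (DEMO_N.bit_length() + 7) // 8
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    em = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return pow(int.from_bytes(em, "big"), _DEMO_D, DEMO_N).to_bytes(k, "big")


def _int_b64(x):
    return base64.b64encode(x.to_bytes((x.bit_length() + 7) // 8, "big")).decode()


def demo_metadata():
    """Constructed IdP metadata: an RSAKeyValue signing key (the LemonLDAP-NG
    style) plus a placeholder X509Data encryption key, to exercise both paths."""
    fake_cert = base64.b64encode(b"placeholder, not a real certificate").decode()
    return f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://idp.example.invalid/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:KeyValue><ds:RSAKeyValue>
        <ds:Modulus>{_int_b64(DEMO_N)}</ds:Modulus>
        <ds:Exponent>{_int_b64(DEMO_E)}</ds:Exponent>
      </ds:RSAKeyValue></ds:KeyValue></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{fake_cert}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


if __name__ == "__main__":
    msg = b"constructed SAML response bytes"
    print(verify_with_metadata(demo_metadata(), msg, demo_sign(msg)))
```

The point of `parse_key_descriptors` is that a `KeyDescriptor` without `X509Data` is still a valid key source; a library that only walks the `X509Certificate` branch ends with an empty key list and raises `MissingKey` exactly as in the traceback above. A fix in pysaml2 would need to pass such keys to xmlsec1 in a form it accepts (for example a PEM public key) rather than a certificate.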