OTA-Insight / djangosaml2idp

SAML 2.0 Identity Provider in Django
Apache License 2.0

Cannot specify alternative IDP metadata sources #106

Open daggaz opened 4 years ago

daggaz commented 4 years ago

This change introduced model backed Service Providers.

This prevents the user from ever specifying a different SP metadata source (for example an MDQ server):

SAML_IDP_CONFIG = {
    "metadata": {
        "mdq": ["https://example.com/mdq/"],
    },
}

If the IDP config object contains a metadata key, then this should probably not be overridden.
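The behaviour the issue asks for, written as an added example rather than code from the djangosaml2idp project: keep an operator-supplied `"metadata"` section (such as the MDQ source above) untouched, and only fall back to inline metadata built from the model-backed Service Providers when the config names no source at all. The helper names (`build_metadata_config`, `metadata_sources`), the `entityid` value and the sample SP metadata strings are constructed for the example; the `"mdq"` and `"inline"` keys are the ones pysaml2 accepts for metadata sources.

```python
from copy import deepcopy

# Constructed example of an IdP config that points pysaml2 at an MDQ server.
# Any real deployment would carry many more keys (service, key_file, ...).
SAML_IDP_CONFIG = {
    "entityid": "https://idp.example.com/idp/metadata",  # constructed value
    "metadata": {
        "mdq": ["https://example.com/mdq/"],
    },
}

# Constructed stand-ins for the metadata XML stored on model-backed SP rows.
MODEL_SP_METADATA = [
    "<EntityDescriptor entityID='https://sp-one.example.org/saml/metadata'/>",
    "<EntityDescriptor entityID='https://sp-two.example.org/saml/metadata'/>",
]


def build_metadata_config(idp_config, model_sp_metadata):
    """Return a copy of idp_config with a usable "metadata" section.

    Hypothetical helper, not the project's own code. If the operator already
    configured a metadata source (mdq, remote, local, ...), it is honoured as
    given: the model-backed SPs must not silently replace it. Only when no
    source is configured do we build an "inline" section from the SP rows,
    so that a plain install with only database SPs still works.
    """
    cfg = deepcopy(idp_config)  # never mutate the settings object in place
    if "metadata" in cfg:
        return cfg  # operator-supplied source wins; nothing is overridden
    cfg["metadata"] = {"inline": list(model_sp_metadata)}
    return cfg


def metadata_sources(idp_config):
    """List the metadata source kinds a config names, for logging or checks.

    Returns e.g. ["mdq"] for the config above and ["inline"] for the fallback,
    which lets a startup check confirm which source is actually in effect.
    """
    return sorted(idp_config.get("metadata", {}).keys())


if __name__ == "__main__":
    # Operator configured MDQ: the MDQ source is kept, SP rows are ignored.
    cfg = build_metadata_config(SAML_IDP_CONFIG, MODEL_SP_METADATA)
    print("configured sources:", metadata_sources(cfg))

    # No metadata key at all: fall back to inline metadata from SP rows.
    bare = {"entityid": SAML_IDP_CONFIG["entityid"]}
    fallback = build_metadata_config(bare, MODEL_SP_METADATA)
    print("fallback sources:", metadata_sources(fallback))
```

With this split an operator running against a large federation can point the IdP at an MDQ endpoint and never have thousands of entity descriptors loaded at service start, while a small install with only database-defined SPs keeps working unchanged.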

peppelinux commented 4 years ago

Imagine having more than 3000 SPs, like in the eduGAIN federation; have you ever loaded thousands of metadata entries on each service start?

It could take more than a minute and a huge amount of RAM. MDQ is the smartest solution for requesting fresh metadata on each occurrence. @mhindery, why should you reduce the features of pysaml2?

daggaz commented 4 years ago

The latest version that supports non-model based service providers is 0.6.

This is incompatible with the latest PySAML2 (a dependency of djangosaml2) so you need PySAML4.x:

djangosaml2idp<0.7
pysaml2<5

peppelinux commented 4 years ago

The latest version that supports non-model based service providers is 0.6.

This is incompatible with the latest PySAML2 (a dependency of djangosaml2) so you need PySAML4.x:

djangosaml2idp<0.7
pysaml2<5

Discouraged due to some important weaknesses in pysaml2<5.2