OTA-Insight / djangosaml2idp

SAML 2.0 Identity Provider in Django
Apache License 2.0

BINDING_HTTP_REDIRECT endpoints do not store Signature GET parameter #108

Closed okke-formsma closed 3 years ago

okke-formsma commented 3 years ago

When an endpoint is configured with the BINDING_HTTP_REDIRECT binding, the Signature GET parameter is not stored. This causes an exception in LoginProcessView.GET, when parse_authn_request fails due to the missing signature.

            # Parse incoming request
            req_info = idp_server.parse_authn_request(request.session['SAMLRequest'], binding)  # <-- this line fails

            # check SAML request signature
            try:
                verify_request_signature(req_info)

config snippet:

        "idp": {
            "endpoints": {
                "single_sign_on_service": [
                    (f"{BASE_URL}/sso/redirect/", saml2.BINDING_HTTP_REDIRECT,),
                ],
            },
            "want_authn_requests_signed": True,

Workaround is to disable BINDING_HTTP_REDIRECT and only use BINDING_HTTP_POST.
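
The failure above comes from how the HTTP-Redirect binding carries its signature: unlike the POST binding, where the XML signature is embedded in the AuthnRequest, the Redirect binding deflates the request, base64-encodes it, and sends SAMLRequest, RelayState, SigAlg and Signature as separate query parameters (SAML 2.0 Bindings, section 3.4.4.1). The signature covers the URL-encoded string SAMLRequest=...&RelayState=...&SigAlg=..., so an IdP that stores only SAMLRequest and later calls the parser with signing required cannot verify anything. The following stdlib-only Python is an added example, not code from djangosaml2idp or pysaml2: it builds a signed Redirect-binding query string, shows what an IdP must keep in the session, and reconstructs the signed string for verification. The AuthnRequest, the relay state, DEMO_KEY and all function names are constructed for the example; an HMAC-SHA256 stand-in replaces the RSA-SHA256 signature the real SigAlg URI denotes, so the shape of the signed data, not the cipher, is what is demonstrated.

```python
import base64
import hashlib
import hmac
import urllib.parse
import zlib

# Constructed minimal AuthnRequest (not taken from the issue).
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_c0ffee" Version="2.0" IssueInstant="2021-01-01T00:00:00Z" '
    'AssertionConsumerServiceURL="https://sp.example.com/acs"/>'
)

# Algorithm URI a real SP sends; the HMAC below is a stand-in for RSA-SHA256 (assumption).
SIG_ALG = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Hypothetical shared key for the HMAC stand-in; a real SP signs with its private key.
DEMO_KEY = b"demo-key-not-for-production"

# Every parameter the Redirect binding may carry; all of them must survive into the session.
REDIRECT_PARAMS = ("SAMLRequest", "RelayState", "SigAlg", "Signature")


def deflate_b64(xml: str) -> str:
    """Raw DEFLATE (no zlib header, wbits=-15) then base64, as the Redirect binding requires."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()


def inflate_b64(value: str) -> str:
    """Inverse of deflate_b64: base64-decode, then raw inflate."""
    return zlib.decompress(base64.b64decode(value), -15).decode()


def _q(value: str) -> str:
    return urllib.parse.quote(value, safe="")


def signed_string(params: dict) -> str:
    """Octet string the signature covers (Bindings 3.4.4.1): SAMLRequest=...&RelayState=...
    &SigAlg=... with URL-encoded values, RelayState omitted when absent. Signature is never
    part of it. Production code must sign/verify the values exactly as they were URL-encoded
    on the wire; re-encoding decoded values, as done here, only works because both sides
    use the same encoder."""
    parts = ["SAMLRequest=" + _q(params["SAMLRequest"])]
    if params.get("RelayState"):
        parts.append("RelayState=" + _q(params["RelayState"]))
    parts.append("SigAlg=" + _q(params["SigAlg"]))
    return "&".join(parts)


def build_redirect_query(xml: str, relay_state: str, key: bytes) -> str:
    """SP side: produce the query string of a signed HTTP-Redirect AuthnRequest."""
    params = {"SAMLRequest": deflate_b64(xml), "RelayState": relay_state, "SigAlg": SIG_ALG}
    mac = hmac.new(key, signed_string(params).encode(), hashlib.sha256).digest()
    params["Signature"] = base64.b64encode(mac).decode()
    return urllib.parse.urlencode(params)


def stash_redirect_request(query: str, session: dict) -> dict:
    """IdP side, at the SSO endpoint: keep every binding parameter, not just SAMLRequest.
    Dropping SigAlg or Signature here is what makes a later signature check impossible."""
    qs = urllib.parse.parse_qs(query, keep_blank_values=True)
    for name in REDIRECT_PARAMS:
        if name in qs:
            session[name] = qs[name][0]
    return session


def verify_from_session(session: dict, key: bytes) -> bool:
    """IdP side, later in the login flow: rebuild the signed string from the stored
    parameters and check the detached signature. Raises if the view stored too little."""
    missing = [n for n in ("SAMLRequest", "SigAlg", "Signature") if n not in session]
    if missing:
        raise ValueError("cannot verify redirect binding, missing: " + ", ".join(missing))
    if session["SigAlg"] != SIG_ALG:
        return False  # pin the algorithm; never let the sender pick a weaker one
    expected = hmac.new(key, signed_string(session).encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, base64.b64decode(session["Signature"]))


if __name__ == "__main__":
    query = build_redirect_query(AUTHN_REQUEST, "https://sp.example.com/app", DEMO_KEY)
    good = stash_redirect_request(query, {})
    print("verified:", verify_from_session(good, DEMO_KEY))
    # Reproduce the reported failure: the endpoint stored only SAMLRequest.
    bad = {"SAMLRequest": good["SAMLRequest"]}
    try:
        verify_from_session(bad, DEMO_KEY)
    except ValueError as exc:
        print(exc)
```

The second run in the `__main__` block mirrors the report: a session holding only SAMLRequest has nothing to verify against, and the correct behaviour is to fail closed rather than skip the check. Tampering with RelayState in the stored session also fails verification, because RelayState is inside the signed string even though it is a separate query parameter.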

peppelinux commented 3 years ago

Yes, it's pysaml2 related https://github.com/IdentityPython/pysaml2/issues/633

That's not something you can handle with a wrapper like djangosaml2idp

jur-clerkx commented 3 years ago

This issue has been fixed in pysaml2 6.4.0 https://github.com/IdentityPython/pysaml2/commit/2f756bad04da7358449a78ae75804f08fb6d25e0