SAML-Toolkits / python3-saml

MIT License

Specify multiple ACS and SLS endpoints #221

Open spaceone opened 3 years ago

spaceone commented 3 years ago

The current configuration only allows to specify one endpoint and binding for an ACS or SLS:

"sp": {
    "assertionConsumerService": {
        "url": "https://<sp_domain>/?acs",
        "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    },
    "singleLogoutService": {
        "url": "https://<sp_domain>/?sls",
        "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    }
}

Please include support for adding lists of dicts to this. The generated metadata.xml should include them all:

<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ns1="http://www.w3.org/2000/09/xmldsig#" entityID="https://master80.school.dev/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://master80.school.dev/saml/" index="1"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://master80.school.dev/saml/" index="2"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://10.200.27.80/saml/" index="3"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://10.200.27.80/saml/" index="4"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://master80.school.dev/saml/sls/"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://master80.school.dev/saml/sls/"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://master80.school.dev/saml/sls/"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://master80.school.dev/saml/sls/"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://10.200.27.80/saml/sls/"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://10.200.27.80/saml/sls/"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://10.200.27.80/saml/sls/"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://10.200.27.80/saml/sls/"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
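The multi-endpoint settings layout requested above, as an added example that is not python3-saml's own code: a settings dict in which each of the two keys may hold one dict (the current format) or a list of dicts, a builder that emits one metadata element per endpoint, and a check that lists endpoints not served over HTTPS. Hostnames are constructed, and setting isDefault on the first ACS entry is an assumption about how the default should be chosen.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed settings (hypothetical hostnames): a list of ACS endpoints in the
# requested format, plus a single SLS dict in the format the library accepts today.
SETTINGS = {
    "sp": {
        "entityId": "https://sp.example.test/saml/metadata",
        "assertionConsumerService": [
            {"url": "https://sp.example.test/saml/", "binding": POST},
            {"url": "https://sp-alt.example.test/saml/", "binding": POST},
        ],
        "singleLogoutService": {"url": "https://sp.example.test/saml/sls/", "binding": REDIRECT},
    }
}

def as_list(value):
    """Accept either one endpoint dict (current format) or a list of them."""
    return value if isinstance(value, list) else [value]

def build_sp_metadata(settings):
    """Return EntityDescriptor XML with one element per configured endpoint."""
    sp = settings["sp"]
    ET.register_namespace("md", MD_NS)
    root = ET.Element(f"{{{MD_NS}}}EntityDescriptor", entityID=sp["entityId"])
    sso = ET.SubElement(root, f"{{{MD_NS}}}SPSSODescriptor",
                        AuthnRequestsSigned="true", WantAssertionsSigned="true",
                        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol")
    # The metadata schema orders SingleLogoutService before AssertionConsumerService.
    for sls in as_list(sp.get("singleLogoutService", [])):
        ET.SubElement(sso, f"{{{MD_NS}}}SingleLogoutService",
                      Binding=sls["binding"], Location=sls["url"])
    # ACS entries are indexed; the first is marked as the default the IdP uses when
    # an AuthnRequest names no AssertionConsumerServiceIndex/URL (assumption).
    for i, acs in enumerate(as_list(sp["assertionConsumerService"]), start=1):
        ET.SubElement(sso, f"{{{MD_NS}}}AssertionConsumerService",
                      Binding=acs["binding"], Location=acs["url"],
                      index=str(i), isDefault="true" if i == 1 else "false")
    return ET.tostring(root, encoding="unicode")

def insecure_locations(settings):
    """List endpoint URLs not served over HTTPS; assertions posted there travel in the clear."""
    sp = settings["sp"]
    endpoints = as_list(sp["assertionConsumerService"]) + as_list(sp.get("singleLogoutService", []))
    return [e["url"] for e in endpoints if not e["url"].lower().startswith("https://")]
```
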

pitbulk commented 3 years ago

Right now only the Redirect binding is supported, except for the ACS SP endpoint, which uses the HTTP-POST binding. Based on that, there is no need right now to extend the current configuration.

If you plan to support multiple bindings on your Service Provider, I recommend you take a look at: https://github.com/IdentityPython/pysaml2

spaceone commented 3 years ago

pysaml2 is the product we currently use. I created this issue as an evaluation whether a migration to this project is possible. This would be a blocking issue.