SAML-Toolkits / python3-saml

MIT License

OneLogin_Saml2_IdPMetadataParser.get_metadata not compatible with self-signed certificates #403

Open sergei-maertens opened 6 months ago

sergei-maertens commented 6 months ago

Relevant code: https://github.com/SAML-Toolkits/python3-saml/blob/dab581367e38d4b93987c3c836af30ba8ff4f7cd/src/onelogin/saml2/idp_metadata_parser.py#L51

So it looks like the options are either:

In our situation, the government issues (intermediate) CAs from a self-signed root which is meant for private URLs (i.e. they should not be trusted by browsers/systems unless explicitly added). Metadata is hosted on a URL with such a certificate. We do not want to disable SSL verification entirely, and we already have mechanisms to add this root certificate to our trust store.

Could there be an option to provide an SSLContext instance ourselves to be used as an optional kwarg? If you're open to this feature, then I can provide a PR.
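What the requested kwarg would look like in practice, as an added example that is not python3-saml code and not part of this issue: a verifying `SSLContext` that additionally trusts a private root, handed to a metadata fetch built on `urllib.request.urlopen(..., context=...)`. The names `build_private_ca_context`, `fetch_idp_metadata`, the `opener` parameter (there only so the demo runs without a network) and the sample metadata bytes are hypothetical and constructed; a real deployment passes the government root PEM via `cafile`.

```python
import ssl
import urllib.request
from typing import Callable, Optional

# Constructed stand-in for a metadata document; a real IdP serves a full
# EntityDescriptor. Used only by the offline demo at the bottom.
SAMPLE_METADATA = (
    b'<?xml version="1.0"?>'
    b'<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
    b'entityID="https://idp.example.gov/saml"/>'
)


def build_private_ca_context(cafile: Optional[str] = None,
                             cadata: Optional[str] = None,
                             include_system_roots: bool = True) -> ssl.SSLContext:
    """Verifying TLS client context that also trusts a private root CA.

    include_system_roots=True adds the private root to the OS trust store, so
    public CAs keep working. False trusts only the supplied root, which is the
    stricter choice when the metadata URL is known to live under that PKI.
    Verification and hostname checking stay enabled in both cases.
    """
    if include_system_roots:
        ctx = ssl.create_default_context()            # OS roots, CERT_REQUIRED, check_hostname on
    else:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # empty trust store, same strict defaults
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if cafile or cadata:
        ctx.load_verify_locations(cafile=cafile, cadata=cadata)  # adds to, never replaces
    return ctx


def context_is_verifying(ctx: ssl.SSLContext) -> bool:
    """True only if a peer certificate is required and matched against the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def fetch_idp_metadata(url: str,
                       ssl_context: Optional[ssl.SSLContext] = None,
                       timeout: float = 10.0,
                       headers: Optional[dict] = None,
                       opener: Callable = urllib.request.urlopen) -> bytes:
    """Fetch metadata XML; refuses plain HTTP and any context with verification off.

    The returned bytes are what you would hand to a metadata parser.
    """
    if not url.lower().startswith("https://"):
        raise ValueError("IdP metadata must be fetched over https")
    ctx = ssl_context if ssl_context is not None else ssl.create_default_context()
    if not context_is_verifying(ctx):
        raise ValueError("refusing SSLContext with certificate verification disabled")
    req = urllib.request.Request(url, headers=headers or {})
    with opener(req, context=ctx, timeout=timeout) as resp:
        if resp.status != 200:
            raise RuntimeError(f"metadata endpoint returned HTTP {resp.status}")
        return resp.read()


def disabled_verification_context() -> ssl.SSLContext:
    """The 'turn verification off' alternative, shown only as what the fetcher rejects."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


class _FakeResponse:
    """Constructed response object so the demo runs with no network."""
    status = 200

    def read(self) -> bytes:
        return SAMPLE_METADATA

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def _offline_opener(req, context, timeout):
    """Constructed transport stand-in: only checks that an SSLContext was passed through."""
    assert isinstance(context, ssl.SSLContext)
    return _FakeResponse()


def demo_fetch_offline() -> bytes:
    # No cafile here so the demo runs anywhere; production passes the private root PEM.
    ctx = build_private_ca_context()
    return fetch_idp_metadata("https://idp.example.gov/metadata", ssl_context=ctx, opener=_offline_opener)


def fetch_rejects_unverified_context() -> bool:
    try:
        fetch_idp_metadata("https://idp.example.gov/metadata",
                           ssl_context=disabled_verification_context(), opener=_offline_opener)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo_fetch_offline().decode())
```

The point of the guard in `fetch_idp_metadata` is that accepting a caller-supplied context must not become a second way to disable verification: a context with `CERT_NONE` is rejected up front rather than silently used. The fetched bytes can then go to `OneLogin_Saml2_IdPMetadataParser.parse()`, which takes the metadata XML directly and does no network access of its own.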

pitbulk commented 3 months ago

@sergei-maertens sorry for the delayed response.

Yes, I think it makes sense to support it.

sergei-maertens commented 3 months ago

Nice, I'll draw up a PR!