Relevant code: https://github.com/SAML-Toolkits/python3-saml/blob/dab581367e38d4b93987c3c836af30ba8ff4f7cd/src/onelogin/saml2/idp_metadata_parser.py#L51

So it looks like the options are either:

- No support for self-signed certificate chains at all, because the default system context is used with the system CA bundles or...
- You disable SSL verification entirely

In our situation, the government issues (intermediate) CAs from a self-signed root which is meant for private URLs (i.e. they should not be trusted by browsers/systems unless explicitly added). Metadata is hosted on a URL with such a certificate. We do not want to disable SSL verification entirely, and we already have mechanisms to add this root certificate to our trust store.

Could there be an option to provide an `SSLContext` instance ourselves to be used as an optional kwarg? If you're open to this feature, then I can provide a PR.
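The two options described in the issue, and the requested third one, side by side as an added example; this is not code from python3-saml, and `build_private_root_context`, `insecure_context`, `fetch_metadata` and its `ssl_context` keyword are assumed names sketching what the feature could look like rather than the library's API. The point it makes: passing a private root via `cafile` to `ssl.create_default_context()` replaces the system bundle, so a context that should trust both has to load the system certificates first and then add the private root; and a fetch helper can refuse a non-verifying context outright rather than silently accept it.

```python
import ssl
import urllib.request
from typing import Optional


def build_private_root_context(cafile: Optional[str] = None,
                               capath: Optional[str] = None) -> ssl.SSLContext:
    """Verifying context: system CA bundle plus an explicitly added private root.

    Assumption: the private root (e.g. the government-issued self-signed root
    from the issue) lives in a PEM file/dir the caller controls.
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    # create_default_context() already does this, but stating it here makes
    # a later accidental downgrade visible in review.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    # Note: passing cafile= to create_default_context() would load ONLY that
    # file; loading the private root separately keeps the system bundle too.
    if cafile or capath:
        ctx.load_verify_locations(cafile=cafile, capath=capath)
    return ctx


def insecure_context() -> ssl.SSLContext:
    """Option 2 from the issue ("disable SSL verification entirely"), for contrast."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE  # accepts any chain, including an attacker's
    return ctx


def is_verifying(ctx: ssl.SSLContext) -> bool:
    """True only if the context checks both the chain and the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def fetch_metadata(url: str,
                   ssl_context: Optional[ssl.SSLContext] = None,
                   timeout: float = 10.0) -> bytes:
    """Hypothetical shape of a metadata fetch with an optional ssl_context kwarg.

    A missing context falls back to the default verifying one; a context that
    does not verify is rejected instead of being passed to urlopen().
    """
    if ssl_context is None:
        ssl_context = build_private_root_context()
    if not is_verifying(ssl_context):
        raise ValueError("refusing to fetch IdP metadata without certificate "
                         "and hostname verification")
    # urlopen(..., context=...) is the stdlib hook the issue asks to expose.
    with urllib.request.urlopen(url, timeout=timeout, context=ssl_context) as resp:
        return resp.read()


if __name__ == "__main__":
    # Assumed paths/URL; replace with the real private root and metadata URL.
    ctx = build_private_root_context(cafile="/etc/ssl/private-roots/gov-root.pem")
    print(fetch_metadata("https://idp.example.test/metadata", ssl_context=ctx)[:200])
```

Callers that already maintain a trust store can pass the same file to `build_private_root_context`; everything else (hostname check, chain validation, default ciphers) stays as the stdlib default.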