SAML-Toolkits / python3-saml

MIT License
704 stars 309 forks source link

OneLogin_Saml2_IdPMetadataParser.get_metadata not compatible with self-signed certificates #403

Closed sergei-maertens closed 1 month ago

sergei-maertens commented 8 months ago

Relevant code: https://github.com/SAML-Toolkits/python3-saml/blob/dab581367e38d4b93987c3c836af30ba8ff4f7cd/src/onelogin/saml2/idp_metadata_parser.py#L51

So it looks like the options are either:

In our situation, the government issues (intermediate) CAs from a self-signed root which is meant for private URLs (i.e. they should not be trusted by browsers/systems unless explicitly added). metadata is hosted on a URL with such a certificate. We do not want to disable SSL verification entirely, and we already have mechanisms to add this root certificate to our trust store.

Could there be an option to provide an SSLContext instance ourselves to be used as an optional kwarg? If you're open to this feature, then I can provide a PR.

pitbulk commented 5 months ago

@sergei-maertens sorry for the delayed response.

Yes, I think makes sense to support it

sergei-maertens commented 5 months ago

Nice, I'll draw up a PR!