UniversitaDellaCalabria / uniAuth

a Django SAML2 IDentity Provider based on pySAML2
Apache License 2.0

Allow authentication from undefined SP if they are present in the MetadataStore #9

Closed peppelinux closed 5 years ago

peppelinux commented 5 years ago

If an SP entityID is present in the MetadataStore but has not yet been defined in the ServiceProviders model, it should be allowed to authenticate.

Add DISALLOW_UNDEFINED_SP to the saml2 IdP global configuration to disallow this behaviour and only accept authentication from already configured SPs.

An undefined SP could come from an identity federation, where it would be impossible to classify each SP by its entityID manually (or via metadata processing). If an undefined SP authenticates and DISALLOW_UNDEFINED_SP is set to False (as expected with the default behaviour), the IdP should:

  1. Check whether the SP exposes some attributes as required in its metadata (needs a metadata store query);

    • If true: release only the required, and also the optional, attributes to the SP;
    • If false: release the default set of attributes configured in the global configuration;
    • If some of the attributes required by the SP are absent -> show an error message explaining to the user that the IdP cannot release some of the required attributes (list them) and refer them to the technical assistance of the SP;
  2. Add an SP option called "force available attributes release" (default=False) -> this ignores required/optional attributes and releases the attributes configured in the global configuration;

  3. Every undefined SP, when allowed to make authn requests, will be classified in the ServiceProvider model with the attributes that it requested and the default attribute processor available in the global configuration (the default one);

  4. Once an undefined SP has authenticated on the IdP it will be classified. If the sysadmin disables it by hand -> the SP cannot authenticate anymore. If the sysadmin changes the attr processor in the "Attribute mapping" json field, it will persist. If its required attributes change and "force available attributes release" is set to False, the attributes released will be updated in the "Attribute mapping" json field.

  5. Add a "last_seen" datetime attribute to the ServiceProvider model to record the datetime of the SP's last authentication.

This feature allows uniAuth to deal with large federations. Test todo: IDEM test federation testbed.

peppelinux commented 5 years ago

To fetch the required/optional attributes, if any, for an entityID, just access its metadata store object (in its pysaml2 conf object) and:

In [4]: mdstore.attribute_requirement("https://sptest.auth.unical.it/saml2/metadata/")
Out[4]: 
{'optional': [],
 'required': [{'__class__': 'urn:oasis:names:tc:SAML:2.0:metadata&RequestedAttribute',
   'friendly_name': 'email',
   'is_required': 'true',
   'name': 'email',
   'name_format': 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri'}]}
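The release policy sketched in the issue description (steps 1 to 5), driven by the `attribute_requirement()` result shape shown in the comment above, as an added example that is not uniAuth's own code. It replaces the pySAML2 MetadataStore with a plain dict keyed by entityID, and every other name (the `ServiceProvider` dataclass and its fields, `DEFAULT_ATTRIBUTES`, `decide_release`, the two exceptions) is a hypothetical stand-in for the Django model and settings the issue proposes:

```python
"""Attribute-release decision for SPs known to the metadata store but not yet
present in the ServiceProviders model. Added example, not uniAuth code; the
model, settings and function names are hypothetical stand-ins."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Hypothetical globals; the issue proposes DISALLOW_UNDEFINED_SP with False as default.
DISALLOW_UNDEFINED_SP = False
DEFAULT_ATTRIBUTES = ["eduPersonPrincipalName", "mail", "givenName", "sn"]


class SPNotAllowed(Exception):
    """The SP may not authenticate: unknown, globally disallowed, or disabled by hand."""


class MissingRequiredAttributes(Exception):
    """The IdP cannot release attributes the SP marks as required (step 1, third bullet)."""

    def __init__(self, entity_id: str, missing: list):
        super().__init__(f"{entity_id} requires {missing}, which the IdP cannot release")
        self.entity_id = entity_id
        self.missing = missing  # to be shown to the user so they can contact the SP's support


@dataclass
class ServiceProvider:
    """Stand-in for a ServiceProvider model row (hypothetical field names)."""
    entity_id: str
    is_active: bool = True
    force_available_attributes_release: bool = False  # step 2
    attribute_mapping: list = field(default_factory=list)  # attribute names last released
    last_seen: Optional[datetime] = None  # step 5


# Constructed metadata store: entityID -> the dict mdstore.attribute_requirement() returns.
METADATA_STORE = {
    "https://sp-with-requirements.example.org/saml2/metadata/": {
        "required": [{"name": "mail", "friendly_name": "mail", "is_required": "true"}],
        "optional": [{"name": "givenName", "friendly_name": "givenName", "is_required": "false"}],
    },
    "https://sp-no-requirements.example.org/saml2/metadata/": {"required": [], "optional": []},
}


def decide_release(entity_id, user_attributes, registry, mdstore=METADATA_STORE,
                   disallow_undefined=DISALLOW_UNDEFINED_SP,
                   default_attributes=DEFAULT_ATTRIBUTES, now=None):
    """Return the attributes to release to entity_id, or raise.

    registry maps entityID -> ServiceProvider and plays the role of the
    ServiceProviders model: undefined SPs are added to it on first use (step 3).
    """
    sp = registry.get(entity_id)
    if sp is None:
        # An SP absent from both the model and the metadata store is never trusted;
        # one known only to the metadata store is admitted unless DISALLOW_UNDEFINED_SP.
        if disallow_undefined or entity_id not in mdstore:
            raise SPNotAllowed(entity_id)
        sp = registry[entity_id] = ServiceProvider(entity_id=entity_id)
    elif not sp.is_active:
        # Disabled by hand by the sysadmin: no further authentication (step 4).
        raise SPNotAllowed(entity_id)

    requirement = mdstore.get(entity_id) or {"required": [], "optional": []}
    required = [a["name"] for a in requirement["required"]]
    optional = [a["name"] for a in requirement["optional"]]

    if sp.force_available_attributes_release or not required:
        # Step 2, or the "false" branch of step 1: the globally configured default set.
        wanted = list(default_attributes)
    else:
        # "True" branch of step 1: only what the SP asks for, required plus optional,
        # and refuse with an explanation when a required attribute is unavailable.
        missing = [name for name in required if name not in user_attributes]
        if missing:
            raise MissingRequiredAttributes(entity_id, missing)
        wanted = required + optional

    if not sp.force_available_attributes_release:
        # Step 4: metadata requirements refresh the stored mapping unless forced.
        sp.attribute_mapping = wanted
    sp.last_seen = now or datetime.now(timezone.utc)
    return {name: user_attributes[name] for name in wanted if name in user_attributes}
```

The check against `mdstore` is the important one: an entityID that is in neither the model nor the federation metadata is rejected even with DISALLOW_UNDEFINED_SP left at False, so the relaxed default only trusts SPs the federation's metadata already vouches for.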
peppelinux commented 5 years ago

https://github.com/UniversitaDellaCalabria/uniAuth/commit/c3efb687b419e16ab7663dca6e2fac7007cef030