jpf / okta-pysaml2-example

Example SAML Service Provider for Python/Flask using PySAML2
Apache License 2.0
73 stars 38 forks

Add support for using an https ACS URI #1

Closed gene1wood closed 9 years ago

gene1wood commented 9 years ago

The Okta example code shows ngrok images where both http and https are being forwarded to the okta-pysaml2-example flask app. Unfortunately, the example settings which use the url_for flask method only contain a list of http ACS endpoints. If a user using the example code sees the ngrok screenshots and wants to use an https endpoint instead, they'll encounter the error

ERROR:saml2.response:https://example.ngrok.com/saml/sso/test not in ['http://example.ngrok.com/saml/sso/test']

and the uncaught exception

INFO:werkzeug:127.0.0.1 - - [21/May/2015 11:18:02] "POST /saml/sso/test HTTP/1.1" 500 -
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1836, in __call__
    return self.wsgi_app(environ, start_response)
  File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1820, in wsgi_app
    response = self.make_response(self.handle_exception(e))
  File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1403, in handle_exception
    reraise(exc_type, exc_value, tb)
  File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1817, in wsgi_app
    response = self.full_dispatch_request()
  File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1477, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1381, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1475, in full_dispatch_request
    rv = self.dispatch_request()
  File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1461, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/path/to/okta-pysaml2-example/app.py", line 153, in idp_initiated
    authn_response.get_identity()
AttributeError: 'NoneType' object has no attribute 'get_identity'

Here's how I've updated the example code to work with https. If there's a more elegant way to get the ACS list to support https when needed, that would work too.
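The ACS membership check behind the error above, as an added example that is not part of this PR or the okta-pysaml2-example repository: it builds PySAML2 `assertion_consumer_service` entries for both schemes and reproduces the exact-match check that rejects the https Destination when only http is configured. The hostname and path are assumed values in the ngrok style the ticket uses.

```python
from urllib.parse import urlsplit, urlunsplit

# Binding identifier as used by PySAML2 (saml2.BINDING_HTTP_POST)
BINDING_HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def acs_endpoints(base_url, path, schemes=("http", "https")):
    """Build the 'assertion_consumer_service' list for a PySAML2 SP config.

    One (url, binding) tuple is emitted per scheme so that a response whose
    Destination uses either http or https is accepted, which is what the
    ngrok setup in the ticket needs. base_url is the public hostname the
    IdP posts back to (assumed here); path is the Flask route for the ACS.
    """
    parts = urlsplit(base_url)
    return [
        (urlunsplit((scheme, parts.netloc, path, "", "")), BINDING_HTTP_POST)
        for scheme in schemes
    ]


def destination_allowed(destination, endpoints):
    """Mirror the membership check that produced the ticket's error.

    The Destination from the SAML response must match a configured ACS URL
    exactly: scheme, host and path. No prefix or host-only matching, since a
    looser rule would let a response addressed elsewhere be consumed here.
    Returns (ok, error_message).
    """
    allowed = [url for url, _binding in endpoints]
    if destination not in allowed:
        return False, "%s not in %r" % (destination, allowed)
    return True, None


if __name__ == "__main__":
    # Constructed values; the real hostname is whatever ngrok assigns.
    eps = acs_endpoints("http://example.ngrok.com", "/saml/sso/test")
    print(destination_allowed("https://example.ngrok.com/saml/sso/test", eps))
```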

gene1wood commented 9 years ago

Another approach would be something with the PREFERRED_URL_SCHEME flask config setting

```python
from flask import Flask

app = Flask(__name__)
# Make url_for() build external URLs with https instead of http
app.config.update(dict(
    PREFERRED_URL_SCHEME='https'
))
```

jpf commented 9 years ago

This is great! Is it safe for me to assume that you tested this as working?

I should write some tests

jpf commented 9 years ago

I like your first approach better. It's more verbose, but seems (to me) to be more clear.

gene1wood commented 9 years ago

Yes, I've tested this and it resolves the issue for https SPs. I also tried to get the PREFERRED_URL_SCHEME approach to work but didn't have luck.

jpf commented 9 years ago

Cool, thanks for the PR! :bow: