Added support for selectable SIGN and DIGEST algs in saml2_backend #214
Conversation
If the supported algorithm identifiers are not those from the W3C XMLDsig spec, the documentation should enumerate the possible values, e.g. by pointing to the relevant code section: https://github.com/IdentityPython/pysaml2/blob/master/src/saml2/xmldsig/__init__.py#L17 Also, do I understand correctly that there are different yaml paths for the key words in the SP and IDP config? If this is the case, it should be explained in the documentation.
Yes, paths are different for sp and idp. In the backend I followed this path to get the value: This could also be understood intuitively because of its yaml structure.
I think that we could document and develop a better approach to push custom options into every kwarg in a more generalized way as well. I just did this and probably this approach could be used to merge any other options. I'd prefer to avoid all those try/except found in pySAML2, because I think that it's better to raise the exception if an invalid option is used, instead of hiding the problem. This could also remove the constant doubt in pysaml2 about config or code problems. I agree about better documentation, we could do more. SaToSa needs it, it's a great piece of software! A similar experience, about sign and digest algs, was already done in pySAML2 here:
I'd also say regarding available algorithms:
This should be the reference, an easy way to document how to get them all without any static constant in the documentation. ...I'd also like to push an option in pySAML2 config to disallow some of those algorithms, but this would be another thread!
Hi @c00kiemon5ter, probably it's the moment to merge this PR, IdentityPython/pysaml2#744 has been successfully merged in pysaml2 as well, so it should work as it is.
We do not need this anymore. We have introduced the ... an example of the configuration would be:

```yaml
module: satosa.backends.saml2.SAMLBackend
name: Saml2
config:
  sp_config:
    service:
      sp:
        signing_algorithm: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"
        digest_algorithm: "http://www.w3.org/2001/04/xmlenc#sha512"
```

YAML and satosa are not responsible to resolve symbols. A symbol like
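The thread leaves two practical questions open: which identifiers are valid for `signing_algorithm` / `digest_algorithm`, and whether a misconfiguration should fail loudly rather than be swallowed by a try/except. The snippet below is an added example, not SATOSA's or pysaml2's code. It assumes a config dict with the same layout as the saml2_backend.yaml above (embedded here as a constructed Python dict so no YAML library is needed), checks the two settings against the W3C XML-DSig / XML-Enc URIs that pysaml2's `saml2.xmldsig` module uses, and raises on an unknown value or on a SHA-1 algorithm unless the caller explicitly allows it. The `AlgorithmConfigError` class and `validate_algorithms` / `with_algorithms` functions are names chosen for this example.

```python
"""Validate the signing/digest algorithm settings of a SATOSA saml2 backend config.

Added example (not SATOSA's or pysaml2's own code).
"""
import copy

# Constructed stand-in for the parsed saml2_backend.yaml shown in the thread.
SAMPLE_BACKEND_CONFIG = {
    "module": "satosa.backends.saml2.SAMLBackend",
    "name": "Saml2",
    "config": {
        "sp_config": {
            "service": {
                "sp": {
                    "signing_algorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
                    "digest_algorithm": "http://www.w3.org/2001/04/xmlenc#sha512",
                }
            }
        }
    },
}

# W3C XML-DSig / XML-Enc identifiers (RFC 4051 for the "xmldsig-more" ones).
SIGNING_ALGS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
}
DIGEST_ALGS = {
    "http://www.w3.org/2000/09/xmldsig#sha1",
    "http://www.w3.org/2001/04/xmlenc#sha256",
    "http://www.w3.org/2001/04/xmldsig-more#sha384",
    "http://www.w3.org/2001/04/xmlenc#sha512",
}
# SHA-1 based identifiers: syntactically valid, but refused unless explicitly allowed.
WEAK_ALGS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#sha1",
}

# YAML path under which the SP-side settings live (differs from the IdP side).
SP_PATH = ("config", "sp_config", "service", "sp")


class AlgorithmConfigError(ValueError):
    """Raised for a missing, unknown or weak algorithm setting."""


def _sp_section(cfg):
    """Walk SP_PATH and return the sp mapping, raising if any key is absent."""
    node = cfg
    for key in SP_PATH:
        if not isinstance(node, dict) or key not in node:
            raise AlgorithmConfigError("missing key %r under %s" % (key, "/".join(SP_PATH)))
        node = node[key]
    return node


def validate_algorithms(cfg, allow_weak=False):
    """Return (signing_algorithm, digest_algorithm) or raise AlgorithmConfigError.

    Errors are raised rather than swallowed, so a typo in the URI or an
    unintended SHA-1 choice is visible at startup instead of at request time.
    """
    sp = _sp_section(cfg)
    chosen = []
    for key, allowed in (("signing_algorithm", SIGNING_ALGS), ("digest_algorithm", DIGEST_ALGS)):
        value = sp.get(key)
        if value is None:
            raise AlgorithmConfigError("%s is not set" % key)
        if value not in allowed:
            raise AlgorithmConfigError(
                "%s=%r is not a known URI; expected one of %s" % (key, value, sorted(allowed))
            )
        if value in WEAK_ALGS and not allow_weak:
            raise AlgorithmConfigError("%s=%r is a SHA-1 algorithm; refusing to use it" % (key, value))
        chosen.append(value)
    return tuple(chosen)


def with_algorithms(cfg, signing=None, digest=None):
    """Return a deep copy of cfg with the SP algorithm settings overridden (for tests/demos)."""
    new_cfg = copy.deepcopy(cfg)
    sp = _sp_section(new_cfg)
    if signing is not None:
        sp["signing_algorithm"] = signing
    if digest is not None:
        sp["digest_algorithm"] = digest
    return new_cfg


if __name__ == "__main__":
    print(validate_algorithms(SAMPLE_BACKEND_CONFIG))
    try:
        validate_algorithms(with_algorithms(SAMPLE_BACKEND_CONFIG, digest="http://www.w3.org/2000/09/xmldsig#sha1"))
    except AlgorithmConfigError as exc:
        print("rejected:", exc)
```

Running the module prints the accepted rsa-sha512 / sha512 pair from the sample config and then the rejection message for a SHA-1 digest. The check is deliberately a plain allow-list rather than a prefix match, so a mistyped URI such as a missing `#` fragment is reported as unknown rather than silently passed through to pysaml2.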
With this PR we can specify the desired sign and digest algs in saml2_backend.yaml as follows:
With this we'll have the backend's authnRequest to the saml2 idp with the desired sign and digest algorithm, as in the following example:
Hope to see this merged soon. Thank you