authorDamien Laniel <dlaniel@entrouvert.com>2008-05-30 09:56:31 (GMT)
committerDamien Laniel <dlaniel@entrouvert.com>2008-05-30 09:56:31 (GMT)
commit2143c9ac384164c6e1b5db4fd17c4a373f17cdf3 (patch)
tree26ed52870ff0247300a7dedf6c50beb4ac1c1ff3 /authentic/admin/settings.ptl
parent03fd10256317a894dd3ebb3ab9b063feb649ab62 (diff)
Improved metadata generation code:
* made the generated metadata compatible with most other implementations * added some missing KeyDescriptors * made the generated metadata more readable * cleaned up the code
Diffstat (limited to 'authentic/admin/settings.ptl')
-rw-r--r--authentic/admin/settings.ptl342
1 files changed, 167 insertions, 175 deletions
diff --git a/authentic/admin/settings.ptl b/authentic/admin/settings.ptl
index 2a16541..f2e82ab 100644
--- a/authentic/admin/settings.ptl
+++ b/authentic/admin/settings.ptl
@@ -1243,15 +1243,8 @@ class SettingsDirectory(Directory):
get_publisher().write_cfg()
- def get_metadata(self):
- prologue = """<?xml version="1.0"?>
-<EntityDescriptor
- providerID="%(providerid)s"
- xmlns="urn:liberty:metadata:2003-08">""" % get_publisher().cfg['idp']
-
- idp_head = '<IDPDescriptor protocolSupportEnumeration="urn:liberty:iff:2003-08">'
-
- idp_key = {}
+ def get_key_descriptors(self):
+ idp_keys = {}
dir = get_publisher().app_dir
publickey_fn = os.path.join(dir, 'public-key.pem')
@@ -1263,218 +1256,217 @@ class SettingsDirectory(Directory):
encryption_pem_key = ''
if os.path.exists(encryption_publickey_fn):
encryption_pem_key = file(encryption_publickey_fn).read()
-
+
for key_type in ('signing', 'encryption'):
if key_type == 'signing':
pem_key = signing_pem_key
else:
pem_key = encryption_pem_key
if 'CERTIF' in pem_key:
- idp_key[key_type] = """<KeyDescriptor use="%s">
- <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
- <ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data>
- </ds:KeyInfo>
- </KeyDescriptor>""" % (key_type, pem_key)
+ pem_key = pem_key.strip()
+ pem_key = pem_key.strip('-----BEGIN CERTIFICATE-----')
+ pem_key = pem_key.strip('-----END CERTIFICATE-----')
+ pem_key = pem_key.strip()
+ idp_keys[key_type] = """
+ <KeyDescriptor use="%s">
+ <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+ <ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data>
+ </ds:KeyInfo>
+ </KeyDescriptor>""" % (key_type, pem_key)
elif 'KEY' in pem_key:
- idp_key[key_type] = """<KeyDescriptor use="%s">
- <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
- <ds:KeyValue>%s</ds:KeyValue>
- </ds:KeyInfo>
- </KeyDescriptor>""" % (key_type, pem_key)
+ pem_key = pem_key.strip()
+ pem_key = pem_key.strip('-----END PUBLIC KEY-----')
+ pem_key = pem_key.strip('-----BEGIN PUBLIC KEY-----')
+ pem_key = pem_key.strip()
+ idp_keys[key_type] = """
+ <KeyDescriptor use="%s">
+ <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+ <ds:KeyValue>%s</ds:KeyValue>
+ </ds:KeyInfo>
+ </KeyDescriptor>""" % (key_type, pem_key)
else:
- idp_key[key_type] = ''
+ idp_keys[key_type] = ''
+ return idp_keys
+
+ def get_metadata(self):
+ key_descriptors = self.get_key_descriptors()
+
+ prologue = """<?xml version="1.0"?>
+<EntityDescriptor
+ providerID="%(providerid)s"
+ xmlns="urn:liberty:metadata:2003-08">""" % get_publisher().cfg['idp']
+
+ idp_head = """
+ <IDPDescriptor protocolSupportEnumeration="urn:liberty:iff:2003-08">"""
idp_body = """
- <SoapEndpoint>%(base_soap_url)s/soapEndpoint</SoapEndpoint>
-
- <SingleLogoutServiceURL>%(base_url)s/singleLogout</SingleLogoutServiceURL>
- <SingleLogoutServiceReturnURL>%(base_url)s/singleLogoutReturn</SingleLogoutServiceReturnURL>
-
- <FederationTerminationServiceURL>%(base_url)s/federationTermination</FederationTerminationServiceURL>
- <FederationTerminationServiceReturnURL>%(base_url)s/federationTerminationReturn</FederationTerminationServiceReturnURL>
- <FederationTerminationNotificationProtocolProfile>http://projectliberty.org/profiles/fedterm-idp-soap</FederationTerminationNotificationProtocolProfile>
- <FederationTerminationNotificationProtocolProfile>http://projectliberty.org/profiles/fedterm-idp-http</FederationTerminationNotificationProtocolProfile>
- <FederationTerminationNotificationProtocolProfile>http://projectliberty.org/profiles/fedterm-sp-soap</FederationTerminationNotificationProtocolProfile>
- <FederationTerminationNotificationProtocolProfile>http://projectliberty.org/profiles/fedterm-sp-http</FederationTerminationNotificationProtocolProfile>
-
- <SingleLogoutProtocolProfile>http://projectliberty.org/profiles/slo-idp-soap</SingleLogoutProtocolProfile>
- <SingleLogoutProtocolProfile>http://projectliberty.org/profiles/slo-idp-http</SingleLogoutProtocolProfile>
- <SingleLogoutProtocolProfile>http://projectliberty.org/profiles/slo-sp-soap</SingleLogoutProtocolProfile>
- <SingleLogoutProtocolProfile>http://projectliberty.org/profiles/slo-sp-http</SingleLogoutProtocolProfile>
-
- <RegisterNameIdentifierProtocolProfile>http://projectliberty.org/profiles/rni-idp-soap</RegisterNameIdentifierProtocolProfile>
- <RegisterNameIdentifierProtocolProfile>http://projectliberty.org/profiles/rni-idp-http</RegisterNameIdentifierProtocolProfile>
- <RegisterNameIdentifierProtocolProfile>http://projectliberty.org/profiles/rni-sp-soap</RegisterNameIdentifierProtocolProfile>
- <RegisterNameIdentifierProtocolProfile>http://projectliberty.org/profiles/rni-sp-http</RegisterNameIdentifierProtocolProfile>
- <RegisterNameIdentifierServiceURL>%(base_url)s/registerNameIdentifier</RegisterNameIdentifierServiceURL>
- <RegisterNameIdentifierServiceReturnURL>%(base_url)s/registerNameIdentifierReturn</RegisterNameIdentifierServiceReturnURL>
-
- <SingleSignOnServiceURL>%(base_url)s/singleSignOn</SingleSignOnServiceURL>
- <SingleSignOnProtocolProfile>http://projectliberty.org/profiles/brws-art</SingleSignOnProtocolProfile>
- <SingleSignOnProtocolProfile>http://projectliberty.org/profiles/brws-post</SingleSignOnProtocolProfile>
-
-</IDPDescriptor>""" % get_publisher().cfg['idp']
-
- sp = ''
- sp_key = ''
+ <SoapEndpoint>%(base_soap_url)s/soapEndpoint</SoapEndpoint>
+
+ <SingleLogoutServiceURL>%(base_url)s/singleLogout</SingleLogoutServiceURL>
+ <SingleLogoutServiceReturnURL>%(base_url)s/singleLogoutReturn</SingleLogoutServiceReturnURL>
+
+ <FederationTerminationServiceURL>%(base_url)s/federationTermination</FederationTerminationServiceURL>
+ <FederationTerminationServiceReturnURL>%(base_url)s/federationTerminationReturn</FederationTerminationServiceReturnURL>
+ <FederationTerminationNotificationProtocolProfile>http://projectliberty.org/profiles/fedterm-idp-soap</FederationTerminationNotificationProtocolProfile>
+ <FederationTerminationNotificationProtocolProfile>http://projectliberty.org/profiles/fedterm-idp-http</FederationTerminationNotificationProtocolProfile>
+ <FederationTerminationNotificationProtocolProfile>http://projectliberty.org/profiles/fedterm-sp-soap</FederationTerminationNotificationProtocolProfile>
+ <FederationTerminationNotificationProtocolProfile>http://projectliberty.org/profiles/fedterm-sp-http</FederationTerminationNotificationProtocolProfile>
+
+ <SingleLogoutProtocolProfile>http://projectliberty.org/profiles/slo-idp-soap</SingleLogoutProtocolProfile>
+ <SingleLogoutProtocolProfile>http://projectliberty.org/profiles/slo-idp-http</SingleLogoutProtocolProfile>
+ <SingleLogoutProtocolProfile>http://projectliberty.org/profiles/slo-sp-soap</SingleLogoutProtocolProfile>
+ <SingleLogoutProtocolProfile>http://projectliberty.org/profiles/slo-sp-http</SingleLogoutProtocolProfile>
+
+ <RegisterNameIdentifierProtocolProfile>http://projectliberty.org/profiles/rni-idp-soap</RegisterNameIdentifierProtocolProfile>
+ <RegisterNameIdentifierProtocolProfile>http://projectliberty.org/profiles/rni-idp-http</RegisterNameIdentifierProtocolProfile>
+ <RegisterNameIdentifierProtocolProfile>http://projectliberty.org/profiles/rni-sp-soap</RegisterNameIdentifierProtocolProfile>
+ <RegisterNameIdentifierProtocolProfile>http://projectliberty.org/profiles/rni-sp-http</RegisterNameIdentifierProtocolProfile>
+ <RegisterNameIdentifierServiceURL>%(base_url)s/registerNameIdentifier</RegisterNameIdentifierServiceURL>
+ <RegisterNameIdentifierServiceReturnURL>%(base_url)s/registerNameIdentifierReturn</RegisterNameIdentifierServiceReturnURL>
+
+ <SingleSignOnServiceURL>%(base_url)s/singleSignOn</SingleSignOnServiceURL>
+ <SingleSignOnProtocolProfile>http://projectliberty.org/profiles/brws-art</SingleSignOnProtocolProfile>
+ <SingleSignOnProtocolProfile>http://projectliberty.org/profiles/brws-post</SingleSignOnProtocolProfile>
+
+ </IDPDescriptor>""" % get_publisher().cfg['idp']
+
+ idp = '\n'.join([idp_head, key_descriptors['signing'], key_descriptors['encryption'], idp_body])
+
if get_publisher().cfg['idp'].get('idff_proxy'):
- sp = """
- <SPDescriptor protocolSupportEnumeration="urn:liberty:iff:2003-08">
+ sp_head = """
+ <SPDescriptor protocolSupportEnumeration="urn:liberty:iff:2003-08">"""
+ sp_body = """
+ <SoapEndpoint>%(base_soap_url)s/proxySoapEndpoint</SoapEndpoint>
- <SoapEndpoint>%(base_soap_url)s/proxySoapEndpoint</SoapEndpoint>
+ <SingleLogoutServiceURL>%(base_url)s/proxySingleLogout</SingleLogoutServiceURL>
+ <SingleLogoutServiceReturnURL>%(base_url)s/proxySingleLogoutReturn</SingleLogoutServiceReturnURL>
- <SingleLogoutServiceURL>%(base_url)s/proxySingleLogout</SingleLogoutServiceURL>
- <SingleLogoutServiceReturnURL>%(base_url)s/proxySingleLogoutReturn</SingleLogoutServiceReturnURL>
+ <FederationTerminationServiceURL>%(base_url)s/proxyFederationTermination</FederationTerminationServiceURL>
+ <FederationTerminationServiceReturnURL>%(base_url)s/proxyFederationTerminationReturn</FederationTerminationServiceReturnURL>
+ <FederationTerminationNotificationProtocolProfile>http://projectliberty.org/profiles/fedterm-idp-soap</FederationTerminationNotificationProtocolProfile>
+ <FederationTerminationNotificationProtocolProfile>http://projectliberty.org/profiles/fedterm-idp-http</FederationTerminationNotificationProtocolProfile>
+ <FederationTerminationNotificationProtocolProfile>http://projectliberty.org/profiles/fedterm-sp-soap</FederationTerminationNotificationProtocolProfile>
+ <FederationTerminationNotificationProtocolProfile>http://projectliberty.org/profiles/fedterm-sp-http</FederationTerminationNotificationProtocolProfile>
- <FederationTerminationServiceURL>%(base_url)s/proxyFederationTermination</FederationTerminationServiceURL>
- <FederationTerminationServiceReturnURL>%(base_url)s/proxyFederationTerminationReturn</FederationTerminationServiceReturnURL>
- <FederationTerminationNotificationProtocolProfile>http://projectliberty.org/profiles/fedterm-idp-soap</FederationTerminationNotificationProtocolProfile>
- <FederationTerminationNotificationProtocolProfile>http://projectliberty.org/profiles/fedterm-idp-http</FederationTerminationNotificationProtocolProfile>
- <FederationTerminationNotificationProtocolProfile>http://projectliberty.org/profiles/fedterm-sp-soap</FederationTerminationNotificationProtocolProfile>
- <FederationTerminationNotificationProtocolProfile>http://projectliberty.org/profiles/fedterm-sp-http</FederationTerminationNotificationProtocolProfile>
+ <SingleLogoutProtocolProfile>http://projectliberty.org/profiles/slo-idp-soap</SingleLogoutProtocolProfile>
+ <SingleLogoutProtocolProfile>http://projectliberty.org/profiles/slo-idp-http</SingleLogoutProtocolProfile>
+ <SingleLogoutProtocolProfile>http://projectliberty.org/profiles/slo-sp-soap</SingleLogoutProtocolProfile>
+ <SingleLogoutProtocolProfile>http://projectliberty.org/profiles/slo-sp-http</SingleLogoutProtocolProfile>
- <SingleLogoutProtocolProfile>http://projectliberty.org/profiles/slo-idp-soap</SingleLogoutProtocolProfile>
- <SingleLogoutProtocolProfile>http://projectliberty.org/profiles/slo-idp-http</SingleLogoutProtocolProfile>
- <SingleLogoutProtocolProfile>http://projectliberty.org/profiles/slo-sp-soap</SingleLogoutProtocolProfile>
- <SingleLogoutProtocolProfile>http://projectliberty.org/profiles/slo-sp-http</SingleLogoutProtocolProfile>
+ <RegisterNameIdentifierProtocolProfile>http://projectliberty.org/profiles/rni-idp-soap</RegisterNameIdentifierProtocolProfile>
+ <RegisterNameIdentifierProtocolProfile>http://projectliberty.org/profiles/rni-idp-http</RegisterNameIdentifierProtocolProfile>
+ <RegisterNameIdentifierProtocolProfile>http://projectliberty.org/profiles/rni-sp-soap</RegisterNameIdentifierProtocolProfile>
+ <RegisterNameIdentifierProtocolProfile>http://projectliberty.org/profiles/rni-sp-http</RegisterNameIdentifierProtocolProfile>
+ <RegisterNameIdentifierServiceURL>%(base_url)s/proxyRegisterNameIdentifier</RegisterNameIdentifierServiceURL>
+ <RegisterNameIdentifierServiceReturnURL>%(base_url)s/proxyRegisterNameIdentifierReturn</RegisterNameIdentifierServiceReturnURL>
- <RegisterNameIdentifierProtocolProfile>http://projectliberty.org/profiles/rni-idp-soap</RegisterNameIdentifierProtocolProfile>
- <RegisterNameIdentifierProtocolProfile>http://projectliberty.org/profiles/rni-idp-http</RegisterNameIdentifierProtocolProfile>
- <RegisterNameIdentifierProtocolProfile>http://projectliberty.org/profiles/rni-sp-soap</RegisterNameIdentifierProtocolProfile>
- <RegisterNameIdentifierProtocolProfile>http://projectliberty.org/profiles/rni-sp-http</RegisterNameIdentifierProtocolProfile>
- <RegisterNameIdentifierServiceURL>%(base_url)s/proxyRegisterNameIdentifier</RegisterNameIdentifierServiceURL>
- <RegisterNameIdentifierServiceReturnURL>%(base_url)s/proxyRegisterNameIdentifierReturn</RegisterNameIdentifierServiceReturnURL>
+ <AssertionConsumerServiceURL id="AssertionConsumerServiceURL1" isDefault="true">%(base_url)s/proxyAssertionConsumer</AssertionConsumerServiceURL>
- <AuthnRequestsSigned>true</AuthnRequestsSigned>
+ <AuthnRequestsSigned>true</AuthnRequestsSigned>
- <AssertionConsumerServiceURL id="AssertionConsumerServiceURL1" isDefault="true">%(base_url)s/proxyAssertionConsumer</AssertionConsumerServiceURL>
+ </SPDescriptor>""" % get_publisher().cfg['idp']
-</SPDescriptor>""" % get_publisher().cfg['idp']
+ sp = '\n'.join([sp_head, key_descriptors['signing'], key_descriptors['encryption'], sp_body])
+ else:
+ sp = ''
if get_publisher().cfg['idp'].get('organization_name'):
- epilogue = """<Organization>
- <OrganizationName>%s</OrganizationName>
- </Organization>
+ epilogue = """
+ <Organization>
+ <OrganizationName>%s</OrganizationName>
+ </Organization>
- </EntityDescriptor>""" % unicode(
+</EntityDescriptor>""" % unicode(
get_publisher().cfg['idp']['organization_name'], 'iso-8859-1').encode('utf-8')
else:
epilogue = '</EntityDescriptor>'
- return '\n'.join([prologue, idp_head, idp_key['signing'], idp_key['encryption'], idp_body, sp, sp_key, epilogue])
+ return '\n'.join([prologue, idp, sp, epilogue])
def get_saml2_metadata(self):
+ key_descriptors = self.get_key_descriptors()
+
prologue = """<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
entityID="%(saml2_providerid)s">""" % get_publisher().cfg['idp']
- idp_head = """<IDPSSODescriptor
- WantAuthnRequestsSigned="true"
- protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">"""
-
- idp_key = {}
- dir = get_publisher().app_dir
-
- publickey_fn = os.path.join(dir, 'public-key.pem')
- signing_pem_key = ''
- if os.path.exists(publickey_fn):
- signing_pem_key = file(publickey_fn).read()
-
- encryption_publickey_fn = os.path.join(get_publisher().app_dir, 'encryption-public-key.pem')
- encryption_pem_key = ''
- if os.path.exists(encryption_publickey_fn):
- encryption_pem_key = file(encryption_publickey_fn).read()
-
- for key_type in ('signing', 'encryption'):
- if key_type == 'signing':
- pem_key = signing_pem_key
- else:
- pem_key = encryption_pem_key
- if 'CERTIF' in pem_key:
- idp_key[key_type] = """<KeyDescriptor use="%s">
- <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
- <ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data>
- </ds:KeyInfo>
- </KeyDescriptor>""" % (key_type, pem_key)
- elif 'KEY' in pem_key:
- idp_key[key_type] = """<KeyDescriptor use="%s">
- <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
- <ds:KeyValue>%s</ds:KeyValue>
- </ds:KeyInfo>
- </KeyDescriptor>""" % (key_type, pem_key)
- else:
- idp_key[key_type] = ''
-
+ idp_head = """
+ <IDPSSODescriptor
+ WantAuthnRequestsSigned="true"
+ protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">"""
idp_body = """
- <ArtifactResolutionService isDefault="true" index="0"
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
- Location="%(saml2_base_soap_url)s/artifact" />
- <SingleLogoutService
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
- Location="%(saml2_base_soap_url)s/singleLogoutSOAP" />
- <SingleLogoutService
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
- Location="%(saml2_base_url)s/singleLogout"
- ResponseLocation="%(saml2_base_url)s/singleLogoutReturn" />
- <ManageNameIDService
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
- Location="%(saml2_base_soap_url)s/manageNameIdSOAP" />
- <ManageNameIDService
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
- Location="%(saml2_base_url)s/manageNameId"
- ResponseLocation="%(saml2_base_url)s/manageNameIdReturn" />
- <SingleSignOnService
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
- Location="%(saml2_base_url)s/singleSignOn" />
- <SingleSignOnService
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
- Location="%(saml2_base_soap_url)s/singleSignOnSOAP" />
-</IDPSSODescriptor>""" % get_publisher().cfg['idp']
-
- sp = ''
+ <ArtifactResolutionService isDefault="true" index="0"
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
+ Location="%(saml2_base_soap_url)s/artifact" />
+ <SingleLogoutService
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
+ Location="%(saml2_base_soap_url)s/singleLogoutSOAP" />
+ <SingleLogoutService
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+ Location="%(saml2_base_url)s/singleLogout"
+ ResponseLocation="%(saml2_base_url)s/singleLogoutReturn" />
+ <ManageNameIDService
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
+ Location="%(saml2_base_soap_url)s/manageNameIdSOAP" />
+ <ManageNameIDService
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+ Location="%(saml2_base_url)s/manageNameId"
+ ResponseLocation="%(saml2_base_url)s/manageNameIdReturn" />
+ <SingleSignOnService
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+ Location="%(saml2_base_url)s/singleSignOn" />
+ <SingleSignOnService
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
+ Location="%(saml2_base_soap_url)s/singleSignOnSOAP" />
+ </IDPSSODescriptor>""" % get_publisher().cfg['idp']
+
+ idp = '\n'.join([idp_head, key_descriptors['signing'], key_descriptors['encryption'], idp_body])
+
if get_publisher().cfg['idp'].get('idff_proxy'):
- sp_head = '''<SPSSODescriptor
- AuthnRequestsSigned="true"
- protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'''
-
- sp_body = '''
- <SingleLogoutService
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
- Location="%(saml2_base_url)s/proxySingleLogoutSOAP" />
- <SingleLogoutService
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
- Location="%(saml2_base_url)s/proxySingleLogout"
- ResponseLocation="%(saml2_base_url)s/proxySingleLogoutReturn" />
- <AssertionConsumerService isDefault="true" index="0"
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
- Location="%(saml2_base_url)s/proxySingleSignOnArtifact" />
- <AssertionConsumerService index="1"
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
- Location="%(saml2_base_url)s/proxySingleSignOnPost" />
- <AssertionConsumerService index="2"
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
- Location="%(saml2_base_url)s/proxySingleSignOnRedirect" />
-</SPSSODescriptor>''' % get_publisher().cfg['idp']
-
- sp = '\n'.join([sp_head, idp_key['signing'], idp_key['encryption'], sp_body])
+ sp_head = """
+ <SPSSODescriptor
+ AuthnRequestsSigned="true"
+ protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">"""
+
+ sp_body = """
+ <SingleLogoutService
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
+ Location="%(saml2_base_url)s/proxySingleLogoutSOAP" />
+ <SingleLogoutService
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+ Location="%(saml2_base_url)s/proxySingleLogout"
+ ResponseLocation="%(saml2_base_url)s/proxySingleLogoutReturn" />
+ <AssertionConsumerService isDefault="true" index="0"
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
+ Location="%(saml2_base_url)s/proxySingleSignOnArtifact" />
+ <AssertionConsumerService index="1"
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+ Location="%(saml2_base_url)s/proxySingleSignOnPost" />
+ <AssertionConsumerService index="2"
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+ Location="%(saml2_base_url)s/proxySingleSignOnRedirect" />
+ </SPSSODescriptor>""" % get_publisher().cfg['idp']
+
+ sp = '\n'.join([sp_head, key_descriptors['signing'], key_descriptors['encryption'], sp_body])
+ else:
+ sp = ''
if get_publisher().cfg['idp'].get('organization_name'):
- epilogue = """<Organization>
- <OrganizationName xml:lang="en">%s</OrganizationName>
-</Organization>
+ epilogue = """
+ <Organization>
+ <OrganizationName xml:lang="en">%s</OrganizationName>
+ </Organization>
</EntityDescriptor>""" % unicode(
get_publisher().cfg['idp']['organization_name'], 'iso-8859-1').encode('utf-8')
else:
epilogue = '</EntityDescriptor>'
- return '\n'.join([prologue, idp_head, idp_key['signing'], idp_key['encryption'],
- idp_body, sp, epilogue])
+ return '\n'.join([prologue, idp, sp, epilogue])
-
def debug_options [html] (self):
form = Form(enctype='multipart/form-data')
debug_cfg = get_cfg('debug', {})
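Review bot: The marker removal added in get_key_descriptors (whose `def` is in the previous hunk) uses `str.strip(chars)`, which strips any character from the set `-BEGIN CERTIFCAT` off both ends rather than the substring, so it only works because a newline separates the base64 body from the BEGIN/END lines; a PEM written without that newline, or with trailing whitespace after the footer, would lose leading or trailing base64 characters such as A, C, E, F, I, N, R or T and publish a truncated `<ds:X509Certificate>` that partners cannot verify. Use substring removal instead: `pem_key = pem_key.replace('-----BEGIN CERTIFICATE-----', '').replace('-----END CERTIFICATE-----', '').strip()`, and the same two replace calls for the PUBLIC KEY markers. The `elif 'KEY' in pem_key` branch also matches `-----BEGIN PRIVATE KEY-----`, so a private key copied into public-key.pem or encryption-public-key.pem by mistake would be served verbatim to anyone fetching the metadata; a guard such as `if 'PRIVATE' in pem_key: raise ValueError('private key material in public key file')` before the type check keeps that out of the public endpoint. Finally, `<ds:KeyValue>` is filled with the raw base64 SubjectPublicKeyInfo, which is not the RSAKeyValue/DSAKeyValue structure XML-DSig defines for that element, so schema-strict consumers may still reject this descriptor despite the compatibility goal stated in the commit message.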