ipsilon.git/ipsilon/tools, branch client-paos Unnamed repository; edit this file 'description' to name the repository. Define PAOS AssertionConsumerService in ipsilon-client-install 2015-08-27T21:18:02+00:00 John Dennis jdennis@redhat.com 2015-08-27T20:34:40+00:00 b6d4eed36301dc0f0f3058271a3f26f115d6f173 A SAML SP will not be able to perform ECP unless a AssertionConsumerService for the PAOS binding has been defined in it's metadata. The PAOS AssertionConsumerService participates in the ECP protocol exchange, specifically it's where the ECP client sends the IdP Assertion. If lasso starts to engage in an ECP transaction by trying to generate a Samlp:AuthnRequest and no PAOS AssertionConsumerService is defined in the SP metadata it will fail with a unknown provider error. Note, AssertionConsumerService elements are indexed endpoints, there may be one per protocol binding. Now that there is more than 1 AssertionConsumerService we set the isDefault flag to True on the existing post response at index 0. This isn't strictly necessary because the spec says if the default flag isn't set on any AssertionConsumerService endpoint then the first one is selected, but it's good practice anyway. FWIW, if mod_auth_mellon is not configured with metadata then mod_auth_mellon will generate it's own metadata which includes the PAOS AssertionConsumerService. However in ipsilon-client we generate the SP metadata and were failing to add the PAOS AssertionConsumerService, something mellon would have done automatically for us. This is why this bug was only first seen using ipsilon-client-install. Ticket: 162 Signed-off-by: John Dennis <jdennis@redhat.com> 
A SAML SP will not be able to perform ECP unless a
AssertionConsumerService for the PAOS binding has been defined in it's
metadata. The PAOS AssertionConsumerService participates in the ECP
protocol exchange, specifically it's where the ECP client sends the
IdP Assertion.

If lasso starts to engage in an ECP transaction by trying to generate a
Samlp:AuthnRequest and no PAOS AssertionConsumerService is defined in
the SP metadata it will fail with a unknown provider error.

Note, AssertionConsumerService elements are indexed endpoints, there
may be one per protocol binding. Now that there is more than 1
AssertionConsumerService we set the isDefault flag to True on the
existing post response at index 0. This isn't strictly necessary
because the spec says if the default flag isn't set on any
AssertionConsumerService endpoint then the first one is selected, but
it's good practice anyway.

FWIW, if mod_auth_mellon is not configured with metadata then
mod_auth_mellon will generate it's own metadata which includes the
PAOS AssertionConsumerService. However in ipsilon-client we generate
the SP metadata and were failing to add the PAOS
AssertionConsumerService, something mellon would have done
automatically for us. This is why this bug was only first seen using
ipsilon-client-install.

Ticket: 162
Signed-off-by: John Dennis <jdennis@redhat.com>
Set the value of WantAuthnRequestsSigned to True 2015-07-27T09:51:25+00:00 Rob Crittenden rcritten@redhat.com 2015-07-17T20:15:35+00:00 63c1a25a0a0fb3bcf8ea054c49ce88ffc81599cc The spec says the default should be False if not specified but lasso sets it to true unless it is explicitly set to False. So let's be explicit and set it to True. https://fedorahosted.org/ipsilon/ticket/136 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> 
The spec says the default should be False if not specified
but lasso sets it to true unless it is explicitly set to
False. So let's be explicit and set it to True.

https://fedorahosted.org/ipsilon/ticket/136

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Include timezone in metadata validUntil value and use UTC time 2015-07-17T14:22:33+00:00 Rob Crittenden rcritten@redhat.com 2015-07-16T18:04:56+00:00 16422cfd77e080ba1c1f2cb8559620d0c200e0b9 The python datetime module doesn't append the timezone in its isoformat() output, so add a Z indicating that the time is UTC time. Also generate the output using utcnow() rather than now() so the times line up. https://fedorahosted.org/ipsilon/ticket/137 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com> 
The python datetime module doesn't append the timezone in its
isoformat() output, so add a Z indicating that the time is
UTC time. Also generate the output using utcnow() rather than
now() so the times line up.

https://fedorahosted.org/ipsilon/ticket/137

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Add support for logout over SOAP 2015-07-16T13:04:36+00:00 Rob Crittenden rcritten@redhat.com 2015-06-25T15:00:59+00:00 2751451f4158417e66974d6415d2da84f612ab3c As each login session comes in, store the supported logout mechanisms in the SP metadata. Upon a logout request, loop through all of those SP's that support SOAP and log those out first, then log out any remaining sessions using HTTP Redirect. https://fedorahosted.org/ipsilon/ticket/59 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com> 
As each login session comes in, store the supported logout
mechanisms in the SP metadata.

Upon a logout request, loop through all of those SP's that
support SOAP and log those out first, then log out any
remaining sessions using HTTP Redirect.

https://fedorahosted.org/ipsilon/ticket/59

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Implement ECP in Ipsilon 2015-05-08T15:17:02+00:00 John Dennis jdennis@redhat.com 2015-01-26T21:04:40+00:00 be55bdf7ee36ad38b25b5f79fc4b82edb2557148 * add saml2/SSO/SOAP endpoint. * add check for lasso version, ECP endpoint only exposed in metadata if lasso has full ECP support. * add SSO_SOAP soap authentication handler (used for ECP). * add SAML binding to transaction so we can determine if cookies and other HTTP concepts are expected. Each handler is responsible for setting the binding. * add some constants needed for ECP https://fedorahosted.org/ipsilon/ticket/4 Signed-off-by: John Dennis <jdennis@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com> 
* add saml2/SSO/SOAP endpoint.
* add check for lasso version, ECP endpoint only exposed in metadata
  if lasso has full ECP support.
* add SSO_SOAP soap authentication handler (used for ECP).
* add SAML binding to transaction so we can determine if cookies
  and other HTTP concepts are expected. Each handler is responsible
  for setting the binding.
* add some constants needed for ECP

https://fedorahosted.org/ipsilon/ticket/4

Signed-off-by: John Dennis <jdennis@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Update Copyright header point to COPYING file 2015-05-08T15:00:48+00:00 Rob Crittenden rcritten@redhat.com 2015-05-08T02:40:19+00:00 cfe24fa3dc15d87f3ace944a2d62a0f4c5ee496c Point to a file containing the license rather than including it in every single source file. This will make it easier to manage the license in the future without another humongous commit. https://fedorahosted.org/ipsilon/ticket/126 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com> 
Point to a file containing the license rather than including
it in every single source file. This will make it easier to
manage the license in the future without another humongous
commit.

https://fedorahosted.org/ipsilon/ticket/126

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
pylint 1.4.3 version fixes 2015-05-07T18:44:20+00:00 Simo Sorce simo@redhat.com 2015-05-07T16:33:40+00:00 1bcc0d697dd37a9268641f0cbaa7e9e781552233 Pylint 1.4.3 completely stopped recognizing the star-args condition. In order to avoid pylint error with > 1.4.3 stop caring for star-args and add cmdline option to ignore those errors completly so older pylint versions are happy too. Also fix type() vs isinstance() checks, isinstance is generally a more correct approach to check for classes. In some 'admin' files the type() -> isinstance() fix required to invert the order in which ComplexList and MappingList are checked as the latter is a subclass of ComplexList, so it needs to be checked first otherwise the check for isinstance(option, ComplexList) matches for both and the code stops functioning properly. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com> 
Pylint 1.4.3 completely stopped recognizing the star-args condition.
In order to avoid pylint error with > 1.4.3 stop caring for star-args
and add cmdline option to ignore those errors completly so older pylint
versions are happy too.

Also fix type() vs isinstance() checks, isinstance is generally a more
correct approach to check for classes.

In some 'admin' files the type() -> isinstance() fix required to invert
the order in which ComplexList and MappingList are checked as the latter
is a subclass of ComplexList, so it needs to be checked first otherwise
the check for isinstance(option, ComplexList) matches for both and the
code stops functioning properly.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Add support for expiration in Metadata 2015-01-29T19:06:45+00:00 Simo Sorce simo@redhat.com 2015-01-19T20:15:03+00:00 5d0b299eea8efcebee263686cae35f905ab91512 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com> 
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Add function to import a cert from a file 2015-01-29T19:06:31+00:00 Simo Sorce simo@redhat.com 2015-01-19T20:14:43+00:00 184c3d6c292de297d0055655516651da2767e38d Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com> 
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Fix file permissions and remove shebang's 2014-12-16T15:51:43+00:00 Patrick Uiterwijk puiterwijk@redhat.com 2014-12-16T15:40:03+00:00 45cb73a21a90084818c3057e362ef9459f1600f3 Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> 
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>