| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Our current default IdP metadata validity period is hardcoded to 30
days. This is very limiting for anything other than a test environment
unless there is a way to allow SPs to automatically fetch updated metadata
on a regular interval.
This patch increases the default validity period to 5 years. In addition,
a new option for ipsilon-server-install is provided to allow a different
validity period to be specified.
https://fedorahosted.org/ipsilon/ticket/103
Signed-off-by: Nathan Kinder <nkinder@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The --config-profile option for the ipsilon-server-install and
ipsilon-client-install commands is designed to be used by the
in-tree functional tests. It is not meant to be used by users,
but we are advertising the option in the help output. This patch
suppresses the option from the help output.
https://fedorahosted.org/ipsilon/ticket/37
Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
This adds documentation on recommended practices for integrating
web applications with Ipsilon for SAML SSO.
https://fedorahosted.org/ipsilon/ticket/43
Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We were previously only validating the SP name in the admin pages
for SP creation and update. The REST API would allow a SP to be
created with an invalid name, which would break the ability to
manage that SP in the admin pages.
This patch moves the SP name validation logic out of the admin
page code and centralizes it in the provider creation code. This
ensures that validation will occur regardless of the interface
that is used. In addition, a helper method is added to allow
the admin page to check if a name is valid during update operations.
https://fedorahosted.org/ipsilon/ticket/102
Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This optionally allows a SAML SP to be registered with the IDP when
running ipsilon-client-install. To register an SP, the following
options are used:
--saml-idp-url (Ipsilon IDP URL)
--saml-sp-name (Name to register the SP as)
--admin-user (Ipsilon admin user)
--admin-password (Ipsilon admin password file)
If the --saml-idp-url option is set, we attempt to register the SP.
The --saml-sp-name option is required if you are registering a SP.
The --admin-user already defaults to admin, so it only needs to be
specified if your admin user has a different username. If the
--admin-password option is not specified, we prompt for the password.
The --saml-idp-metadata was previously required, but this option is
redundant if the new --saml-idp-url option is specified and you are
not using a local copy of the IDP metadata. You can now just use
the --saml-idp-url option, and we build the metadata URL from it.
This helps to minimize the number of required options when you are
registering an SP during installation.
https://fedorahosted.org/ipsilon/ticket/101
Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Perform Single Logout for the current user when a logout is initiated
in the IdP.
A fake initial session is created. In the current logout code the
initial logout requestor holds the final redirect URL. In this case
it redirects back to the root IdP page.
https://fedorahosted.org/ipsilon/ticket/87
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
When running 'ipsilon-client-install --uninstall' to uninstall a SP,
we call the install routine again after completing the uninstallation.
This leads to confusing error messages about missing required options.
This patch corrects the uninstallation logic.
https://fedorahosted.org/ipsilon/ticket/100
Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
|
| |
|
|
|
| |
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Also offer the option to set the OpenID database URI during install
https://fedorahosted.org/ipsilon/ticket/17
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Rather than requiring --info-sssd-domain as an argument make it
an optional argument, defaulting to enabling all SSSD domains.
Convert the argument from a single value into a list so that multiple
invocations can be made and all domains in the list will be enabled.
There is still the possibility that failures in configuring a domain
will occur (no domain found, for example) and these are considered
"soft" failures. That is it won't abort the server installation.
https://fedorahosted.org/ipsilon/ticket/78
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
There was no way to validate argument input from plugins and
cause the installer to bail out. If a plugin needs to validate
some input it can use the validate_args() method and raise
ConfigurationError() if an issue is found.
https://fedorahosted.org/ipsilon/ticket/78
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
If the user is not logged in and submits a valid logout request
then just redirect the user to the RelayState in the request
indicating that the logout was successful. This provides a better
user experience.
https://fedorahosted.org/ipsilon/ticket/88
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Some Name ID formats are not implemented so are expected to fail.
Kerberos is implemented but the test is done using form authentication
so no Kerberos principal is available so authentication is denied.
https://fedorahosted.org/ipsilon/ticket/27
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
| |
https://fedorahosted.org/ipsilon/ticket/27
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
| |
https://fedorahosted.org/ipsilon/ticket/27
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Return the name the user authenticated with.
https://fedorahosted.org/ipsilon/ticket/27
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
This also makes persistent the default NameID format when generating
metadata.
https://fedorahosted.org/ipsilon/ticket/27
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
NameQualifier and SPNameQualifier are optional and are not included.
https://fedorahosted.org/ipsilon/ticket/27
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When a new login session is received and an existing session
exists in logout, save the old session IDs.
These will be included in the sessions to logout of the SP.
This will ensure that if the user clears their cookie cache,
for example, that any previous sessions will also be logged
out.
https://fedorahosted.org/ipsilon/ticket/64
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
| |
|
|
|
|
|
|
| |
This finally tests the LDAP login/info plugins as well as the special
"groups" attribute.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
| |
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
| |
|
|
|
| |
Signed-off-by: John Dennis <jdennis@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
See "Bindings for the OASIS Security Assertion Markup Language (SAML)
V2.0" section 3.2.3.2.
https://fedorahosted.org/ipsilon/ticket/7
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The saml-core-2.0-os specification section 2.7.3 requires
the AttributeStatement element to be non-empty. Shibboleth verifies
this and rejects assertions that do not comply. We gather attributes
into a local dict first before adding them to the AttributeStatement
so the fix is easy. Test if the dict is empty, move the initialization
of the assertion AttributeStatement inside the test so it's
conditional on whether the dict has members.
https://fedorahosted.org/ipsilon/ticket/61
Signed-off-by: John Dennis <jdennis@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When setting up a SP using ipsilon-client-install, there is no
ability to use a non-standard port. We should allow a port number
to be specified that results in the proper URLs in the SP metadata.
This patch adds a --port option to ipsilon-client-install. This is
used in the construction of the URLs used in the SP metadata as well
as in the httpd redirect rules if httpd is being configured.
https://fedorahosted.org/ipsilon/ticket/92
Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Also removes internal attributes (any attribute that starts with _
Fixes: https://fedorahosted.org/ipsilon/ticket/71
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
|
| |
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Some login plugins use form based authentication and let the user retry
on authentication errors. This is fine, however the wrong error code is
returned in this case, 401 should be returned.
Fixes: https://fedorahosted.org/ipsilon/ticket/94
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
|
| |
|
|
|
|
|
| |
https://fedorahosted.org/ipsilon/ticket/23#comment:13
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
|
| |
|
|
|
|
|
|
| |
This stores the build date and git commit in the version.
This way, it's a lot easier to determine when it was last built.
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When a login comes in via the remote_login() call no
user attributes are set. These may be later filled in by
a subsequent call to login() after the info plugins are
called but a short-circuit in that function exits if the
user matches the current session.
Add an extra conditional such that if the user matches,
userattributes are passed in and the current user attributes
for this user is empty then save the new data.
https://fedorahosted.org/ipsilon/ticket/86
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is the only way to force in a custom version string
so that the remote IPA server doesn't reject the request
as being newer than the server.
This also removes the need to iterate over all servers
as the IPA connection API does this automatically.
https://fedorahosted.org/ipsilon/ticket/47
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
|
| |
|
|
|
| |
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Create an additional SP, log into one, fetch the other and
the client is now logged into both. Log out of the first one
and the client is logged out of both.
https://fedorahosted.org/ipsilon/ticket/58
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
MALLOC_CHECK_ set to 3 should abort if a memory problem is found.
MALLOC_PERTURB_ should catch any usage of freed memory.
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
|
| |
|
|
|
| |
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Saving a session causes it to be unlocked, but sessions have a
hook that also performs a save just before the session is finalized.
In CherryPy 3.3.0 and later, an assertion was added to ensure that
a session is locked when trying to perform a save. Since we perform
explicit saves in our code, this causes the assertion to be tripped
when the hook executes.
This patch removes our explicit save calls. We should rely on the
hook to save and unlock the session.
https://fedorahosted.org/ipsilon/ticket/84
Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
If the referer is present but does not contain a transaction ID we still
need to fallback to the REQUEST_URI. Fix the code to check the url and
then fallback to REQUEST_URI rathe than decide upfront merely on the
fact a referer is available.
https://fedorahosted.org/ipsilon/ticket/74
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There are a number of URL path options that can be specified as
options when running ipsilon-client-install. There are certain
rules that must be followed to result in a valid mod_auth_mellon
configuration:
- All path options must be prefixed with '/'.
- The mellon endpoint path (--saml-sp) must be a subpath of the
httpd 'Location' element is it contained within (--saml-base).
- The logout (--saml-sp-logout) and post (--saml-sp-post) paths
must be subpaths of the mellon endpoint (--saml-sp).
This adds validation for all of the above rules.
https://fedorahosted.org/ipsilon/ticket/82
Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This adds the mod_wsgi display-name setting to allow the Ipsilon
WSGI process to show up with a useful process name instead of
'httpd'. This allows one to easily distinguish the WSGI process
from other httpd processes.
https://fedorahosted.org/ipsilon/ticket/62
Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
We should prevent browser caching of the SAML auth location that we
configure for an SP. This can be easily done by adding the following
directive to that location in the httpd config:
Header append Cache-Control "no-cache"
https://fedorahosted.org/ipsilon/ticket/81
Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If ipsilon-client-install is used with the --saml-secure-setup
option (which is set by default), only https connections will
work for authentication. We are not setting the SSLRequireSSL
directive though, so we set mellon up to fail.
This patch adds the SSLRequireSSL directive to the SP config
when --saml-secure-setup is specified. In addition, we add a
rewrite rule to rewrite http requests to https for the SP.
https://fedorahosted.org/ipsilon/ticket/80
Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
On internal redirections, such as when ErrorDocument is used to
redirect on failed negotiate authentication we need to look harder
for the transaction id.
Ticket: #74
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
|
| |
|
|
|
| |
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
| |
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
| |
|
|
|
| |
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Provision two Service Providers then test:
- We can fetch a blank list of SPs
- Add an SP via the admin interface
- We get list of all SPs and that is it
- Add an SP via POST
- We get list of all SPs and now there are two
- We get a specific SP and confirm we got the right one.
https://fedorahosted.org/ipsilon/ticket/26
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
This allows us to get the metadata for creation via REST POST
https://fedorahosted.org/ipsilon/ticket/26
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
| |
https://fedorahosted.org/ipsilon/ticket/26
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The mount point is /idp/rest/providers/saml2/SPS.
GET .../SPS will retrieve all Service Providers
GET .../SPS/foo will retrieve the Service Provider named foo
POST .../SPS/foo will create the Service Provider named foo
https://fedorahosted.org/ipsilon/ticket/26
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
