ipsilon.git/ipsilon/providers/saml2, branch rowmagic The Ipsilon project Validate SP names for admin pages and REST 2015-04-02T03:18:39+00:00 Nathan Kinder nkinder@redhat.com 2015-04-02T00:36:22+00:00 8ffd2629c6554124e7e3b15dce10275a2efd8261 We were previously only validating the SP name in the admin pages for SP creation and update. The REST API would allow a SP to be created with an invalid name, which would break the ability to manage that SP in the admin pages. This patch moves the SP name validation logic out of the admin page code and centralizes it in the provider creation code. This ensures that validation will occur regardless of the interface that is used. In addition, a helper method is added to allow the admin page to check if a name is valid during update operations. https://fedorahosted.org/ipsilon/ticket/102 Signed-off-by: Nathan Kinder <nkinder@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com> 
We were previously only validating the SP name in the admin pages
for SP creation and update.  The REST API would allow a SP to be
created with an invalid name, which would break the ability to
manage that SP in the admin pages.

This patch moves the SP name validation logic out of the admin
page code and centralizes it in the provider creation code.  This
ensures that validation will occur regardless of the interface
that is used.  In addition, a helper method is added to allow
the admin page to check if a name is valid during update operations.

https://fedorahosted.org/ipsilon/ticket/102

Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
IdP-initiated logout for current user 2015-04-02T02:53:55+00:00 Rob Crittenden rcritten@redhat.com 2015-03-30T15:42:10+00:00 5497278fab59361c5b6bc5d3c17407128b924b9a Perform Single Logout for the current user when a logout is initiated in the IdP. A fake initial session is created. In the current logout code the initial logout requestor holds the final redirect URL. In this case it redirects back to the root IdP page. https://fedorahosted.org/ipsilon/ticket/87 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Nathan Kinder <nkinder@redhat.com> 
Perform Single Logout for the current user when a logout is initiated
in the IdP.

A fake initial session is created. In the current logout code the
initial logout requestor holds the final redirect URL. In this case
it redirects back to the root IdP page.

https://fedorahosted.org/ipsilon/ticket/87

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
Try to return a redirect instead a 400 for "not logged in" state 2015-03-27T18:43:26+00:00 Rob Crittenden rcritten@redhat.com 2015-03-25T21:29:22+00:00 83ac397cd5904cbbaa5a21adcac73815dda9fa63 If the user is not logged in and submits a valid logout request then just redirect the user to the RelayState in the request indicating that the logout was successful. This provides a better user experience. https://fedorahosted.org/ipsilon/ticket/88 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com> 
If the user is not logged in and submits a valid logout request
then just redirect the user to the RelayState in the request
indicating that the logout was successful. This provides a better
user experience.

https://fedorahosted.org/ipsilon/ticket/88

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Implement urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified 2015-03-23T22:00:21+00:00 Rob Crittenden rcritten@redhat.com 2015-03-23T17:57:12+00:00 704452cfa38a1d880fab920dab25f670f4fbc519 Return the name the user authenticated with. https://fedorahosted.org/ipsilon/ticket/27 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> 
Return the name the user authenticated with.

https://fedorahosted.org/ipsilon/ticket/27

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Implement urn:oasis:names:tc:SAML:2.0:nameid-format:persistent 2015-03-23T22:00:15+00:00 Rob Crittenden rcritten@redhat.com 2015-03-19T19:15:26+00:00 217cabe5a2b0950b9ac4090568aa8986d51f4fc5 This also makes persistent the default NameID format when generating metadata. https://fedorahosted.org/ipsilon/ticket/27 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> 
This also makes persistent the default NameID format when generating
metadata.

https://fedorahosted.org/ipsilon/ticket/27

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Implement urn:oasis:names:tc:SAML:2.0:nameid-format:transient 2015-03-23T22:00:06+00:00 Rob Crittenden rcritten@redhat.com 2015-03-18T14:16:38+00:00 2ab0852570e3e18dfd7d959ae7c3bd62ea33dcca NameQualifier and SPNameQualifier are optional and are not included. https://fedorahosted.org/ipsilon/ticket/27 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> 
NameQualifier and SPNameQualifier are optional and are not included.

https://fedorahosted.org/ipsilon/ticket/27

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
When a new logout session is received, save old session ids 2015-03-23T18:14:56+00:00 Rob Crittenden rcritten@redhat.com 2015-02-26T20:25:07+00:00 c84eaa4d5f44524ea37f8c2444cbd53520d75a0c When a new login session is received and an existing session exists in logout, save the old session IDs. These will be included in the sessions to logout of the SP. This will ensure that if the user clears their cookie cache, for example, that any previous sessions will also be logged out. https://fedorahosted.org/ipsilon/ticket/64 Signed-off-by: Rob Crittenden <rcritten@redhat.com> 
When a new login session is received and an existing session
exists in logout, save the old session IDs.

These will be included in the sessions to logout of the SP.

This will ensure that if the user clears their cookie cache,
for example, that any previous sessions will also be logged
out.

https://fedorahosted.org/ipsilon/ticket/64

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Assertion AttributeStatements must be non-empty 2015-03-18T21:49:43+00:00 John Dennis jdennis@redhat.com 2015-03-18T21:14:07+00:00 b5730c293fc532fffd3f3300a14813027c4242ae The saml-core-2.0-os specification section 2.7.3 requires the AttributeStatement element to be non-empty. Shibboleth verifies this and rejects assertions that do not comply. We gather attributes into a local dict first before adding them to the AttributeStatement so the fix is easy. Test if the dict is empty, move the initialization of the assertion AttributeStatement inside the test so it's conditional on whether the dict has members. https://fedorahosted.org/ipsilon/ticket/61 Signed-off-by: John Dennis <jdennis@redhat.com> Reviewed-by: Nathan Kinder <nkinder@redhat.com> 
The saml-core-2.0-os specification section 2.7.3 requires
the AttributeStatement element to be non-empty. Shibboleth verifies
this and rejects assertions that do not comply. We gather attributes
into a local dict first before adding them to the AttributeStatement
so the fix is easy. Test if the dict is empty, move the initialization
of the assertion AttributeStatement inside the test so it's
conditional on whether the dict has members.

https://fedorahosted.org/ipsilon/ticket/61

Signed-off-by: John Dennis <jdennis@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
Properly handle groups info in SAML provider 2015-03-18T00:38:27+00:00 Simo Sorce simo@redhat.com 2015-03-17T17:22:06+00:00 acd6db64e46c8fa5b93c07dc5ff5c5172ddfa4f6 Also removes internal attributes (any attribute that starts with _ Fixes: https://fedorahosted.org/ipsilon/ticket/71 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Nathan Kinder <nkinder@redhat.com> 
Also removes internal attributes (any attribute that starts with _

Fixes: https://fedorahosted.org/ipsilon/ticket/71

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
Require admin when accessing REST pages 2015-03-03T02:44:38+00:00 Rob Crittenden rcritten@redhat.com 2015-03-02T19:47:22+00:00 13b359d8e4682fb239cf02293aef3a1b235a2cf6 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com> 
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>