ipsilon.git/ipsilon/providers, branch review The Ipsilon project Add options to explicitly set database uris during install 2015-03-30T18:20:11+00:00 Patrick Uiterwijk puiterwijk@redhat.com 2015-03-30T14:38:10+00:00 3fd51fe0d4593cdc39c28f11deafe27845f25584 Also offer the option to set the OpenID database URI during install https://fedorahosted.org/ipsilon/ticket/17 Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com> 
Also offer the option to set the OpenID database URI during install

https://fedorahosted.org/ipsilon/ticket/17

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Add a method to Installer classes to validate argument input 2015-03-27T18:46:52+00:00 Rob Crittenden rcritten@redhat.com 2015-03-26T18:55:27+00:00 101022e3bf4dfe3f0c56ffb61abbf358a3b1ab26 There was no way to validate argument input from plugins and cause the installer to bail out. If a plugin needs to validate some input it can use the validate_args() method and raise ConfigurationError() if an issue is found. https://fedorahosted.org/ipsilon/ticket/78 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com> 
There was no way to validate argument input from plugins and
cause the installer to bail out. If a plugin needs to validate
some input it can use the validate_args() method and raise
ConfigurationError() if an issue is found.

https://fedorahosted.org/ipsilon/ticket/78

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Try to return a redirect instead a 400 for "not logged in" state 2015-03-27T18:43:26+00:00 Rob Crittenden rcritten@redhat.com 2015-03-25T21:29:22+00:00 83ac397cd5904cbbaa5a21adcac73815dda9fa63 If the user is not logged in and submits a valid logout request then just redirect the user to the RelayState in the request indicating that the logout was successful. This provides a better user experience. https://fedorahosted.org/ipsilon/ticket/88 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com> 
If the user is not logged in and submits a valid logout request
then just redirect the user to the RelayState in the request
indicating that the logout was successful. This provides a better
user experience.

https://fedorahosted.org/ipsilon/ticket/88

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Make unspecified the default Name ID format, add to enabled list 2015-03-23T22:00:34+00:00 Rob Crittenden rcritten@redhat.com 2015-03-23T21:25:55+00:00 424a03e5bd141bfa80220816d6e9bd6be9aa256f https://fedorahosted.org/ipsilon/ticket/27 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> 
https://fedorahosted.org/ipsilon/ticket/27

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Implement urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified 2015-03-23T22:00:21+00:00 Rob Crittenden rcritten@redhat.com 2015-03-23T17:57:12+00:00 704452cfa38a1d880fab920dab25f670f4fbc519 Return the name the user authenticated with. https://fedorahosted.org/ipsilon/ticket/27 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> 
Return the name the user authenticated with.

https://fedorahosted.org/ipsilon/ticket/27

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Implement urn:oasis:names:tc:SAML:2.0:nameid-format:persistent 2015-03-23T22:00:15+00:00 Rob Crittenden rcritten@redhat.com 2015-03-19T19:15:26+00:00 217cabe5a2b0950b9ac4090568aa8986d51f4fc5 This also makes persistent the default NameID format when generating metadata. https://fedorahosted.org/ipsilon/ticket/27 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> 
This also makes persistent the default NameID format when generating
metadata.

https://fedorahosted.org/ipsilon/ticket/27

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Implement urn:oasis:names:tc:SAML:2.0:nameid-format:transient 2015-03-23T22:00:06+00:00 Rob Crittenden rcritten@redhat.com 2015-03-18T14:16:38+00:00 2ab0852570e3e18dfd7d959ae7c3bd62ea33dcca NameQualifier and SPNameQualifier are optional and are not included. https://fedorahosted.org/ipsilon/ticket/27 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> 
NameQualifier and SPNameQualifier are optional and are not included.

https://fedorahosted.org/ipsilon/ticket/27

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
When a new logout session is received, save old session ids 2015-03-23T18:14:56+00:00 Rob Crittenden rcritten@redhat.com 2015-02-26T20:25:07+00:00 c84eaa4d5f44524ea37f8c2444cbd53520d75a0c When a new login session is received and an existing session exists in logout, save the old session IDs. These will be included in the sessions to logout of the SP. This will ensure that if the user clears their cookie cache, for example, that any previous sessions will also be logged out. https://fedorahosted.org/ipsilon/ticket/64 Signed-off-by: Rob Crittenden <rcritten@redhat.com> 
When a new login session is received and an existing session
exists in logout, save the old session IDs.

These will be included in the sessions to logout of the SP.

This will ensure that if the user clears their cookie cache,
for example, that any previous sessions will also be logged
out.

https://fedorahosted.org/ipsilon/ticket/64

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Set Cache-control on all generated pages, centralize in Endpoint 2015-03-19T20:57:55+00:00 Rob Crittenden rcritten@redhat.com 2015-03-16T20:31:55+00:00 83ec7148841303516fe31e76116b70c8a5f73aab See "Bindings for the OASIS Security Assertion Markup Language (SAML) V2.0" section 3.2.3.2. https://fedorahosted.org/ipsilon/ticket/7 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Nathan Kinder <nkinder@redhat.com> 
See "Bindings for the OASIS Security Assertion Markup Language (SAML)
V2.0" section 3.2.3.2.

https://fedorahosted.org/ipsilon/ticket/7

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
Assertion AttributeStatements must be non-empty 2015-03-18T21:49:43+00:00 John Dennis jdennis@redhat.com 2015-03-18T21:14:07+00:00 b5730c293fc532fffd3f3300a14813027c4242ae The saml-core-2.0-os specification section 2.7.3 requires the AttributeStatement element to be non-empty. Shibboleth verifies this and rejects assertions that do not comply. We gather attributes into a local dict first before adding them to the AttributeStatement so the fix is easy. Test if the dict is empty, move the initialization of the assertion AttributeStatement inside the test so it's conditional on whether the dict has members. https://fedorahosted.org/ipsilon/ticket/61 Signed-off-by: John Dennis <jdennis@redhat.com> Reviewed-by: Nathan Kinder <nkinder@redhat.com> 
The saml-core-2.0-os specification section 2.7.3 requires
the AttributeStatement element to be non-empty. Shibboleth verifies
this and rejects assertions that do not comply. We gather attributes
into a local dict first before adding them to the AttributeStatement
so the fix is easy. Test if the dict is empty, move the initialization
of the assertion AttributeStatement inside the test so it's
conditional on whether the dict has members.

https://fedorahosted.org/ipsilon/ticket/61

Signed-off-by: John Dennis <jdennis@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>