ipsilon.git/ipsilon/providers, branch rowmagic The Ipsilon project Validate SP names for admin pages and REST 2015-04-02T03:18:39+00:00 Nathan Kinder nkinder@redhat.com 2015-04-02T00:36:22+00:00 8ffd2629c6554124e7e3b15dce10275a2efd8261 We were previously only validating the SP name in the admin pages for SP creation and update. The REST API would allow a SP to be created with an invalid name, which would break the ability to manage that SP in the admin pages. This patch moves the SP name validation logic out of the admin page code and centralizes it in the provider creation code. This ensures that validation will occur regardless of the interface that is used. In addition, a helper method is added to allow the admin page to check if a name is valid during update operations. https://fedorahosted.org/ipsilon/ticket/102 Signed-off-by: Nathan Kinder <nkinder@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com> 
We were previously only validating the SP name in the admin pages
for SP creation and update.  The REST API would allow a SP to be
created with an invalid name, which would break the ability to
manage that SP in the admin pages.

This patch moves the SP name validation logic out of the admin
page code and centralizes it in the provider creation code.  This
ensures that validation will occur regardless of the interface
that is used.  In addition, a helper method is added to allow
the admin page to check if a name is valid during update operations.

https://fedorahosted.org/ipsilon/ticket/102

Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
IdP-initiated logout for current user 2015-04-02T02:53:55+00:00 Rob Crittenden rcritten@redhat.com 2015-03-30T15:42:10+00:00 5497278fab59361c5b6bc5d3c17407128b924b9a Perform Single Logout for the current user when a logout is initiated in the IdP. A fake initial session is created. In the current logout code the initial logout requestor holds the final redirect URL. In this case it redirects back to the root IdP page. https://fedorahosted.org/ipsilon/ticket/87 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Nathan Kinder <nkinder@redhat.com> 
Perform Single Logout for the current user when a logout is initiated
in the IdP.

A fake initial session is created. In the current logout code the
initial logout requestor holds the final redirect URL. In this case
it redirects back to the root IdP page.

https://fedorahosted.org/ipsilon/ticket/87

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
Add options to explicitly set database uris during install 2015-03-30T18:20:11+00:00 Patrick Uiterwijk puiterwijk@redhat.com 2015-03-30T14:38:10+00:00 3fd51fe0d4593cdc39c28f11deafe27845f25584 Also offer the option to set the OpenID database URI during install https://fedorahosted.org/ipsilon/ticket/17 Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com> 
Also offer the option to set the OpenID database URI during install

https://fedorahosted.org/ipsilon/ticket/17

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Add a method to Installer classes to validate argument input 2015-03-27T18:46:52+00:00 Rob Crittenden rcritten@redhat.com 2015-03-26T18:55:27+00:00 101022e3bf4dfe3f0c56ffb61abbf358a3b1ab26 There was no way to validate argument input from plugins and cause the installer to bail out. If a plugin needs to validate some input it can use the validate_args() method and raise ConfigurationError() if an issue is found. https://fedorahosted.org/ipsilon/ticket/78 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com> 
There was no way to validate argument input from plugins and
cause the installer to bail out. If a plugin needs to validate
some input it can use the validate_args() method and raise
ConfigurationError() if an issue is found.

https://fedorahosted.org/ipsilon/ticket/78

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Try to return a redirect instead a 400 for "not logged in" state 2015-03-27T18:43:26+00:00 Rob Crittenden rcritten@redhat.com 2015-03-25T21:29:22+00:00 83ac397cd5904cbbaa5a21adcac73815dda9fa63 If the user is not logged in and submits a valid logout request then just redirect the user to the RelayState in the request indicating that the logout was successful. This provides a better user experience. https://fedorahosted.org/ipsilon/ticket/88 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com> 
If the user is not logged in and submits a valid logout request
then just redirect the user to the RelayState in the request
indicating that the logout was successful. This provides a better
user experience.

https://fedorahosted.org/ipsilon/ticket/88

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Make unspecified the default Name ID format, add to enabled list 2015-03-23T22:00:34+00:00 Rob Crittenden rcritten@redhat.com 2015-03-23T21:25:55+00:00 424a03e5bd141bfa80220816d6e9bd6be9aa256f https://fedorahosted.org/ipsilon/ticket/27 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> 
https://fedorahosted.org/ipsilon/ticket/27

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Implement urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified 2015-03-23T22:00:21+00:00 Rob Crittenden rcritten@redhat.com 2015-03-23T17:57:12+00:00 704452cfa38a1d880fab920dab25f670f4fbc519 Return the name the user authenticated with. https://fedorahosted.org/ipsilon/ticket/27 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> 
Return the name the user authenticated with.

https://fedorahosted.org/ipsilon/ticket/27

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Implement urn:oasis:names:tc:SAML:2.0:nameid-format:persistent 2015-03-23T22:00:15+00:00 Rob Crittenden rcritten@redhat.com 2015-03-19T19:15:26+00:00 217cabe5a2b0950b9ac4090568aa8986d51f4fc5 This also makes persistent the default NameID format when generating metadata. https://fedorahosted.org/ipsilon/ticket/27 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> 
This also makes persistent the default NameID format when generating
metadata.

https://fedorahosted.org/ipsilon/ticket/27

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Implement urn:oasis:names:tc:SAML:2.0:nameid-format:transient 2015-03-23T22:00:06+00:00 Rob Crittenden rcritten@redhat.com 2015-03-18T14:16:38+00:00 2ab0852570e3e18dfd7d959ae7c3bd62ea33dcca NameQualifier and SPNameQualifier are optional and are not included. https://fedorahosted.org/ipsilon/ticket/27 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> 
NameQualifier and SPNameQualifier are optional and are not included.

https://fedorahosted.org/ipsilon/ticket/27

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
When a new logout session is received, save old session ids 2015-03-23T18:14:56+00:00 Rob Crittenden rcritten@redhat.com 2015-02-26T20:25:07+00:00 c84eaa4d5f44524ea37f8c2444cbd53520d75a0c When a new login session is received and an existing session exists in logout, save the old session IDs. These will be included in the sessions to logout of the SP. This will ensure that if the user clears their cookie cache, for example, that any previous sessions will also be logged out. https://fedorahosted.org/ipsilon/ticket/64 Signed-off-by: Rob Crittenden <rcritten@redhat.com> 
When a new login session is received and an existing session
exists in logout, save the old session IDs.

These will be included in the sessions to logout of the SP.

This will ensure that if the user clears their cookie cache,
for example, that any previous sessions will also be logged
out.

https://fedorahosted.org/ipsilon/ticket/64

Signed-off-by: Rob Crittenden <rcritten@redhat.com>