bpartridge / django-saml2-idp Goto Github PK

What steps will reproduce the problem?
1. Start the login conversation (either at the SP or using an IDP-initiated 
deep link)
2. Successfully login to the IDP
3. Click the "Continue" button in a browser with javascript enabled

What is the expected output? What do you see instead?

The user is expecting the browser to correctly authenticate at the SP. However, 
some service points don't like double authentication, which is what happens 
when the browser javascript submits the form, then the user clicks the button 
and submits the form a second time.

Instead, the SP sometimes chokes on the second (user-initiated) authentication.


What version of the product are you using? On what operating system?

This happens in r198, the latest at the time of submission.

Please provide any additional information below.

Suggestion: hide the submit button if javascript is enabled.

The current SingleLogOut view doesn't require a valid SAML LogoutRequest, but 
it should. At present, any hit on the logout URL will logout the current 
browser's user even though no standard LogoutRequest is being passed.

When running the test project, attempting to login results in a 404 where this 
page is requested:
http://127.0.0.1:8000/idp/sso/post/response/preview/

I see this is the login redirect url defined in settings.py however I don't see 
this path mapped in urls.py. Am I missing something?

Deeplinks currently only allow one replacement group per URL. It would be nice 
to expand this to allow multiple groups.

REF: https://bugs.launchpad.net/canonical-identity-provider/+bug/1032254

What steps will reproduce the problem?
1. "pip install saml2idp"
2. setup django project and settings.py
3. "python manage.py test saml2idp"

What is the expected output? What do you see instead?
Tests should pass out-of-the-box. (Maybe. Think about this.)

Instead, there are several errors, dealing with an incomplete Django 
configuration, I think:

======================================================================
ERROR: test_deeplink (saml2idp.tests.deeplink.TestDeepLink)
ERROR: test_deeplink (saml2idp.tests.deeplink.TestDeepLinkWithAttributes)
ERROR: test_authnrequest_handled 
(saml2idp.tests.google_apps.TestGoogleAppsProcessor)
ERROR: test_user_logged_in (saml2idp.tests.google_apps.TestGoogleAppsProcessor)
ERROR: test_process_request_not_authorized 
(saml2idp.tests.views.TestLoginProcessView)
ERROR: test_empty_post (saml2idp.tests.views.TestLoginView)
ERROR: test_get (saml2idp.tests.views.TestLoginView)
ERROR: test_post (saml2idp.tests.views.TestLoginView)
ERROR: test_logout (saml2idp.tests.views.TestLogoutView)
ERROR: test_logout_user (saml2idp.tests.views.TestLogoutView)
ERROR: test_authnrequest_handled 
(saml2idp.tests.salesforce.TestSalesForceProcessor)
ERROR: test_user_logged_in (saml2idp.tests.salesforce.TestSalesForceProcessor)
----------------------------------------------------------------------
TemplateDoesNotExist: 404.html

======================================================================
ERROR: test_signed_assertion (saml2idp.tests.signing.TestAssertionSalesForce)
ERROR: test_signed_response_with_signed_assertion 
(saml2idp.tests.signing.TestResponse)
ERROR: test1 (saml2idp.tests.signing.TestSigning)
----------------------------------------------------------------------
KeyError: 'private_key_file'

-----------
Maybe these tests don't matter, but if people include 'saml2idp' in their 
INSTALLED_APPS, it might give them concern.

1. Create view for setting up an SP, by entering the URL to its metadata.
2. Parse relevant bits from that metadata and store in relevant model(s).

Create a view that exposes this IDP's metadata for consumption by Service 
Points.

django-saml2-idp dont have a change password application yet. 

But why not just use django contrib password change?

I did like this and works as a charm.

(r'^user/change_password/done/$',    
'django.contrib.auth.views.password_change_done', {'template_name': 
password_change_done.html'}),

(r'^user/change_password/$',        
'django.contrib.auth.views.password_change', {'template_name': 
'password_change.html'}),

What steps will reproduce the problem?
1. Try to use the IdP to log into a Google Apps account
2. Google Apps displays this error message:

   Google Apps - This account cannot be accessed because we could not parse the login request.

Something is not right with the assertion we're sending to Google. Compare it 
with the one that Google does like, and fix what we're doing wrong.

According to this, the @csrf_view_exempt is going away in Django 1.6:

https://docs.djangoproject.com/en/dev/internals/deprecation/

It should be replaced with @csrf_exempt.

What steps will reproduce the problem?
1. create a user such as username [email protected]
2. login with SAML under auto_create and have the SAML provider return 
[email protected]
3. You will see that a second user is created and lots of things might go wrong 
in the password base authentication backend of the app if the authentication 
backend is customized to treat username as case insensitive (majority of django 
apps are probably like this!)

We need an option that would allow case insensitive lookup, e.g. 
Users.object.get_or_create(username__iexact=username) vs 
...get_or_create(username=username) to

Regarding SSO/SAML, I've noticed that sometimes we get an error from saml2idp 
trying to access a key in a dict that isn't really there... this looks like 
something you could maybe try to fix? One example of this is

  MultiValueDictKeyError: "Key 'SAMLRequest' not found in <QueryDict: {u'XY': [u'123'], u'startURL': [u'/abc']}>"

      File "/srv/.../lib/django/core/handlers/base.py", line 115, in get_response
    response = callback(request, *callback_args, **callback_kwargs)
  File "/srv/.../lib/django/views/decorators/csrf.py", line 77, in wrapped_view
    return view_func(*args, **kwargs)
  File "/srv/.../src/ubuntu_sso_saml/views.py", line 14, in saml_begin
    return login_begin(request)
  File "/srv/.../lib/django/views/decorators/csrf.py", line 77, in wrapped_view
    return view_func(*args, **kwargs)
  File "/srv/.../lib/saml2idp/views.py", line 49, in login_begin
    request.session['SAMLRequest'] = source['SAMLRequest']
  File "/srv/.../lib/django/utils/datastructures.py", line 295, in __getitem__
    raise MultiValueDictKeyError("Key %r not found in %r" % (key, self))

What steps will reproduce the problem?
1. Use a base template that has tags requiring request context, such as sekizai.
2. Run a saml2idp view, such as logout.
3. Get an exception from the one of the failing tags.

Adding context_instance=RequestContext(request) to render_to_response calls 
should fix it.

When a SP requests an Assertion, validate that SP against the list of 
Acceptable SPs.

What steps will reproduce the problem?
1. POST a SAML 2.0 AuthnRequest to the IdP
2. Fail to log in on the first attempt
3. Correctly log in on the second attempt

Instead of continuing with the login sequence, this error shows:

KeyError at /idp/login/continue/

'SAMLRequest'

This affects the latest revision in the "google-apps" branch, and probably the 
trunk as well.

Here's the stack trace:

Environment:

Request Method: GET
Request URL: http://127.0.0.1:8000/idp/login/continue/
Django Version: 1.2.3
Python Version: 2.6.5
Installed Applications:
['django.contrib.admin',
 'django.contrib.auth',
 'django.contrib.contenttypes',
 'django.contrib.sessions',
 'django.contrib.sites',
 'saml2idp']
Installed Middleware:
('django.middleware.common.CommonMiddleware',
 'django.contrib.sessions.middleware.SessionMiddleware',
 'django.middleware.csrf.CsrfViewMiddleware',
 'django.contrib.auth.middleware.AuthenticationMiddleware')


Traceback:
File "/usr/local/lib/python2.6/dist-packages/django/core/handlers/base.py" in 
get_response
  100.                     response = callback(request, *callback_args, **callback_kwargs)
File "/usr/local/lib/python2.6/dist-packages/django/contrib/auth/decorators.py" 
in _wrapped_view
  25.                 return view_func(request, *args, **kwargs)
File "/usr/local/lib/python2.6/dist-packages/django/views/decorators/csrf.py" 
in wrapped_view
  23.         resp = view_func(*args, **kwargs)
File "/home/john/code/saml/idp/idptest/saml2idp/views.py" in login_continue
  64.     msg = request.session['SAMLRequest']
File 
"/usr/local/lib/python2.6/dist-packages/django/contrib/sessions/backends/base.py
" in __getitem__
  46.         return self._session[key]

Exception Type: KeyError at /idp/login/continue/
Exception Value: 'SAMLRequest'

The google-apps branch at Rev 72 is actually working with SalesForce.com. It 
should also work against the django-saml2-sp, but this should be verified 
before merging with trunk.

doc/SETTINGS_AND_METADATA.txt says:

SAML2IDP_CONFIG = {
    # Default metadata to configure this local IdP.
    'autosubmit': True,
    'certificate_file': 'keys/certificate.pem', # If using relative paths, be careful!
    'certificate_key_file': 'keys/private-key.pem', # If using relative paths, be careful!
    'issuer': 'http://127.0.0.1:8000',
    'signing': True,
}

'certificate_key_file' should be 'private_key_file'

What steps will reproduce the problem?
1. Try installing in Ubuntu 11.10 or higher (64 bit version)

What is the expected output? What do you see instead?

The build fails because of some swig vs M2Crypto related issue. I expect to see 
the build succeed.


What version of the product are you using? On what operating system?

saml2idp 0.14 on Ubuntu 11.10 and 12.04 (alpha)


Please provide any additional information below.


I think the problem here is that saml2idp is tied to M2Cyrpto==0.20.1, which 
doesn't build properly on newer systems. Can we untag this dependency (or just 
require >=0.20.1?) I think that may solve this issue.

What steps will reproduce the problem?
1. visit PyPI
2. search for django SAML

What is the expected output? What do you see instead?

I'd expect to find one egg package for this project but instead seem to find 
two: django-saml2-idp and saml2idp.

Please provide any additional information below.

Based on naming, django-saml2-idp seems correct 
(https://pypi.python.org/pypi/django-saml2-idp). This package was also updated 
most recently. However, saml2idp (https://pypi.python.org/pypi/saml2idp) seems 
to have more download activity recently and apparently has a higher version 
number.

Which is the appropriate package to use?

thanks!