bpartridge / django-saml2-sp Goto Github PK

Currently, the AuthnRequest is a simple "TODO" string. This must be 
properly-formatted XML, according to the spec.

Background (snipped from an email conversation)

So anyway, I was wondering how you dealt with verifying IdP's signatures to 
make sure they were actually sent by an IdP one's SP trusts.

Please correct me if I'm wrong but I can't see any code for performing 
signature validations by SP, is that right?

If that's the case, I'm wondering if it's not insecure. Consider that the SAML2 
spec says an SP /must/ support unsolicited responses from an IdP - so it's like 
everyone can POST a SamlResponse with a bunch of attributes and django-saml2-sp 
won't validate that this request has been actually initiated by an IdP?

What steps will reproduce the problem?

1. create a user such as username [email protected]
2. login with SAML under auto_create and have the SAML provider return 
[email protected]
3. You will see that a second user is created and lots of things might go wrong 
in the password base authentication backend of the app if the authentication 
backend is customized to treat username as case insensitive (majority of django 
apps are probably like this!)

We need an option that would allow case insensitive lookup, e.g. 
Users.object.get_or_create(username__iexact=username) vs 
...get_or_create(username=username) ...

Create a view that:
1. Takes the URL to an IDP's metadata.
2. Populates appropriate model(s) with data parsed from that metadata.
3. Adds the IDP to the internal list of supported IDPs, so that it is 
selectable from the "idpselect" view.

Create a view that exposes this SP's metadata for consumption by Identity 
Providers.