http://shibboleth.net/pipermail/users/2013-July/010958.html

Otherwise Shibboleth SP AttrChecker will apply this rule in /etc/shibboleth/attribute-policy.xml

    Shared rule for all "scoped" attributes, but you'll have to manually apply it inside
    an AttributeRule for each attribute you want to check.
    <afp:PermitValueRule id="ScopingRules" xsi:type="AND">
        <Rule xsi:type="NOT">
            <Rule xsi:type="AttributeValueRegex" regex="@"/>
        </Rule>
        <Rule xsi:type="saml:AttributeScopeMatchesShibMDScope"/>
    </afp:PermitValueRule>

Comment it as a workaround or disable AttrChecker (not recommended)

This looks like an awesome, stable project! One issue though is that it's shipped as a monolithic system, which means that the idp core can't be used in other, non uniAuth based projects. I propose separating out core functionality into a second repo, and keeping this as a starting template/starting project example. @peppelinux what are your thoughts on this?

At this moment we can choose if assertion will be encrypted for every SP.
It would be better let the SP ask for assertion encryption, if encryption keyDescriptor is present in SP metadata the IdP should encrypt assertion using it.

the actual option of sp encryption, admin ui side, can be refactored to force disabilitation of assertion encryption where needed.

I am currently in the process of deploying UniAuth to Amazon Elastic Beanstalk using the Amazon Linux 2 OS, and I ran into an issue when trying to access the idp/metadata path that xmlsec1-openssl is not installed.

We should consider adding this package to the requirements in the documentation. It might even be useful to show different installation/requirements procedures for different operating systems.

If it's a good idea, I can update the documentation for this.

See
IdentityPython/pysaml2#634

Until this PR/issues will not be closed in a succesfull way there will be the need to schedule a file remover.

idp.metadata.dumps() return a saml2 exception.
probably related to a pysaml2 update, needs more investigations.

SAML_IDP_DJANGO_USERNAME_FIELD is only used for nameid forgery, this features is completely delegated to attribute processors so it must be handled in their configurations.

so this
SAML_IDP_DJANGO_USERNAME_FIELD = 'username'

should me moved after
'processor': 'idp.processors.LdapAcademiaProcessor',

and should take this name
'nameid_attribute':

Fare in modo che certi utenti ad un determinato sp non possano nemmeno arrivare.

Disable a specific user to a specific SP.

[Support] How to release attributes ( map value) which are in other tables other the User table ?

If a SP authnrequest have allowcreate in its Nameid declaration, the targetedId Will be stored in PersistentId model only if Nameid format Is different from transient.

https://github.com/UniversitaDellaCalabria/uniAuth/blob/master/idp/ldap_auth.py#L54
and
https://github.com/UniversitaDellaCalabria/uniAuth/blob/master/idp/multildap_auth.py#L62

This is probably quite useless with the latest processors updates.

This https://github.com/UniversitaDellaCalabria/uniAuth/blob/master/idp/processors.py#L43 would use instead nameid_attribute.

This must be done before this one:
#8

This could also facilitate an easy migration from shibboleth persistent id entries.

Display SP name and logo in login page

If an SP entityID is present in the MetadataStore but not have been yet defined in ServiceProviders model, It should be allowed to make an authentication.

Add DISALLOW_UNDEFINED_SP to saml2 idp global configuration to disallow this behaviour and only accept authentication by already configured SP.

An undefined SP could came from an indentity federation, where would be impossibile to classify each SP by their entityID manually (or via metadata processing). If an undefined SP would authenticate and DISALLOW_UNDEFINED_SP is set to False (as expected with the inner default behaviour) the idp should:

1. Check if SP exposes some attributes as required in its metadata (need a metadata store query);

   • If true: release only the required and even the optional attributes to the SP;
   • If false: release the default set of attributes configured in the global configuration;
   • If some required attributes from the SP should be absent -> expose an error message explaining to the user that the IdP cannot release some of the required attributes (expose them) and bring him to the technical assistance of the SP;

2. Add a SP option called "force available attributes release" (default=False) -> this ignores required/optional attributes and release attributes configured in the global configuration;

3. Every undefined SP when allowed to do authnrequests will be classified in the ServiceProvider model, with the attributes that it requested and the Default attribute processor available in the global configuration (the default one);

4. Once an undefined SP have been made its authentication on the IdP it will be classified. If the sysadmin will disable it by hands -> the SP cannot do auth anymore. If the sysadmin will change the attr processor in "Attribute mapping" json field, it will persist. If its required attributes will changes and "force available attributes release" is set to False, the attributes released will be updated into the "Attribute mapping" json field.

5. Add "last_seen" datetime attribute to ServiceProvider Model to collect the last authentication datetime of the SP.

This feature permit uniAuth to deal with large federation.
Test todo: idem test federation testbed.

Shibolleth IdP AACLI is a powerfull utility that permits to test the attributes release of a specified user with a specified requester_id (sp entityID) without knowing the user's password.

this is a very important utility for a production grade software.

When this function calls get_nameid_unspecified(), it is currently passing in too many arguments for get_nameid_unspecified() to process.

A solution would be to add **kwargs as a parameter to the definition of get_nameid_unspecified() here.

I found out about this bug when I was trying to log in to a service provider that was asking for the unspecified nameid format.

Please clear how to link the database (e.g. mysql) to uniauth.

This issues must be done before this one: #9

Create a default attribute mapping, called DEFAULT_ATTR_MAP.

into processors.create_identity method:
swap out_attr<->user_attr to permit a list of attributes:

• if type->list: the first occourrence will be used (an iteration is needed);
• if type->str: takes it

this permit us to handle a generalized map that works with multiple attr processors by default.
Each SP attr mapping could be also specialized one by one where needed.

Code Version

Master Branch

Expected Behavior

There shouldn't be an LDAP error when LDAP is specified to be disabled.

Current Behavior

When logging in from an SP (while 'ldap_peoples' and 'multildap' are removed from INSTALLED_APPS in django_idp/settingslocal.py), I get an LDAPSocketOpenError from the IdP.

Possible Solution

I solved this by commenting out all the code under # pyMultiLDAP related in settingslocal.py. Doing this gave me an error that LDAP_CONNECTIONS has no attribute, so I just set LDAP_CONNECTIONS = {} to get around this. After, I was able to log in using a test SP.

A permanent solution might be to refrain from running all LDAP-related code when ldap_peoples and multildap are disabled.

Steps to Reproduce

1. Set up django_idp using the documentation, and add a test SP to test login.
2. Remove ldap_peoples and multildap from INSTALLED_APPS in django_idp/settingslocal.py
3. Try logging in from SP, and see the LDAPSocketOpenError in the CLI and IdP UI.

name_id_format shoudl be handled and memorized in the sp config, in sso_init.
Then refactored its pointers in AAcli (TargetedID: None when metadata have different structures) and in uniauth.views.IdPHandlerMixin class

It would be useful to have a management command to query an entityId and get its metadata from pySAML2 Metadata store. Something like:

./manage.py mdquery https://that.sp.entity.id/Shibboleth/metadata

This would a be good test for an entity presence and validity. That's trivial following this:
https://github.com/UniversitaDellaCalabria/uniAuth/blob/master/uniauth/models.py#L109

Document a typical migration from shibboleth IdP 3.x.y

attributes --> {'displayName': 'pranay', 'eduPersonPrincipalName': 'vjpranay', 'eduPersonTargetedID': 1234456, 'mail': ['[email protected]', '[email protected]']}

Error from pysaml2 says
{'exception': AttributeError("'int' object has no attribute 'extend'"), 'status': 500} from pysaml2

How can be this be fixed ?

Thank you

As made in djangosaml2 also in uniauth we should handle SAML session in a separate cookie configured as SameSite=None.
Here how to made it: IdentityPython/djangosaml2@23f25b6

in https://github.com/UniversitaDellaCalabria/uniAuth/blob/master/uniauth/views.py#L305

the IdP should have a default attr policy and customized policy for each SP.
example in settings.py, where '' meand default, an entityID should apply only on the corresponding SP.

SAML_ATTRIBUTE_POLICIES = {
                   '':  [{'package': 'uniauth.policies',
                         'policy_name': 'regexp_match',
                         'attribute_name': 'schacHomeOrganization',
                         'kwargs': {'regexp':'\.*unical.it',}},
                        ]
}

At the same way some attribute rewriter

SAML_ATTRIBUTE_REWRITERS = {
                   'that.ugly.sp':  [{'package': 'uniauth.rewriters',
                         'rewriter_name': 'replace',
                         'attribute_name': 'schacHomeOrganization',
                         'kwargs': {'from_str': 'unical', 'to_str': 'lacinu',}},

                          {'package': 'uniauth.rewriters',
                           'rewriter_name': 'regexp_replace',
                           'attribute_name': 'schacHomeOrganization',
                           'kwargs': {'regexp': 'unical', 'sub': 'gnocc',}},

                          {'package': 'uniauth.rewriters',
                           'rewriter_name': 'add_static_attribute',
                           'attribute_name': 'schacHomeOrganization',
                          'kwargs': {'value': 'ingoalla',}}
                        ]
}

rewriters result example:

schacHomeOrganization: unical.it
schacHomeOrganizationType: university
schacHomeOrganizationType: educationInstitution

if accounts doesn't have some common attribute values.

policies result example:
Filter out an Affiliation without a value "member"

After forceAuthn implementation the parse_authn_request was replicated into decorators.
We should leave it and fill a request.session variable containing the new req_info objects then remove the parse_authn_requests from views.

adfs 2019
python 3.6
uniAuth

Tutorial on using uniauth in ADFs 2019
FederationMetadata.zip
Based on this metadatastore generation idp.xml

This code MUST be improved

@francesco-filicetti ^

I just want to attract your attention to the fact that there is an existing, open-source project called Uniauth, of which the goal is exactly what you are doing:

https://github.com/lgoodridge/django-uniauth

I am very confused as to why you would create a completely new project, rather than integrate pysaml2 to this existing project.

Is it just a problem of NIH?