
Metadata Namespaces #131


Description

@msunardi

I cannot get the SP metadata to come out with the expected namespace prefixes. I expect the tags to carry the conventional prefixes used in sp_metadata.xml, but the metadata my SP serves uses auto-generated prefixes (`ns0:`, `ns1:`, `ns2:`), each declared against the correct namespace URI. Is this a configuration problem on my side, and is it something an IdP will reject? Any ideas?
I'm using python==3.6.5, django==1.11, djangosaml2==0.17.2, pysaml2==4.6.2

This is the metadata I got from http://localhost:8000/saml2/metadata/ (the certificate body is omitted):

<!-- SP metadata as served by djangosaml2.  The ns0/ns1/ns2 prefixes are
     generated by the serializer; each is declared against the standard
     namespace URI (SAML 2.0 metadata, algsupport, xmldsig), and a
     namespace-aware consumer matches elements by URI, not by prefix text.
     NOTE(review): entityID has no scheme ("localhost:8000/..."), copied
     verbatim from the 'entityid' setting; IdPs normally expect an absolute
     URI, and it must match what the IdP has on record for this SP. -->
<ns0:EntityDescriptor xmlns:ns0="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ns1="urn:oasis:names:tc:SAML:metadata:algsupport" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" entityID="localhost:8000/saml2/metadata" validUntil="2018-09-20T20:13:45Z">
  <!-- Algorithm advertisement.  NOTE(review): md5, sha1, rsa-md5, rsa-sha1
       and dsa-sha1 are all listed as acceptable - presumably everything the
       local xmlsec1 build supports rather than a deliberate policy.  An IdP
       that honours this list may sign with SHA-1 or MD5; restrict it, and
       check what pysaml2 accepts on inbound signatures, before production. -->
  <ns0:Extensions>
    <ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#md5"/>
    <ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#ripemd160"/>
    <ns1:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha224"/>
    <ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
    <ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha384"/>
    <ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
    <ns1:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
    <ns1:SigningMethod Algorithm="http://www.w3.org/2009/xmldsig11#dsa-sha256"/>
    <ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-md5"/>
    <ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-ripemd160"/>
    <ns1:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha224"/>
    <ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"/>
    <ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
  </ns0:Extensions>
  <!-- NOTE(review): AuthnRequestsSigned="false" - this SP sends unsigned
       AuthnRequests, so the IdP cannot tell them from forged ones.  The
       corresponding pysaml2 SP option (authn_requests_signed, if I have the
       name right) is not set in the config below.  WantAssertionsSigned="true"
       is the half that protects the SP and it is set. -->
  <ns0:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <!-- Only a signing key is published; 'encryption_keypairs' is commented
         out in the settings, so the IdP has no key to encrypt assertions to
         this SP. -->
    <ns0:KeyDescriptor use="signing">
      <ns2:KeyInfo>
        <ns2:X509Data>
          <ns2:X509Certificate>
            <!-- omitted -->
          </ns2:X509Certificate>
        </ns2:X509Data>
      </ns2:KeyInfo>
    </ns0:KeyDescriptor>
    <!-- Plain http:// endpoints, taken from the 'endpoints' setting.  Fine on
         localhost; on a real host assertions and the session cookie would
         cross the wire in clear, so these must become https:// URLs. -->
    <ns0:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost:8000/saml2/ls/"/>
    <ns0:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8000/saml2/ls/post"/>
    <ns0:NameIDFormat>
    urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
    </ns0:NameIDFormat>
    <ns0:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8000/saml2/acs/" index="1"/>
    <!-- ServiceName is empty although 'name' is set in the settings; unclear
         from here whether 'name' is meant to populate it.  The single
         RequestedAttribute mirrors required_attributes=['uid']. -->
    <ns0:AttributeConsumingService index="1">
      <ns0:ServiceName xml:lang="en"/>
      <ns0:RequestedAttribute FriendlyName="uid" Name="urn:oid:0.9.2342.19200300.100.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
    </ns0:AttributeConsumingService>
  </ns0:SPSSODescriptor>
  <!-- NOTE(review): SurName here is "surname" while the settings below say
       'sur_name': 'lastname' - the pasted output and the pasted config may
       not come from the same run. -->
  <ns0:ContactPerson contactType="technical">
    <ns0:Company>company</ns0:Company>
    <ns0:GivenName>firstname</ns0:GivenName>
    <ns0:SurName>surname</ns0:SurName>
    <ns0:EmailAddress>[email protected]</ns0:EmailAddress>
  </ns0:ContactPerson>
</ns0:EntityDescriptor>

These are my djangosaml2 settings, appended to the end of settings.py (unrelated settings are hidden, and the real IdP entity ID and URLs are redacted with placeholders):

# Django app registry; the project's other apps are elided with `...`.
# 'djangosaml2' is the app that serves the /saml2/... views (metadata, acs,
# ls) referenced by the endpoint URLs in SAML_CONFIG below.
INSTALLED_APPS = [
   ...
    'djangosaml2'
]

# the other settings are hidden
# ...

# Backends Django consults in order: its default password backend first, then
# the SAML backend that maps IdP assertions onto local users.
# NOTE(review): keeping ModelBackend means locally created accounts (a
# superuser, say) can still sign in without going through the IdP - confirm
# that is intended before deploying.  Reporter's observation: the namespace
# output is the same with or without ModelBackend.
AUTHENTICATION_BACKENDS = 'django.contrib.auth.backends.ModelBackend', 'djangosaml2.backends.Saml2Backend'

# Unauthenticated requests to login-protected views are redirected here, i.e.
# into the SAML login flow rather than Django's password form.
# NOTE(review): no trailing slash, unlike the /saml2/acs/ and /saml2/ls/
# endpoints in SAML_CONFIG; harmless if APPEND_SLASH redirects, but it is
# cleaner to match the URLconf exactly.
LOGIN_URL = '/saml2/login'
# Session cookie is not persisted across browser restarts.  This is a
# Django-level setting only; it does not by itself cap the session lifetime
# (see SESSION_COOKIE_AGE) or tie it to any limit the IdP asserts.
SESSION_EXPIRE_AT_BROWSER_CLOSE = True


from os import path
import saml2
import saml2.saml
# Absolute directory of this settings module; the key, certificate and
# attribute-map paths in SAML_CONFIG are resolved relative to it.
BASEDIR = path.abspath(path.dirname(__file__))
# pysaml2 configuration consumed by djangosaml2.  Values in angle brackets or
# written as '...' are placeholders redacted from the bug report.
SAML_CONFIG = {
  # full path to the xmlsec1 binary programm (does the XML signing/verification)
  'xmlsec_binary': '/usr/bin/xmlsec1',

  # your entity id, usually your subdomain plus the url to the metadata view
  # NOTE(review): no scheme, so the entityID in the emitted metadata is not
  # an absolute URI ("localhost:8000/..."), while the metadata view itself is
  # served at http://localhost:8000/saml2/metadata/.  Use the exact URL the
  # IdP has registered for this SP, or responses addressed to it may be
  # rejected.
  'entityid': 'localhost:8000/saml2/metadata',

  # directory with attribute mapping
  'attribute_map_dir': path.join(BASEDIR, 'attribute-maps'),

  # this block states what services we provide
  'service': {
      # we are just a lonely SP
      'sp' : {
          # NOTE(review): this name does not appear in the emitted metadata
          # (ServiceName there is empty) - unclear whether it is meant to.
          'name': 'Federated Django sample SP',
          'name_id_format': saml2.saml.NAMEID_FORMAT_PERSISTENT,
          # NOTE(review): nothing here asks for AuthnRequests to be signed,
          # which is why the metadata shows AuthnRequestsSigned="false".
          # All endpoints are plain http:// - acceptable for localhost only.
          'endpoints': {
              # url and binding to the assetion consumer service view
              # do not change the binding or service name
              'assertion_consumer_service': [
                  ('http://localhost:8000/saml2/acs/',
                   saml2.BINDING_HTTP_POST),
                  ],
              # url and binding to the single logout service view
              # do not change the binding or service name
              'single_logout_service': [
                  ('http://localhost:8000/saml2/ls/',
                   saml2.BINDING_HTTP_REDIRECT),
                  ('http://localhost:8000/saml2/ls/post',
                   saml2.BINDING_HTTP_POST),
                  ],
              },

           # attributes that this project need to identify a user
           # (shows up as RequestedAttribute isRequired="true" in the metadata)
          'required_attributes': ['uid'],

           # attributes that may be useful to have but not required
          # 'optional_attributes': ['eduPersonAffiliation'],

          # in this section the list of IdPs we talk to are defined
          'idp': {
              # we do not need a WAYF service since there is
              # only an IdP defined here. This IdP should be
              # present in our metadata
              # NOTE(review): these hard-coded endpoints overlap with what the
              # remote metadata below provides; if they ever diverge it is
              # not obvious from here which one pysaml2 prefers - verify.

              # the keys of this dictionary are entity ids
              '<the idp entityId>': {
                  'single_sign_on_service': {
                      saml2.BINDING_HTTP_REDIRECT: '...', # some url (redacted)
                      },
                  'single_logout_service': {
                      saml2.BINDING_HTTP_REDIRECT: '...', # some url (redacted)
                      },
                  },
              },
          },
      },

  # where the remote metadata is stored
  'metadata': {
      'remote': [{
            "url": "..." # url to remote metadata (redacted)
            # NOTE(review): no verification certificate is configured, so the
            # fetched metadata is trusted as-is.  If the IdP signs its
            # metadata, supply the signing cert (pysaml2 accepts a 'cert'
            # key next to 'url', as far as I recall) so a tampered copy
            # cannot swap the IdP's keys or endpoints.
      }],
  },

  # set to 1 to output debugging information
  # NOTE(review): debug output can include request/response contents;
  # switch it off outside development.
  'debug': 1,

  # Signing
  # NOTE(review): the private key lives next to settings.py; keep it out of
  # version control and readable only by the service account.
  'key_file': path.join(BASEDIR, 'this.key'),  # private part
  'cert_file': path.join(BASEDIR, 'this.pem'),  # public part

  # Encryption
  # (commented out, hence only a use="signing" KeyDescriptor in the metadata
  # and no way for the IdP to encrypt assertions to this SP)
  # 'encryption_keypairs': [{
  #     'key_file': path.join(BASEDIR, 'my_encryption_key.key'),  # private part
  #     'cert_file': path.join(BASEDIR, 'my_encryption_cert.pem'),  # public part
  # }],

  # own metadata settings
  # NOTE(review): 'sur_name' here is 'lastname' but the pasted metadata shows
  # <SurName>surname</SurName> - the two pastes may be from different runs.
  'contact_person': [
      {'given_name': 'firstname',
       'sur_name': 'lastname',
       'company': 'company',
       'email_address': '[email protected]',
       'contact_type': 'technical'},
      # {'given_name': 'Angel',
      #  'sur_name': 'Fernandez',
      #  'company': 'Yaco Sistemas',
      #  'email_address': '[email protected]',
      #  'contact_type': 'administrative'},
      ],
  # you can set multilanguage information here
  # 'organization': {
  #     'name': [('Yaco Sistemas', 'es'), ('Yaco Systems', 'en')],
  #     'display_name': [('Yaco', 'es'), ('Yaco', 'en')],
  #     'url': [('http://www.yaco.es', 'es'), ('http://www.yaco.com', 'en')],
  #     },
  'valid_for': 24,  # how long is our metadata valid (presumably hours; drives validUntil in the output)
  }
