Hi,
I need 2 features that I don't see implemented, unless I didn't find them.
a) Our IdP uses ResponseLocation in addition to Location for its SingleLogoutService.
I.e. its metadata contains:
<ns0:SingleLogoutService
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    Location="https://<idp url>/idp/saml2/slo"
    ResponseLocation="https://<idp url>/idp/saml2/slo_return"
/> <!-- ResponseLocation is the extra URL -->
But it seems that using this second URL (optional in the SAML spec) isn't supported in python3-saml.
To implement it, it seems that we would need to:
- Support the response location URL in OneLogin_Saml2_Settings.
- Update logic in OneLogin_Saml2_Auth.process_slo in the case of SAMLResponse to use that URL when available or fall back on the current one.
b) Our IdP seems to require NameQualifier to be passed as an attribute of NameID in the LogoutRequest resulting from a logout initiated on the SP side.
<saml:NameID
    Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
>transient id</saml:NameID> <!-- NameQualifier attribute missing here -->
I see that the NameQualifier is included in the login assertion, and I think we can access it and keep track of it in our session. For the rest of the implementation we would have to:
- Modify OneLogin_Saml2_Auth.logout to accept name_qualifier and pass it to OneLogin_Saml2_Logout_Request.
- Modify OneLogin_Saml2_Logout_Request to accept name_qualifier and pass it to OneLogin_Saml2_Utils.generate_name_id.
- Modify OneLogin_Saml2_Utils.generate_name_id to accept name_qualifier and use it when building the XML element.
Would supporting these features fit with the project vision?
Would you implement them, or accept pull requests matching the high level implementations described above?
Thank you.
Pierre
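As an added example, not code from the issue author or from python3-saml, the two pieces of SP-side logic described above: reading the IdP's SingleLogoutService from metadata so that a LogoutResponse goes to ResponseLocation and falls back to Location when ResponseLocation is absent, and remembering the NameQualifier from the login assertion's NameID so it can be reproduced on the SP-initiated LogoutRequest. The metadata fragment, the assertion and the `idp.example` host are constructed placeholders; the function names (`slo_endpoints`, `name_qualifier_from_assertion`, `build_name_id`) are hypothetical and are not the library's API.

```python
"""Constructed example (not python3-saml code): SLO ResponseLocation fallback and
NameQualifier propagation from the login assertion to a LogoutRequest NameID."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed IdP metadata; the host name is a placeholder.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example/idp/saml2/slo"
        ResponseLocation="https://idp.example/idp/saml2/slo_return"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed login assertion whose NameID carries a NameQualifier.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
        NameQualifier="https://idp.example/idp">_transient-id-123</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""


def slo_endpoints(metadata_xml, binding=HTTP_REDIRECT):
    """Return {'url', 'response_url'} for the IdP SLO endpoint with the given binding.

    ResponseLocation is optional in SAML metadata, so when it is absent the
    LogoutResponse is sent to Location. Both values come from the IdP metadata
    the SP already trusts, never from the inbound LogoutRequest.
    """
    root = ET.fromstring(metadata_xml)
    for svc in root.iterfind(".//md:IDPSSODescriptor/md:SingleLogoutService", NS):
        if svc.get("Binding") != binding:
            continue
        location = svc.get("Location")
        if not location:
            raise ValueError("SingleLogoutService without Location")
        return {"url": location,
                "response_url": svc.get("ResponseLocation") or location}
    raise ValueError("no SingleLogoutService for binding %s" % binding)


def name_qualifier_from_assertion(assertion_xml):
    """Read NameQualifier from the Subject NameID so the SP can store it in its session.

    Returns None when the IdP did not qualify the NameID.
    """
    root = ET.fromstring(assertion_xml)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None:
        return None
    return name_id.get("NameQualifier")


def build_name_id(value, name_format, name_qualifier=None, sp_name_qualifier=None):
    """Serialise the saml:NameID for a LogoutRequest.

    NameQualifier / SPNameQualifier are emitted only when supplied, so an IdP
    that does not use them gets the same element as before; attribute values
    and text are XML-escaped.
    """
    attrs = ["Format=%s" % quoteattr(name_format)]
    if name_qualifier:
        attrs.append("NameQualifier=%s" % quoteattr(name_qualifier))
    if sp_name_qualifier:
        attrs.append("SPNameQualifier=%s" % quoteattr(sp_name_qualifier))
    return '<saml:NameID xmlns:saml="%s" %s>%s</saml:NameID>' % (
        NS["saml"], " ".join(attrs), escape(value))


if __name__ == "__main__":
    endpoints = slo_endpoints(IDP_METADATA)
    print("send LogoutRequest to:  ", endpoints["url"])
    print("send LogoutResponse to: ", endpoints["response_url"])
    # Value the SP would keep in its session after processing the login response.
    qualifier = name_qualifier_from_assertion(ASSERTION)
    print(build_name_id("_transient-id-123", TRANSIENT, name_qualifier=qualifier))
```

The fallback in `slo_endpoints` is the behaviour the issue asks for in `process_slo`: it only changes where the response is sent when the metadata actually declares a ResponseLocation. Keeping the destination bound to the trusted metadata rather than to anything in the received LogoutRequest is what prevents the SLO response from being redirected elsewhere.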