providers/saml: set WantAuthnRequestsSigned in metadata
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
BeryJu committed Sep 11, 2023
1 parent 5b6fb4a commit 69973f1
Showing 2 changed files with 21 additions and 1 deletion.
2 changes: 2 additions & 0 deletions authentik/providers/saml/processors/metadata.py
Expand Up @@ -171,6 +171,8 @@ def build_entity_descriptor(self) -> str:
entity_descriptor, f"{{{NS_SAML_METADATA}}}IDPSSODescriptor"
)
idp_sso_descriptor.attrib["protocolSupportEnumeration"] = NS_SAML_PROTOCOL
if self.provider.verification_kp:
idp_sso_descriptor.attrib["WantAuthnRequestsSigned"] = "true"


signing_descriptor = self.get_signing_key_descriptor()
if signing_descriptor is not None:
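Review bot: The new `WantAuthnRequestsSigned="true"` attribute is emitted with no comment tying it to the behaviour it advertises, and this hunk shows nothing about where that behaviour is enforced. In SAML 2.0 metadata the attribute tells service providers that AuthnRequests sent to this IdP must be signed, so it should only be set if the request-handling path actually rejects unsigned requests whenever `verification_kp` is configured; otherwise the metadata over-promises, and I cannot confirm the enforcement from this hunk. A comment such as `# Advertise that AuthnRequests must be signed; keep in sync with signature enforcement for verification_kp` would make the coupling visible to the next maintainer. build_entity_descriptor starts before and continues past this hunk.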
20 changes: 19 additions & 1 deletion authentik/providers/saml/tests/test_metadata.py
Expand Up @@ -12,7 +12,7 @@
from authentik.providers.saml.models import SAMLBindings, SAMLPropertyMapping, SAMLProvider
from authentik.providers.saml.processors.metadata import MetadataProcessor
from authentik.providers.saml.processors.metadata_parser import ServiceProviderMetadataParser
from authentik.sources.saml.processors.constants import NS_MAP
from authentik.sources.saml.processors.constants import NS_MAP, NS_SAML_METADATA



class TestServiceProviderMetadataParser(TestCase):
Expand Down Expand Up @@ -55,6 +55,24 @@ def test_schema(self):
schema = etree.XMLSchema(etree.parse("schemas/saml-schema-metadata-2.0.xsd")) # nosec
self.assertTrue(schema.validate(metadata))

def test_schema_WantAuthnRequestsSigned(self):

Check warning on line 58 in authentik/providers/saml/tests/test_metadata.py

View check run for this annotation

Codecov / codecov/patch

authentik/providers/saml/tests/test_metadata.py#L58

Added line #L58 was not covered by tests
"""Test metadata generation with WantAuthnRequestsSigned"""
cert = create_test_cert()
provider = SAMLProvider.objects.create(

Check warning on line 61 in authentik/providers/saml/tests/test_metadata.py

View check run for this annotation

Codecov / codecov/patch

authentik/providers/saml/tests/test_metadata.py#L60-L61

Added lines #L60 - L61 were not covered by tests
name=generate_id(),
authorization_flow=self.flow,
verification_kp=cert,
)
Application.objects.create(

Check warning on line 66 in authentik/providers/saml/tests/test_metadata.py

View check run for this annotation

Codecov / codecov/patch

authentik/providers/saml/tests/test_metadata.py#L66

Added line #L66 was not covered by tests
name=generate_id(),
slug=generate_id(),
provider=provider,
)
request = self.factory.get("/")
metadata = lxml_from_string(MetadataProcessor(provider, request).build_entity_descriptor())
idp_sso_descriptor = metadata.findall(f"{{{NS_SAML_METADATA}}}IDPSSODescriptor")[0]
self.assertEqual(idp_sso_descriptor.attrib["WantAuthnRequestsSigned"], "true")

Check warning on line 74 in authentik/providers/saml/tests/test_metadata.py

View check run for this annotation

Codecov / codecov/patch

authentik/providers/saml/tests/test_metadata.py#L71-L74

Added lines #L71 - L74 were not covered by tests

def test_simple(self):
"""Test simple metadata without Signing"""
metadata = ServiceProviderMetadataParser().parse(load_fixture("fixtures/simple.xml"))
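Review bot: The new test pins only the positive case; nothing asserts that the attribute is absent when no `verification_kp` is configured, which is the default every provider emits and the branch the `if` in metadata.py guards. For a provider created without `verification_kp`, `self.assertNotIn("WantAuthnRequestsSigned", idp_sso_descriptor.attrib)` would cover that branch and guard against the attribute ever being emitted unconditionally. As a point of style, `test_schema_WantAuthnRequestsSigned` mixes CamelCase into a snake_case test name; `test_schema_want_authn_requests_signed` matches the surrounding tests. The `findall(...)[0]` in `idp_sso_descriptor = metadata.findall(...)[0]` fails with a bare IndexError if the descriptor is missing; `self.assertIsNotNone(metadata.find(f"{{{NS_SAML_METADATA}}}IDPSSODescriptor"))` first would give a clearer failure. test_simple, which follows the new test, continues past the hunk.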
