If the authenticated path doesn't reside under saml_base (which
defaults to /) then mod_auth_mellon can't find the IdP.
https://fedorahosted.org/ipsilon/ticket/163
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
if not args['saml_sp'].startswith(args['saml_base']):
raise ValueError('--saml-sp must be a subpath of --saml-base.')
+ # The samle_auth setting must be a subpath of saml_base otherwise
+ # the IdP cannot be identified by mod_auth_mellon.
+ if not args['saml_auth'].startswith(args['saml_base']):
+ raise ValueError('--saml-auth must be a subpath of --saml-base.')
+
# The saml_sp_logout, saml_sp_post and saml_sp_paos settings must
# be subpaths of saml_sp (the mellon endpoint).
path_args = {'saml_sp_logout': 'logout',
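Review bot: the added check uses a plain string prefix test, so `args['saml_auth'].startswith(args['saml_base'])` accepts values that are not subpaths (for example a base of `/saml` and an auth path of `/samlfoo`), and it also lets a case like base `/` and auth `/` through without a trailing separator; consider comparing against the base with a guaranteed trailing `/` (or `posixpath.normpath` on both sides) so only real subpaths pass, and the same weakness exists in the `saml_sp` check just above it. Also, the new comment reads "samle_auth" where "saml_auth" is meant, and it would help to say in the commit message or comment that the default of `/` is why this check rarely fires in practice.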