proto = 'https'
if not args['saml_secure_setup']:
proto = 'http'
- url = '%s://%s' % (proto, args['hostname'])
+
+ port_str = ''
+ if args['port']:
+ port_str = ':%s' % args['port']
+
+ url = '%s://%s%s' % (proto, args['hostname'], port_str)
url_sp = url + args['saml_sp']
url_logout = url + args['saml_sp_logout']
url_post = url + args['saml_sp_post']
m.add_certs(c)
m.add_service(SAML2_SERVICE_MAP['logout-redirect'], url_logout)
m.add_service(SAML2_SERVICE_MAP['response-post'], url_post, index="0")
+ m.add_allowed_name_format(SAML2_NAMEID_MAP[args['saml_nameid']])
sp_metafile = os.path.join(path, 'metadata.xml')
m.output(sp_metafile)
saml_protect = 'info'
saml_auth = '<Location %s>\n' \
' MellonEnable "auth"\n' \
+ ' Header append Cache-Control "no-cache"\n' \
'</Location>\n' % args['saml_auth']
psp = '# '
saml_secure = 'Off'
ssl_require = '#'
ssl_rewrite = '#'
+ if args['port']:
+ ssl_port = args['port']
+ else:
+ ssl_port = '443'
+
if args['saml_secure_setup']:
saml_secure = 'On'
ssl_require = ''
'saml_auth': saml_auth,
'ssl_require': ssl_require,
'ssl_rewrite': ssl_rewrite,
+ 'ssl_port': ssl_port,
'sp_hostname': args['hostname'],
+ 'sp_port': port_str,
'sp': psp}
files.write_from_template(SAML2_CONFFILE, SAML2_TEMPLATE, samlopts)
action='version', version='%(prog)s 0.1')
parser.add_argument('--hostname', default=socket.getfqdn(),
help="Machine's fully qualified host name")
+ parser.add_argument('--port', default=None,
+ help="Port number that SP listens on")
parser.add_argument('--admin-user', default='admin',
help="Account allowed to create a SP")
parser.add_argument('--httpd-user', default='apache',
help="Post response URL")
parser.add_argument('--saml-secure-setup', action='store_true',
default=True, help="Turn on all security checks")
+ parser.add_argument('--saml-nameid', default='unspecified',
+ choices=SAML2_NAMEID_MAP.keys(),
+ help="SAML NameID format to use")
parser.add_argument('--debug', action='store_true', default=False,
help="Turn on script debugging")
parser.add_argument('--config-profile', default=None,
args = parse_config_profile(args)
if len(args['hostname'].split('.')) < 2:
- raise ValueError('Hostname: %s is not a FQDN.')
+ raise ValueError('Hostname: %s is not a FQDN.' % args['hostname'])
+
+ if args['port'] and not args['port'].isdigit():
+ raise ValueError('Port number: %s is not an integer.' % args['port'])
+
+ # Validate that all path options begin with '/'
+ path_args = ['saml_base', 'saml_auth', 'saml_sp', 'saml_sp_logout',
+ 'saml_sp_post']
+ for path_arg in path_args:
+ if not args[path_arg].startswith('/'):
+ raise ValueError('--%s must begin with a / character.' %
+ path_arg.replace('_', '-'))
+
+ # The saml_sp setting must be a subpath of saml_base since it is
+ # used as the MellonEndpointPath.
+ if not args['saml_sp'].startswith(args['saml_base']):
+ raise ValueError('--saml-sp must be a subpath of --saml-base.')
+
+ # The saml_sp_logout and saml_sp_post settings must be subpaths
+ # of saml_sp (the mellon endpoint).
+ path_args = ['saml_sp_logout', 'saml_sp_post']
+ for path_arg in path_args:
+ if not args[path_arg].startswith(args['saml_sp']):
+ raise ValueError('--%s must be a subpath of --saml-sp' %
+ path_arg.replace('_', '-'))
# At least one on this list needs to be specified or we do nothing
sp_list = ['saml']