-# Copyright (C) 2014 Simo Sorce <simo@redhat.com>
-#
-# see file 'COPYING' for use and warranty information
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
+# Copyright (C) 2014 Ipsilon project Contributors, for license see COPYING
from ipsilon.providers.common import ProviderBase, ProviderPageBase, \
ProviderInstaller
self.stage = transdata['saml2_stage']
if user.is_anonymous:
- self._debug("User is marked anonymous?!")
+ self.debug("User is marked anonymous?!")
# TODO: Return to SP with auth failed error
raise cherrypy.HTTPError(401)
- self._debug('Continue auth for %s' % user.name)
+ self.debug('Continue auth for %s' % user.name)
if 'saml2_request' not in transdata:
- self._debug("Couldn't find Request dump?!")
+ self.debug("Couldn't find Request dump?!")
# TODO: Return to SP with auth failed error
raise cherrypy.HTTPError(400)
dump = transdata['saml2_request']
try:
login = self.cfg.idp.get_login_handler(dump)
except Exception, e: # pylint: disable=broad-except
- self._debug('Failed to load status from dump: %r' % e)
+ self.debug('Failed to load status from dump: %r' % e)
if not login:
- self._debug("Empty Request dump?!")
+ self.debug("Empty Request dump?!")
# TODO: Return to SP with auth failed error
raise cherrypy.HTTPError(400)
def __init__(self, *args, **kwargs):
super(SLO, self).__init__(*args, **kwargs)
- self._debug('SLO init')
+ self.debug('SLO init')
self.Redirect = RedirectLogout(*args, **kwargs)
# one week
METADATA_RENEW_INTERVAL = 60 * 60 * 24 * 7
-# 30 days
-METADATA_VALIDITY_PERIOD = 30
+# five years (approximately)
+METADATA_DEFAULT_VALIDITY_PERIOD = 365 * 5
class Metadata(ProviderPageBase):
idp_cert = Certificate()
idp_cert.import_cert(self.cfg.idp_certificate_file,
self.cfg.idp_key_file)
+
+ validity = int(self.cfg.idp_metadata_validity)
meta = IdpMetadataGenerator(self.instance_base_url(), idp_cert,
- timedelta(METADATA_VALIDITY_PERIOD))
+ timedelta(validity))
body = meta.output()
with open(self.cfg.idp_metadata_file, 'w+') as m:
m.write(body)
'/var/lib/ipsilon/saml2'),
pconfig.String(
'idp metadata file',
- 'The IdP Metadata file genearated at install time.',
+ 'The IdP Metadata file generated at install time.',
'metadata.xml'),
+ pconfig.String(
+ 'idp metadata validity',
+ 'The IdP Metadata validity period (in days) to use when '
+ 'generating new metadata.',
+ METADATA_DEFAULT_VALIDITY_PERIOD),
pconfig.String(
'idp certificate file',
- 'The IdP PEM Certificate genearated at install time.',
+ 'The IdP PEM Certificate generated at install time.',
'certificate.pem'),
pconfig.String(
'idp key file',
- 'The IdP Certificate Key genearated at install time.',
+ 'The IdP Certificate Key generated at install time.',
'certificate.key'),
pconfig.String(
'idp nameid salt',
return os.path.join(self.idp_storage_path,
self.get_config_value('idp metadata file'))
+ @property
+ def idp_metadata_validity(self):
+ return self.get_config_value('idp metadata validity')
+
@property
def idp_certificate_file(self):
return os.path.join(self.idp_storage_path,
try:
idp = IdentityProvider(self)
except Exception, e: # pylint: disable=broad-except
- self._debug('Failed to init SAML2 provider: %r' % e)
+ self.debug('Failed to init SAML2 provider: %r' % e)
return None
+ self._root.logout.add_handler(self.name, self.idp_initiated_logout)
+
# Import all known applications
data = self.get_data()
for idval in data:
try:
idp.add_provider(sp)
except Exception, e: # pylint: disable=broad-except
- self._debug('Failed to add SP %s: %r' % (sp['name'], e))
+ self.debug('Failed to add SP %s: %r' % (sp['name'], e))
return idp
if self.admin:
self.admin.add_sps()
+ def idp_initiated_logout(self):
+ """
+ Logout all SP sessions when the logout comes from the IdP.
+
+ For the current user only.
+ """
+ self.debug("IdP-initiated SAML2 logout")
+ us = UserSession()
+
+ saml_sessions = us.get_provider_data('saml2')
+ if saml_sessions is None:
+ self.debug("No SAML2 sessions to logout")
+ return
+ session = saml_sessions.get_next_logout(remove=False)
+ if session is None:
+ return
+
+ # Add a fake session to indicate where the user should
+ # be redirected to when all SP's are logged out.
+ idpurl = self._root.instance_base_url()
+ saml_sessions.add_session("_idp_initiated_logout",
+ idpurl,
+ "")
+ init_session = saml_sessions.find_session_by_provider(idpurl)
+ init_session.set_logoutstate(idpurl, "idp_initiated_logout", None)
+ saml_sessions.start_logout(init_session)
+
+ logout = self.idp.get_logout_handler()
+ logout.setSessionFromDump(session.session.dump())
+ logout.initRequest(session.provider_id)
+ try:
+ logout.buildRequestMsg()
+ except lasso.Error, e:
+ self.error('failure to build logout request msg: %s' % e)
+ raise cherrypy.HTTPRedirect(400, 'Failed to log out user: %s '
+ % e)
+
+ raise cherrypy.HTTPRedirect(logout.msgUrl)
+
class IdpMetadataGenerator(object):
def install_args(self, group):
group.add_argument('--saml2', choices=['yes', 'no'], default='yes',
help='Configure SAML2 Provider')
+ group.add_argument('--saml2-metadata-validity',
+ default=METADATA_DEFAULT_VALIDITY_PERIOD,
+ help=('Metadata validity period in days '
+ '(default - %d)' %
+ METADATA_DEFAULT_VALIDITY_PERIOD))
def configure(self, opts):
if opts['saml2'] != 'yes':
if opts['secure'].lower() == 'no':
proto = 'http'
url = '%s://%s/%s' % (proto, opts['hostname'], opts['instance'])
+ validity = int(opts['saml2_metadata_validity'])
meta = IdpMetadataGenerator(url, cert,
- timedelta(METADATA_VALIDITY_PERIOD))
- if 'krb' in opts and opts['krb'] == 'yes':
+ timedelta(validity))
+ if 'gssapi' in opts and opts['gssapi'] == 'yes':
meta.meta.add_allowed_name_format(
lasso.SAML2_NAME_IDENTIFIER_FORMAT_KERBEROS)
'idp metadata file': 'metadata.xml',
'idp certificate file': cert.cert,
'idp key file': cert.key,
- 'idp nameid salt': uuid.uuid4().hex}
+ 'idp nameid salt': uuid.uuid4().hex,
+ 'idp metadata validity': opts['saml2_metadata_validity']}
po.save_plugin_config(config)
# Update global config to add login plugin