Hi Scott,
On 3 Apr 2019, at 18:26, Scott Koranda wrote:
> Hi,
>
> Right now the saml2.py in src/satosa/backends/ has
>
>     def disco_query(self):
>         """
>         Makes a request to the discovery server
>
>         :type context: satosa.context.Context
>         :type internal_req: satosa.internal.InternalData
>         :rtype: satosa.response.SeeOther
>
>         :param context: The current context
>         :param internal_req: The request
>         :return: Response
>         """
>         return_url = self.sp.config.getattr("endpoints",
>                                             "sp")["discovery_response"][0][0]
>         loc = self.sp.create_discovery_service_request(self.discosrv,
>                                                        self.sp.config.entityid,
>                                                        **{"return": return_url})
>         return SeeOther(loc)
> Essentially this restricts the flow to one and only one IdP discovery
> service that is configured statically.
>
> I propose that this method be enhanced so that it can inspect the context
> and internal data and, if it finds a URL for the discovery service to use,
> it overrides what is in the configuration.
>
> Then one can configure a request microservice that uses some logic to set
> the URL for the discovery service, such as which SP the authentication
> request came from.
This is something that we also need, but we did not manage to put it in
our roadmap yet.
> Since the comment for the method already includes a mention of the context
> and internal data, I suspect this functionality was designed but never
> implemented.
>
> Any objections to me implementing it?
Please go for it and I would be happy to provide feedback/testing
> Any other comments or input?
As a matter of fact yes: there were two things regarding SATOSA and
discovery that I had in my longer term todo list. This was the first
one. The second is that sometimes it might be useful that the discovery
service itself knows which SP the user is trying to access. In the
classic scenario without the proxy, the discovery service can get this
information, but when a proxy like SATOSA is in the middle then the
discovery service always sees the proxy as the SP requesting the
discovery process (which technically is correct).

Thanks a lot for picking this up.
Christos
> Thanks,
>
> Scott K
> _______________________________________________
> Satosa-dev mailing list
> Satosa-dev at lists.sunet.se
> https://lists.sunet.se/listinfo/satosa-dev
--
Christos Kanellopoulos
Senior Trust & Identity Manager
GÉANT
M: +31 611 477 919
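How Scott's proposed override and a per-SP request microservice could fit together, as an added example that is not SATOSA's code: `Context`, `InternalData` and the pysaml2 client are constructed stand-ins, and `DiscoSelector`, `STATE_KEY` and the discovery-service allowlist are assumptions, not part of the project. The allowlist is the check a reviewer would want, since a state value chosen by a microservice ends up as a redirect target.

```python
from urllib.parse import urlencode

STATE_KEY = "discovery_service_url"  # assumed: key the microservice writes

# Constructed stand-ins for the SATOSA/pysaml2 objects; the real ones are
# satosa.context.Context, satosa.internal.InternalData and the pysaml2 client.
class Context:
    def __init__(self, state=None):
        self.state = state if state is not None else {}

class InternalData:
    def __init__(self, requester):
        self.requester = requester  # entityID of the SP that sent the request

class FakeSP:
    def __init__(self, entityid, return_url):
        self.entityid, self.return_url = entityid, return_url

    def create_discovery_service_request(self, url, entity_id, **kwargs):
        # Same shape as pysaml2's helper: discovery URL plus entityID/return query
        return "%s?%s" % (url, urlencode({"entityID": entity_id, **kwargs}))

class DiscoSelector:
    """Assumed request microservice: choose a discovery service per requester."""
    def __init__(self, per_sp):
        self.per_sp = per_sp

    def process(self, context, data):
        url = self.per_sp.get(data.requester)
        if url:
            context.state[STATE_KEY] = url
        return data

class SAMLBackend:
    def __init__(self, sp, discosrv, allowed_discosrvs=()):
        self.sp = sp
        self.discosrv = discosrv  # statically configured default, as today
        # Overrides must come from this allowlist, otherwise state written by a
        # microservice (possibly from request-derived input) becomes a redirect.
        self.allowed = set(allowed_discosrvs) | {discosrv}

    def disco_url(self, context):
        override = context.state.get(STATE_KEY)
        return override if override in self.allowed else self.discosrv

    def disco_query(self, context, internal_req):
        loc = self.sp.create_discovery_service_request(
            self.disco_url(context), self.sp.entityid, **{"return": self.sp.return_url})
        return loc  # the real backend wraps this in SeeOther(loc)
```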