Hi,
(Apologies for sending this to the satosa-dev list, but I don't recall that
there is a dedicated pysaml2-dev email list?)
I submitted a pull request to pysaml2 that enables configuration of
signature verification for responses from an MDQ server:
https://github.com/rohe/pysaml2/pull/483
I formally clicked to ask Ioannis for a review but welcome feedback from
anyone.
The current code allows MDQ configuration like this:
metadata:
  mdq:
    - http://mdq.ukfederation.org.uk/
There is no way to specify a certificate to use to verify the signature
and there is no verification done.
The version in the pull request would still support that configuration
but would enable this configuration:
metadata:
  mdq:
    - url: http://mdq.ukfederation.org.uk/
      cert: /etc/satosa/ukfederation-mdq.pem
That follows the same configuration pattern as for remote metadata (i.e.
an aggregate downloaded from a URL).
I did both positive and negative tests with the UK MDQ server and the
InCommon beta MDQ server.
I also updated the config.rst metadata example to show the explicit
configuration.
Please let me know if you have any questions or concerns.
Thanks,
Scott K
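The two configuration shapes in the message (a bare MDQ URL with no signature verification, and a url/cert mapping that verifies responses against a PEM certificate) are what a loader has to accept side by side. The following is an added example, not pysaml2's or SATOSA's own code: it normalises both shapes into one record, rejects malformed entries, and flags sources whose metadata would not be signature-checked. The dict inputs are constructed to match what PyYAML produces for the YAML snippets above; the `MdqSource`, `normalize_mdq` and `audit` names are this example's own.

```python
import os
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional


@dataclass(frozen=True)
class MdqSource:
    """One MDQ server after normalisation (example type, not pysaml2's)."""
    url: str
    cert: Optional[str] = None  # PEM cert used to verify responses; None = no verification


# Constructed inputs: what PyYAML yields for the two snippets in the message.
LEGACY_CONFIG: Dict[str, Any] = {
    "mdq": ["http://mdq.ukfederation.org.uk/"],
}
SIGNED_CONFIG: Dict[str, Any] = {
    "mdq": [
        {"url": "http://mdq.ukfederation.org.uk/",
         "cert": "/etc/satosa/ukfederation-mdq.pem"},
    ],
}


def normalize_mdq(metadata_cfg: Dict[str, Any]) -> List[MdqSource]:
    """Accept both the bare-URL form and the url/cert mapping form.

    A bare string is kept for backwards compatibility and yields a source
    with cert=None, meaning responses from it are not signature-checked.
    Anything else that is not a {url, cert} mapping is rejected loudly
    rather than silently ignored.
    """
    sources: List[MdqSource] = []
    for entry in metadata_cfg.get("mdq") or []:
        if isinstance(entry, str):
            sources.append(MdqSource(url=entry))
        elif isinstance(entry, dict):
            unknown = set(entry) - {"url", "cert"}
            if unknown:
                raise ValueError(f"unknown mdq keys: {sorted(unknown)}")
            if not entry.get("url"):
                raise ValueError("mdq entry needs a 'url'")
            sources.append(MdqSource(url=entry["url"], cert=entry.get("cert")))
        else:
            raise ValueError(f"unsupported mdq entry type: {type(entry).__name__}")
    return sources


def audit(sources: List[MdqSource],
          exists: Callable[[str], bool] = os.path.isfile) -> List[str]:
    """Return deployment warnings for the normalised sources.

    `exists` is injectable so the check can run without the real files.
    """
    warnings: List[str] = []
    for src in sources:
        if src.cert is None:
            # No cert means nothing authenticates the metadata the SP
            # or IdP will act on, regardless of transport.
            warnings.append(
                f"{src.url}: MDQ responses are not signature-verified (no cert configured)")
        elif not exists(src.cert):
            warnings.append(f"{src.url}: cert file {src.cert} not found")
    return warnings


if __name__ == "__main__":
    for cfg in (LEGACY_CONFIG, SIGNED_CONFIG):
        srcs = normalize_mdq(cfg)
        print(srcs)
        for warning in audit(srcs):
            print("  WARNING:", warning)
```

Running it prints one warning for the legacy form and, on a host where the PEM file is actually present, none for the url/cert form; the `exists` parameter is only there so the audit can be exercised without touching the filesystem.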