[Satosa-dev] Front end support for the HTTP-POST binding

Rainer Hoerbe rainer at hoerbe.at
Fri Sep 8 17:12:13 CEST 2017


> On 08.09.2017 at 02:14, Matthew X. Economou <xenophon at irtnog.org> wrote:
> 
> Rainer Hoerbe writes:
> 
>> the config:idp_config key in SaToSa maps to CONFIG in the Pysaml2
>> example that Ivan mentioned. At this place you can define the various
>> endpoints. I have used HTTP/POST binding for AuthnRequests in the past
>> with pysaml2.
> 
> Like the following?
> 
> config:
>  idp_config:
>    preferred_binding:
>      single_sign_on_service:
>        - urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
>        - urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
> 
> Or is there more to the configuration than that?

You need to configure endpoints to generate complete metadata. For the moment I can only copy-paste a JSON config file from a predecessor of SaToSa:

BASE = "https://%s:%s" % (HOST, PORT)
...
        "idp": {
            "name": "Test PEFIM IdP",
            "want_authn_requests_signed": True,
            "want_authn_requests_only_with_valid_cert": True,
            "sign_response": True,
            "sign_assertion": False,
            "verify_encrypt_cert": verify_encrypt_cert,
            "encrypt_assertion": True,
            "endpoints": {
                "single_sign_on_service": [
                    ("%s/sso/redirect" % BASE, BINDING_HTTP_REDIRECT),
                    ("%s/sso/post" % BASE, BINDING_HTTP_POST),
                    ("%s/sso/art" % BASE, BINDING_HTTP_ARTIFACT),
                    ("%s/sso/ecp" % BASE, BINDING_SOAP)
                ],
                "single_logout_service": [
                    ("%s/slo/soap" % BASE, BINDING_SOAP),
                    ("%s/slo/post" % BASE, BINDING_HTTP_POST),
                    ("%s/slo/redirect" % BASE, BINDING_HTTP_REDIRECT)
                ],
            },

Do not take this snippet verbatim; use it for orientation only.

- Rainer
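
An added example, not part of the original message and not SATOSA or pysaml2 code: a check that the metadata a front end generates actually advertises the bindings configured under "endpoints", since a missing HTTP-POST entry there is what leaves the metadata incomplete. The entity ID, host name and sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
BINDING_HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
BINDING_HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample: IdP metadata whose SSO service lists only HTTP-Redirect.
SAMPLE_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://proxy.example.org/idp">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://proxy.example.org/sso/redirect"/>
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://proxy.example.org/slo/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def idp_endpoints(metadata_xml, service="SingleSignOnService"):
    """Return {binding: [locations]} for one service type of the IdP role."""
    # Parse only metadata you generated yourself; the stdlib parser is not
    # hardened against entity-expansion input from untrusted sources.
    root = ET.fromstring(metadata_xml)
    found = {}
    # Restrict to IDPSSODescriptor so SP-role endpoints are not counted.
    for role in root.iter("{%s}IDPSSODescriptor" % MD):
        for ep in role.findall("{%s}%s" % (MD, service)):
            found.setdefault(ep.get("Binding"), []).append(ep.get("Location"))
    return found


def missing_bindings(metadata_xml, required, service="SingleSignOnService"):
    """List the required bindings that the metadata does not advertise."""
    advertised = idp_endpoints(metadata_xml, service)
    return [b for b in required if b not in advertised]


def non_https_locations(metadata_xml, service="SingleSignOnService"):
    """List endpoint URLs that would carry SAML messages without TLS."""
    locations = sum(idp_endpoints(metadata_xml, service).values(), [])
    return [loc for loc in locations if not loc.lower().startswith("https://")]


if __name__ == "__main__":
    required = [BINDING_HTTP_REDIRECT, BINDING_HTTP_POST]
    print("missing SSO bindings:", missing_bindings(SAMPLE_METADATA, required))
    print("non-https SSO URLs:", non_https_locations(SAMPLE_METADATA))
```

Run it against the metadata document the front end really serves, not the configuration file, because the metadata is what service providers consume.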

