Handle encrypted assertions #9

Open
jkakavas opened this issue May 27, 2017 · 0 comments

@jkakavas (Contributor):
InAcademia backend fails to handle encrypted assertions even though SATOSA supports it. The issue is that in https://github.com/SUNET/svs/blob/master/src/svs/inacademia_backend.py#L29, auth_response is still encrypted. The translate() method called right below handles the decryption successfully and modifies the auth_response object in place.

The obvious solution is to call translate() first:

    def _translate_response(self, auth_response, state):
        # translate() will handle potentially encrypted SAML Assertions
        # auth_response object will also be modified
        internal_resp = super()._translate_response(auth_response, state)
        if 'eduPersonAffiliation' not in auth_response.ava:
            raise SATOSAAuthenticationError(state, 'Missing eduPersonAffiliation in response from IdP.')
        internal_resp.user_id = self._get_user_id(auth_response)
        if not internal_resp.user_id:
            raise SATOSAAuthenticationError(state, 'Failed to construct persistent user id from IdP response.')
        return internal_resp

The next issue is with the line

      internal_resp.user_id = self._get_user_id(auth_response)

The _get_user_id() method attempts to read a unique identifier from either the SAML2 NameID or the eduPersonTargetedID / eduPersonPrincipalName attributes.
If the NameID or the eduPersonTargetedID is present, internal_resp.user_id or internal_resp.name_id will have been populated already in the translate method. (Well, SATOSA currently only handles eptid, but it will soon, with IdentityPython/SATOSA#95, handle NameIDs too.)

The method should be updated after the pull request has landed and been incorporated in SATOSA.

jkakavas changed the title from "Hande encrypted assertions" to "Handle encrypted assertions" on May 27, 2017.
jkakavas added a commit to jkakavas/svs that referenced this issue on May 27, 2017.
saxtouri pushed a commit to saxtouri/svs that referenced this issue on Jan 17, 2018.
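The ordering problem the issue describes, shown as an added, self-contained example (this is not svs or SATOSA code). AuthResponse and BaseSamlBackend are constructed stand-ins for pysaml2's AuthnResponse and SATOSA's SAMLBackend that model only the behaviour the issue relies on: _translate_response() decrypts the response in place and, for eduPersonTargetedID, already sets user_id. The exact order of statements in the original svs backend, the lookup order inside _get_user_id(), and the "only fill user_id if SATOSA did not already" rule in FixedBackend are assumptions made for the example. The buggy backend passes for a plaintext assertion and only fails once the assertion arrives encrypted, which is why the defect was easy to miss.

```python
# Added example, not svs or SATOSA code. All classes here are stand-ins.


class SATOSAAuthenticationError(Exception):
    """Stand-in for satosa.exception.SATOSAAuthenticationError."""

    def __init__(self, state, message):
        super().__init__(message)
        self.state = state


class InternalResponse:
    """Stand-in for SATOSA's internal response object."""

    def __init__(self):
        self.user_id = None
        self.attributes = {}


class AuthResponse:
    """Constructed stand-in for pysaml2's AuthnResponse.

    With encrypted=True the attribute statement is unreadable, so `ava`
    stays empty until decrypt() fills it in place, the way translate() does.
    """

    def __init__(self, attrs, name_id=None, encrypted=True):
        self._attrs = dict(attrs)
        self.name_id = name_id
        self.encrypted = encrypted
        self.ava = {} if encrypted else dict(attrs)

    def decrypt(self):
        # Stands in for XML decryption of <saml:EncryptedAssertion>.
        self.ava = dict(self._attrs)
        self.encrypted = False


class BaseSamlBackend:
    """Stand-in for SATOSA's SAMLBackend._translate_response()."""

    def _translate_response(self, auth_response, state):
        if auth_response.encrypted:
            auth_response.decrypt()          # modifies auth_response in place
        internal_resp = InternalResponse()
        internal_resp.attributes = dict(auth_response.ava)
        eptid = auth_response.ava.get("eduPersonTargetedID")
        if eptid:                            # SATOSA maps eptid to user_id itself
            internal_resp.user_id = eptid[0]
        return internal_resp


def _get_user_id(auth_response):
    """Model of svs's _get_user_id(): NameID, then eptid, then eppn (assumed order)."""
    if auth_response.name_id:
        return auth_response.name_id
    for attr in ("eduPersonTargetedID", "eduPersonPrincipalName"):
        if auth_response.ava.get(attr):
            return auth_response.ava[attr][0]
    return None


class BuggyBackend(BaseSamlBackend):
    """Reads auth_response.ava before translate() has decrypted it."""

    def _translate_response(self, auth_response, state):
        if "eduPersonAffiliation" not in auth_response.ava:   # ava is empty while encrypted
            raise SATOSAAuthenticationError(state, "Missing eduPersonAffiliation in response from IdP.")
        internal_resp = super()._translate_response(auth_response, state)
        internal_resp.user_id = _get_user_id(auth_response)
        if not internal_resp.user_id:
            raise SATOSAAuthenticationError(state, "Failed to construct persistent user id from IdP response.")
        return internal_resp


class FixedBackend(BaseSamlBackend):
    """translate() first; fall back to our own lookup only if user_id is unset."""

    def _translate_response(self, auth_response, state):
        internal_resp = super()._translate_response(auth_response, state)
        if "eduPersonAffiliation" not in auth_response.ava:
            raise SATOSAAuthenticationError(state, "Missing eduPersonAffiliation in response from IdP.")
        if not internal_resp.user_id:
            internal_resp.user_id = _get_user_id(auth_response)
        if not internal_resp.user_id:
            raise SATOSAAuthenticationError(state, "Failed to construct persistent user id from IdP response.")
        return internal_resp


def run(backend_cls, attrs, name_id=None, encrypted=True):
    """Return (user_id, error_message) for one constructed IdP response."""
    try:
        internal = backend_cls()._translate_response(AuthResponse(attrs, name_id, encrypted), state="s1")
    except SATOSAAuthenticationError as err:
        return None, str(err)
    return internal.user_id, None


# Constructed sample attribute values, not taken from any real IdP.
SAMPLE_ATTRS = {"eduPersonAffiliation": ["member"], "eduPersonTargetedID": ["abc123"]}

if __name__ == "__main__":
    print("buggy, plaintext:", run(BuggyBackend, SAMPLE_ATTRS, encrypted=False))
    print("buggy, encrypted:", run(BuggyBackend, SAMPLE_ATTRS))
    print("fixed, encrypted:", run(FixedBackend, SAMPLE_ATTRS))
```

Running the file prints a successful login for the buggy backend on a plaintext assertion, the "Missing eduPersonAffiliation" error for the same assertion once it is encrypted, and a successful login for the fixed backend, which decrypts first and keeps the user_id SATOSA already derived from eptid.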