Use higher-level function to create a saml request on the saml2 backend #380
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
@vladimir-mencl-eresearch in reference to IdentityPython/pysaml2#819 would like to test this? |
c00kiemon5ter
commented
Aug 27, 2021
| logger.debug(logline) | ||
| raise SATOSAAuthenticationError(context.state, msg) | ||
| self.outstanding_queries[req_id] = req | ||
| self.outstanding_queries[req_id] = req_id |
There was a problem hiding this comment.
I know that this looks weird.
outstanding_queries is used as a dict throughout the code. It seems that the value content is not used; the value is only checked to be non-null (value is not None). This allows us to put anything we want as the value, except for None.
I think that outstanding_queries could be turned into a list/set. But that would require to sync changes under pysaml2. We can look into that later.
In general, the way we check for unsolicited responses should be refactored.
|
Hi @c00kiemon5ter , Thanks - yes, I'm happy to confirm this works in my environment and does the right thing - SAML AuthnRequest is only signed via external Thanks for the fix - and sorry, did not get to it yet myself. Cheers, |
Signed-off-by: Ivan Kanakarakis <[email protected]>
c00kiemon5ter
force-pushed
the
refactor-saml-backend-create-authnreq
branch
from
9bdcfef to
7ed0774
Compare
4 tasks
jonathanperret
added a commit
to proconnect-gouv/oidc2fer
that referenced
this pull request
Sep 18, 2025
The current version of pysaml2 (7.5.2) has an issue where AuthNRequests
are both signed in the XML and with an extra `Signature` queryparam.
This was reported initially in 2021:
IdentityPython/pysaml2#819
And it was fixed by a changed in SATOSA:
IdentityPython/SATOSA#380
But it reappeared apparently and the original reporter has a PR open
against pysaml2 that is supposed to fix it:
IdentityPython/pysaml2#973
They report that the regression was introduced in pysaml2 by
IdentityPython/pysaml2#834
We try here to pin pysaml2 to the last version before this PR was
merged. Unfortunately this is quite an old version, but from basic
testing it seems to still be compatible with the current SATOSA
version.
Hopefully this can be temporary.
jonathanperret
added a commit
to proconnect-gouv/oidc2fer
that referenced
this pull request
Sep 25, 2025
The current version of pysaml2 (7.5.2) has an issue where AuthNRequests
are both signed in the XML and with an extra `Signature` queryparam.
This was reported initially in 2021:
IdentityPython/pysaml2#819
And it was fixed by a changed in SATOSA:
IdentityPython/SATOSA#380
But it reappeared apparently and the original reporter has a PR open
against pysaml2 that is supposed to fix it:
IdentityPython/pysaml2#973
They report that the regression was introduced in pysaml2 by
IdentityPython/pysaml2#834
We try here to pin pysaml2 to the last version before this PR was
merged. Unfortunately this is quite an old version, but from basic
testing it seems to still be compatible with the current SATOSA
version.
Hopefully this can be temporary.
jonathanperret
added a commit
to proconnect-gouv/oidc2fer
that referenced
this pull request
Sep 25, 2025
The current version of pysaml2 (7.5.2) has an issue where AuthNRequests
are both signed in the XML and with an extra `Signature` queryparam.
This was reported initially in 2021:
IdentityPython/pysaml2#819
And it was fixed by a changed in SATOSA:
IdentityPython/SATOSA#380
But it reappeared apparently and the original reporter has a PR open
against pysaml2 that is supposed to fix it:
IdentityPython/pysaml2#973
They report that the regression was introduced in pysaml2 by
IdentityPython/pysaml2#834
We try here to pin pysaml2 to the last version before this PR was
merged. Unfortunately this is quite an old version, but from basic
testing it seems to still be compatible with the current SATOSA
version.
This in turn forces us to also pin xmlschema to avoid
IdentityPython/pysaml2#947
Hopefully this can be temporary.
jonathanperret
added a commit
to proconnect-gouv/oidc2fer
that referenced
this pull request
Sep 25, 2025
The current version of pysaml2 (7.5.2) has an issue where AuthNRequests
are both signed in the XML and with an extra `Signature` queryparam.
This was reported initially in 2021:
IdentityPython/pysaml2#819
And it was fixed by a changed in SATOSA:
IdentityPython/SATOSA#380
But it reappeared apparently and the original reporter has a PR open
against pysaml2 that is supposed to fix it:
IdentityPython/pysaml2#973
They report that the regression was introduced in pysaml2 by
IdentityPython/pysaml2#834
We try here to pin pysaml2 to the last version before this PR was
merged. Unfortunately this is quite an old version, but from basic
testing it seems to still be compatible with the current SATOSA
version.
This in turn forces us to also pin xmlschema to avoid
IdentityPython/pysaml2#947
Hopefully this can be temporary.
jonathanperret
added a commit
to proconnect-gouv/oidc2fer
that referenced
this pull request
Sep 25, 2025
The current version of pysaml2 (7.5.2) has an issue where AuthNRequests
are both signed in the XML and with an extra `Signature` queryparam.
This was reported initially in 2021:
IdentityPython/pysaml2#819
And it was fixed by a changed in SATOSA:
IdentityPython/SATOSA#380
But it reappeared apparently and the original reporter has a PR open
against pysaml2 that is supposed to fix it:
IdentityPython/pysaml2#973
They report that the regression was introduced in pysaml2 by
IdentityPython/pysaml2#834
We try here to pin pysaml2 to the last version before this PR was
merged. Unfortunately this is quite an old version, but from basic
testing it seems to still be compatible with the current SATOSA
version.
This in turn forces us to also pin xmlschema to avoid
IdentityPython/pysaml2#947
Hopefully this can be temporary.
jonathanperret
added a commit
to proconnect-gouv/oidc2fer
that referenced
this pull request
Sep 25, 2025
The current version of pysaml2 (7.5.2) has an issue where AuthNRequests
are both signed in the XML and with an extra `Signature` queryparam.
This was reported initially in 2021:
IdentityPython/pysaml2#819
And it was fixed by a changed in SATOSA:
IdentityPython/SATOSA#380
But it reappeared apparently and the original reporter has a PR open
against pysaml2 that is supposed to fix it:
IdentityPython/pysaml2#973
They report that the regression was introduced in pysaml2 by
IdentityPython/pysaml2#834
We try here to pin pysaml2 to the last version before this PR was
merged. Unfortunately this is quite an old version, but from basic
testing it seems to still be compatible with the current SATOSA
version.
This in turn forces us to also pin xmlschema to avoid
IdentityPython/pysaml2#947
Hopefully this can be temporary.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
ref: IdentityPython/pysaml2#819
All Submissions: