
Understanding the use of /saml2/metadata


Hello, I managed to integrate SAML authentication in my Django 3.2 application using the packages Djangosaml2 and Pysaml2, with Azure as IdP provider.

In Azure I created a SAML application with these URLs: my entityid: https://company.website.com/ ; assertion consumer service: https://company.website.com/saml/acs/

This is my login and logout redirection URL: https://login.microsoftonline.com/***-***-***6c/saml2 ; my Azure identifier: https://sts.windows.net/***-***-***/ , present in my remote metadata.

With this configuration my authentication works very well: I can log in through https://company.website.com/saml/login/ and log out with https://company.website.com/saml/logout/

```python
import os

import saml2
import saml2.saml

# BASE_DIR is the usual Django settings value (the project root directory).

SAML_CONFIG = {
    # full path to the xmlsec1 binary program
    'xmlsec_binary': '/usr/bin/xmlsec1',

    # your entity id, usually your subdomain plus the url to the metadata view
    'entityid': 'https://company.website.com/',

    # directory with attribute mapping
    'attribute_map_dir': os.path.join(BASE_DIR, 'attribute-maps'),

    # this block states what services we provide
    'service': {
        # we are just a lonely SP
        'sp': {
            'name': 'SP',
            'name_id_format': saml2.saml.NAMEID_FORMAT_EMAILADDRESS,
            # Enable AllowCreate in NameIDPolicy.
            'name_id_format_allow_create': False,

            # For Okta add signed logout requests. Enable this:
            # "logout_requests_signed": True,

            'endpoints': {
                # url and binding to the assertion consumer service view
                # do not change the binding or service name
                'assertion_consumer_service': [
                    ('https://company.website.com/saml/acs/',
                     saml2.BINDING_HTTP_REDIRECT),
                    ('https://company.website.com/saml/acs/',
                     saml2.BINDING_HTTP_POST),
                ],
                # url and binding to the single logout service view
                # do not change the binding or service name
                'single_logout_service': [
                    ('https://company.website.com/saml/ls/',
                     saml2.BINDING_HTTP_REDIRECT),
                ],
            },

            # attributes that this project needs to identify a user
            'required_attributes': ['UserName'],
            # attributes that may be useful to have but are not required
            'optional_attributes': ['Email'],

            'want_response_signed': False,
            'authn_requests_signed': False,
            'logout_requests_signed': False,
            # Indicates that Authentication Responses to this SP must
            # be signed. If set to True, the SP will not consume
            # any SAML Responses that are not signed.
            'want_assertions_signed': True,

            'only_use_keys_in_metadata': True,
            'force_authn': False,

            # When set to true, the SP will consume unsolicited SAML
            # Responses, i.e. SAML Responses for which it has not sent
            # a respective SAML Authentication Request.
            'allow_unsolicited': True,
        },
    },

    # where the remote metadata is stored: local, remote or mdq server.
    # One metadata store or many ...
    'metadata': {
        'local': [os.path.join(BASE_DIR, 'remote_company.xml')],
    },

    # how long is our metadata valid (hours)
    'valid_for': 24 * 10,

    # set to 1 to output debugging information
    'debug': 1,
}
```

But what I don't understand is what the use is of the metadata present at my URL https://company.website.com/saml/metadata and of this URL https://company.website.com/saml/ls/ ? In the doc it says that: you need to send the entity id and the metadata of this new SP to the IdP administrators so they can add it to their list of trusted services.

If someone can explain it to me that would be very helpful. Thanks in advance.


Top GitHub Comments

1 reaction
peppelinux commented, Oct 4, 2022

To enable an SP to request an authentication to an IdP, the RP has to save the IdP metadata in its metadata store (you have configured a local folder, so download the IdP metadata and place it in that folder).

Then the IdP has to save the RP metadata.

Once you've done this, and if both metadata are valid and also their URLs reachable over the internet, you'll be able to start your first authentication.

Welcome to the saml2 world
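To make the two-way metadata exchange from the question and the comment above concrete, here is an added example (not code from djangosaml2, pysaml2 or the issue author) that builds the SP EntityDescriptor which the /saml2/metadata view publishes from settings mirroring the SAML_CONFIG above, and reads the IdP's remote metadata the way the SP does. The IdP metadata is constructed to look like Azure AD's, with TENANT-ID as a placeholder; a real exchange also carries each side's X.509 signing certificate, which is what lets the SP verify assertion signatures and is omitted here.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
ET.register_namespace("md", MD)

# Constructed SP settings mirroring the keys used in the issue's SAML_CONFIG.
SP = {
    "entityid": "https://company.website.com/",
    "acs": [("https://company.website.com/saml/acs/", POST)],
    "sls": [("https://company.website.com/saml/ls/", REDIRECT)],
    "name_id_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "authn_requests_signed": False,
    "want_assertions_signed": True,
}

def build_sp_metadata(cfg):
    """Return the SP EntityDescriptor served at /saml2/metadata; the IdP admin imports it."""
    ent = ET.Element(f"{{{MD}}}EntityDescriptor", entityID=cfg["entityid"])
    sp = ET.SubElement(ent, f"{{{MD}}}SPSSODescriptor",
                       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol",
                       AuthnRequestsSigned=str(cfg["authn_requests_signed"]).lower(),
                       WantAssertionsSigned=str(cfg["want_assertions_signed"]).lower())
    for url, binding in cfg["sls"]:  # where the IdP sends LogoutRequest/LogoutResponse
        ET.SubElement(sp, f"{{{MD}}}SingleLogoutService", Binding=binding, Location=url)
    ET.SubElement(sp, f"{{{MD}}}NameIDFormat").text = cfg["name_id_format"]
    for i, (url, binding) in enumerate(cfg["acs"]):  # where the IdP posts the Response
        ET.SubElement(sp, f"{{{MD}}}AssertionConsumerService", Binding=binding,
                      Location=url, index=str(i), isDefault=str(i == 0).lower())
    return ET.tostring(ent, encoding="unicode")

# Constructed IdP metadata shaped like Azure AD's remote_company.xml; TENANT-ID is a placeholder.
IDP_XML = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="https://sts.windows.net/TENANT-ID/">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="{REDIRECT}" Location="https://login.microsoftonline.com/TENANT-ID/saml2"/>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://login.microsoftonline.com/TENANT-ID/saml2"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def idp_endpoints(xml_text):
    """What the SP takes from IdP metadata: the Issuer to expect and where to send requests."""
    root = ET.fromstring(xml_text)
    sso = root.find(f".//{{{MD}}}SingleSignOnService").get("Location")
    slo = root.find(f".//{{{MD}}}SingleLogoutService").get("Location")
    return {"entity_id": root.get("entityID"), "sso": sso, "slo": slo}

def acs_locations(sp_xml):
    """ACS URLs as published in SP metadata; the IdP must be configured with exactly these."""
    return [e.get("Location") for e in ET.fromstring(sp_xml).iter(f"{{{MD}}}AssertionConsumerService")]
```

The entityID in the SP document is the Audience the IdP writes into its assertions, and the IdP's entityID is the Issuer the SP expects; if either side's copy goes stale (URL or certificate changed), responses are rejected even though both deployments look healthy on their own.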

0 reactions
peppelinux commented, Oct 5, 2022

In the current documentation we may have a section related to your use case and how you implemented it, a few lines of text that point to the inheritance of the method customize_session.
