Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

multiple assertion consumer services #102

Open
dcwatson opened this issue Jun 21, 2018 · 6 comments
Open

multiple assertion consumer services #102

dcwatson opened this issue Jun 21, 2018 · 6 comments

Comments

@dcwatson
Copy link

I'd like to be able to support multiple assertionConsumerService entries for a single SP. I believe this boils down to the assertionConsumerService setting accepting a dict (for backwards compatibility using a single ACS) or a list, where each item would also have an "index" key (maybe optional to use the position in the list). Obviously the metadata output would need to be updated, and I'd like to be able to pass in an ACS index into the authentication request to tell it which ACS URL to use.

I don't mind doing the work to create a PR for this, I just wanted to make sure it was something you were interested in supporting.

Thanks for all your work on this library!

@pitbulk
Copy link
Contributor

pitbulk commented Jun 21, 2018

The implementation seems ok. I will review it deeper to validate.

btw, I'm trying to understand what use case are you trying to cover with multiple ACS endpoint.
do you plan to support HTTP-POST and HTTP-Redirect or just different endpoints for HTTP-POST?

@dcwatson
Copy link
Author

Different POST endpoints. I'd like a single SP that can connect to multiple IdPs, but be able to know which IdP a login came from by which ACS endpoint was POSTed to. And ideally I want to know all this before I parse the SAML response, i.e. based on the URL, so I can properly handle ADFS lowercasing (for instance). Imagine a Django app with an IdP model and a single set of views (metadata/login/acs) and URLs like:

/sso/metadata/
/sso/login/<slug>/
/sso/acs/<slug>/

@pitbulk
Copy link
Contributor

pitbulk commented Jun 22, 2018

The use case you describe is already possible with:

/sso/metadata/<slug>/
/sso/login/<slug>/
/sso/acs/<slug>/

So each slug is associated with a python3-saml setting, and there you can define an specific IdP + advanced settings.

See for example: https://github.com/MindPointGroup/django-saml2-pro-auth
Even at python-social-auth you can define multiple IdPs.

@dcwatson
Copy link
Author

True, I guess a better example would be using the same SP for multiple sites that potentially want different attributes or session handling or the like. There are plenty of shibboleth examples with multiple POST ACS to different locations, just seems like it would be nice for this library to support that as well.

@pitbulk
Copy link
Contributor

pitbulk commented Jun 22, 2018

if a site want different attributes, then a different SP need to be used since "requested atrributes" are set at SP level, not at endpoint level.

I underestand that in some corner cases, makes sense to offer different endpoints to process the same SAMLResponse but processing it different.

That can be easily managed by an extra POST parameter (not related with SAML).

I will think about pros/cons adding that feature and let you know.
Right now Im worried about:

  • Adding complexity to the code.
  • Why only ACS and not also SLS.
  • More documentation required to add that feature.

@dcwatson
Copy link
Author

dcwatson commented Jun 22, 2018 via email

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants