Require signing of authn requests and assertions

The sstc-saml-metadata-2.0-cd-04 document notes in the "2.4.4 Element
<SPSSODescriptor>" section that:

1) AuthnRequestsSigned is optional and the default is false;
2) WantAssertionsSigned is optional and the default is false.

However, in order to facilitate more secure setups, the charm defaults
are set to "true" in both cases.

XML requires boolean values to be lowercase; therefore, they are
converted from title-case Python booleans before rendering.
Dmitrii Shcherbakov 2019-02-08 21:40:56 +03:00
parent 7d58ad9558
commit 2d0f3a9ed0
2 changed files with 20 additions and 2 deletions


@ -50,3 +50,15 @@ options:
Default is on.
This can be used for testing with something like testshib if
you are behind a NAT.
authn-requests-signed:
type: boolean
default: true
description: |
Indicates whether the <samlp:AuthnRequest> messages sent by the
service provider (mellon) will be signed.
want-assertions-signed:
type: boolean
default: true
description: |
Indicates a requirement for the <saml:Assertion> elements received
by this service provider to be signed.
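Review bot: the description of want-assertions-signed ("Indicates a requirement for the <saml:Assertion> elements received by this service provider to be signed.") reads as though the option enforces signature checking, but the attribute only advertises the requirement in the SP metadata handed to the IdP; whether mellon actually rejects an unsigned assertion is decided by the SP's own verification configuration, not by this flag. Suggest wording it as what it is, e.g. "Advertise in the SP metadata that <saml:Assertion> elements sent to this service provider must be signed; the IdP is expected to honour this." The same applies to authn-requests-signed: it tells the IdP to expect signed <samlp:AuthnRequest> messages, so the charm must also make mellon sign them, or the IdP may reject every request. Since the neighbouring option spells out its default in prose ("Default is on."), it would also help to note in both descriptions that true is deliberately stricter than the SAML metadata default of false.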


@ -1,5 +1,11 @@
<EntityDescriptor entityID="{{ options.sp_auth_url }}" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<EntityDescriptor
entityID="{{ options.sp_auth_url }}"
xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<SPSSODescriptor
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
AuthnRequestsSigned="{{ options.authn_requests_signed|lower }}"
WantAssertionsSigned="{{ options.want_assertions_signed|lower }}">
<KeyDescriptor use="signing">
{{ options.sp_signing_keyinfo }}
</KeyDescriptor>
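Review bot: `AuthnRequestsSigned="{{ options.authn_requests_signed|lower }}"` and `WantAssertionsSigned="{{ options.want_assertions_signed|lower }}"` render a Python bool as `true`/`false`, but if either option is ever unset, a Jinja2-style `lower` applied to None produces `none`, which is not a valid xs:boolean and will make the published metadata fail schema validation at the IdP. A conditional such as `{{ 'true' if options.authn_requests_signed else 'false' }}` (and the same for WantAssertionsSigned) handles both real bools and missing values. Note also that advertising `AuthnRequestsSigned="true"` commits the SP to signing every request with the key published in `<KeyDescriptor use="signing">`, so mellon must be configured to sign with that same key wherever this template is rendered.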