Require signing of authn requests and assertions
The sstc-saml-metadata-2.0-cd-04 document notes in the "2.4.4 Element <SPSSODescriptor>" section that: 1) AuthnRequestsSigned is optional and defaults to false; 2) WantAssertionsSigned is optional and defaults to false. However, to facilitate more secure setups, the charm defaults are set to "true" in both cases. XML requires boolean values to be lowercase, so they are converted from title-case Python booleans before rendering.
This commit is contained in:
parent
7d58ad9558
commit
2d0f3a9ed0
|
@ -50,3 +50,15 @@ options:
|
|||
Default is on.
|
||||
This can be used for testing with something like testshib if
|
||||
you are behind a NAT.
|
||||
authn-requests-signed:
|
||||
type: boolean
|
||||
default: true
|
||||
description: |
|
||||
Indicates whether the <samlp:AuthnRequest> messages sent by the
|
||||
service provider (mellon) will be signed.
|
||||
want-assertions-signed:
|
||||
type: boolean
|
||||
default: true
|
||||
description: |
|
||||
Indicates a requirement for the <saml:Assertion> elements received
|
||||
by this service provider to be signed.
|
||||
|
|
|
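Review bot: The description of want-assertions-signed should say what the option actually controls, because from the metadata template elsewhere in this commit it only sets the WantAssertionsSigned attribute advertised to the identity provider; whether the service provider itself rejects an unsigned assertion depends on mellon's own response verification, which this hunk does not touch, so an operator may read "requirement" as enforcement. I would extend the description with a line such as `This is advertised in the SP metadata; it does not by itself change how mellon validates incoming assertions.` (hedged: confirm against the mellon configuration the charm renders). The same clarification fits authn-requests-signed, where the attribute declares that requests will be signed but the signing itself is done by the SP configuration. The options block continues outside the hunk.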
@ -1,5 +1,11 @@
|
|||
<EntityDescriptor entityID="{{ options.sp_auth_url }}" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
|
||||
<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
|
||||
<EntityDescriptor
|
||||
entityID="{{ options.sp_auth_url }}"
|
||||
xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
|
||||
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
|
||||
<SPSSODescriptor
|
||||
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
|
||||
AuthnRequestsSigned="{{ options.authn_requests_signed|lower }}"
|
||||
WantAssertionsSigned="{{ options.want_assertions_signed|lower }}">
|
||||
<KeyDescriptor use="signing">
|
||||
{{ options.sp_signing_keyinfo }}
|
||||
</KeyDescriptor>
|
||||
|
|
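Review bot: The `|lower` filter on the two new SPSSODescriptor attributes yields a valid xs:boolean only when the option is an actual Python bool; if the value is ever missing or None the template renders `AuthnRequestsSigned="none"`, which is not a legal lexical value and will make the metadata fail schema validation at the IdP. An expression that always emits one of the two legal tokens is safer, e.g. `AuthnRequestsSigned="{{ 'true' if options.authn_requests_signed else 'false' }}"` and the same form for WantAssertionsSigned (config.yaml declares both as boolean with a default, so this is a defensive change rather than a reported failure). The SPSSODescriptor and EntityDescriptor elements opened here are closed outside the hunk.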