Add a PAOS endpoint to support ECP

See "4.13.2. Service Provider Metadata" in mellon_user_guide. Note: SOAP reversed: PAOS Change-Id: If94f9d306cb73e716560d608851412395adfe88d Closes-Bug: #1833134
3 years ago · b1b4ff3253
2 changed files with 6 additions and 0 deletions
--- a/src/lib/charm/openstack/keystone_saml_mellon.py
+++ b/src/lib/charm/openstack/keystone_saml_mellon.py
@ -111,6 +111,10 @@ class KeystoneSAMLMellonConfigurationAdapter(
    def sp_post_response_path(self):
        return '{}/postResponse'.format(self.mellon_endpoint_path)

+    @property
+    def sp_paos_response_path(self):
+        return '{}/paosResponse'.format(self.mellon_endpoint_path)
+
    @property
    def sp_logout_path(self):
        return '{}/logout'.format(self.mellon_endpoint_path)
--- a/src/templates/mellon-sp-metadata.xml
+++ b/src/templates/mellon-sp-metadata.xml
@ -15,9 +15,11 @@
 		</KeyDescriptor>
 		{% endif %}
 		<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="{{ keystone_fid_service_provider.base_url }}{{ options.sp_logout_path }}"/>
+		<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="{{ keystone_fid_service_provider.base_url }}{{ options.sp_logout_path }}"/>
 		{% for format in options.supported_nameid_formats -%}
 		<NameIDFormat>{{ format }}</NameIDFormat>
 		{% endfor -%}
 		<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="{{ keystone_fid_service_provider.base_url }}{{ options.sp_post_response_path }}" isDefault="true" index="0"/>
+		<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="{{ keystone_fid_service_provider.base_url }}{{ options.sp_paos_response_path }}" index="1"/>
 	</SPSSODescriptor>
 </EntityDescriptor>