Selecting IdP from SPConfig #273

Open
pauldekkers opened this issue May 14, 2021 · 2 comments
Labels
Documentation Issues that document features and specific configuration/use cases

Comments

@pauldekkers (Contributor)

Hi,

I was looking at the `SAML_CONFIG_LOADER` callable to select an IdP (or possibly even set scoping attributes later ;-)) based on other logic. (Since the callable is used in a new authentication request for every user, one could use the hostname or part of the path for instance, or something from a session.)

In the djangosaml2 documentation I read:

```python
# in this section the list of IdPs we talk to are defined
# This is not mandatory! All the IdP available in the metadata will be considered instead.
'idp': {
```

for the idp section in the SPConfig (`{ "service": { "sp": { "idp": [] } } }`), but looking at the code, I wonder if any of this idp information is used at all? Because `djangosaml2.utils.available_idps()` only considers metadata from the SPConfig.

Maybe it could be another way to get a selected_idp (and of course I'm also looking at Scoping), or am I misinterpreting this?

In the pysaml2 documentation I found this section:

> Defines the set of IdPs that this SP is allowed to use; if unset, all listed IdPs may be used. If set, then the value is expected to be a list with entity identifiers for the allowed IdPs. A typical configuration, when the allowed set of IdPs are limited, would look something like this:

Which also implies to me that there is no point in considering other IdPs from the metadata. Also, the example there is different from the example in djangosaml2. (Looks like it's taken from idp definition instead of preselection?)
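As an added illustration (not code from this issue, from djangosaml2 or from pysaml2), a `SAML_CONFIG_LOADER`-style callable that picks the IdP from the request hostname and sets `service.sp.idp` to that single entityID, plus a helper that applies that allow-list to the IdPs found in metadata, which is the filtering the post notes `available_idps()` does not do. The hostname map, entityIDs and the metadata dict are constructed assumptions, and a real loader must wrap the returned dict in a pysaml2 `SPConfig`.

```python
import copy

# Constructed sample in the shape of djangosaml2's SAML_CONFIG (pysaml2 keys).
# An empty service.sp.idp list means "any IdP in the metadata is accepted".
BASE_SAML_CONFIG = {
    "entityid": "https://sp.example.org/saml2/metadata/",
    "service": {"sp": {"idp": []}},
}

# Constructed hostname -> IdP entityID mapping (assumption, not a djangosaml2 setting).
HOST_TO_IDP = {
    "alpha.example.org": "https://idp.alpha.example.org/saml2/idp/metadata.php",
    "beta.example.org": "https://idp.beta.example.org/saml2/idp/metadata.php",
}

# Constructed stand-in for what djangosaml2.utils.available_idps() returns: entityID -> name.
METADATA_IDPS = {
    "https://idp.alpha.example.org/saml2/idp/metadata.php": "Alpha IdP",
    "https://idp.beta.example.org/saml2/idp/metadata.php": "Beta IdP",
    "https://idp.other.example.net/saml2/idp/metadata.php": "Other federation IdP",
}


def select_idp_config(base_config, host, host_to_idp=HOST_TO_IDP):
    """Return a deep copy of base_config whose service.sp.idp holds exactly the
    IdP mapped to `host`. An unknown host raises instead of falling back to an
    empty list, because an empty list would re-open the SP to every IdP."""
    hostname = host.lower().split(":")[0]  # drop any port, normalise case
    if hostname not in host_to_idp:
        raise LookupError("no IdP configured for host %r" % hostname)
    conf = copy.deepcopy(base_config)  # never mutate the shared settings dict
    conf.setdefault("service", {}).setdefault("sp", {})["idp"] = [host_to_idp[hostname]]
    return conf


def allowed_idps(conf, metadata_idps):
    """Apply service.sp.idp to the IdPs discovered in metadata, following the
    pysaml2 rule quoted above: an empty allow-list means all listed IdPs."""
    allow = conf.get("service", {}).get("sp", {}).get("idp") or []
    if not allow:
        return dict(metadata_idps)
    return {eid: name for eid, name in metadata_idps.items() if eid in allow}


def config_loader(request):
    """Shape of a SAML_CONFIG_LOADER callable: djangosaml2 calls it with the
    request. A real loader would do conf = SPConfig(); conf.load(d); return conf."""
    return select_idp_config(BASE_SAML_CONFIG, request.get_host())
```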

@peppelinux (Member)

consider that you can have multiple IdPs in a metadata store (let's assume we have an MDQ) and just enable one of these in your SP.

that's something that belongs to pysaml2; it's been three years since I last used this feature, so I would appreciate your patches if needed, coupled with some tests as well

tell more about your use case if there's something that we could share for a better implementation

thank you @pauldekkers

@peppelinux peppelinux added the Documentation Issues that document features and specific configuration/use cases label May 14, 2021
@peppelinux (Member)

Hi @pauldekkers
sorry for the delay and for the lazy answer I gave you; are there any updates about your question?

take a look here; if I'm not wrong, that's what you're looking for:

`def test_login_several_idps(self):`
