
Cannot specify alternative IDP metadata sources

Open daggaz opened this issue 3 years ago • 3 comments

This change introduced model-backed Service Providers.

This prevents the user from ever specifying a different SP metadata source (for example an MDQ server):

SAML_IDP_CONFIG = {
    "metadata": {
        "mdq": ["https://example.com/mdq/"],
    },
}

If the IDP config object contains a metadata key, then this should probably not be overridden.

daggaz avatar Aug 06 '20 15:08 daggaz
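The two behaviours the issue contrasts, as an added illustration that is not code from djangosaml2idp or pysaml2: one helper reproduces the complaint (the model-backed SP list replaces whatever `metadata` sources the operator configured, so the MDQ entry disappears), the other shows the suggested alternative (keep the operator's `metadata` key and add the model-backed entries alongside it). The `"inline"` source key is assumed to be the pysaml2 metadata source type for XML strings; the entity ID, the sample SP metadata string and the function names are constructed for this example.

```python
import copy

# Constructed sample: what an operator puts in settings.SAML_IDP_CONFIG,
# mirroring the MDQ example from the issue. The entityid is an assumed value.
SETTINGS_CONFIG = {
    "entityid": "https://idp.example.org/idp/metadata",
    "metadata": {
        "mdq": ["https://example.com/mdq/"],
    },
}

# Constructed sample: metadata XML as a model-backed ServiceProvider row would
# carry it (truncated placeholder, not real SAML metadata).
MODEL_SP_METADATA = [
    "<EntityDescriptor entityID='https://sp1.example.org/'>...</EntityDescriptor>",
]


def config_overriding_metadata(settings_config, model_metadata):
    """Behaviour the issue reports: the model-backed SPs become the only
    metadata source, discarding the operator's MDQ (or any other) entry."""
    conf = copy.deepcopy(settings_config)
    # "inline" is assumed to be pysaml2's source key for XML strings.
    conf["metadata"] = {"inline": list(model_metadata)}
    return conf


def config_preserving_metadata(settings_config, model_metadata):
    """Suggested behaviour: never drop an existing metadata key. Operator
    sources (mdq, remote, local, ...) stay; model-backed SPs are added as
    inline entries, without duplicating ones already present."""
    conf = copy.deepcopy(settings_config)
    metadata = conf.setdefault("metadata", {})
    if model_metadata:
        inline = metadata.setdefault("inline", [])
        for xml in model_metadata:
            if xml not in inline:
                inline.append(xml)
    return conf


def metadata_sources(conf):
    """Names of the non-empty metadata source kinds a config would hand to
    pysaml2; useful as a startup sanity check that MDQ survived merging."""
    return sorted(key for key, value in conf.get("metadata", {}).items() if value)


if __name__ == "__main__":
    print("overriding:", metadata_sources(config_overriding_metadata(SETTINGS_CONFIG, MODEL_SP_METADATA)))
    print("preserving:", metadata_sources(config_preserving_metadata(SETTINGS_CONFIG, MODEL_SP_METADATA)))
```

Calling `metadata_sources` on the result at startup is a cheap way to catch a regression of this kind: an IdP that was configured for MDQ but reports only `inline` will quietly fail for every SP that is not in the database.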

Imagine having more than 3000 SPs, like in the eduGAIN federation. Have you ever loaded thousands of metadata entries on each service start?

It could take more than a minute and a huge amount of RAM. MDQ is the smartest solution for requesting fresh metadata on each occurrence. @mhindery, why should you reduce the features of pysaml2?

peppelinux avatar Aug 06 '20 15:08 peppelinux

The latest version that supports non-model-based service providers is 0.6.

This is incompatible with the latest pysaml2 (a dependency of djangosaml2), so you need pysaml2 4.x:

djangosaml2idp<0.7
pysaml2<5

daggaz avatar Aug 07 '20 11:08 daggaz

> The latest version that supports non-model-based service providers is 0.6.
>
> This is incompatible with the latest pysaml2 (a dependency of djangosaml2), so you need pysaml2 4.x:
>
> djangosaml2idp<0.7
> pysaml2<5

Discouraged due to some important weaknesses in pysaml2<5.2.

peppelinux avatar Aug 07 '20 12:08 peppelinux