djangosaml2idp
pysaml2 incompatible with xmlsec1 version 1.3.0
The IDP server doesn't work anymore with xmlsec 1.3.0. This is required when importing `from saml2.sigver import get_xmlsec_binary`. The breaking change is the following:
https://www.aleksey.com/xmlsec/news.html
(API breaking change) The XMLSec command line utility is using 'strict' key search mode by default. To restore the old 'lax' key search mode, use the new '--lax-key-search' option.
As we cannot pass any arg to the get_xmlsec_binary method there, we are stuck and have to wait for a new pysaml2 release; see the issue at: https://github.com/IdentityPython/pysaml2/issues/906
Code to update:
https://github.com/IdentityPython/pysaml2/blob/2d47437a21aaaa77abed1b1aacdf5bda5a7f7b87/src/saml2/sigver.py#L220
line 660 --> com_list
Broken command:
/usr/bin/xmlsec1 --sign --privkey-pem /app/idp/certificates/private.key --id-attr:ID urn:oasis:names:tc:SAML:2.0:assertion:Assertion --node-id id-ypHQSxfXdaDrDXrHe --output /tmp/tmpjltassif.xml /tmp/tmpw0hrid6t.xml
Signature status: FAILED
Failure reason: KEY-NOT-FOUND
Error: failed to sign file "/tmp/tmpw0hrid6t.xml"
Working command (--lax-key-search):
/usr/bin/xmlsec1 --sign --lax-key-search --privkey-pem /app/idp/certificates/private.key --id-attr:ID urn:oasis:names:tc:SAML:2.0:assertion:Assertion --node-id id-ypHQSxfXdaDrDXrHe --output /tmp/tmpjltassif.xml /tmp/tmpw0hrid6t.xml
Signature status: OK
A temporary solution is to pin the xmlsec1 lib to xmlsec1-1.2.37, available at http://www.aleksey.com/xmlsec/download/xmlsec1-1.2.37.tar.gz
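The following is an added illustration, not code from pysaml2 or djangosaml2idp: it detects the installed xmlsec1 version and builds the same `--sign` command line as above, inserting `--lax-key-search` only when xmlsec1 is 1.3.0 or newer. The version check matters because `--lax-key-search` is new in 1.3.0, so adding it unconditionally would break the command on older releases. The `xmlsec1 --version` output format and the `detect_xmlsec_version` / `build_sign_command` helper names are assumptions made for this example.

```python
"""Build an xmlsec1 --sign command that works on xmlsec1 < 1.3.0 and >= 1.3.0.

Example code written for this issue; it is not part of pysaml2. It reproduces
the argument order of the command shown above and only adds --lax-key-search
(introduced in xmlsec1 1.3.0) when the installed binary needs it.
"""
import re
import shutil
import subprocess
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# xmlsec1 1.3.0 switched the command line tool to 'strict' key search by
# default; --lax-key-search restores the pre-1.3 behaviour.
STRICT_KEY_SEARCH_SINCE: Version = (1, 3, 0)

# Constants matching the SAML assertion signing invocation from the issue.
SAML_ASSERTION_NODE = "urn:oasis:names:tc:SAML:2.0:assertion:Assertion"


def parse_xmlsec_version(version_output: str) -> Optional[Version]:
    """Extract (major, minor, patch) from `xmlsec1 --version` output.

    Assumed format (example): 'xmlsec1 1.3.0 (openssl)'. Returns None when no
    dotted version number is present, so callers can fail closed.
    """
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", version_output)
    if not match:
        return None
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def needs_lax_key_search(version: Version) -> bool:
    """True when this xmlsec1 defaults to strict key search (>= 1.3.0)."""
    return version >= STRICT_KEY_SEARCH_SINCE


def build_sign_command(
    xmlsec_binary: str,
    version: Version,
    privkey_pem: str,
    node_id: str,
    output_file: str,
    input_file: str,
    id_attr: str = "ID",
    id_node: str = SAML_ASSERTION_NODE,
) -> List[str]:
    """Return the argv list for signing one node of an XML document.

    Argument order mirrors the working command from the issue; the only
    difference between versions is the presence of --lax-key-search.
    """
    cmd = [xmlsec_binary, "--sign"]
    if needs_lax_key_search(version):
        cmd.append("--lax-key-search")
    cmd += [
        "--privkey-pem", privkey_pem,
        f"--id-attr:{id_attr}", id_node,
        "--node-id", node_id,
        "--output", output_file,
        input_file,
    ]
    return cmd


def detect_xmlsec_version(xmlsec_binary: str = "xmlsec1") -> Optional[Version]:
    """Run `xmlsec1 --version` and parse it; None if the binary is missing."""
    path = shutil.which(xmlsec_binary)
    if path is None:
        return None
    proc = subprocess.run([path, "--version"], capture_output=True, text=True, check=False)
    return parse_xmlsec_version(proc.stdout + proc.stderr)


if __name__ == "__main__":
    # Hypothetical paths, taken from the command in the issue for illustration.
    version = detect_xmlsec_version() or (1, 2, 37)
    print("xmlsec1 version:", ".".join(map(str, version)))
    print(" ".join(build_sign_command(
        "/usr/bin/xmlsec1", version,
        "/app/idp/certificates/private.key",
        "id-ypHQSxfXdaDrDXrHe",
        "/tmp/signed.xml", "/tmp/unsigned.xml",
    )))
```

`--lax-key-search` only relaxes how xmlsec1 selects a key from those it was given; here the signing key is passed explicitly with `--privkey-pem`, so the relaxed lookup does not widen the set of keys that can be used. The flag should still be treated as a stopgap until pysaml2 builds `com_list` with the version-appropriate arguments itself.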