esaml
Erlang SAML library, SSO and SLO, with Cowboy integration
@handnot2 I've noticed merge requests have been sitting open for a while, and with OTP 24 out now deprecated some functions used here, are you still interested in maintaining...
The encrypted key can be stored in the outer context and referenced using https://www.w3.org/TR/xmldsig-core1/#sec-RetrievalMethod.
@handnot2 this appears to work okay locally for me, and is a blocker to upgrading Phoenix. Happy to do any additional work needed to help get this merged
Is there a reason `esaml` is pinned specifically to Cowboy 2.6.0? Can we update the constraint to allow Cowboy 2.7 as well?
`crypto:block_decrypt` was [deprecated](https://erlang.org/doc/apps/crypto/new_api.html#the-old-api) in OTP 23 and has been removed in OTP 24. This PR uses the [new API](https://erlang.org/doc/apps/crypto/new_api.html#the-new-api).
Just an observation over `xmerl` usage. When it parses data, every tag and attribute is converted to an atom. Even if schema validation is applied, at least the root element...
`xmerl_dsig:verify/2` accepts the atom `any` (instead of a list of fingerprints). I think it would make sense for esaml_sp to accept this as a config option too. @handnot2 what do...
This PR fixes a problem with logout only being possible with POST binding.
According to the SAML RFC when using redirect binding and encoding method DEFLATE there should be no signature in SAMLRequest. It should be put in the url parameter. [1] https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf...