django-allauth
Minimal SAML for metadata url
When setting up a new SAML integration, it is helpful to create a `SocialApp` instance without the IdP data, so that they can have access to the `/metadata/` URL to help configure their IdP. However, in order to render the metadata URL, I have to have the `idp` key in the settings set, and it must be populated with the `entity_id` and either a valid `metadata_url` or an `sso_url` and `x509cert` that can be the empty string.

It would be optimal if we could lift that restriction and permit the default empty settings dictionary to be sufficient to let the metadata URL work.
If we go that route, what should the other SAML endpoints do? Return a status code? Which one? Render `render_authentication_error()`?
Each endpoint should only error if they don't have the configuration needed for that endpoint's functionality. I'm not immediately sure what that should be as far as a status code. For the moment I'm fine with a 500 error as we're currently doing it, but I'm looking to see if the SAML spec gives any guidance on the appropriate HTTP response codes for these situations.
I am by no means confident in my assessment of the spec, but I have not yet found any guidance in the SAML2 spec regarding the appropriate HTTP status codes when the server is misconfigured. It seems to delegate all of that entirely to the SAML messages and leave that undefined.
If the other URLs are misconfigured, any generic error page should be acceptable. That seems like what `render_authentication_error()` does, so that might be appropriate, but I'm not too familiar with it.
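As an added illustration (not code from django-allauth or from anyone in this thread) of the two points made above, namely the minimal `idp` settings the opening post describes and the rule that each endpoint should only fail when its own configuration is missing, here is a small preflight check over an app's `settings` dict. The `sp`/`idp` keys and the endpoint names are taken from the thread; that the metadata endpoint depends only on the SP entity id, and what allauth itself validates, are assumptions, and the sample dicts are constructed.

```python
# Added example, not from django-allauth. Encodes the per-endpoint rule proposed
# in the thread; how allauth actually validates its settings is an assumption.

def idp_is_complete(idp: dict) -> bool:
    """IdP block usable for login: entity_id plus either a metadata_url, or an
    sso_url together with a NON-empty x509cert. This is stricter than the check
    the opening post describes (which accepts an empty certificate), because with
    no IdP certificate, assertion signatures cannot be verified (assumption)."""
    if not idp.get("entity_id"):
        return False
    if idp.get("metadata_url"):
        return True
    return bool(idp.get("sso_url")) and bool(idp.get("x509cert"))


def endpoint_status(app_settings: dict) -> dict:
    """Map each endpoint to True when the configuration it needs is present.
    metadata: describes our own SP only, so it needs no IdP data (assumption:
    only the SP entity id is required). login: exchanges messages with the IdP,
    so it needs a complete idp block as well."""
    sp_ok = bool(app_settings.get("sp", {}).get("entity_id"))
    idp_ok = idp_is_complete(app_settings.get("idp", {}))
    return {"metadata": sp_ok, "login": sp_ok and idp_ok}


# Constructed samples: the "metadata only" setup asked for in the opening post,
# and a fully configured app using sso_url + x509cert instead of metadata_url.
METADATA_ONLY = {"sp": {"entity_id": "https://sp.example.test/saml/metadata"}}

FULL = {
    "sp": {"entity_id": "https://sp.example.test/saml/metadata"},
    "idp": {
        "entity_id": "https://idp.example.test/saml",
        "sso_url": "https://idp.example.test/sso",
        "x509cert": "MIIC...placeholder-certificate...",
    },
}

if __name__ == "__main__":
    for name, cfg in (("metadata-only", METADATA_ONLY), ("full", FULL)):
        print(name, endpoint_status(cfg))
```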
We are setting up SAML for the first time, and are trying to do this with allauth. Similar to the original poster, our IDP is requesting our metadata file. Is this implemented?
@baileyglen Yes, the metadata can be found at the `/accounts/saml/<org>/metadata/` URL.