qh:SrSSKrSSKJr SSKJr SSKJrJr SSK J r S r S r S r S rS rSrSr"SS5r"SS\5r"SS\ 5rg)z Backend for SAML 2.0 support Terminology: "Service Provider" (SP): Your web app "Identity Provider" (IdP): The third-party site that is authenticating users via SAML N)OneLogin_Saml2_Auth)OneLogin_Saml2_Settings) AuthFailedAuthMissingParameter)BaseAuthzurn:oid:2.5.4.3z urn:oid:1.3.6.1.4.1.5923.1.1.1.6z urn:oid:1.3.6.1.4.1.5923.1.1.1.7zurn:oid:2.5.4.42z!urn:oid:0.9.2342.19200300.100.1.3zurn:oid:2.5.4.4z!urn:oid:0.9.2342.19200300.100.1.1cp\rSrSrSrSrSrSrSr\ S5r \ S5r \ S 5r \ S 5r S rg ) SAMLIdentityProviderz9Wrapper around configuration for a SAML Identity providerc jXlSUR;aSUR;dS5eX lg)zLoad and parse configuration: z.IdP "name" should be a slug (short, no spaces)N)nameconf)selfrkwargss K/var/www/html/env/lib/python3.13/site-packages/social_core/backends/saml.py__init__SAMLIdentityProvider.__init__ s7 $))#499(< < < c~XRRS[5n[U[5(aUSnU$)z The most important method: Get a permanent, unique identifier for this user from the attributes supplied by the IdP. If you want to use the NameID, it's available via attributes['name_id'] attr_user_permanent_idr)rget OID_USERID isinstancelist)r attributesuids rget_user_permanent_id*SAMLIdentityProvider.get_user_permanent_id*s7'?LM c4 a&C rc URUS[5URUS[5URUS[5URUS[5URUS[ 5S.$)zY Given the SAML attributes extracted from the SSO response, get the user data like name. attr_full_nameattr_first_nameattr_last_name attr_username attr_email)fullname first_name last_nameusernameemail)get_attrOID_COMMON_NAMEOID_GIVEN_NAME OID_SURNAMErOID_MAIL)rrs rget_user_details%SAMLIdentityProvider.get_user_details8sa  j2BOT-- 4E~Vz3C[Q j/:N]]:|XF   rcURRX#5nURUS5n[U[5(aU(aUSOSnU$)z Internal helper method. Get the attribute 'default_attribute' out of the attributes, unless self.conf[conf_key] overrides the default by specifying another attribute to use. Nr)rrrr)rrconf_keydefault_attributekeyvalues rr-SAMLIdentityProvider.get_attrEsEiimmH8sD) eT " " %E!H4E rc URS$)zGet the entity ID for this IdP entity_idrrs rr;SAMLIdentityProvider.entity_idRsyy%%rc URS$)zGet the SSO URL for this IdPurlr<r=s rsso_urlSAMLIdentityProvider.sso_urlXs yyrc8URRS5$)zGet the SLO URL for this IdPslo_url)rrr=s rrDSAMLIdentityProvider.slo_url_syy}}Y''rc:URURSS.S.nUR(aURSS.US'URR SS5nU(aX!S'U$URR SS5nU(aX!S'U$[ S5e) zDGet the IdP configuration dict in the format required by python-samlz2urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirectr@binding)entityIdsingleSignOnServicesingleLogoutServicex509certN x509certMultiz*IDP must contain x509cert or x509certMulti)r;rArDrrKeyError)rresultcerts rsaml_config_dict%SAMLIdentityProvider.saml_config_dictds ||O$  <<||O-F( ) yy}}Z. !%: Myy}}_d3 &*? #MCDDr)rrN)__name__ __module__ __qualname____firstlineno____doc__rr r2r-propertyr;rArDrQ__static_attributes__rrr r skC    &&   ((EErr c,^\rSrSrSrU4SjrSrU=r$)DummySAMLIdentityProviderz A placeholder IdP used when we must specify something, e.g. when generating SP metadata. If OneLogin_Saml2_Auth is modified to not always require IdP config, this can be removed. c&>[TU]SSSSS9 g)Ndummyzhttps://dummy.none/saml2zhttps://dummy.none/SSO)r;r@rL)superr)r __class__s rr"DummySAMLIdentityProvider.__init__s!  0(  rrZ)rSrTrUrVrWrrY __classcell__rbs@rr\r\s  rr\c^\rSrSrSrSr/rSrSSjrSr Sr Sr S r S r S rSU4S jjrSS jrSrSrSrU=r$)SAMLAutha PSA Backend that implements SAML 2.0 Service Provider (SP) functionality. Unlike all of the other backends, this one can be configured to work with many identity providers (IdPs). For example, a University that belongs to a Shibboleth federation may support authentication via ~100 partner universities. Also, the IdP configuration can be changed at runtime if you require that functionality - just subclass this and override `get_idp()`. Several settings are required. Here's an example: SOCIAL_AUTH_SAML_SP_ENTITY_ID = "https://saml.example.com/" SOCIAL_AUTH_SAML_SP_PUBLIC_CERT = "... X.509 certificate string ..." SOCIAL_AUTH_SAML_SP_PRIVATE_KEY = "... private key ..." SOCIAL_AUTH_SAML_ORG_INFO = { "en-US": { "name": "example", "displayname": "Example Inc.", "url": "http://example.com" } } SOCIAL_AUTH_SAML_TECHNICAL_CONTACT = { "givenName": "Tech Gal", "emailAddress": "technical@example.com" } SOCIAL_AUTH_SAML_SUPPORT_CONTACT = { "givenName": "Support Guy", "emailAddress": "support@example.com" } SOCIAL_AUTH_SAML_ENABLED_IDPS = { "testshib": { "entity_id": "https://idp.testshib.org/idp/shibboleth", "url": "https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO", "x509cert": "MIIEDjCCAvagAwIBAgIBADANBgkqhkiG9w0B... ...8Bbnl+ev0peYzxFyF5sQA==", } } Optional settings: SOCIAL_AUTH_SAML_SP_EXTRA = {} SOCIAL_AUTH_SAML_SECURITY_CONFIG = {} samlcBURS5Un[U40UD6$)z=Given the name of an IdP, get a SAMLIdentityProvider instance ENABLED_IDPS)settingr )ridp_name idp_configs rget_idpSAMLAuth.get_idps%\\.1(; #H; ;;rc URnURS5URS5S.SU(a URO0URS5SSS.US S .URS 5URS 5URS 5S.SS.nUSRURS055 USRURS055 U$)zH Generate the configuration required to instantiate OneLogin_Saml2_Auth TECHNICAL_CONTACTSUPPORT_CONTACT) technicalsupportTORG_INFOr`P10D)metadataValidUntilmetadataCacheDurationz.urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POSTrG SP_ENTITY_IDSP_PUBLIC_CERTSP_PRIVATE_KEY)assertionConsumerServicerIrL privateKey) contactPersondebugidp organizationsecurityspstrictrSECURITY_CONFIGrSP_EXTRA) redirect_urirlrQupdate)rrabs_completion_urlconfigs rgenerate_saml_configSAMLAuth.generate_saml_configs ".."\\*=><<(9:+.3''B LL4&()/ .O- !LL8 LL)9:"ll+;< - 0 z!!$,,/@""EFt DLLR89 rc~UR5n[USS9nUR5nURU5nX44$)a' Helper method that can be used from your web app to generate the XML metadata required to link your web app as a Service Provider. Returns (metadata XML string, list of errors) Example usage (Django): from ..apps.django_app.utils import load_strategy, load_backend def saml_metadata_view(request): complete_url = reverse('social:complete', args=("saml", )) saml_backend = load_backend(load_strategy(request), "saml", complete_url) metadata, errors = saml_backend.generate_metadata_xml() if not errors: return HttpResponse(content=metadata, content_type='text/xml') return HttpResponseServerError(content=', '.join(errors)) T)sp_validation_only)rrget_sp_metadatavalidate_metadata)rr saml_settingsmetadataerrorss rgenerate_metadata_xmlSAMLAuth.generate_metadata_xmlsE(**,/4P  00200:rcLURU5nURR5(aSOSURR5URR 5URR 5URR 5S.n[X25$)z&Get an instance of OneLogin_Saml2_Authonoff)https http_host script_nameget_data post_data)rstrategyrequest_is_secure request_host request_path request_get request_postr)rrr request_infos r_create_saml_authSAMLAuth._create_saml_auths}**3/!]]<<>>TE335==557 113335  #<88rc0URR5SnUR UR U5S9nUUR RS5S.nUR[R"U5S9$![a [US5ef=f)zGGet the URL to which we must redirect in order to authenticate the userr)rnext)rr) return_to) r request_datarNrrrodatarloginjsondumps)rrmauth relay_states rauth_urlSAMLAuth.auth_urls 4}}113E:H%%$,,x*@%A IIMM&) zzDJJ{$;z<< 4&tU3 3 4s A>>BcRURUS5nURUS5$)zRGet user details like full name, email, etc. from the response - see auth_completermr)ror2)rresponsers rr2SAMLAuth.get_user_details#s-ll8J/0##H\$:;;rctURUS5nURUS5nURSU3$)z Get the permanent ID for this user from the response. We prefix each ID with the name of the IdP so that we can connect multiple IdPs to this user. rmrr)ror r)rdetailsrrrs r get_user_idSAMLAuth.get_user_id)sA ll8J/0''(>?((1SE""rcURR5Sn[R "U5n[ U[5(aSU;a [S5eUSnURS5=n(a,URRURSS5U5 URU5nURU5nUR5 UR5n U (dUR5(d#UR!5n [#USU SU S35eUR%5n UR'5U S 'UR)X{5 UU UR+5S .n UR-XS .5 URR."U0UD6$![a [US5ef=f![a UnGN!f=f) zi The user has been redirected back from the IdP and we should now log them in, if everything checks out. RelayStaterzARelayState is expected to contain a JSON object with an 'idp' keyr redirect_namezSAML login failed: z ()name_id)rmr session_index)rbackend)rrrNrrloadsrdict ValueErrorr session_setrorprocess_response get_errorsis_authenticatedget_last_error_reasonrget_attributes get_nameid_check_entitlementsget_session_indexr authenticate) rargsrrelay_state_strrrmnext_urlrrrreasonrrs r auth_completeSAMLAuth.auth_complete3s  ;"mm88:<HO Y**_5Kk400E4L W5M#5)H&??622x2 ))&**_f*MxXll8$%%c* " ..00//1FT%86(!#LM M((* $ 1 9   1 $!335   8=>}}))4:6::I ;&t\: : ; ''H 'sF[TU]"XUS/UQ7SU0UD6nUSUS'USSUS'U$)Nrrrr)ra extra_data) ruserrrrrrrrbs rrSAMLAuth.extra_data`s_W' x - AE 7> IO '/&? ?# ( 6y A 9rcURU5nURU5nURSnURSnURXgUS9$)Nrr)rrr)rorrlogout)rrm social_authrrrrrs rrequest_logoutSAMLAuth.request_logouths[ll8$%%c*((3#..? {{I  rcURU5nURU5nURUS9nUR5nXV4$)N)delete_session_cb)ror process_slor)rrmrrrr@rs rprocess_logoutSAMLAuth.process_logoutqsHll8$%%c*1BC"{rcg)a] Additional verification of a SAML response before authenticating the user. Subclasses can override this method if they need custom validation code, such as requiring the presence of an eduPersonEntitlement. raise social_core.exceptions.AuthForbidden if the user should not be authenticated, or do nothing to allow the login pipeline to continue. NrZ)rrrs rrSAMLAuth._check_entitlementsxsrrZ)N)rSrTrUrVrWr EXTRA_DATArorrrrr2rrrrrrrYrdres@rrgrgsX)V DJ< !F 4 9=$< #+;Z    rrg)rWronelogin.saml2.authronelogin.saml2.settingsr exceptionsrrbaser r.OID_EDU_PERSON_PRINCIPAL_NAMEOID_EDU_PERSON_ENTITLEMENTr/r1r0rr r\rgrZrrrsl 3;9$ B?# . 0 bEbEJ 4 $p xp r