-
-
Notifications
You must be signed in to change notification settings - Fork 308
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Using a single SP endpoint to handle multiple IdPs #162
Comments
However, if you have any other thoughts on the matter I'd welcome them. |
My recommendation is to create different endpoints per IdP and then you can load its SAML settings and then process the Response. If you have 1 unique endpoint,
|
I appreciate the input - I realize this isn't ideal for all situations, but for the given constraints this single endpoint does the job. When I first started with this package I wasn't sure if it could even work (thus my question). |
You can implement the X IdP -> 1 unique endpoint concept. Recognize the user to later retrieve a relation to an IdP, as I mentioned, isn't easy/secure. My proposal: You can read the Issuer of the SAMLResponse and then recover its IdP data if is registered on your SP. The Response class has the get_issuers method. P.S With the current implementation, you always gonna need to parse the SAMLResponse 2 times, 1 to retrieve the Issuer, another to validate the SAMLResponse if you do it at the Auth class. |
That's basically what I ended up doing for this iteration. |
This might be a good feature addition to this package, if the authors agree. |
I don't have code that I can share, but if I were going to do this in a more scalable way (for handling lots of providers) I'd do what @pitbulk suggested and extend the classes. Time constraints and a limited handful of providers didn't make that a priority. |
If I wanted one endpoint that can service multiple IdPs, it would be advantageous to be able to peek at the encrypted data to get information as to which user the request came in from, and in turn use that to determine which cert to verify the signature against.
But is such a thing possible with this library (again, without parameters or unique endpoints)? Multiple targets would work, but would add their own security considerations.
I could disassemble and decrypt the payload myself to get that initial information, but that would duplicate code (though it might come down to that).
The text was updated successfully, but these errors were encountered: