Hi,
I have configured my app according to the suggested settings, and the following is the code:
```python
import saml2
import saml2.saml
from os import path

# BASEDIR is not shown in the post; assumed here to be the settings directory
BASEDIR = path.dirname(path.abspath(__file__))

SAML_CONFIG = {
    'allow_create': True,
    # full path to the xmlsec1 binary program
    'xmlsec_binary': '/usr/bin/xmlsec1',
    # your entity id, usually your subdomain plus the url to the metadata view
    'entityid': 'https://kotak.phrazor.com/saml2/metadata/',
    # directory with attribute mapping
    'attribute_map_dir': path.join(BASEDIR, 'attribute-maps'),
    'allow_unknown_attributes': True,
    # this block states what services we provide
    'service': {
        # we are just a lonely SP
        'sp': {
            'allow_unsolicited': True,
            'name': 'Federated Django sample SP',
            'name_id_format': saml2.saml.NAMEID_FORMAT_PERSISTENT,
            'endpoints': {
                # url and binding to the assertion consumer service view
                # do not change the binding or service name
                'assertion_consumer_service': [
                    ('https://kotak.phrazor.com/saml2/acs/',
                     saml2.BINDING_HTTP_POST),
                ],
                # url and binding to the single logout service view
                # do not change the binding or service name
                'single_logout_service': [
                    ('https://kotak.phrazor.com/saml2/ls/',
                     saml2.BINDING_HTTP_REDIRECT),
                    ('https://kotak.phrazor.com/saml2/ls/post/',
                     saml2.BINDING_HTTP_POST),
                ],
            },
            # attributes that this project needs to identify a user
            'required_attributes': ['emailAddress'],
            # in this section the list of IdPs we talk to are defined
            'idp': {
                # we do not need a WAYF service since there is
                # only an IdP defined here. This IdP should be
                # present in our metadata
                # the keys of this dictionary are entity ids
                'https://localhost/simplesaml/saml2/idp/metadata.php': {
                    'single_sign_on_service': {
                        saml2.BINDING_HTTP_REDIRECT: 'https://localhost/simplesaml/saml2/idp/SSOService.php',
                    },
                    'single_logout_service': {
                        saml2.BINDING_HTTP_REDIRECT: 'https://localhost/simplesaml/saml2/idp/SingleLogoutService.php',
                    },
                },
            },
        },
    },
    # where the remote metadata is stored
    'metadata': {
        'local': [path.join(BASEDIR, 'remote_metadata.xml')],
    },
    # set to 1 to output debugging information
    'debug': 1,
    # Signing
    'key_file': path.join(BASEDIR, 'mycert.key'),   # private part
    'cert_file': path.join(BASEDIR, 'mycert.pem'),  # public part
    # Encryption
    'encryption_keypairs': [{
        'key_file': path.join(BASEDIR, 'my_encryption_key.key'),    # private part
        'cert_file': path.join(BASEDIR, 'my_encryption_cert.pem'),  # public part
    }],
    # own metadata settings
    'contact_person': [
        {'given_name': 'Sabyasachi',
         'sur_name': 'Nandy',
         'company': 'Vphrase',
         'email_address': '[email protected]',
         'contact_type': 'technical'},
    ],
    # you can set multilanguage information here
    'organization': {
        'name': [('Vphrase', 'es'), ('Vphrase', 'en')],
        'display_name': [('Vphrase', 'es'), ('Vphrase', 'en')],
        'url': [('https://www.vphrase.com', 'es'), ('https://www.vphrase.com', 'en')],
    },
    'valid_for': 24,  # how long is our metadata valid
}
```
After running the app, we get redirected to the IdP and get back the response, but the response can't be processed, and when I checked the error log, we get the message:
saml2.response.StatusInvalidNameidPolicy: urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy from urn:oasis:names:tc:SAML:2.0:status:Requester, and this ultimately comes from the error certificate verification failed:err=20;msg=unable to get local issuer certificate.
Any help on this topic?
Can you throw some more light on the keys used and their importance for saml2?
For the signing key, should we use your public key or the public key of the IdP?
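The error in the log is pysaml2 reporting the IdP's SAML Status block: a top-level `Requester` code with a second-level `InvalidNameIDPolicy` code, which the SAML 2.0 core spec defines as "the responding provider cannot or will not support the requested name identifier policy". A first diagnostic step on the SP side is to decode that status chain from the raw Response and check whether the `name_id_format` the SP asks for is one the IdP advertises in its metadata. The following script is an added example, not part of the original post or of djangosaml2/pysaml2; it uses only the standard library, and the Response and IdP metadata snippets in it are constructed for illustration (the namespaces, element names and status URNs are the standard SAML 2.0 ones).

```python
"""Decode a SAML 2.0 Status chain and cross-check the SP's requested NameID
format against an IdP's metadata.  Stdlib only; XML inputs are constructed."""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
STATUS_PREFIX = "urn:oasis:names:tc:SAML:2.0:status:"

# Same URN that saml2.saml.NAMEID_FORMAT_PERSISTENT resolves to in pysaml2
NAMEID_FORMAT_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
NAMEID_FORMAT_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed Response: the IdP refusing the NameIDPolicy with the same
# Requester / InvalidNameIDPolicy pair the post's error message reports.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" ID="_constructed-1"
    Version="2.0" IssueInstant="2020-01-01T00:00:00Z"
    Destination="https://sp.example/saml2/acs/">
  <samlp:Status>
    <samlp:StatusCode Value="{STATUS_PREFIX}Requester">
      <samlp:StatusCode Value="{STATUS_PREFIX}InvalidNameIDPolicy"/>
    </samlp:StatusCode>
    <samlp:StatusMessage>Unsupported NameIDFormat</samlp:StatusMessage>
  </samlp:Status>
</samlp:Response>"""

# Constructed IdP metadata that advertises only the transient format.
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}"
    entityID="https://idp.example/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="{SAMLP}">
    <md:NameIDFormat>{NAMEID_FORMAT_TRANSIENT}</md:NameIDFormat>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def status_codes(response_xml):
    """Return the StatusCode chain, outermost first, with the common URN
    prefix stripped, e.g. ['Requester', 'InvalidNameIDPolicy']."""
    root = ET.fromstring(response_xml)
    status = root.find(f"{{{SAMLP}}}Status")
    if status is None:
        raise ValueError("no samlp:Status element in Response")
    codes = []
    node = status.find(f"{{{SAMLP}}}StatusCode")
    while node is not None:
        value = node.get("Value", "")
        if value.startswith(STATUS_PREFIX):
            value = value[len(STATUS_PREFIX):]
        codes.append(value)
        node = node.find(f"{{{SAMLP}}}StatusCode")  # nested second-level code
    return codes


def status_message(response_xml):
    """Free-text StatusMessage from the IdP, or None if absent."""
    root = ET.fromstring(response_xml)
    msg = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusMessage")
    return msg.text if msg is not None else None


def idp_nameid_formats(metadata_xml):
    """NameIDFormat values the IdP advertises in its IDPSSODescriptor."""
    root = ET.fromstring(metadata_xml)
    return [e.text.strip() for e in root.iter(f"{{{MD}}}NameIDFormat") if e.text]


def nameid_policy_supported(metadata_xml, requested_format):
    """True if the IdP lists the requested format, or lists none at all
    (an IdP that advertises no NameIDFormat states no restriction)."""
    formats = idp_nameid_formats(metadata_xml)
    return not formats or requested_format in formats


if __name__ == "__main__":
    codes = status_codes(SAMPLE_RESPONSE)
    print("status chain:", " / ".join(codes))
    print("status message:", status_message(SAMPLE_RESPONSE))
    if "Success" not in codes:
        supported = nameid_policy_supported(SAMPLE_IDP_METADATA, NAMEID_FORMAT_PERSISTENT)
        print("IdP advertises the requested NameID format:", supported)
```

Run against a real Response (the base64-decoded SAMLResponse form field) and the IdP's metadata file, the two results tell you whether the failure is the IdP rejecting the requested NameID policy before any assertion is issued; the separate certificate-verification message in the log comes from the XML signature check of that same Response and is decided by which certificates the SP trusts for the IdP entity, not by the SP's own signing key pair.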