How to set WantAuthnRequestsSigned to false in Keycloak - keycloak

I'm using Keycloak and I want to change the attribute WantAuthnRequestsSigned to false in the SAML Identity Provider Metadata.
Thanks

Just edit the saved SAML IDP metadata xml file and change WantAuthnRequestsSigned to false directly.
You also need to TURN OFF Client Signature Required in your client settings.
Based on the source code, WantAuthnRequestsSigned is hardcoded as true. But it doesn't matter.

Related

IdP metadata EntitiesDescriptor

I'm using the ITfoxtec Identity SAML2 library with Keycloak as IdP. When requesting the IdP metadata information, the ITfoxtec Identity SAML2 library seems not to recognize the <EntitiesDescriptor> tag and expects a <EntityDescriptor> as the top level element in the metadata xml.
Use of <EntitiesDescriptor> is described in https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf
I have released version 4.6.2-beta1 with support for reading SAML 2.0 metadata with an EntitiesDescriptor root element. The first EntityDescriptor element is selected.
Please let me know if it works for you.
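The two metadata questions above (flipping WantAuthnRequestsSigned in a saved Keycloak IdP metadata file, and metadata whose root is EntitiesDescriptor rather than EntityDescriptor) can be handled by one namespace-aware parser. The following is an added example written for this page; it is not code from Keycloak, ITfoxtec or either answer. The sample metadata, the function names and the entityID are constructed for illustration. Note that the attribute in the exported file only tells the SP whether to sign its AuthnRequests; what the Keycloak IdP actually enforces is the client's "Client Signature Required" setting, which is why the answer says to turn that off as well.

```python
"""Read SAML 2.0 IdP metadata with either an EntitiesDescriptor or an
EntityDescriptor root, select the first EntityDescriptor (as ITfoxtec does),
report WantAuthnRequestsSigned and rewrite it. Added example, not library code."""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}
ET.register_namespace("md", MD)  # keep the md: prefix when serializing

# Constructed sample: an EntitiesDescriptor wrapping one IdP entity, the shape
# Keycloak exports, with WantAuthnRequestsSigned="true" on the IDPSSODescriptor.
SAMPLE_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{MD}" Name="urn:keycloak">
  <md:EntityDescriptor entityID="https://idp.example.test/realms/demo">
    <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://idp.example.test/realms/demo/protocol/saml"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def first_entity_descriptor(root):
    """Accept either root element; for EntitiesDescriptor (possibly nested, which
    the metadata spec allows) return the first EntityDescriptor in document order."""
    if root.tag == f"{{{MD}}}EntityDescriptor":
        return root
    if root.tag == f"{{{MD}}}EntitiesDescriptor":
        ed = next(root.iter(f"{{{MD}}}EntityDescriptor"), None)
        if ed is None:
            raise ValueError("EntitiesDescriptor contains no EntityDescriptor")
        return ed
    raise ValueError(f"unexpected metadata root element {root.tag}")


def _idp_descriptor(root):
    ed = first_entity_descriptor(root)
    idp = ed.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError(f"{ed.get('entityID')} has no IDPSSODescriptor")
    return idp


def wants_signed_authn_requests(xml_text):
    """True if the IdP declares it wants signed AuthnRequests.
    The attribute is optional in the spec and means false when absent."""
    idp = _idp_descriptor(ET.fromstring(xml_text))
    return idp.get("WantAuthnRequestsSigned", "false").lower() == "true"


def set_want_authn_requests_signed(xml_text, value):
    """Return the metadata with WantAuthnRequestsSigned set to the given boolean."""
    root = ET.fromstring(xml_text)
    _idp_descriptor(root).set("WantAuthnRequestsSigned", "true" if value else "false")
    return ET.tostring(root, encoding="unicode")


# Same entity serialized with EntityDescriptor as the root, for the other input shape.
SAMPLE_ENTITY_ONLY = ET.tostring(
    first_entity_descriptor(ET.fromstring(SAMPLE_METADATA)), encoding="unicode"
)

if __name__ == "__main__":
    print("before:", wants_signed_authn_requests(SAMPLE_METADATA))
    rewritten = set_want_authn_requests_signed(SAMPLE_METADATA, False)
    print("after: ", wants_signed_authn_requests(rewritten))
    print(rewritten)
```

Only the first EntityDescriptor is consulted, so an aggregate file carrying several IdPs needs the entityID checked before trusting the result.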

Cookie based Authentication in FastAPI

I am looking to integrate Cookie based authentication in my FastAPI App. I want the same to work seamlessly with swagger as well.
I want to have a route (eg: /login) which sets my browser cookies. All other protected routes use Depends in the decorator to verify the key present in the cookie. How do I get this to work with the OpenAPI authorize button?
Important factor here is integration with Swagger/OpenAPI docs auto generated by FastAPI.
You can have a look at the fastapi-users module that implements a cookie-based authentication (it implements other user-management-related stuff as well, so it is worth a look anyway!).
According to the cookie docs:
Configuration
from fastapi_users.authentication import CookieAuthentication
SECRET = "SECRET"
auth_backends = []
cookie_authentication = CookieAuthentication(secret=SECRET, lifetime_seconds=3600)
auth_backends.append(cookie_authentication)
As you can see, instantiation is quite simple. You just have to define
a constant SECRET which is used to encode the token and the lifetime
of the cookie (in seconds).
You can also define the parameters for the generated cookie:
cookie_name (fastapiusersauth): Name of the cookie.
cookie_path (/): Cookie path.
cookie_domain (None): Cookie domain.
cookie_secure (True): Whether to only send the cookie to the server via SSL request.
cookie_httponly (True): Whether to prevent access to the cookie via JavaScript.
cookie_samesite (lax): A string that specifies the same site strategy for the cookie. Valid values are 'lax', 'strict' and 'none'. Defaults to 'lax'.
Then you can login with a POST request on the /login endpoint and set the cookie on the browser.
I found no info on the auto-OpenAPI integration, but since login is setting the cookie on the browser, you can log in once and then use the API.

Is Play2.5 session cookie encrypted?

I'm starting to learn Play framework with Scala and I'm trying to set the session cookie.
I have the play.crypto.secret config set and also the settings for the cookie like this
play.http {
session {
httpOnly = true
domain = "localhost"
}
}
Is it normal that I see the content of the cookie in the console without problems?
for example:
As mentioned in the official Play documentation, play.crypto.secret is used for signing session cookies and CSRF tokens. That means that you will see cookie values on the client side, but they will be encrypted with the secret key.
No, the cookie is not encrypted. It is signed, meaning that part of the cookie (or a separate cookie) contains a signature value calculated using the cookie value itself and the secret key.

How to display original content (DOM) of the assertion in Spring SAML?

For my project I am required to display the encrypted as well as decrypted version of the SAML response to the user.
Currently the Spring SAML sample app displays the Encrypted (i.e. original) SAML response, but I am not sure how to show the same response with all elements (NameID, assertions, and other elements) decrypted.
I know that the Spring SAML sample app displays the assertions in a table format, but I am required to display the entire 'decrypted' XML SAML response with all the tags and attributes.
Note I am working on the SP part and the IdP is configured to send encrypted SAML responses with encrypted attributes and NameIDs.
Any help is appreciated.
Part 9.5 of the manual should help you.
9.5 Authentication assertion
Assertion used to authenticate user is stored in the SAMLCredential
object under property authenticationAssertion. By default the original
content (DOM) of the assertion is discarded and system only keeps an
unmarshalled version which might slightly differ from the original,
e.g. in white-spaces. In order to instruct Spring SAML to keep the
assertion in the original form (keep its DOM) set property releaseDOM
to false on bean WebSSOProfileConsumerImpl.
Assertion can be serialized to String using the following call:
XMLHelper.nodeToString(SAMLUtil.marshallMessage(credential.getAuthenticationAssertion()))

Kentor AuthService - Read Subject NameID

How can I access the saml2:NameID inside the saml2:Subject node of the response XML using Kentor AuthService?
I couldn't find in code anything that deals with that part of XML. Maybe I'm missing something.
I'm not asking about the Kentor IdP; I see that there the NameID is sent as an additional claim, which is translated into an attribute. I'm asking in general: the IdP does not have to be powered by Kentor, so I can't rely on this value being passed as an attribute.
So, if it's handled I couldn't find it here:
https://github.com/KentorIT/authservices/tree/master/Kentor.AuthServices
One option can be to parse XML on my own, but if there's already implemented or better solution that will be great.
The Subject NameID is translated to a claim with type ClaimTypes.NameIdentifier (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier).
It should be in the claims collection of the created claims identity.