providers/saml: disallow idp-initiated SSO by default and validate Request ID

2020-09-12 00:53:38 +02:00
parent c2ebaa7f64
commit ca0ba85023
10 changed files with 138 additions and 47 deletions
--- a/passbook/sources/saml/models.py
+++ b/passbook/sources/saml/models.py
@ -53,6 +53,21 @@ class SAMLSource(Source):
        verbose_name=_("SSO URL"),
        help_text=_("URL that the initial Login request is sent to."),
    )
+    slo_url = models.URLField(
+        default=None,
+        blank=True,
+        null=True,
+        verbose_name=_("SLO URL"),
+        help_text=_("Optional URL if your IDP supports Single-Logout."),
+    )
+
+    allow_idp_initiated = models.BooleanField(
+        default=False,
+        help_text=_(
+            "Allows authentication flows initiated by the IdP. This can be a security risk, "
+            "as no validation of the request ID is done."
+        ),
+    )
    name_id_policy = models.TextField(
        choices=SAMLNameIDPolicy.choices,
        default=SAMLNameIDPolicy.TRANSIENT,
@ -66,14 +81,6 @@ class SAMLSource(Source):
        default=SAMLBindingTypes.Redirect,
    )

-    slo_url = models.URLField(
-        default=None,
-        blank=True,
-        null=True,
-        verbose_name=_("SLO URL"),
-        help_text=_("Optional URL if your IDP supports Single-Logout."),
-    )
-
    temporary_user_delete_after = models.TextField(
        default="days=1",
        verbose_name=_("Delete temporary users after"),