Support for AuthnRequest HTTP-POST binding with enveloped signatures

[tachang]

Adding support for:

    "assertionConsumerService": {
        "url": "https://sp.example.com/saml/?acs",
        "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    },

Only the urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST binding gets the enveloped signature

[tachang]

This is what the enveloped AuthnRequest looks like. This should validate when put into a file named authn_signed_assertion.xml via the following command:

xmlsec1 --verify --id-attr:ID AuthnRequest --trusted-pem tests/certs/example.com/example.crt tests/sample_output/authn_signed_assertion.xml

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ONELOGIN_04273cc52656e53b0a3ca0861d498d713ff04fac" Version="2.0" ProviderName="example.com" IssueInstant="2015-08-08T19:54:42Z" Destination="https://idp.example.com/login" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://sp.example.com/saml/?acs">
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><Reference URI="#ONELOGIN_04273cc52656e53b0a3ca0861d498d713ff04fac"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>Pzv7pLMvZ8HyMiWElqgsTFiX2LQ=</DigestValue></Reference></SignedInfo><SignatureValue>cdw7y1vPlovmvJM6C/5JzU+3ooqdd7qC/NUbhIhjt3KRapSlZN4fo149k5fPbPXY
HaPDk+FnN60ffCLDB2fIG4HEZ6ROPiTwUWwvWD5sLxSLOWrxeQYZM3CEry6kplzH
c57+VYLDBTfgrESW9+ofDYY5ZyBy9BqY1qHoVlXdOX5ncnaFBFjwYjsHZCB+abZm
2JkYz6+i7azVy3jXnAgAPhbAcJH8QytVeyhFXkiso0xmPX/Oau9GZ6V21KQG5VMA
DaxjqjJ3Uk+/i1/ZfCh/4AHLf2amSH1OnTAxDKRMC2cdwkwEM+MThTxWhuTfhxlN
io563s6sEbwPnE2YkakuRw==</SignatureValue><KeyInfo><KeyName/><X509Data>
<X509Certificate>MIIDuTCCAqGgAwIBAgIJALO8tfVURFsvMA0GCSqGSIb3DQEBCwUAMHMxCzAJBgNV
BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNp
c2NvMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxFDASBgNVBAMM
C2V4YW1wbGUuY29tMB4XDTE1MDgwODE4NDQ1OVoXDTI1MDgwNTE4NDQ1OVowczEL
MAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBG
cmFuY2lzY28xITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEUMBIG
A1UEAwwLZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQDrkTb+VmDnhRUyuCO+i6fWJIey9ilwLMw+o/7TSM8qqB5PCZbVnePmd97Pbhak
VRqoYFfNpbMbD1QjFXXICkolVVS2tmRGsGlE9n1/P9egnVmrfByRrVViJd4EEG3F
YqKmpfGaPXUhJGqsYXXdv7Zi3ZcC+pKDrMjiQfv/MlZsHcZ1FBbOk5KSe/b8Rpzk
tbF4AqhjiO/XjpskUIVMlUcyqDlTkLYxU1uNIU9RJEY0/9Kbm/VT3SMFjhpMTbU1
4DmGARLXsLZiejs/c6O6Yvz1CJf8pCzUBR8SsUD0FUYgm3R1NBqAgNPMJeNDUAx6
qlu98RYjEnyBVyKT/0Th0BgtAgMBAAGjUDBOMB0GA1UdDgQWBBRghqUeLjDqMaJi
kgHWgxYQnQm1azAfBgNVHSMEGDAWgBRghqUeLjDqMaJikgHWgxYQnQm1azAMBgNV
HRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAs0h0MFMDme/07Gj5TJkaxQLWi
acNhqmqEa3Mt1C3k2Wva6OwAAqMMWcAQMdmACg8Qk0xjLBizs7go7QvkmV+RNbHD
BdD0p00GRrBj1XTPR4VJiJJvOmY2G7A084lx0M9nOGHtQRLgs116TNOTMHz3rPDe
N0SdQJien1AAKa4JhcWtuC0yBlPXtx9nQ4TSrCTgOEOnYfYjh+WKD/ZGUeYzmNlT
9Sl6aPjjbpSBMzZzckhxDAdQrveTKb75z8BFr+60X3f76qCO7xsoCCUJfybsgiUZ
vp6s7qcAkJNnWeIKWao5XEkAOvr6Kry/oncaUNm6Q1LRKgXmB8FiIx3i3xdP</X509Certificate>
</X509Data></KeyInfo></Signature><saml:Issuer>sp.example.com</saml:Issuer>


    <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified" AllowCreate="true"/>
    <samlp:RequestedAuthnContext Comparison="exact">
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

[tachang]

Yay finally. Managed to pass all the checks.

[tachang]

This is actually not full support for it since we still need to generate a form.

This is just up here as a place holder.

[pitbulk]

@tachang are you insterested in maintain a branch of python-saml that implements HTTP-POST binding for AuthnRequest, LogoutRequest and LogoutResponse?

I have no problem to be hosting that branch, and maybe when mature, we could create a release based on that branch and modify the toolkit name, releasing it at pypi.
But I need someone that want to support it and merge/push changes done on master to this branch.
Right now I'm maintaining python-saml and python3-saml and can't afford that task, and I don't want to
push this feature on master branch since core changes wil be required.

This branch should also support Assertion Consumer Service HTTP-Redirect binding. #71

[sbc100]

+1 I'd like to see this feature land.

I would advise against maintaining this in a separate branch. Are the core changes required bad/scary in some way?

[tachang]

@pitbulk Hi Sixto I actually didn't notice this message until now!

Right now not really making any changes until I have more time. I just pushed this PR incase someone else would be interested in it. We are actually not using it right now but might if a customer requests it in which case I'd totally push to open source the changes.

[tachang]

@sbc100 The changes are not too scary unless you need the feature. I opened this PR just to get a discussion going. I managed to get the code maybe 60-70% there. The big part was just getting some tests written as to what was actually needed.

[tachang]

Obviously I didn't even rebase which is nice for PRs.

[ekreiser]

Any update on when this work might become part of the core product?