OneLogin_Saml2_IdPMetadataParser.get_metadata not compatible with self-signed certificates #403

Open
sergei-maertens opened this issue Mar 29, 2024 · 2 comments · May be fixed by #415

Comments

@sergei-maertens

Relevant code:

So it looks like the options are either:

  • No support for self-signed certificate chains at all, because the default system context is used with the system CA bundles or...
  • You disable SSL verification entirely

In our situation, the government issues (intermediate) CAs from a self-signed root which is meant for private URLs (i.e. they should not be trusted by browsers/systems unless explicitly added). The metadata is hosted on a URL with such a certificate. We do not want to disable SSL verification entirely, and we already have mechanisms to add this root certificate to our trust store.

Could there be an option to provide an SSLContext instance ourselves to be used as an optional kwarg? If you're open to this feature, then I can provide a PR.
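The two options listed above, and the cafile/capath variant described in the linked commits, as an added example that is not python3-saml's own code: build the SSLContext the metadata download would use so that a private root CA is trusted without switching verification off. The function and parameter names (build_ssl_context, validate_cert, cafile, capath, verifies_peer, fetch_idp_metadata) are illustrative assumptions, not the library's API.

```python
# Added example, not python3-saml's code. Names below (build_ssl_context,
# validate_cert, cafile, capath, verifies_peer, fetch_idp_metadata) are
# illustrative, not the library's API.
import ssl
import urllib.request
from typing import Optional


def build_ssl_context(
    validate_cert: bool = True,
    cafile: Optional[str] = None,
    capath: Optional[str] = None,
) -> ssl.SSLContext:
    """Return an SSLContext for the metadata download.

    validate_cert=False reproduces the "disable SSL verification" option.
    cafile/capath add a private root (e.g. a government PKI root) on top of
    the system trust store while keeping chain and hostname checks on.
    """
    # Default client context: CERT_REQUIRED, hostname check, system roots.
    ctx = ssl.create_default_context()
    if not validate_cert:
        # check_hostname must be cleared before verify_mode; setting
        # CERT_NONE while check_hostname is True raises ValueError.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    if cafile or capath:
        # Caveat: ssl.create_default_context(cafile=...) loads ONLY the given
        # file and skips the system roots. Calling load_verify_locations() on
        # an already-default context keeps both, so publicly trusted IdPs
        # keep working. A missing file raises FileNotFoundError; a file that
        # is not PEM raises ssl.SSLError.
        ctx.load_verify_locations(cafile=cafile, capath=capath)
    return ctx


def verifies_peer(ctx: ssl.SSLContext) -> bool:
    """True only when the context requires a valid chain AND checks the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def fetch_idp_metadata(
    url: str,
    validate_cert: bool = True,
    cafile: Optional[str] = None,
    capath: Optional[str] = None,
    timeout: float = 10.0,
) -> bytes:
    """Download the IdP metadata XML using the chosen verification policy."""
    ctx = build_ssl_context(validate_cert, cafile, capath)
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return resp.read()


if __name__ == "__main__":
    # No network access here; just show what each policy enforces.
    print("system trust store only:", verifies_peer(build_ssl_context()))
    print("verification disabled:", verifies_peer(build_ssl_context(validate_cert=False)))
    # Assumed path of a private root; would be passed on to fetch_idp_metadata().
    # fetch_idp_metadata("https://idp.example/metadata", cafile="/etc/ssl/private-root.pem")
```

Two practical notes. A `capath` directory is only consulted by OpenSSL if the certificate files are named by subject hash (`openssl rehash` / `c_rehash`); a plain directory of `.pem` files is silently ignored, so prefer `cafile` unless the directory is maintained that way. With `requests`, the equivalent is `requests.get(url, verify="/path/to/bundle.pem")` or the `REQUESTS_CA_BUNDLE` environment variable, but there the bundle replaces certifi's default roots rather than extending them, so the file must also contain any public roots the application still needs.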

sergei-maertens added a commit to maykinmedia/python3-saml that referenced this issue Apr 2, 2024
Replaced IDP metadata fetching via urllib with requests.

Projects making use of requests/self-certifi set up the CA bundle
to wire up additional trusted root CAs, which are picked up by
requests, so this should also work properly.

Upstream issue: SAML-Toolkits#403
Open Forms issue: open-formulieren/open-forms#4079
@pitbulk (Contributor) commented Jun 26, 2024

@sergei-maertens sorry for the delayed response.

Yes, I think it makes sense to support it.

@sergei-maertens (Author)

Nice, I'll draw up a PR!

sergei-maertens added a commit to maykinmedia/python3-saml that referenced this issue Jul 10, 2024
Using requests allows us to easily customize the CA_BUNDLE to use
when verifying the server certificate, instead of having to disable SSL
certificate verification altogether.
sergei-maertens added a commit to maykinmedia/python3-saml that referenced this issue Oct 3, 2024
When retrieving the IDP metadata, you can now optionally specify the
capath or cafile to use for certificate verification, rather than just
enabling/disabling it.

This allows TLS verification of server certificates that are not in the
system root store (such as when using private CAs).
sergei-maertens added a commit to maykinmedia/python3-saml that referenced this issue Oct 3, 2024
When retrieving the IDP metadata, you can now optionally specify the
capath or cafile to use for certificate verification, rather than just
enabling/disabling it.

This allows TLS verification of server certificates that are not in the
system root store (such as when using private CAs).