SAML-Toolkits
diff --git a/‎LICENSE‎
Lines changed: 24 additions & 0 deletions b/‎LICENSE‎
Lines changed: 24 additions & 0 deletions
diff --git a/‎README‎
Lines changed: 152 additions & 0 deletions b/‎README‎
Lines changed: 152 additions & 0 deletions
diff --git a/‎example.cfg‎
Lines changed: 22 additions & 0 deletions b/‎example.cfg‎
Lines changed: 22 additions & 0 deletions
diff --git a/‎example.py‎
Lines changed: 182 additions & 0 deletions b/‎example.py‎
Lines changed: 182 additions & 0 deletions
diff --git a/‎onelogin/__init__.py‎
Lines changed: 1 addition & 0 deletions b/‎onelogin/__init__.py‎
Lines changed: 1 addition & 0 deletions
@@ -0,0 +1,24 @@
+Copyright (c) 2011, OneLogin, Inc.
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+    * Redistributions of source code must retain the above copyright
+      notice, this list of conditions and the following disclaimer.
+    * Redistributions in binary form must reproduce the above copyright
+      notice, this list of conditions and the following disclaimer in the
+      documentation and/or other materials provided with the distribution.
+    * Neither the name of the <organization> nor the
+      names of its contributors may be used to endorse or promote products
+      derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL ONELOGIN, INC. BE LIABLE FOR ANY
+DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
@@ -0,0 +1,152 @@
+===========
+Python SAML
+===========
+
+This Python SAML toolkit provides functionality for creating SAML AuthnRequests
+which can be sent to an identity provider and for verifying SAML Responses from
+an identity provider. Onelogin is an example of an identity provider.
+
+Non-Python Requirements
+=======================
+
+- libxml2
+- libxslt
+- libxmlsec1
+- libxml2-dev
+- libxslt-dev
+- libxmlsec1-dev
+
+This toolkit makes use of the xmlsec binary in order to verify the response
+signature. Make sure you add the xmlsec binary to your Windows or Linux PATH.
+Unfortunately, the python bindings for libxml2, which xmlsec uses, do not
+provide the functionality needed to programmatically verify the signature,
+specifically the libxml2.xmlAddID function.
+For more information see http://www.aleksey.com/xmlsec/faq.html Section 3.2
+
+Python Requirements
+===================
+
+- python-setuptools
+- python2.6
+- python2.6-dev
+- lxml 2.3 or greater
+
+Test Requirements
+=================
+
+- fudge 0.9.5 or greater
+- nose 0.10.4 or greater
+
+Installing
+==========
+To install in the default Python library location::
+
+    python setup.py install
+
+To install in a custom Python library location in Linux::
+
+    MY_BASE_DIR=/home/foouser
+    export PYTHONPATH=$MY_BASE_DIR/lib/python2.6/site-packages
+    python setup.py install --prefix=$MY_BASE_DIR
+
+Testing
+=======
+To run the unit-tests::
+
+   python setup.py test
+
+Running the example app
+=======================
+To run with the default configuration file, example.cfg, which needs to be
+filled out completely::
+
+    python setup.py example
+
+To run with your own configuration file in Linux::
+
+    python setup.py example --config-file=~/my_config.cfg
+
+Example app breakdown
+=====================
+The example app subclasses the BaseHTTPRequestHandler in order to process
+GET and POST HTTP requests. It is by no means a secure application and should
+not be used for anything other than exploring and testing.
+
+Creating and sending the AuthnRequest to the identity provider
+--------------------------------------------------------------
+The identification flow starts when a user requests a resource from the service
+provider which, in this case, is implemented in our example app. In our example,
+the user requests a resource by going to the root path of our app, i.e,::
+
+    http://localhost:7070/
+
+Our example app receives this request and in turn creates a SAML AuthnRequest
+in the form of URL string which we use to redirect the user to our identity
+provider--OneLogin::
+
+        from BaseHTTPServer import BaseHTTPRequestHandler
+        from onelogin.saml import AuthRequest
+        ...
+        class SampleAppHTTPRequestHandler(BaseHTTPRequestHandler):
+          ...
+          def do_GET(self):
+            ...
+            url = AuthRequest.create(**self.settings)
+            self.send_response(301)
+            self.send_header("Location", url)
+            self.end_headers()
+
+The self.settings variable is a dictionary with the following entries. These
+entries are originally retrieved from the configuration file passed in as a
+command line option to the example app::
+
+    settings = dict(
+      assertion_consumer_service_url='http://localhost:7070/example/saml/consume',
+      issuer='python-saml',
+      name_identifier_format='urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
+      idp_sso_target_url='https://app.onelogin.com/saml/signon/<id>',
+    )
+
+The idp_sso_target_url is the SAML Login URL from the SAML Test (IdP) app. You
+must register with OneLogin and add the SAML Test (IdP) app to your apps in
+order to get the idp_sso_target_url. You must also register the
+assertion_consumer_service_url with the SAML Test (IdP) app by entering it in
+the SAML Consumer URL field.
+
+Receiving and verifying the response
+------------------------------------
+The user will then be redirected to the OneLogin login page where they will
+enter their credentials in order to verify their identity. After Onelogin has
+verified their identity, it will redirect the user to the
+assertion_consumer_service_url--http://localhost:7070/example/saml/consume.
+
+Our example app then verifies the SAML Response from OneLogin using the fingerprint
+of the public certificate originally obtained from OneLogin::
+
+          def do_POST(self):
+            ...
+            length = int(self.headers['Content-Length'])
+            data = self.rfile.read(length)
+            query = urlparse.parse_qs(data)
+            res = Response(
+                query['SAMLResponse'].pop(),
+                self.settings['idp_cert_fingerprint'],
+                )
+            valid = res.is_valid()
+            name_id = res.name_id
+            if valid:
+                msg = 'The identify of {name_id} has been verified'.format(
+                    name_id=name_id,
+                    )
+                self._serve_msg(200, msg)
+            else:
+                msg = '{name_id} is not authorized to use this resource'.format(
+                    name_id=name_id,
+                    )
+                self._serve_msg(401, msg)
+
+Once again, the self.settings variable is populated from an entry in
+the configuration file. You can find the public certificate under Security->SAML
+after you login to OneLogin.
+
+For full details see **example.py** and **example.cfg**.
@@ -0,0 +1,22 @@
+[app]
+host = localhost
+port = 7070
+
+[saml]
+issuer = python-saml
+# Email address is a common format to use when verifying identity
+name_identifier_format = urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
+# The SAML Consumer URL from your OneLogin app
+assertion_consumer_service_url =
+# The SAML Login URL from your OneLogin app
+idp_sso_target_url =
+# The x.509 certificate fingerprint from OneLogin, found under Security->SAML,
+# as a file path. Only one of idp_cert_file and idp_cert_fingerprint will be
+# used by the example app, with idp_cert_file being having priority if both are
+# defined.
+idp_cert_file =
+# The x.509 certificate fingerprint from OneLogin, found under Security->SAML,
+# as a string. Only one of idp_cert_file and idp_cert_fingerprint will be
+# used by the example app, with idp_cert_file being having priority if both are
+# defined.
+idp_cert_fingerprint =
@@ -0,0 +1,182 @@
+import os
+import ConfigParser
+import optparse
+import logging
+import shutil
+import urlparse
+
+from StringIO import StringIO
+from BaseHTTPServer import BaseHTTPRequestHandler
+from BaseHTTPServer import HTTPServer
+
+from onelogin.saml import AuthRequest, Response
+
+__version__ = '0.1'
+
+log = logging.getLogger(__name__)
+
+class SampleAppHTTPRequestHandler(BaseHTTPRequestHandler):
+    server_version = 'SampleAppHTTPRequestHandler/%s' % __version__
+
+    def _serve_msg(self, code, msg):
+        f = StringIO()
+        f.write('<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">')
+        f.write("<html>\n<body>\n%s</body>\n</html>\n" % msg)
+        length = f.tell()
+        f.seek(0)
+
+        if code == 200:
+            self.send_response(code)
+        else:
+            self.send_error(code, message=msg)
+
+        self.send_header('Content-type', 'text/html')
+        self.send_header('Content-Length', str(length))
+        self.end_headers()
+
+        shutil.copyfileobj(f, self.wfile)
+
+    def _bad_request(self):
+        """Serve Bad Request (400)."""
+        self._serve_msg(400, 'Bad Request')
+
+    def log_message(self, format, *args):
+        log.info(format % args)
+
+    def do_HEAD(self):
+        """Serve a HEAD request."""
+        self._bad_request()
+
+    def do_DEL(self):
+        """Serve a DEL request."""
+        self._bad_request()
+
+    def do_GET(self):
+        """Serve a GET request."""
+        if not self.path == '/':
+            self._bad_request()
+            return
+
+        url = AuthRequest.create(**self.settings)
+        self.send_response(301)
+        self.send_header("Location", url)
+        self.end_headers()
+
+    def do_POST(self):
+        """Serve a POST request."""
+        if not self.path == self.saml_post_path:
+            self._bad_request()
+            return
+
+        length = int(self.headers['Content-Length'])
+        data = self.rfile.read(length)
+        query = urlparse.parse_qs(data)
+        res = Response(
+            query['SAMLResponse'].pop(),
+            self.settings['idp_cert_fingerprint'],
+            )
+        valid = res.is_valid()
+        name_id = res.name_id
+        if valid:
+            msg = 'The identify of {name_id} has been verified'.format(
+                name_id=name_id,
+                )
+            self._serve_msg(200, msg)
+        else:
+            msg = '{name_id} is not authorized to use this resource'.format(
+                name_id=name_id,
+                )
+            self._serve_msg(401, msg)
+
+def main(config_file):
+    logging.basicConfig(
+        level=logging.INFO,
+        format='%(asctime)s.%(msecs)03d example: %(levelname)s: %(message)s',
+        datefmt='%Y-%m-%dT%H:%M:%S',
+        )
+
+    config = ConfigParser.RawConfigParser()
+    config_path = os.path.expanduser(config_file)
+    config_path = os.path.abspath(config_path)
+    with open(config_path) as f:
+        config.readfp(f)
+
+    host = config.get('app', 'host')
+    port = config.get('app', 'port')
+    port = int(port)
+
+    settings = dict()
+    settings['assertion_consumer_service_url'] = config.get(
+        'saml',
+        'assertion_consumer_service_url'
+        )
+    settings['issuer'] = config.get(
+        'saml',
+        'issuer'
+        )
+    settings['name_identifier_format'] = config.get(
+        'saml',
+        'name_identifier_format'
+        )
+    settings['idp_sso_target_url'] = config.get(
+        'saml',
+        'idp_sso_target_url'
+        )
+    settings['idp_cert_file'] = config.get(
+        'saml',
+        'idp_cert_file'
+        )
+    settings['idp_cert_fingerprint'] = config.get(
+        'saml',
+        'idp_cert_fingerprint'
+        )
+
+    cert_file = settings.pop('idp_cert_file', None)
+
+    # idp_cert_file has priority over idp_cert_fingerprint
+    if cert_file:
+        cert_path = os.path.expanduser(cert_file)
+        cert_path = os.path.abspath(cert_path)
+
+        with open(cert_path) as f:
+            settings['idp_cert_fingerprint'] = f.read()
+
+    parts = urlparse.urlparse(settings['assertion_consumer_service_url'])
+    SampleAppHTTPRequestHandler.protocol_version = 'HTTP/1.0'
+    SampleAppHTTPRequestHandler.settings = settings
+    SampleAppHTTPRequestHandler.saml_post_path = parts.path
+    httpd = HTTPServer(
+        (host, port),
+        SampleAppHTTPRequestHandler,
+        )
+
+    socket_name = httpd.socket.getsockname()
+
+    log.info(
+        'Serving HTTP on {host} port {port} ...'.format(
+            host=socket_name[0],
+            port=socket_name[1],
+            )
+        )
+
+    httpd.serve_forever()
+
+if __name__ == '__main__':
+    parser = optparse.OptionParser(
+        usage='%prog [OPTS]',
+        )
+    parser.add_option(
+        '--config-file',
+        metavar='PATH',
+        help='The configuration file containing the app and SAML settings',
+        )
+
+    parser.set_defaults(
+        config_file='example.cfg'
+        )
+
+    options, args = parser.parse_args()
+    if args:
+        parser.error('Wrong number of arguments')
+
+    main(options.config_file)
@@ -0,0 +1 @@
+__import__('pkg_resources').declare_namespace(__name__)
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+__import__('pkg_resources').declare_namespace(__name__)`