#24 Define PAOS AssertionConsumerService in ipsilon-client-install
Merged 8 years ago by puiterwijk. Opened 8 years ago by jdennis.
jdennis/ipsilon client-paos  into  master

@@ -89,6 +89,7 @@ 

      url_sp = url + args['saml_sp']

      url_logout = url + args['saml_sp_logout']

      url_post = url + args['saml_sp_post']

+     url_paos = url + args['saml_sp_paos']

  

      # Generate metadata

      m = Metadata('sp')
@@ -99,7 +100,10 @@ 

      m.add_service(SAML2_SERVICE_MAP['logout-redirect'], url_logout)

      if not args['no_saml_soap_logout']:

          m.add_service(SAML2_SERVICE_MAP['slo-soap'], url_logout)

-     m.add_service(SAML2_SERVICE_MAP['response-post'], url_post, index="0")

+     m.add_service(SAML2_SERVICE_MAP['response-post'], url_post,

+                   index="0", isDefault="true")

+     m.add_service(SAML2_SERVICE_MAP['response-paos'], url_paos,

+                   index="1")

      m.add_allowed_name_format(SAML2_NAMEID_MAP[args['saml_nameid']])

      sp_metafile = os.path.join(path, 'metadata.xml')

      m.output(sp_metafile)
@@ -336,6 +340,8 @@ 

                          help="Single Logout URL")

      parser.add_argument('--saml-sp-post', default=None,

                          help="Post response URL")

+     parser.add_argument('--saml-sp-paos', default=None,

+                         help="PAOS response URL, used for ECP")

      parser.add_argument('--no-saml-soap-logout', action='store_true',

                          default=False,

                          help="Disable Single Logout over SOAP")
@@ -366,7 +372,7 @@ 

  

      # Validate that all path options begin with '/'

      path_args = ['saml_base', 'saml_auth', 'saml_sp', 'saml_sp_logout',

-                  'saml_sp_post']

+                  'saml_sp_post', 'saml_sp_paos']

      for path_arg in path_args:

          if args[path_arg] is not None and not args[path_arg].startswith('/'):

              raise ValueError('--%s must begin with a / character.' %
@@ -377,10 +383,11 @@ 

      if not args['saml_sp'].startswith(args['saml_base']):

          raise ValueError('--saml-sp must be a subpath of --saml-base.')

  

-     # The saml_sp_logout and saml_sp_post settings must be subpaths

-     # of saml_sp (the mellon endpoint).

+     # The saml_sp_logout, saml_sp_post and saml_sp_paos settings must

+     # be subpaths of saml_sp (the mellon endpoint).

      path_args = {'saml_sp_logout': 'logout',

-                  'saml_sp_post': 'postResponse'}

+                  'saml_sp_post': 'postResponse',

+                  'saml_sp_paos': 'paosResponse'}

      for path_arg, default_path in path_args.items():

          if args[path_arg] is None:

              args[path_arg] = '%s/%s' % (args['saml_sp'].rstrip('/'),
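Review bot: The PAOS AssertionConsumerService is emitted unconditionally in the metadata hunk (`m.add_service(SAML2_SERVICE_MAP['response-paos'], url_paos, index="1")`), whereas the SOAP logout endpoint two lines above it is guarded by `--no-saml-soap-logout`, so every SP installed with this tool now advertises an ECP endpoint whether or not the deployment uses ECP, and an advertised consumer endpoint that is never exercised is one more place the SP accepts assertions. A mirror-image opt-out, e.g. `parser.add_argument('--no-saml-paos', action='store_true', default=False, help="Do not advertise the PAOS (ECP) endpoint")` with `if not args['no_saml_paos']:` around that add_service call, would keep the metadata minimal by choice. The new default `'saml_sp_paos': 'paosResponse'` in the last hunk also deserves a one-line comment saying the name must match the endpoint mod_auth_mellon serves under the saml_sp path, which is presumably why postResponse is already spelled that way. The functions these hunks belong to start and end outside the hunks.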

@@ -32,7 +32,9 @@ 

      'slo-soap': ('SingleLogoutService',

                   lasso.SAML2_METADATA_BINDING_SOAP),

      'response-post': ('AssertionConsumerService',

-                       lasso.SAML2_METADATA_BINDING_POST)

+                       lasso.SAML2_METADATA_BINDING_POST),

+     'response-paos': ('AssertionConsumerService',

+                       lasso.SAML2_METADATA_BINDING_PAOS),

  }

  

  EDESC = '{%s}EntityDescriptor' % lasso.SAML2_METADATA_HREF
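Review bot: `lasso.SAML2_METADATA_BINDING_PAOS` is now evaluated at module import time inside the `SAML2_SERVICE_MAP` literal, so on a lasso build that lacks that constant (if any such release is still a supported target) the whole module fails to import with an AttributeError rather than only the `--saml-sp-paos` path failing. If that matters, either record the requirement in a comment on the new entry, e.g. `# needs a lasso with SAML2_METADATA_BINDING_PAOS (ECP/PAOS support)`, or resolve the binding lazily where the PAOS service is added. The dict literal begins before the hunk.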


Perhaps we might want a little bit more explanation about this?
Maybe just the full text instead of the abbreviation?

We can do a better message, but out of curiosity why is the nearly identical "Post response URL" above any less informative? It seems to me that Logout URL and Post URL only have meaning if you already have a familiarity with SAML profiles. How does this sound as a reworded help message?

PAOS response URL, used for ECP.

We can't spell out PAOS because it's not an acronym; it stands for "reverse SOAP", with SOAP spelled backwards. I don't really see how adding that tidbit adds much to the help message, and likewise how does spelling out ECP as "Enhanced Client & Proxy" help? Either you know what this stuff is or you don't.

The main issue I had was that "PAOS" sounds like it's an abbreviation, and I kept trying to think up what it could be to think if I would know what it means.
The Logout URL and Post URL don't sound like abbreviations, which makes me not even try to parse them if I have never heard of them before.

The rewording you suggest sounds reasonable, but we could also just lowercase "paos".