Merge pull request #225 from alexstuart/redirect-binding

c00kiemon5ter · web-flow · commit 123620d40560 · 2019-07-08T20:12:52.000+03:00
Warn when AssertionConsumerService binding is HTTP-Redirect
diff --git a/example/plugins/backends/saml2_backend.yaml.example b/example/plugins/backends/saml2_backend.yaml.example
@@ -50,7 +50,6 @@ config:
         endpoints:
           assertion_consumer_service:
           - [<base_url>/<name>/acs/post, 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']
-          - [<base_url>/<name>/acs/redirect, 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect']
           discovery_response:
           - [<base_url>/<name>/disco, 'urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol']
         name_id_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'
diff --git a/src/satosa/backends/saml2.py b/src/satosa/backends/saml2.py
@@ -5,9 +5,11 @@
 import functools
 import json
 import logging
+import warnings as _warnings
 from base64 import urlsafe_b64encode
 from urllib.parse import urlparse
 
+from saml2 import BINDING_HTTP_REDIRECT
 from saml2.client_base import Base
 from saml2.config import SPConfig
 from saml2.extension.ui import NAMESPACE as UI_NAMESPACE
@@ -429,6 +431,20 @@ def register_endpoints(self):
         for endp, binding in sp_endpoints["assertion_consumer_service"]:
             parsed_endp = urlparse(endp)
             url_map.append(("^%s$" % parsed_endp.path[1:], functools.partial(self.authn_response, binding=binding)))
+            if binding == BINDING_HTTP_REDIRECT:
+                msg = " ".join(
+                    [
+                        "AssertionConsumerService endpoint with binding",
+                        BINDING_HTTP_REDIRECT,
+                        "is not recommended.",
+                        "Quoting section 4.1.2 of",
+                        "'Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0':",
+                        "The HTTP Redirect binding MUST NOT be used,",
+                        "as the response will typically exceed the URL length",
+                        "permitted by most user agents.",
+                    ]
+                )
+                _warnings.warn(msg, DeprecationWarning)
 
         if self.discosrv:
             for endp, binding in sp_endpoints["discovery_response"]:
