make both sign response and assertion configurable but with saml2int as a baseline for default settings

leifj · leifj · commit 2aedfa0b4a61 · 2017-05-31T09:36:24.000+02:00
diff --git a/src/satosa/frontends/saml2.py b/src/satosa/frontends/saml2.py
@@ -6,6 +6,7 @@
 import json
 import logging
 from urllib.parse import urlparse
+from distutils.util import strtobool
 
 from saml2 import SAMLError, xmldsig
 from saml2.config import IdPConfig
@@ -287,13 +288,28 @@ def _handle_authn_response(self, context, internal_response, idp):
 
         satosa_logging(logger, logging.DEBUG, "returning attributes %s" % json.dumps(ava), context.state)
 
+        # assume saml2int defaults: sign response but not the assertion & allow override
+        sign_assertion = False
+        try:
+            sign_assertion = strtobool(self.config['idp_config']['service']['idp']['policy']['default']['sign_assertion'])
+            sign_assertion = strtobool(self.config['idp_config']['service']['idp']['policy'][resp_args['sp_entity_id']]['sign_assertion'])
+        except (KeyError, AttributeError, ValueError):
+            pass
+
+        sign_response = True
+        try:
+            sign_response = strtobool(self.config['idp_config']['service']['idp']['policy']['default']['sign_response'])
+            sign_response = strtobool(self.config['idp_config']['service']['idp']['policy'][resp_args['sp_entity_id']]['sign_response'])
+        except (KeyError, AttributeError, ValueError):
+            pass
+
         # Construct arguments for method create_authn_response on IdP Server instance
         args = {
                 'identity'      : ava,
                 'name_id'       : name_id,
                 'authn'         : auth_info,
-                'sign_response' : True,
-                'sign_assertion': True
+                'sign_response' : sign_response,
+                'sign_assertion': sign_assertion
                 }
 
         # Add the SP details
