Enable idp blacklisting for SAML backends

Ioannis Kakavas · Ioannis Kakavas · commit ab079b9f87d1 · 2017-08-23T15:36:39.000+03:00
diff --git a/example/plugins/backends/saml2_backend.yaml.example b/example/plugins/backends/saml2_backend.yaml.example
@@ -13,6 +13,8 @@ config:
       local: [idp.xml]
 
     entityid: <base_url>/<name>/proxy_saml2_backend.xml
+    idp_blacklist_enabled: true
+    idp_blacklist_file: /path/to/blacklist.json
     service:
       sp:
         want_response_signed: true
diff --git a/src/satosa/backends/saml2.py b/src/satosa/backends/saml2.py
@@ -149,6 +149,17 @@ def authn_request(self, context, entity_id):
         :param entity_id: Target IDP entity id
         :return: response to the user agent
         """
+
+        # If IDP blacklisting is enabled and the selected IDP is blacklisted,
+        # stop here
+        if self.config["sp_config"]["idp_blacklist_enabled"]:
+            with open(self.config["sp_config"]["idp_blacklist_file"]) as blacklist_file:
+                blacklist_array = json.load(blacklist_file)['blacklist']
+                if entity_id in blacklist_array:
+            satosa_logging(logger, logging.DEBUG, "IdP with EntityID {} is blacklisted".format(entity_id), context.state,
+                           exc_info=False)
+            raise SATOSAAuthenticationError(context.state, "Selected IdP is blacklisted for this backend")
+
         kwargs = {}
         authn_context = self.construct_requested_authn_context(entity_id)
         if authn_context:
