Fixed so it works with the SP only supporting HTTP-Redirect binding.

Author: Roland Hedberg

example/idp2/idp.py

@@ -156,10 +156,19 @@ def artifact_operation(self, saml_msg):
                 return self.do(request, BINDING_HTTP_ARTIFACT)
 
     def response(self, binding, http_args):
+        resp = None
         if binding == BINDING_HTTP_ARTIFACT:
             resp = Redirect()
-        else:
+        elif http_args["data"]:
             resp = Response(http_args["data"], headers=http_args["headers"])
+        else:
+            for header in http_args["headers"]:
+                if header[0] == "Location":
+                    resp = Redirect(header[1])
+
+        if not resp:
+            resp = ServiceError("Don't know how to return response")
+
         return resp(self.environ, self.start_response)
 
     def do(self, query, binding, relay_state="", encrypt_cert=None):
@@ -254,7 +263,7 @@ def verify_request(self, query, binding):
             self.binding_out, self.destination = IDP.pick_binding(
                 "assertion_consumer_service",
                 bindings=self.response_bindings,
-                entity_id=_authn_req.issuer.text)
+                entity_id=_authn_req.issuer.text, request=_authn_req)
         except Exception as err:
             logger.error("Couldn't find receiver endpoint: %s" % err)
             raise

example/sp-wsgi/sp.py

@@ -522,14 +522,22 @@ def _pick_idp(self, came_from):
         logger.info("Chosen IdP: '%s'" % idp_entity_id)
         return 0, idp_entity_id
 
-    def redirect_to_auth(self, _cli, entity_id, came_from, vorg_name=""):
+    def redirect_to_auth(self, _cli, entity_id, came_from):
         try:
+            # Picks a binding to use for sending the Request to the IDP
             _binding, destination = _cli.pick_binding(
                 "single_sign_on_service", self.bindings, "idpsso",
                 entity_id=entity_id)
             logger.debug("binding: %s, destination: %s" % (_binding,
                                                            destination))
-            req_id, req = _cli.create_authn_request(destination, vorg=vorg_name)
+            # Binding here is the response binding that is which binding the
+            # IDP should use to return the response.
+            acs = _cli.config.getattr("endpoints", "sp")[
+                "assertion_consumer_service"]
+            # just pick one
+            endp, return_binding = acs[0]
+            req_id, req = _cli.create_authn_request(destination,
+                                                    binding=return_binding)
             _rstate = rndstr()
             self.cache.relay_state[_rstate] = came_from
             ht_args = _cli.apply_binding(_binding, "%s" % req, destination,
@@ -553,14 +561,6 @@ def do(self):
         came_from = geturl(self.environ)
         logger.debug("[sp.challenge] RelayState >> '%s'" % came_from)
 
-        # Am I part of a virtual organization or more than one ?
-        try:
-            vorg_name = _cli.vorg._name
-        except AttributeError:
-            vorg_name = ""
-
-        logger.debug("[sp.challenge] VO: %s" % vorg_name)
-
         # If more than one idp and if none is selected, I have to do wayf
         (done, response) = self._pick_idp(came_from)
         # Three cases: -1 something went wrong or Discovery service used
@@ -575,7 +575,7 @@ def do(self):
         else:
             entity_id = response
             # Do the AuthnRequest
-            resp = self.redirect_to_auth(_cli, entity_id, came_from, vorg_name)
+            resp = self.redirect_to_auth(_cli, entity_id, came_from)
             return resp(self.environ, self.start_response)
 
 
@@ -598,12 +598,6 @@ def main(environ, start_response, _sp):
     return _sso.do()
 
 
-#noinspection PyUnusedLocal
-def verify_login_cookie(environ, start_response, _sp):
-    _sso = SSO(_sp, environ, start_response, cache=CACHE, **ARGS)
-    return _sso.do()
-
-
 def disco(environ, start_response, _sp):
     query = parse_qs(environ["QUERY_STRING"])
     entity_id = query["entityID"][0]
@@ -624,7 +618,6 @@ def disco(environ, start_response, _sp):
     # Hmm, place holder, NOT used
     ('place', ("holder", None)),
     (r'^$', main),
-    (r'^login', verify_login_cookie),
     (r'^disco', disco)
 ]
 
@@ -655,6 +648,7 @@ def application(environ, start_response):
     path = environ.get('PATH_INFO', '').lstrip('/')
     logger.debug("<application> PATH: '%s'" % path)
 
+
     logger.debug("Finding callback to run")
     try:
         for regex, spec in urls:

src/saml2/client_base.py

@@ -530,7 +530,7 @@ def parse_authn_request_response(self, xmlstr, binding, outstanding=None,
                 "allow_unsolicited": self.allow_unsolicited,
                 "want_assertions_signed": self.want_assertions_signed,
                 "want_response_signed": self.want_response_signed,
-                "return_addrs": self.service_urls(),
+                "return_addrs": self.service_urls(binding=binding),
                 "entity_id": self.config.entityid,
                 "attribute_converters": self.config.attribute_converters,
                 "allow_unknown_attributes":

src/saml2/entity.py

@@ -228,19 +228,42 @@ def pick_binding(self, service, bindings=None, descr_type="", request=None,
         sfunc = getattr(self.metadata, service)
 
         if bindings is None:
-            bindings = self.config.preferred_binding[service]
+            if request and request.protocol_binding:
+                bindings = [request.protocol_binding]
+            else:
+                bindings = self.config.preferred_binding[service]
 
         if not descr_type:
             if self.entity_type == "sp":
                 descr_type = "idpsso"
             else:
                 descr_type = "spsso"
 
+        _url = _index = None
+        if request:
+            try:
+                _url = getattr(request, "%s_url" % service)
+            except AttributeError:
+                _url = None
+                try:
+                    _index = getattr(request, "%s_index" % service)
+                except AttributeError:
+                    pass
+
         for binding in bindings:
             try:
                 srvs = sfunc(entity_id, binding, descr_type)
                 if srvs:
-                    return binding, destinations(srvs)[0]
+                    if _url:
+                        for srv in srvs:
+                            if srv["location"] == _url:
+                                return binding, _url
+                    elif _index:
+                        for srv in srvs:
+                            if srv["index"] == _index:
+                                return binding, srv["location"]
+                    else:
+                        return binding, destinations(srvs)[0]
             except UnsupportedBinding:
                 pass