
OneLogin's SAML Python Toolkit v2.2.0


@pitbulk pitbulk released this 14 Oct 15:03
· 224 commits to master since this release

This version includes a security patch that adds extra structural validations of the SAML Response to prevent XML Signature Wrapping (XSW) attacks.

Changelog:

  • Several security improvements:
    • Conditions element required and unique.
    • AuthnStatement element required and unique.
    • SPNameQualifier must match the SP EntityID
    • Reject saml:Attribute element with same “Name” attribute
    • Reject empty nameID
    • Require Issuer element. (Must match IdP EntityID).
    • Destination value can't be blank (if present must match ACS URL).
    • Check that the EncryptedAssertion element only contains 1 Assertion element.
  • Improve Signature validation process
  • #149 Work-around for xmlsec.initialize
  • #151 Fix flask demo error handling and improve documentation
  • #152 Update LICENSE to include MIT rather than BSD license
  • #155 Fix typographical errors in docstring
  • Fix RequestedAttribute Issue
  • Fix __build_signature method. If relay_state is null, it is not included in the SignQuery
  • #164 Add support for non-ascii fields in settings
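The structural checks listed under "Several security improvements" above are the kind of pre-conditions a SAML consumer must enforce before it trusts anything in a Response, because an XSW attack keeps the original signed Assertion intact (so the signature still verifies) and adds an unsigned one where a naive parser will read it first. The following is an added, stand-alone illustration of those checks using only the standard library; it is not code from the toolkit, it does not perform cryptographic signature verification (it only checks which element the signature's Reference points at), and the entity IDs, ACS URL, element IDs and sample Response are constructed for the example.

```python
"""Structural validation of a SAML 2.0 Response, mirroring the checks listed in the changelog."""
import xml.etree.ElementTree as ET  # production code should parse with defusedxml

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def q(prefix, local):
    """Clark-notation tag name ({namespace}local) for ElementTree lookups."""
    return "{%s}%s" % (NS[prefix], local)


class SamlValidationError(ValueError):
    pass


def exactly_one(parent, prefix, local):
    """Require exactly one direct child prefix:local (Conditions, AuthnStatement, ...)."""
    found = parent.findall(q(prefix, local))
    if len(found) != 1:
        raise SamlValidationError("expected exactly one %s:%s, found %d" % (prefix, local, len(found)))
    return found[0]


def signed_element_ids(root):
    """IDs named by every ds:Reference in the document (same-document URI '#id')."""
    ids = set()
    for ref in root.iter(q("ds", "Reference")):
        uri = ref.get("URI", "")
        if not uri.startswith("#") or len(uri) < 2:
            raise SamlValidationError("unsupported or empty Reference URI %r" % uri)
        ids.add(uri[1:])
    return ids


def validate_response(xml_text, sp_entity_id, idp_entity_id, acs_url):
    """Raise SamlValidationError on any structural problem; return the claims otherwise."""
    root = ET.fromstring(xml_text)
    if root.tag != q("samlp", "Response"):
        raise SamlValidationError("root element is not samlp:Response")

    # Destination may be absent, but if present it must be non-empty and equal our ACS URL.
    dest = root.get("Destination")
    if dest is not None and dest != acs_url:
        raise SamlValidationError("Destination %r does not match ACS URL" % dest)

    # Exactly one Assertion overall, counting one inside each (already decrypted) EncryptedAssertion.
    assertions = root.findall(q("saml", "Assertion"))
    for enc in root.findall(q("saml", "EncryptedAssertion")):
        assertions.append(exactly_one(enc, "saml", "Assertion"))
    if len(assertions) != 1:
        raise SamlValidationError("expected exactly one Assertion, found %d" % len(assertions))
    assertion = assertions[0]

    # Issuer is mandatory on the Assertion; wherever it appears it must be the configured IdP.
    for scope in (root, assertion):
        issuer = scope.find(q("saml", "Issuer"))
        if issuer is None and scope is assertion:
            raise SamlValidationError("Assertion has no Issuer")
        if issuer is not None and (issuer.text or "").strip() != idp_entity_id:
            raise SamlValidationError("Issuer does not match IdP EntityID")

    exactly_one(assertion, "saml", "Conditions")
    exactly_one(assertion, "saml", "AuthnStatement")

    # NameID, if present, must be non-empty and, if qualified, qualified for this SP.
    name_id = None
    nid = assertion.find(q("saml", "Subject") + "/" + q("saml", "NameID"))
    if nid is not None:
        name_id = (nid.text or "").strip()
        if not name_id:
            raise SamlValidationError("empty NameID")
        spnq = nid.get("SPNameQualifier")
        if spnq is not None and spnq != sp_entity_id:
            raise SamlValidationError("SPNameQualifier does not match SP EntityID")

    # Attribute Names must be unique so an injected duplicate cannot shadow the real value.
    attributes = {}
    for attr in assertion.iter(q("saml", "Attribute")):
        name = attr.get("Name")
        if name in attributes:
            raise SamlValidationError("duplicate Attribute Name %r" % name)
        attributes[name] = [(v.text or "") for v in attr.findall(q("saml", "AttributeValue"))]

    # Wrapping defence: each signed Reference must name the Response or the one Assertion we
    # are about to trust, and that ID must occur exactly once in the whole document.
    all_ids = [el.get("ID") for el in root.iter() if el.get("ID") is not None]
    trusted = {root.get("ID"), assertion.get("ID")} - {None}
    refs = signed_element_ids(root)
    if not refs:
        raise SamlValidationError("no Signature found")
    for ref_id in refs:
        if ref_id not in trusted:
            raise SamlValidationError("Signature covers unexpected element %r" % ref_id)
        if all_ids.count(ref_id) != 1:
            raise SamlValidationError("ID %r is not unique in the document" % ref_id)
    return {"name_id": name_id, "attributes": attributes}


def rejects(xml_text, **config):
    """True when validate_response refuses the document."""
    try:
        validate_response(xml_text, **config)
    except SamlValidationError:
        return True
    return False


# Constructed sample configuration and a well-formed Response (signature digest/value omitted).
CONFIG = dict(sp_entity_id="https://sp.example.com", idp_entity_id="https://idp.example.com",
              acs_url="https://sp.example.com/acs")
GOOD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_r1" Version="2.0" Destination="https://sp.example.com/acs">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>
    <saml:Subject><saml:NameID SPNameQualifier="https://sp.example.com">alice</saml:NameID></saml:Subject>
    <saml:Conditions/>
    <saml:AuthnStatement/>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed XSW variant: the signed Assertion is moved under samlp:Extensions and an unsigned
# attacker Assertion (NameID "admin") takes its place as the Response's direct child.
XSW_RESPONSE = GOOD_RESPONSE.replace(
    '<saml:Assertion ID="_a1"', '<samlp:Extensions><saml:Assertion ID="_a1"'
).replace(
    '</saml:Assertion>',
    '</saml:Assertion></samlp:Extensions>'
    '<saml:Assertion ID="_evil" Version="2.0"><saml:Issuer>https://idp.example.com</saml:Issuer>'
    '<saml:Subject><saml:NameID>admin</saml:NameID></saml:Subject>'
    '<saml:Conditions/><saml:AuthnStatement/></saml:Assertion>',
)

if __name__ == "__main__":
    print("good:", validate_response(GOOD_RESPONSE, **CONFIG))
    print("wrapped rejected:", rejects(XSW_RESPONSE, **CONFIG))
```

The order of the checks matters less than the fact that all of them run before any claim is returned: in the XSW variant a consumer that reads the first Assertion it finds would already have "admin" in hand, which is exactly why the toolkit ties the trusted element to the one the signature's Reference actually covers and insists on unique IDs and singleton Conditions/AuthnStatement elements.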