lp:canonical-identity-provider

Created by Danny Tamez on 2010-04-21 and last modified on 2017-12-13
Get this branch:
bzr branch lp:canonical-identity-provider
Members of Canonical ISD hackers can upload to this branch.

Branch information

Owner: Canonical ISD hackers
Project: Canonical SSO provider
Review team: Ubuntu One hackers
Status: Development

Recent revisions

1589. By Daniel Manrique on 2017-12-13

Use the SAML remote's configured certificate, if present.

This allows setting a custom certificate per RP. RPs for which this
field is empty fall back to the global certificate configured in settings.

All certificates must be generated from the global private key in settings,
which is a single setting for all RPs.

Merged from https://code.launchpad.net/~roadmr/canonical-identity-provider/pass-custom-cert-to-django-saml2-idp/+merge/334984

1588. By Daniel Manrique on 2017-12-11

Add "certificate" field to SAMLConfig model.

This allows setting a custom certificate per RP. RPs for which this
field is empty fall back to the global certificate configured in settings.

All certificates must be generated from the global private key in settings,
which is a single setting for all RPs.

Merged from https://code.launchpad.net/~roadmr/canonical-identity-provider/samlconfig-certificate-field/+merge/334784

1587. By Daniel Manrique on 2017-12-04

Revert r1586 because it broke non-Canonical logins to support.canonical.com

Mechanical revert by bzr merge -r 1586..1585 ./

Merged from https://code.launchpad.net/~roadmr/canonical-identity-provider/revert-r1586/+merge/334679

1586. By Daniel Manrique on 2017-11-22

Properly apply a SAML remote's email_pattern even if the user's email address is not @canonical.com.

Merged from https://code.launchpad.net/~roadmr/canonical-identity-provider/fix-no-email-pattern-non-canonical-addresses/+merge/333482

1585. By Daniel Manrique on 2017-11-07

- Validate SAML responses
- Update django-saml2-idp so it spits out valid SAML

This was spotted by a couple of newly-very-strict SPs which were actually running our assertions against the SAML XSD and rejecting us.

These remotes used the onelogin SAML library https://github.com/onelogin/python-saml.

Merged from https://code.launchpad.net/~roadmr/canonical-identity-provider/validate-saml-xml/+merge/333276

1584. By Daniel Manrique on 2017-10-26

Fix the "'AnonymousUser' object has no attribute 'person_in_any_team'" oops when a non-logged-in user tries to access a SAML remote with group restrictions.

This was fixed at Ricardo's suggestion by moving the group membership test to a _validate_user method (which is actually what django_saml2idp recommends, had I bothered to read the documentation), and it's my understanding that in this method one should *never* get a non-logged-in user. But I left the check that protects against a User not having person_in_any_team anyway.

The test I wrote with the user checks in _validate_request reproduced the oops perfectly, even if moving it to _validate_user later changed the behavior (sending the user to the login page).

Merged from https://code.launchpad.net/~roadmr/canonical-identity-provider/fix-saml-team-snafu/+merge/332868

1583. By Daniel Manrique on 2017-10-25

Restrict access to SAML services to people in teams listed in a SAML SP's allowed_teams.

This is a comma-separated list of (Launchpad) teams. If blank, it allows access to everyone (old behavior).

Merged from https://code.launchpad.net/~roadmr/canonical-identity-provider/saml-teams/+merge/332675

1582. By Daniel Manrique on 2017-10-24

Add allowed_teams field to SAMLConfig.

The default is '' which is a special "allow all teams" behavior.

It's expected to contain a comma-separated list of (Launchpad) team names, only members of which will be allowed access to the SAML service provider.

Note that none of those behaviors are implemented in this code, this only adds the field itself, so it can be deployed without affecting running code and the code implementing this can be deployed once the DB has been migrated.

Merged from https://code.launchpad.net/~roadmr/canonical-identity-provider/add-saml-teams-field/+merge/332674
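The allowed_teams semantics described in r1582 and r1583 (blank means allow everyone, otherwise a comma-separated list of Launchpad team names) together with the anonymous-user guard from r1584, as an added example that is not code from the canonical-identity-provider branch. The class and function names (SAMLConfig, User, validate_user, person_in_any_team) are stand-ins assumed for illustration, not the project's real identifiers.

```python
# Added example, not code from the canonical-identity-provider branch.
# Models the allowed_teams behaviour described in r1582/r1583 and the
# AnonymousUser guard from r1584. All names here are assumptions.
from dataclasses import dataclass, field


@dataclass
class SAMLConfig:
    """Stand-in for the SAMLConfig model; '' means 'allow all teams'."""
    allowed_teams: str = ""


@dataclass
class User:
    """Stand-in for a logged-in user with Launchpad team memberships."""
    username: str
    teams: frozenset = field(default_factory=frozenset)
    is_authenticated: bool = True

    def person_in_any_team(self, team_names):
        return bool(self.teams.intersection(team_names))


class AnonymousUser:
    """Mimics Django's AnonymousUser: it has no person_in_any_team."""
    is_authenticated = False


def parse_allowed_teams(raw):
    """Split the comma-separated field, dropping whitespace and empties."""
    return [t.strip() for t in raw.split(",") if t.strip()]


def validate_user(user, config):
    """Return True if this user may use the SAML service provider.

    A blank allowed_teams keeps the old allow-everyone behaviour.
    Otherwise the user must be logged in, must expose the team-membership
    helper (the guard r1584 kept), and must belong to at least one team.
    """
    teams = parse_allowed_teams(config.allowed_teams)
    if not teams:
        return True
    if not getattr(user, "is_authenticated", False):
        return False
    if not hasattr(user, "person_in_any_team"):
        return False
    return user.person_in_any_team(teams)
```

Team names are compared exactly after stripping whitespace, so a restriction that never matches fails closed rather than open.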

1581. By Daniel Manrique on 2017-10-06

Bump isd-configs/sso revno to 310 (GTM update)

Merged from https://code.launchpad.net/~roadmr/canonical-identity-provider/update-isd-configs/+merge/331952

1580. By Ricardo Kirkner on 2017-10-05

Fixed failing tests due to unmet preconditions

Tests didn't set the value of the TWOFACTOR switch but expected it to be enabled.

Merged from https://code.launchpad.net/~ricardokirkner/canonical-identity-provider/fix-failing-tests-due-to-ordering/+merge/331816

Branch metadata

Branch format: Branch format 7
Repository format: Bazaar repository format 2a (needs bzr 1.16 or later)
This branch contains Public information. Everyone can see this information.