authentik.enterprise.providers.ws_federation.processors.metadata

 1from django.urls import reverse
 2from lxml.etree import SubElement, _Element  # nosec
 3
 4from authentik.common.saml.constants import NS_SAML_METADATA
 5from authentik.enterprise.providers.ws_federation.processors.constants import (
 6    NS_ADDRESSING,
 7    NS_MAP,
 8    NS_WS_FED_PROTOCOL,
 9    NS_WSI,
10)
11from authentik.providers.saml.processors.metadata import MetadataProcessor as BaseMetadataProcessor
12
13
class MetadataProcessor(BaseMetadataProcessor):
    """Metadata processor for the WS-Federation provider.

    Builds on the SAML metadata processor: the ``md:EntityDescriptor`` gets an
    extra ``md:RoleDescriptor`` typed ``fed:SecurityTokenServiceType`` (see
    :meth:`add_role_descriptor_sts`) in front of whatever the base class adds.
    """

    def add_children(self, entity_descriptor: _Element):
        """Attach the STS role descriptor, then the base class's children.

        Args:
            entity_descriptor: the ``md:EntityDescriptor`` element being populated.
        """
        # WS-Fed RoleDescriptor first; the SAML descriptors from the base
        # class are appended after it.
        self.add_role_descriptor_sts(entity_descriptor)
        super().add_children(entity_descriptor)

    def add_endpoint(self, parent: _Element, name: str):
        """Attach ``fed:<name>/wsa:EndpointReference/wsa:Address`` to *parent*.

        The address is always the provider's WS-Fed view
        (``authentik_providers_ws_federation:wsfed``); both STS endpoints share it.

        Args:
            parent: element that receives the endpoint (the RoleDescriptor).
            name: local name of the ``fed:`` endpoint element, e.g.
                ``PassiveRequestorEndpoint``.
        """
        nested_tags = (
            f"{{{NS_WS_FED_PROTOCOL}}}{name}",
            f"{{{NS_ADDRESSING}}}EndpointReference",
            f"{{{NS_ADDRESSING}}}Address",
        )
        # Each tag becomes the child of the previous one; the innermost
        # element (wsa:Address) is what ends up holding the URL.
        node = parent
        for tag in nested_tags:
            node = SubElement(node, tag, nsmap=NS_MAP)
        # NOTE: the URL is built from the incoming request (scheme + host), so
        # the advertised endpoint is whatever host this request arrived on;
        # that relies on Django's host validation (ALLOWED_HOSTS) and proxy
        # header settings being correct for the deployment.
        node.text = self.http_request.build_absolute_uri(
            reverse("authentik_providers_ws_federation:wsfed")
        )

    def add_role_descriptor_sts(self, entity_descriptor: _Element):
        """Append a ``fed:SecurityTokenServiceType`` RoleDescriptor.

        The descriptor advertises the WS-Fed protocol, carries the signing
        KeyDescriptor when one is available, and exposes the two STS endpoints.

        Args:
            entity_descriptor: the ``md:EntityDescriptor`` element to extend.
        """
        sts = SubElement(
            entity_descriptor, f"{{{NS_SAML_METADATA}}}RoleDescriptor", nsmap=NS_MAP
        )
        sts.attrib.update(
            {
                f"{{{NS_WSI}}}type": "fed:SecurityTokenServiceType",
                "protocolSupportEnumeration": NS_WS_FED_PROTOCOL,
            }
        )

        # No KeyDescriptor is emitted when the base class has no signing key;
        # consumers of this metadata then get no key to verify tokens against.
        key_descriptor = self.get_signing_key_descriptor()
        if key_descriptor is not None:
            sts.append(key_descriptor)

        for endpoint_name in ("SecurityTokenServiceEndpoint", "PassiveRequestorEndpoint"):
            self.add_endpoint(sts, endpoint_name)
class MetadataProcessor(BaseMetadataProcessor):
    """Metadata processor for the WS-Federation provider.

    Builds on the SAML metadata processor: the ``md:EntityDescriptor`` gets an
    extra ``md:RoleDescriptor`` typed ``fed:SecurityTokenServiceType`` (see
    :meth:`add_role_descriptor_sts`) in front of whatever the base class adds.
    """

    def add_children(self, entity_descriptor: _Element):
        """Attach the STS role descriptor, then the base class's children.

        Args:
            entity_descriptor: the ``md:EntityDescriptor`` element being populated.
        """
        # WS-Fed RoleDescriptor first; the SAML descriptors from the base
        # class are appended after it.
        self.add_role_descriptor_sts(entity_descriptor)
        super().add_children(entity_descriptor)

    def add_endpoint(self, parent: _Element, name: str):
        """Attach ``fed:<name>/wsa:EndpointReference/wsa:Address`` to *parent*.

        The address is always the provider's WS-Fed view
        (``authentik_providers_ws_federation:wsfed``); both STS endpoints share it.

        Args:
            parent: element that receives the endpoint (the RoleDescriptor).
            name: local name of the ``fed:`` endpoint element, e.g.
                ``PassiveRequestorEndpoint``.
        """
        nested_tags = (
            f"{{{NS_WS_FED_PROTOCOL}}}{name}",
            f"{{{NS_ADDRESSING}}}EndpointReference",
            f"{{{NS_ADDRESSING}}}Address",
        )
        # Each tag becomes the child of the previous one; the innermost
        # element (wsa:Address) is what ends up holding the URL.
        node = parent
        for tag in nested_tags:
            node = SubElement(node, tag, nsmap=NS_MAP)
        # NOTE: the URL is built from the incoming request (scheme + host), so
        # the advertised endpoint is whatever host this request arrived on;
        # that relies on Django's host validation (ALLOWED_HOSTS) and proxy
        # header settings being correct for the deployment.
        node.text = self.http_request.build_absolute_uri(
            reverse("authentik_providers_ws_federation:wsfed")
        )

    def add_role_descriptor_sts(self, entity_descriptor: _Element):
        """Append a ``fed:SecurityTokenServiceType`` RoleDescriptor.

        The descriptor advertises the WS-Fed protocol, carries the signing
        KeyDescriptor when one is available, and exposes the two STS endpoints.

        Args:
            entity_descriptor: the ``md:EntityDescriptor`` element to extend.
        """
        sts = SubElement(
            entity_descriptor, f"{{{NS_SAML_METADATA}}}RoleDescriptor", nsmap=NS_MAP
        )
        sts.attrib.update(
            {
                f"{{{NS_WSI}}}type": "fed:SecurityTokenServiceType",
                "protocolSupportEnumeration": NS_WS_FED_PROTOCOL,
            }
        )

        # No KeyDescriptor is emitted when the base class has no signing key;
        # consumers of this metadata then get no key to verify tokens against.
        key_descriptor = self.get_signing_key_descriptor()
        if key_descriptor is not None:
            sts.append(key_descriptor)

        for endpoint_name in ("SecurityTokenServiceEndpoint", "PassiveRequestorEndpoint"):
            self.add_endpoint(sts, endpoint_name)

SAML Identity Provider Metadata Processor

def add_children(self, entity_descriptor: lxml.etree._Element):
    def add_children(self, entity_descriptor: _Element):
        """Attach the STS role descriptor, then the base class's children.

        Args:
            entity_descriptor: the ``md:EntityDescriptor`` element being populated.
        """
        # WS-Fed RoleDescriptor first; the SAML descriptors from the base
        # class are appended after it.
        self.add_role_descriptor_sts(entity_descriptor)
        super().add_children(entity_descriptor)
def add_endpoint(self, parent: lxml.etree._Element, name: str):
    def add_endpoint(self, parent: _Element, name: str):
        """Attach ``fed:<name>/wsa:EndpointReference/wsa:Address`` to *parent*.

        The address is always the provider's WS-Fed view
        (``authentik_providers_ws_federation:wsfed``); both STS endpoints share it.

        Args:
            parent: element that receives the endpoint (the RoleDescriptor).
            name: local name of the ``fed:`` endpoint element, e.g.
                ``PassiveRequestorEndpoint``.
        """
        nested_tags = (
            f"{{{NS_WS_FED_PROTOCOL}}}{name}",
            f"{{{NS_ADDRESSING}}}EndpointReference",
            f"{{{NS_ADDRESSING}}}Address",
        )
        # Each tag becomes the child of the previous one; the innermost
        # element (wsa:Address) is what ends up holding the URL.
        node = parent
        for tag in nested_tags:
            node = SubElement(node, tag, nsmap=NS_MAP)
        # NOTE: the URL is built from the incoming request (scheme + host), so
        # the advertised endpoint is whatever host this request arrived on;
        # that relies on Django's host validation (ALLOWED_HOSTS) and proxy
        # header settings being correct for the deployment.
        node.text = self.http_request.build_absolute_uri(
            reverse("authentik_providers_ws_federation:wsfed")
        )
def add_role_descriptor_sts(self, entity_descriptor: lxml.etree._Element):
    def add_role_descriptor_sts(self, entity_descriptor: _Element):
        """Append a ``fed:SecurityTokenServiceType`` RoleDescriptor.

        The descriptor advertises the WS-Fed protocol, carries the signing
        KeyDescriptor when one is available, and exposes the two STS endpoints.

        Args:
            entity_descriptor: the ``md:EntityDescriptor`` element to extend.
        """
        sts = SubElement(
            entity_descriptor, f"{{{NS_SAML_METADATA}}}RoleDescriptor", nsmap=NS_MAP
        )
        sts.attrib.update(
            {
                f"{{{NS_WSI}}}type": "fed:SecurityTokenServiceType",
                "protocolSupportEnumeration": NS_WS_FED_PROTOCOL,
            }
        )

        # No KeyDescriptor is emitted when the base class has no signing key;
        # consumers of this metadata then get no key to verify tokens against.
        key_descriptor = self.get_signing_key_descriptor()
        if key_descriptor is not None:
            sts.append(key_descriptor)

        for endpoint_name in ("SecurityTokenServiceEndpoint", "PassiveRequestorEndpoint"):
            self.add_endpoint(sts, endpoint_name)