saml: Sign LogoutRequests and LogoutResponses if certs are set up.

This commit is contained in:
Mateusz Mandera 2021-11-05 12:17:54 +01:00 committed by Tim Abbott
parent 0bb0220ebb
commit e8f3b87b17
1 changed files with 9 additions and 0 deletions

View File

@ -1109,6 +1109,15 @@ if PRODUCTION:
"/etc/zulip/saml/zulip-private-key.key" "/etc/zulip/saml/zulip-private-key.key"
) )
if SOCIAL_AUTH_SAML_SP_PUBLIC_CERT and SOCIAL_AUTH_SAML_SP_PRIVATE_KEY:
# If the certificates are set up, it's certainly desirable to sign
# LogoutRequests and LogoutResponses unless explicitly specified otherwise
# in the configuration.
if "logoutRequestSigned" not in SOCIAL_AUTH_SAML_SECURITY_CONFIG:
SOCIAL_AUTH_SAML_SECURITY_CONFIG["logoutRequestSigned"] = True
if "logoutResponseSigned" not in SOCIAL_AUTH_SAML_SECURITY_CONFIG:
SOCIAL_AUTH_SAML_SECURITY_CONFIG["logoutResponseSigned"] = True
if "signatureAlgorithm" not in SOCIAL_AUTH_SAML_SECURITY_CONFIG: if "signatureAlgorithm" not in SOCIAL_AUTH_SAML_SECURITY_CONFIG:
# If the configuration doesn't explicitly specify the algorithm, # If the configuration doesn't explicitly specify the algorithm,
# we set RSA1 with SHA256 to override the python3-saml default, which uses # we set RSA1 with SHA256 to override the python3-saml default, which uses