Implement IdP Scoping parameter for SPs suggesting an entityID to a proxy (#272)

pauldekkers · web-flow · commit 035aa3cb4736 · 2021-05-14T00:04:35.000+02:00
* Document IdP Scoping parameter for SPs

* Implement IdP Scoping parameter for SPs suggesting an entityID to a proxy
diff --git a/djangosaml2/views.py b/djangosaml2/views.py
@@ -43,7 +43,7 @@
                             UnsolicitedResponse)
 from saml2.s_utils import UnsupportedBinding
 from saml2.saml import SCM_BEARER
-from saml2.samlp import AuthnRequest
+from saml2.samlp import AuthnRequest, IDPEntry, IDPList, Scoping
 from saml2.sigver import MissingKey
 from saml2.validate import ResponseLifetimeExceed, ToEarly
 from saml2.xmldsig import (  # support for SHA1 is required by spec
@@ -192,6 +192,13 @@ def get(self, request, *args, **kwargs):
         if selected_idp is None:
             selected_idp = list(configured_idps.keys())[0]
 
+        # perform IdP Scoping if scoping param is present
+        idp_scoping = Scoping()
+        idp_scoping_param = request.GET.get('scoping', None)
+        if idp_scoping_param:
+            idp_scoping.idp_list = IDPList()
+            idp_scoping.idp_list.idp_entry.append(IDPEntry(provider_id = idp_scoping_param))
+
         # choose a binding to try first
         binding = getattr(settings, 'SAML_DEFAULT_BINDING', saml2.BINDING_HTTP_POST)
         logger.debug(f'Trying binding {binding} for IDP {selected_idp}')
@@ -253,7 +260,7 @@ def get(self, request, *args, **kwargs):
             try:
                 session_id, result = client.prepare_for_authenticate(
                     entityid=selected_idp, relay_state=next_path,
-                    binding=binding, sign=sign_requests,
+                    binding=binding, sign=sign_requests, scoping=idp_scoping,
                     **sso_kwargs)
             except TypeError as e:
                 logger.error(f'{_msg}: {e}')
@@ -294,7 +301,7 @@ def get(self, request, *args, **kwargs):
                 try:
                     session_id, result = client.prepare_for_authenticate(
                         entityid=selected_idp, relay_state=next_path,
-                        binding=binding)
+                        binding=binding, scoping=idp_scoping)
                 except TypeError as e:
                     _msg = f"Can't prepare the authentication for {selected_idp}"
                     logger.error(f'{_msg}: {e}')
diff --git a/docs/source/contents/setup.rst b/docs/source/contents/setup.rst
@@ -206,6 +206,20 @@ For example::
 
 see AARC Blueprint specs `here <https://zenodo.org/record/4596667/files/AARC-G061-A_specification_for_IdP_hinting.pdf>`_.
 
+
+IdP scoping
+===========
+The SP can suggest an IdP to a proxy by using the Scoping and IDPList elements in a SAML AuthnRequest. This is done using the `scoping` parameter to the login URL.
+
+``https://sp.example.org/saml2/login/?scoping=https://idp.example.org``
+
+This parameter can be combined with the IdP parameter if multiple IdPs are present in the metadata, otherwise the first is used.
+
+``https://sp.example.org/saml2/login/?scoping=https://idp.example.org&idp=https://proxy.example.com/metadata``
+
+Currently there is support for a single IDPEntry in the IDPList.
+
+
 Custom and dynamic configuration loading
 ========================================
 
