SAMLDesktop Class

Properties   Methods   Events   Config Settings   Errors  

The SAMLDesktop class provides an easy way to add SAML-based SSO to your desktop application.

Syntax

class cloudsso.SAMLDesktop

Remarks

The Security Assertion Markup Language (SAML) protocol provides a standardized way to add Single Sign-on (SSO) to applications. Service Providers (i.e., your application) using SAML-based SSO can eliminate the need to store and manage user passwords. When using SAML, the responsibility of identifying a user can be shifted to the Identity Provider.

The SAMLDesktop class is intended for desktop applications that need to add web-based SAML SSO support. The class simplifies the process by building the requests, launching the browser, receiving the response, and validating the assertion for your desktop application with a few simple method calls.

Setup

To get started with the class, information about the Identity Provider is needed. Typically, this information is provided by a SAML Metadata Document that is either provided during the setup or requested from a URI. The request_identity_metadata and load_identity_metadata methods are both ways to populate the identity_provider_metadata, identity_provider_signing_cert, and identity_provider_ur_is properties.

Usage: Requesting and Reloading the Identity Provider Metadata Document

 
 Copy
saml.RequestIdentityMetadata("https://example.com/federationmetadata/federationmetadata.xml");
string raw_document = saml.IdentityProviderMetadata.Content;
//...
saml.LoadIdentityMetadata(raw_document, true);

Additionally, the class needs to be configured with the information about the Service Provider (i.e., your application). The service_provider_signing_cert, web_server_bindings, web_server_port, and web_server_ssl_enabled properties can be used to provide information about the Service Provider. These are used by the class to build a valid SAML request and to verify the SAML response and its assertions. These settings should typically be considered constant between multiple requests.

Additionally, to easily supply this information to an Identity Provider, the service_provider_metadata property can be used with the build_service_metadata method to create a SAML Metadata Document that describes your application (the Service Provider) to the Identity Provider.

Usage: Configuring Service Provider Metadata Document

 
 Copy
saml.ServiceProviderSigningCert = new Certificate(CertStoreTypes.cstPFXFile, "cert.pfx", "password", "*");

saml.WebServerBindings = WebServerBindings.cwbAutomatic;
saml.WebServerPort = 8888;
saml.WebServerEnabled = false;

saml.ServiceProviderMetadata.EntityId = "ServiceProviderId";
saml.ServiceProviderMetadata.AuthnRequestSigned = true;
saml.ServiceProviderMetadata.WantAssertionsSigned = true;

saml.BuildServiceMetadata();

Authentication

Once the service_provider_signing_cert and WebServer* properties are configured, the saml_request_settings property can be configured when the application is ready to make an authentication request by calling authenticate_user.

Issuer

The saml_request_issuer field is required and be configured to the Entity Id that was provided to the Identity Provider. If the build_service_metadata method was used to create a metadata document that was provided to the Identity Provider, this will match the service_provider_metadata_entity_id field. The saml_request_issuer field is also used to validate the SAML response once Identity Provider responds.

Binding

The saml_request_binding field is also required and controls how the class communicates the authentication request to the Identity Provider. This does not control how the Identity Provider responds to the request. The class supports two request bindings: HTTP-Redirect and HTTP-POST.

The HTTP-Redirect binding (default) sends the SAML request using an HTTP redirect and provides the parameters through a query string. Typically, this binding requires that UseDetachedSignatures is set to true as the signature causes the request to become to long if held within the actual request.

The HTTP-POST binding sends the SAML request using an HTTP form post to send the parameters through an HTTP POST instead. Internally, this is done by launching the browser to an HTML page that contains an automatic form post.

SignRequest

The saml_request_sign_request field can be set to true to have the class sign the SAML request using the service_provider_signing_cert certificate. f the build_service_metadata method was used to create a metadata document that was provided to the Identity Provider, the service_provider_signing_cert should be the same certificate that was set when the metadata document was built.

RelayState

The relay_state property can be set have the class send the RelayState parameter along with the SAML request. When the Identity Provider returns with the SAML response, it will also return a RelayState parameter with the same value.

Once the authentication request has been configured, call authenticate_user to start the authentication process.

Usage: Authenticate User

 
 Copy
saml.RequestIdentityMetadata("https://example.com/federationmetadata/federationmetadata.xml");

saml.ServiceProviderSigningCert = new Certificate(CertStoreTypes.cstPFXFile, "cert.pfx", "password", "*");

saml.WebServerBindings = WebServerBindings.cwbAutomatic;
saml.WebServerPort = 8888;
saml.WebServerEnabled = false;

saml.SAMLRequestSettings.Issuer = "ServiceProviderId"; 
saml.SAMLRequestSettings.Binding = SAMLBindings.sbHTTPRedirect;
saml.SAMLRequestSettings.SignRequest = true;

saml.RelayState = "Relay_State";

saml.AuthenticateUser;

Assertions

The SAML 2.0 specification gives Identity Providers many different options for what can be included in an assertion. In the Web SSO profile, typically the assertion will contain the Issuer, Signature, Subject, Conditions, AttributeStatement, and AuthnStatement. Information found from the Issuer, Signature, Subject, and Conditions sections of the assertion can be found in the assertion_info property. Along with providing information about the assertion, these fields are also used to verify the assertion. An important field to note is the assertion_subject_name_id property. This property provides the unique identifier for the user which can be used for authorization purposes. See below for information about the AttributeStatement and AuthnStatement sections.

Assertion Authentication Context

The AuthnStatement section is used by the Identity Provider to provide the Service Provider with information about its authentication session with the user. The statement is parsed to the assertion_authn_info property. Some commonly used information is how the user authenticated with the Identity Provider (see assertion_authn_context_class_reference) and the session identifier created by the Identity Provider for the Service Provider (see assertion_authn_session_index).

Assertion Attributes

Along with the assertion_subject_name_id, the Identity Provider may give additional information about the user in the AttributeStatement section. What exactly is provided depends on how the connection between the Identity Provider and Service Provider was configured. Since there is no defined list of attributes, the assertion_attribute_info properties will be populated with each attribute found. Each attribute has a name and one or more values. For example, take the following attribute that describes a list of emails attached to the user.

 
 Copy
<Attribute Name="verified_emails">
  <AttributeValue>email@test.com</AttributeValue>
  <AttributeValue>other@example.com</AttributeValue>
</Attribute>

In this assertion attribute statement, the user has two emails that have been verified. There are two ways to get this information through the class. First, using the collection, the application can iterate through the collection for the attribute and then iterate through the associated values. Using this method is useful if there are multiple acceptable names for the attributes that could be accepted. For example:

 
 Copy
List<string> verified_emails = new List<string>();
for (int i = 0; i < saml.AssertionAttributeInfo.Count; i++) {
  if (saml.AssertionAttributeInfo[i].Name == "verified_emails" || saml.AssertionAttributeInfo[i].Name == "verified_email") {
    for (int j = 0; j < saml.AssertionAttributeInfo[i].ValueCount; j++) {
      saml.AssertionAttributeInfo[i].ValueIndex = j;
      verified_emails.Add(saml.AssertionAttributeInfo[i].ValueData);
    }
  }
}

The other option is to use the get_assertion_attribute method. This method will search the assertion's attribute statement for the first attribute with a matching name. Like in the example above, if the attribute has multiple values, the method will return them in a semicolon-separated list. This method simplifies the process of searching the collection for a specific attribute if the name of the attribute is known ahead of time. For example:

 
 Copy
string[] verified_emails = saml.GetAssertionAttribute("verified_emails").Split(';');

Property List

The following is the full list of the properties of the class with short descriptions. Click on the links for further details.

Method List

The following is the full list of the methods of the class with short descriptions. Click on the links for further details.

Event List

The following is the full list of the events fired by the class with short descriptions. Click on the links for further details.

Config Settings

The following is a list of config settings for the class with short descriptions. Click on the links for further details.

assertion_attribute_count property

The number of records in the AssertionAttribute arrays.

Syntax

def get_assertion_attribute_count() -> int: ...
def set_assertion_attribute_count(value: int) -> None: ...

assertion_attribute_count = property(get_assertion_attribute_count, set_assertion_attribute_count)

Default Value

0

Remarks

This property controls the size of the following arrays:

• assertion_attribute_content
• assertion_attribute_friendly_name
• assertion_attribute_name
• assertion_attribute_name_format
• assertion_attribute_value_count
• assertion_attribute_value_data
• assertion_attribute_value_index

The array indices start at 0 and end at assertion_attribute_count - 1.

assertion_attribute_content property

The raw XML of the attribute.

Syntax

def get_assertion_attribute_content(assertion_attribute_idx: int) -> str: ...

Default Value

""

Remarks

The raw XML of the attribute. In cases where the content of the attribute is complex, this property can be used to do additional XML parsing.

The assertion_attribute_idx parameter specifies the index of the item in the array. The size of the array is controlled by the assertion_attribute_count property.

This property is read-only.

assertion_attribute_friendly_name property

A human-readable version of the attribute name, if provided.

Syntax

def get_assertion_attribute_friendly_name(assertion_attribute_idx: int) -> str: ...

Default Value

""

Remarks

A human-readable version of the attribute name, if provided. This value is intended to be used for informational and logging purposes only.

The assertion_attribute_idx parameter specifies the index of the item in the array. The size of the array is controlled by the assertion_attribute_count property.

This property is read-only.

assertion_attribute_name property

The name of the attribute.

Syntax

def get_assertion_attribute_name(assertion_attribute_idx: int) -> str: ...

Default Value

""

Remarks

The name of the attribute. The format of the name (if provided) can be found in the assertion_name_format property.

The assertion_attribute_idx parameter specifies the index of the item in the array. The size of the array is controlled by the assertion_attribute_count property.

This property is read-only.

assertion_attribute_name_format property

A URI reference to how the Name of the attribute is formatted.

Syntax

def get_assertion_attribute_name_format(assertion_attribute_idx: int) -> str: ...

Default Value

""

Remarks

A URI reference to how the assertion_name of the attribute is formatted. If not set, Unspecified is used.

Some common values are:

The assertion_attribute_idx parameter specifies the index of the item in the array. The size of the array is controlled by the assertion_attribute_count property.

This property is read-only.

assertion_attribute_value_count property

In cases where there are multiple values for a single attribute, this count will be updated to reflect the size of the list.

Syntax

def get_assertion_attribute_value_count(assertion_attribute_idx: int) -> int: ...

Default Value

0

Remarks

In cases where there are multiple values for a single attribute, this count will be updated to reflect the size of the list. If the value of the attribute is not a list, the count will be set to 1. See assertion_value_index for more information.

The assertion_attribute_idx parameter specifies the index of the item in the array. The size of the array is controlled by the assertion_attribute_count property.

This property is read-only.

assertion_attribute_value_data property

The content of the attribute value selected by ValueIndex .

Syntax

def get_assertion_attribute_value_data(assertion_attribute_idx: int) -> str: ...

Default Value

""

Remarks

The content of the attribute value selected by assertion_value_index.

The assertion_attribute_idx parameter specifies the index of the item in the array. The size of the array is controlled by the assertion_attribute_count property.

This property is read-only.

assertion_attribute_value_index property

The index of the attribute value that should be populated in the ValueData property.

Syntax

def get_assertion_attribute_value_index(assertion_attribute_idx: int) -> int: ...
def set_assertion_attribute_value_index(assertion_attribute_idx: int, value: int) -> None: ...

Default Value

0

Remarks

The index of the attribute value that should be populated in the assertion_value_data property. Valid ranges for this property are from 0 to assertion_value_count - 1. By default, this property is set to 0. In cases where there is only a singular value, that value will be at index 0. For example:

Multi-value attribute

 
 Copy
<Attribute Name="ValueName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <AttributeValue>Value1</AttributeValue>
  <AttributeValue>Value2</AttributeValue>
</Attribute>

Iterating through each value in an attribute

 
 Copy
for (int i = 0; i < saml.AssertionAttributeInfo[0].ValueCount; i++) {
  saml.AssertionAttributeInfo[0].ValueIndex = i;
  string attribute_value = saml.AssertionAttributeInfo[0].ValueData;
  //... the rest of the processing
}

The assertion_attribute_idx parameter specifies the index of the item in the array. The size of the array is controlled by the assertion_attribute_count property.

assertion_authn_count property

The number of records in the AssertionAuthn arrays.

Syntax

def get_assertion_authn_count() -> int: ...
def set_assertion_authn_count(value: int) -> None: ...

assertion_authn_count = property(get_assertion_authn_count, set_assertion_authn_count)

Default Value

0

Remarks

This property controls the size of the following arrays:

• assertion_authn_authenticating_authorites
• assertion_authn_content
• assertion_authn_context_class_reference
• assertion_authn_context_declaration
• assertion_authn_instant
• assertion_authn_session_expiration
• assertion_authn_session_index

The array indices start at 0 and end at assertion_authn_count - 1.

assertion_authn_authenticating_authorites property

A semicolon-separated list of authorities involved with the current authentication context.

Syntax

def get_assertion_authn_authenticating_authorites(assertion_authn_index: int) -> str: ...

Default Value

""

Remarks

A semicolon-separated list of authorities involved with the current authentication context. Typically, this list includes other parties involved with the authentication of the subject besides the issuer that issued the assertion.

The assertion_authn_index parameter specifies the index of the item in the array. The size of the array is controlled by the assertion_authn_count property.

This property is read-only.

assertion_authn_content property

The raw XML of the Authn statement.

Syntax

def get_assertion_authn_content(assertion_authn_index: int) -> str: ...

Default Value

""

Remarks

The raw XML of the Authn statement. Typically, this is used in cases to get additional information from the Authn statement that is not provided by the class.

The assertion_authn_index parameter specifies the index of the item in the array. The size of the array is controlled by the assertion_authn_count property.

This property is read-only.

assertion_authn_context_class_reference property

A predefined URI reference identifying an authentication context class that describes how authentication was provided.

Syntax

def get_assertion_authn_context_class_reference(assertion_authn_index: int) -> str: ...

Default Value

""

Remarks

A predefined URI reference identifying an authentication context class that describes how authentication was provided. For example, if the user used a password to perform authentication, this will be set to urn:oasis:names:tc:SAML:2.0:ac:classes:Password.

The assertion_authn_index parameter specifies the index of the item in the array. The size of the array is controlled by the assertion_authn_count property.

This property is read-only.

assertion_authn_context_declaration property

A description or URI that describes additional information about the authentication context past the ContextClassReference .

Syntax

def get_assertion_authn_context_declaration(assertion_authn_index: int) -> str: ...

Default Value

""

Remarks

A description or URI that describes additional information about the authentication context past the assertion_context_class_reference. This provides more detail about the authentication process when provided by the Identity Provider.

The assertion_authn_index parameter specifies the index of the item in the array. The size of the array is controlled by the assertion_authn_count property.

This property is read-only.

assertion_authn_instant property

The time at which the authentication took place that was used to issue the assertion.

Syntax

def get_assertion_authn_instant(assertion_authn_index: int) -> str: ...

Default Value

""

Remarks

The time at which the authentication took place that was used to issue the assertion.

Time-based values are specified by the SAML specification to be in UTC in the following format: YYYY-MM-DDTHH:mm:ss.sssZ

The assertion_authn_index parameter specifies the index of the item in the array. The size of the array is controlled by the assertion_authn_count property.

This property is read-only.

assertion_authn_session_expiration property

The time at which the session between the principal and Identity Provider must be considered ended.

Syntax

def get_assertion_authn_session_expiration(assertion_authn_index: int) -> str: ...

Default Value

""

Remarks

The time at which the session between the principal and Identity Provider must be considered ended.

Time-based values are specified by the SAML specification to be in UTC in the following format: YYYY-MM-DDTHH:mm:ss.sssZ

The assertion_authn_index parameter specifies the index of the item in the array. The size of the array is controlled by the assertion_authn_count property.

This property is read-only.

assertion_authn_session_index property

The unique identifier for a particular session established between the user (principal) and the Service Provider (SP), as provided by the Identity Provider (IdP).

Syntax

def get_assertion_authn_session_index(assertion_authn_index: int) -> str: ...

Default Value

""

Remarks

The unique identifier for a particular session established between the user (principal) and the Service Provider (SP), as provided by the Identity Provider (IdP). It is common (but not required) to use this value as the session identifier between the user and the Service Provider (your application). Additionally, it is common practice to provide the session index when performing SLO (Single Logout) if supported.

The assertion_authn_index parameter specifies the index of the item in the array. The size of the array is controlled by the assertion_authn_count property.

This property is read-only.

assertion_content property

The raw XML of the assertion.

Syntax

def get_assertion_content() -> bytes: ...
def set_assertion_content(value: bytes) -> None: ...

assertion_content = property(get_assertion_content, set_assertion_content)

Default Value

""

Remarks

The raw XML of the assertion. This property can be set to provide the assertion to the class for the parse_assertion or validate_assertion methods to parse or validate the assertion without the SAML response.

assertion_expiration_date property

When the parsed assertion is expired.

Syntax

def get_assertion_expiration_date() -> str: ...

assertion_expiration_date = property(get_assertion_expiration_date, None)

Default Value

""

Remarks

When the parsed assertion is expired. If expired, a new assertion should be requested from the Identity Provider for the subject. This represents the NotOnOrAfter attribute of the Conditions element if the attribute is present in the assertion.

Time-based values are specified by the SAML specification to be in UTC in the following format: YYYY-MM-DDTHH:mm:ss.sssZ

This property is read-only.

assertion_id property

The unique Id of the assertion generated by the identity provider.

Syntax

def get_assertion_id() -> str: ...

assertion_id = property(get_assertion_id, None)

Default Value

""

Remarks

The unique Id of the assertion generated by the identity provider. This is not an Id that is tied to a user pf the SAML response, but rather to the assertion itself.

This property is read-only.

assertion_is_signed property

Whether the assertion has been signed by the identity provider.

Syntax

def get_assertion_is_signed() -> bool: ...

assertion_is_signed = property(get_assertion_is_signed, None)

Default Value

FALSE

Remarks

Whether the assertion has been signed by the identity provider. The signature is used to verify that the assertion has not been tampered with during transmission. Typically, the assertion is signed along with the SAML response that stores it. This is set to True when the Signature element is present in the assertion.

This property is read-only.

assertion_issued_time property

The time at which the assertion was issued by the Issuer (typically the identity provider).

Syntax

def get_assertion_issued_time() -> str: ...

assertion_issued_time = property(get_assertion_issued_time, None)

Default Value

""

Remarks

The time at which the assertion was issued by the assertion_issuer (typically the identity provider). This property represents the IssueInstant attribute of the Assertion element.

Time-based values are specified by the SAML specification to be in UTC in the following format: YYYY-MM-DDTHH:mm:ss.sssZ

This property is read-only.

assertion_issuer property

The issuer of the assertion.

Syntax

def get_assertion_issuer() -> str: ...

assertion_issuer = property(get_assertion_issuer, None)

Default Value

""

Remarks

The issuer of the assertion. Typically, this is the same as the identity provider that provided the SAML response. The issuer of the SAML response can differ if Identity Provider is an intermediary between the service provider and the final Identity Provider. This property represents the Issuer element in the Assertion element.

This property is read-only.

assertion_not_before_date property

The time at which the assertion becomes valid.

Syntax

def get_assertion_not_before_date() -> str: ...

assertion_not_before_date = property(get_assertion_not_before_date, None)

Default Value

""

Remarks

The time at which the assertion becomes valid. If the current time is before this property, then the assertion is not considered valid yet. This represents the NotBefore attribute of the Conditions element if the attribute is present in the assertion.

Time-based values are specified by the SAML specification to be in UTC in the following format: YYYY-MM-DDTHH:mm:ss.sssZ

This property is read-only.

assertion_one_time_use property

Whether the issuer only considers this information valid for this single instance.

Syntax

def get_assertion_one_time_use() -> bool: ...

assertion_one_time_use = property(get_assertion_one_time_use, None)

Default Value

FALSE

Remarks

Whether the issuer only considers this information valid for this single instance. The information saved here typically should not be cached or saved for future use. This represents the OneTimeUse element of the Conditions element if the element is present in the assertion.

This property is read-only.

assertion_subject_name_id property

The unique name identifier for the subject of the current assertion.

Syntax

def get_assertion_subject_name_id() -> str: ...

assertion_subject_name_id = property(get_assertion_subject_name_id, None)

Default Value

""

Remarks

The unique name identifier for the subject of the current assertion. In the SSO SAML profile, the subject is the user that is being authenticated. Since this value is unique to the user (from the Identity Provider) this value is typically used to also identify the user in an application. The format of this "name Id" can be found in the assertion_subject_name_id_format property. This represents the NameId element of the Subject element if the element is present in the assertion.

This property is read-only.

assertion_subject_name_id_format property

A URI reference to how the SubjectNameId of the element is formatted.

Syntax

def get_assertion_subject_name_id_format() -> str: ...

assertion_subject_name_id_format = property(get_assertion_subject_name_id_format, None)

Default Value

""

Remarks

A URI reference to how the assertion_subject_name_id of the element is formatted. If not set, Unspecified is used. This represents the Format attribute of the NameID element if the attribute is present in the assertion.

Some common values are:

This property is read-only.

firewall_auto_detect property

Whether to automatically detect and use firewall system settings, if available.

Syntax

def get_firewall_auto_detect() -> bool: ...
def set_firewall_auto_detect(value: bool) -> None: ...

firewall_auto_detect = property(get_firewall_auto_detect, set_firewall_auto_detect)

Default Value

FALSE

Remarks

Whether to automatically detect and use firewall system settings, if available.

firewall_type property

The type of firewall to connect through.

Syntax

def get_firewall_type() -> int: ...
def set_firewall_type(value: int) -> None: ...

firewall_type = property(get_firewall_type, set_firewall_type)

Possible Values

0   # None
1   # Tunnel
2   # SOCKS4
3   # SOCKS5
10   # SOCKS4A

Default Value

0

Remarks

The type of firewall to connect through. The applicable values are as follows:

firewall_host property

The name or IP address of the firewall (optional).

Syntax

def get_firewall_host() -> str: ...
def set_firewall_host(value: str) -> None: ...

firewall_host = property(get_firewall_host, set_firewall_host)

Default Value

""

Remarks

The name or IP address of the firewall (optional). If a firewall_host is given, the requested connections will be authenticated through the specified firewall when connecting.

If this property is set to a Domain Name, a DNS request is initiated. Upon successful termination of the request, this property is set to the corresponding address. If the search is not successful, the class fails with an error.

firewall_password property

A password if authentication is to be used when connecting through the firewall.

Syntax

def get_firewall_password() -> str: ...
def set_firewall_password(value: str) -> None: ...

firewall_password = property(get_firewall_password, set_firewall_password)

Default Value

""

Remarks

A password if authentication is to be used when connecting through the firewall. If firewall_host is specified, the firewall_user and firewall_password properties are used to connect and authenticate to the given firewall. If the authentication fails, the class fails with an error.

firewall_port property

The Transmission Control Protocol (TCP) port for the firewall Host .

Syntax

def get_firewall_port() -> int: ...
def set_firewall_port(value: int) -> None: ...

firewall_port = property(get_firewall_port, set_firewall_port)

Default Value

0

Remarks

The Transmission Control Protocol (TCP) port for the firewall firewall_host. See the description of the firewall_host property for details.

NOTE: This property is set automatically when firewall_type is set to a valid value. See the description of the firewall_type property for details.

firewall_user property

A username if authentication is to be used when connecting through a firewall.

Syntax

def get_firewall_user() -> str: ...
def set_firewall_user(value: str) -> None: ...

firewall_user = property(get_firewall_user, set_firewall_user)

Default Value

""

Remarks

A username if authentication is to be used when connecting through a firewall. If firewall_host is specified, this property and the firewall_password property are used to connect and authenticate to the given Firewall. If the authentication fails, the class fails with an error.

follow_redirects property

Determines what happens when the server issues a redirect.

Syntax

def get_follow_redirects() -> int: ...
def set_follow_redirects(value: int) -> None: ...

follow_redirects = property(get_follow_redirects, set_follow_redirects)

Possible Values

0   # Never
1   # Always
2   # SameScheme

Default Value

0

Remarks

This property determines what happens when the server issues a redirect. Normally, the class returns an error if the server responds with an "Object Moved" message. If this property is set to frAlways (1), the new url for the object is retrieved automatically every time.

If this property is set to frSameScheme (2), the new url is retrieved automatically only if the url_scheme is the same; otherwise, the class fails with an error.

NOTE: Following the HTTP specification, unless this property is set to frAlways (1), automatic redirects will be performed only for GET or HEAD requests. Other methods potentially could change the conditions of the initial request and create security vulnerabilities.

Furthermore, if either the new URL server or port are different from the existing one, user and password are also reset to empty. If, however, this property is set to frAlways (1), the same credentials are used to connect to the new server.

A on_redirect event is fired for every URL the product is redirected to. In the case of automatic redirections, the on_redirect event is a good place to set properties related to the new connection (e.g., new authentication parameters).

The default value is frNever (0). In this case, redirects are never followed, and the class fails with an error instead.

identity_provider_encrypting_cert_effective_date property

The date on which this certificate becomes valid.

Syntax

def get_identity_provider_encrypting_cert_effective_date() -> str: ...

identity_provider_encrypting_cert_effective_date = property(get_identity_provider_encrypting_cert_effective_date, None)

Default Value

""

Remarks

The date on which this certificate becomes valid. Before this date, it is not valid. The date is localized to the system's time zone. The following example illustrates the format of an encoded date:

23-Jan-2000 15:00:00.

This property is read-only.

identity_provider_encrypting_cert_expiration_date property

The date on which the certificate expires.

Syntax

def get_identity_provider_encrypting_cert_expiration_date() -> str: ...

identity_provider_encrypting_cert_expiration_date = property(get_identity_provider_encrypting_cert_expiration_date, None)

Default Value

""

Remarks

The date on which the certificate expires. After this date, the certificate will no longer be valid. The date is localized to the system's time zone. The following example illustrates the format of an encoded date:

23-Jan-2001 15:00:00.

This property is read-only.

identity_provider_encrypting_cert_extended_key_usage property

A comma-delimited list of extended key usage identifiers.

Syntax

def get_identity_provider_encrypting_cert_extended_key_usage() -> str: ...

identity_provider_encrypting_cert_extended_key_usage = property(get_identity_provider_encrypting_cert_extended_key_usage, None)

Default Value

""

Remarks

A comma-delimited list of extended key usage identifiers. These are the same as ASN.1 object identifiers (OIDs).

This property is read-only.

identity_provider_encrypting_cert_fingerprint property

The hex-encoded, 16-byte MD5 fingerprint of the certificate.

Syntax

def get_identity_provider_encrypting_cert_fingerprint() -> str: ...

identity_provider_encrypting_cert_fingerprint = property(get_identity_provider_encrypting_cert_fingerprint, None)

Default Value

""

Remarks

The hex-encoded, 16-byte MD5 fingerprint of the certificate. This property is primarily used for keys which do not have a corresponding X.509 public certificate, such as PEM keys that only contain a private key. It is commonly used for SSH keys.

The following example illustrates the format: bc:2a:72:af:fe:58:17:43:7a:5f:ba:5a:7c:90:f7:02

This property is read-only.

identity_provider_encrypting_cert_fingerprint_sha1 property

The hex-encoded, 20-byte SHA-1 fingerprint of the certificate.

Syntax

def get_identity_provider_encrypting_cert_fingerprint_sha1() -> str: ...

identity_provider_encrypting_cert_fingerprint_sha1 = property(get_identity_provider_encrypting_cert_fingerprint_sha1, None)

Default Value

""

Remarks

The hex-encoded, 20-byte SHA-1 fingerprint of the certificate. This property is primarily used for keys which do not have a corresponding X.509 public certificate, such as PEM keys that only contain a private key. It is commonly used for SSH keys.

The following example illustrates the format: 30:7b:fa:38:65:83:ff:da:b4:4e:07:3f:17:b8:a4:ed:80:be:ff:84

This property is read-only.

identity_provider_encrypting_cert_fingerprint_sha256 property

The hex-encoded, 32-byte SHA-256 fingerprint of the certificate.

Syntax

def get_identity_provider_encrypting_cert_fingerprint_sha256() -> str: ...

identity_provider_encrypting_cert_fingerprint_sha256 = property(get_identity_provider_encrypting_cert_fingerprint_sha256, None)

Default Value

""

Remarks

The hex-encoded, 32-byte SHA-256 fingerprint of the certificate. This property is primarily used for keys which do not have a corresponding X.509 public certificate, such as PEM keys that only contain a private key. It is commonly used for SSH keys.

The following example illustrates the format: 6a:80:5c:33:a9:43:ea:b0:96:12:8a:64:96:30:ef:4a:8a:96:86:ce:f4:c7:be:10:24:8e:2b:60:9e:f3:59:53

This property is read-only.

identity_provider_encrypting_cert_issuer property

The issuer of the certificate.

Syntax

def get_identity_provider_encrypting_cert_issuer() -> str: ...

identity_provider_encrypting_cert_issuer = property(get_identity_provider_encrypting_cert_issuer, None)

Default Value

""

Remarks

The issuer of the certificate. This property contains a string representation of the name of the issuing authority for the certificate.

This property is read-only.

identity_provider_encrypting_cert_private_key property

The private key of the certificate (if available).

Syntax

def get_identity_provider_encrypting_cert_private_key() -> str: ...

identity_provider_encrypting_cert_private_key = property(get_identity_provider_encrypting_cert_private_key, None)

Default Value

""

Remarks

The private key of the certificate (if available). The key is provided as PEM/Base64-encoded data.

NOTE: The identity_provider_encrypting_cert_private_key may be available but not exportable. In this case, identity_provider_encrypting_cert_private_key returns an empty string.

This property is read-only.

identity_provider_encrypting_cert_private_key_available property

Whether a PrivateKey is available for the selected certificate.

Syntax

def get_identity_provider_encrypting_cert_private_key_available() -> bool: ...

identity_provider_encrypting_cert_private_key_available = property(get_identity_provider_encrypting_cert_private_key_available, None)

Default Value

FALSE

Remarks

Whether a identity_provider_encrypting_cert_private_key is available for the selected certificate. If identity_provider_encrypting_cert_private_key_available is True, the certificate may be used for authentication purposes (e.g., server authentication).

This property is read-only.

identity_provider_encrypting_cert_private_key_container property

The name of the PrivateKey container for the certificate (if available).

Syntax

def get_identity_provider_encrypting_cert_private_key_container() -> str: ...

identity_provider_encrypting_cert_private_key_container = property(get_identity_provider_encrypting_cert_private_key_container, None)

Default Value

""

Remarks

The name of the identity_provider_encrypting_cert_private_key container for the certificate (if available). This functionality is available only on Windows platforms.

This property is read-only.

identity_provider_encrypting_cert_public_key property

The public key of the certificate.

Syntax

def get_identity_provider_encrypting_cert_public_key() -> str: ...

identity_provider_encrypting_cert_public_key = property(get_identity_provider_encrypting_cert_public_key, None)

Default Value

""

Remarks

The public key of the certificate. The key is provided as PEM/Base64-encoded data.

This property is read-only.

identity_provider_encrypting_cert_public_key_algorithm property

The textual description of the certificate's public key algorithm.

Syntax

def get_identity_provider_encrypting_cert_public_key_algorithm() -> str: ...

identity_provider_encrypting_cert_public_key_algorithm = property(get_identity_provider_encrypting_cert_public_key_algorithm, None)

Default Value

""

Remarks

The textual description of the certificate's public key algorithm. The property contains either the name of the algorithm (e.g., "RSA" or "RSA_DH") or an object identifier (OID) string representing the algorithm.

This property is read-only.

identity_provider_encrypting_cert_public_key_length property

The length of the certificate's public key (in bits).

Syntax

def get_identity_provider_encrypting_cert_public_key_length() -> int: ...

identity_provider_encrypting_cert_public_key_length = property(get_identity_provider_encrypting_cert_public_key_length, None)

Default Value

0

Remarks

The length of the certificate's public key (in bits). Common values are 512, 1024, and 2048.

This property is read-only.

identity_provider_encrypting_cert_serial_number property

The serial number of the certificate encoded as a string.

Syntax

def get_identity_provider_encrypting_cert_serial_number() -> str: ...

identity_provider_encrypting_cert_serial_number = property(get_identity_provider_encrypting_cert_serial_number, None)

Default Value

""

Remarks

The serial number of the certificate encoded as a string. The number is encoded as a series of hexadecimal digits, with each pair representing a byte of the serial number.

This property is read-only.

identity_provider_encrypting_cert_signature_algorithm property

The text description of the certificate's signature algorithm.

Syntax

def get_identity_provider_encrypting_cert_signature_algorithm() -> str: ...

identity_provider_encrypting_cert_signature_algorithm = property(get_identity_provider_encrypting_cert_signature_algorithm, None)

Default Value

""

Remarks

The text description of the certificate's signature algorithm. The property contains either the name of the algorithm (e.g., "RSA" or "RSA_MD5RSA") or an object identifier (OID) string representing the algorithm.

This property is read-only.

identity_provider_encrypting_cert_store property

The name of the certificate store for the client certificate.

Syntax

def get_identity_provider_encrypting_cert_store() -> bytes: ...
def set_identity_provider_encrypting_cert_store(value: bytes) -> None: ...

identity_provider_encrypting_cert_store = property(get_identity_provider_encrypting_cert_store, set_identity_provider_encrypting_cert_store)

Default Value

"MY"

Remarks

The name of the certificate store for the client certificate.

The identity_provider_encrypting_cert_store_type property denotes the type of the certificate store specified by identity_provider_encrypting_cert_store. If the store is password-protected, specify the password in identity_provider_encrypting_cert_store_password.

identity_provider_encrypting_cert_store is used in conjunction with the identity_provider_encrypting_cert_subject property to specify client certificates. If identity_provider_encrypting_cert_store has a value, and identity_provider_encrypting_cert_subject or identity_provider_encrypting_cert_encoded is set, a search for a certificate is initiated. Please see the identity_provider_encrypting_cert_subject property for details.

Designations of certificate stores are platform dependent.

The following designations are the most common User and Machine certificate stores in Windows:

When the certificate store type is cstPFXFile, this property must be set to the name of the file. When the type is cstPFXBlob, the property must be set to the binary contents of a PFX file (i.e., PKCS#12 certificate store).

identity_provider_encrypting_cert_store_password property

If the type of certificate store requires a password, this property is used to specify the password needed to open the certificate store.

Syntax

def get_identity_provider_encrypting_cert_store_password() -> str: ...
def set_identity_provider_encrypting_cert_store_password(value: str) -> None: ...

identity_provider_encrypting_cert_store_password = property(get_identity_provider_encrypting_cert_store_password, set_identity_provider_encrypting_cert_store_password)

Default Value

""

Remarks

If the type of certificate store requires a password, this property is used to specify the password needed to open the certificate store.

identity_provider_encrypting_cert_store_type property

The type of certificate store for this certificate.

Syntax

def get_identity_provider_encrypting_cert_store_type() -> int: ...
def set_identity_provider_encrypting_cert_store_type(value: int) -> None: ...

identity_provider_encrypting_cert_store_type = property(get_identity_provider_encrypting_cert_store_type, set_identity_provider_encrypting_cert_store_type)

Possible Values

0   # User
1   # Machine
2   # PFXFile
3   # PFXBlob
4   # JKSFile
5   # JKSBlob
6   # PEMKeyFile
7   # PEMKeyBlob
8   # PublicKeyFile
9   # PublicKeyBlob
10   # SSHPublicKeyBlob
11   # P7BFile
12   # P7BBlob
13   # SSHPublicKeyFile
14   # PPKFile
15   # PPKBlob
16   # XMLFile
17   # XMLBlob
18   # JWKFile
19   # JWKBlob
20   # SecurityKey
21   # BCFKSFile
22   # BCFKSBlob
23   # PKCS11
99   # Auto

Default Value

0

Remarks

The type of certificate store for this certificate.

The class supports both public and private keys in a variety of formats. When the cstAuto value is used, the class will automatically determine the type. This property can take one of the following values:

C#
 Copy
certmgr.CertStoreType = CertStoreTypes.cstPKCS11;
certmgr.OnCertList += (s, e) => {
  secKeyBlob = e.CertEncoded;
};
certmgr.CertStore = @"C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll";
certmgr.CertStorePassword = "123456"; //PIN
certmgr.ListStoreCertificates();

sftp.SSHCert = new Certificate(CertStoreTypes.cstPKCS11, secKeyBlob, "123456", "*");
sftp.SSHUser = "test";
sftp.SSHLogon("myhost", 22);

identity_provider_encrypting_cert_subject_alt_names property

Comma-separated lists of alternative subject names for the certificate.

Syntax

def get_identity_provider_encrypting_cert_subject_alt_names() -> str: ...

identity_provider_encrypting_cert_subject_alt_names = property(get_identity_provider_encrypting_cert_subject_alt_names, None)

Default Value

""

Remarks

Comma-separated lists of alternative subject names for the certificate.

This property is read-only.

identity_provider_encrypting_cert_thumbprint_md5 property

The MD5 hash of the certificate.

Syntax

def get_identity_provider_encrypting_cert_thumbprint_md5() -> str: ...

identity_provider_encrypting_cert_thumbprint_md5 = property(get_identity_provider_encrypting_cert_thumbprint_md5, None)

Default Value

""

Remarks

The MD5 hash of the certificate. It is primarily used for X.509 certificates. If the hash does not already exist, it is automatically computed.

This property is read-only.

identity_provider_encrypting_cert_thumbprint_sha1 property

The SHA-1 hash of the certificate.

Syntax

def get_identity_provider_encrypting_cert_thumbprint_sha1() -> str: ...

identity_provider_encrypting_cert_thumbprint_sha1 = property(get_identity_provider_encrypting_cert_thumbprint_sha1, None)

Default Value

""

Remarks

The SHA-1 hash of the certificate. It is primarily used for X.509 certificates. If the hash does not already exist, it is automatically computed.

This property is read-only.

identity_provider_encrypting_cert_thumbprint_sha256 property

The SHA-256 hash of the certificate.

Syntax

def get_identity_provider_encrypting_cert_thumbprint_sha256() -> str: ...

identity_provider_encrypting_cert_thumbprint_sha256 = property(get_identity_provider_encrypting_cert_thumbprint_sha256, None)

Default Value

""

Remarks

The SHA-256 hash of the certificate. It is primarily used for X.509 certificates. If the hash does not already exist, it is automatically computed.

This property is read-only.

identity_provider_encrypting_cert_usage property

The text description of UsageFlags .

Syntax

def get_identity_provider_encrypting_cert_usage() -> str: ...

identity_provider_encrypting_cert_usage = property(get_identity_provider_encrypting_cert_usage, None)

Default Value

""

Remarks

The text description of identity_provider_encrypting_cert_usage_flags.

This value will be one or more of the following strings and will be separated by commas:

• Digital Signature
• Non-Repudiation
• Key Encipherment
• Data Encipherment
• Key Agreement
• Certificate Signing
• CRL Signing
• Encipher Only

If the provider is OpenSSL, the value is a comma-separated list of X.509 certificate extension names.

This property is read-only.

identity_provider_encrypting_cert_usage_flags property

The flags that show intended use for the certificate.

Syntax

def get_identity_provider_encrypting_cert_usage_flags() -> int: ...

identity_provider_encrypting_cert_usage_flags = property(get_identity_provider_encrypting_cert_usage_flags, None)

Default Value

0

Remarks

The flags that show intended use for the certificate. The value of identity_provider_encrypting_cert_usage_flags is a combination of the following flags:

Please see the identity_provider_encrypting_cert_usage property for a text representation of identity_provider_encrypting_cert_usage_flags.

This functionality currently is not available when the provider is OpenSSL.

This property is read-only.

identity_provider_encrypting_cert_version property

The certificate's version number.

Syntax

def get_identity_provider_encrypting_cert_version() -> str: ...

identity_provider_encrypting_cert_version = property(get_identity_provider_encrypting_cert_version, None)

Default Value

""

Remarks

The certificate's version number. The possible values are the strings "V1", "V2", and "V3".

This property is read-only.

identity_provider_encrypting_cert_subject property

The subject of the certificate used for client authentication.

Syntax

def get_identity_provider_encrypting_cert_subject() -> str: ...
def set_identity_provider_encrypting_cert_subject(value: str) -> None: ...

identity_provider_encrypting_cert_subject = property(get_identity_provider_encrypting_cert_subject, set_identity_provider_encrypting_cert_subject)

Default Value

""

Remarks

The subject of the certificate used for client authentication.

This property must be set after all other certificate properties are set. When this property is set, a search is performed in the current certificate store to locate a certificate with a matching subject.

If a matching certificate is found, the property is set to the full subject of the matching certificate.

If an exact match is not found, the store is searched for subjects containing the value of the property.

If a match is still not found, the property is set to an empty string, and no certificate is selected.

The special value "*" picks a random certificate in the certificate store.

The certificate subject is a comma-separated list of distinguished name fields and values. For instance, "CN=www.server.com, OU=test, C=US, E=example@email.com". Common fields and their meanings are as follows:

If a field value contains a comma, it must be quoted.

identity_provider_encrypting_cert_encoded property

The certificate (PEM/Base64 encoded).

Syntax

def get_identity_provider_encrypting_cert_encoded() -> bytes: ...
def set_identity_provider_encrypting_cert_encoded(value: bytes) -> None: ...

identity_provider_encrypting_cert_encoded = property(get_identity_provider_encrypting_cert_encoded, set_identity_provider_encrypting_cert_encoded)

Default Value

""

Remarks

The certificate (PEM/Base64 encoded). This property is used to assign a specific certificate. The identity_provider_encrypting_cert_store and identity_provider_encrypting_cert_subject properties also may be used to specify a certificate.

When identity_provider_encrypting_cert_encoded is set, a search is initiated in the current identity_provider_encrypting_cert_store for the private key of the certificate. If the key is found, identity_provider_encrypting_cert_subject is updated to reflect the full subject of the selected certificate; otherwise, identity_provider_encrypting_cert_subject is set to an empty string.

identity_provider_metadata_content property

The raw metadata for the identity provider.

Syntax

def get_identity_provider_metadata_content() -> bytes: ...
def set_identity_provider_metadata_content(value: bytes) -> None: ...

identity_provider_metadata_content = property(get_identity_provider_metadata_content, set_identity_provider_metadata_content)

Default Value

""

Remarks

The raw metadata for the identity provider. To avoid repeated requests to the Identity Provider, this value can be saved for later to be used with the load_identity_metadata method.

identity_provider_metadata_entity_id property

The unique Id for the identity provider that is being described.

Syntax

def get_identity_provider_metadata_entity_id() -> str: ...
def set_identity_provider_metadata_entity_id(value: str) -> None: ...

identity_provider_metadata_entity_id = property(get_identity_provider_metadata_entity_id, set_identity_provider_metadata_entity_id)

Default Value

""

Remarks

The unique Id for the identity provider that is being described. This is used for verification purposes when verifying the issuer of an SAML response or assertion.

identity_provider_metadata_expiration_date property

The expiration date of the Identity Provider description provided by the metadata document.

Syntax

def get_identity_provider_metadata_expiration_date() -> str: ...

identity_provider_metadata_expiration_date = property(get_identity_provider_metadata_expiration_date, None)

Default Value

""

Remarks

The expiration date of the Identity Provider description provided by the metadata document. This represents the valid attribute of the IDPSSODescriptor element if the attribute is present in the document.

This property is read-only.

identity_provider_metadata_requests_signed_authn_requests property

Whether the identity provider requests that authentication (Authn) requests are signed.

Syntax

def get_identity_provider_metadata_requests_signed_authn_requests() -> bool: ...
def set_identity_provider_metadata_requests_signed_authn_requests(value: bool) -> None: ...

identity_provider_metadata_requests_signed_authn_requests = property(get_identity_provider_metadata_requests_signed_authn_requests, set_identity_provider_metadata_requests_signed_authn_requests)

Default Value

FALSE

Remarks

Whether the identity provider requests that authentication (Authn) requests are signed. If True, the SignRequest setting should be set to true before initiating authentication.

identity_provider_metadata_signed_metadata property

Whether the identity provider's parsed metadata is signed.

Syntax

def get_identity_provider_metadata_signed_metadata() -> bool: ...

identity_provider_metadata_signed_metadata = property(get_identity_provider_metadata_signed_metadata, None)

Default Value

FALSE

Remarks

Whether the identity provider's parsed metadata is signed. This signature is used to insure that the metadata was not tampered with during transit.

This property is read-only.

identity_provider_metadata_supported_attribute_profiles property

A semicolon-separated list of attribute profiles supported by the identity provider.

Syntax

def get_identity_provider_metadata_supported_attribute_profiles() -> str: ...

identity_provider_metadata_supported_attribute_profiles = property(get_identity_provider_metadata_supported_attribute_profiles, None)

Default Value

""

Remarks

A semicolon-separated list of attribute profiles supported by the identity provider.

Some common attribute profiles are:

• urn:oasis:names:tc:SAML:2.0:profiles:attribute:basic
• urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500
• urn:oasis:names:tc:SAML:2.0:profiles:attribute:UUID
• urn:oasis:names:tc:SAML:2.0:profiles:attribute:DCE
• urn:oasis:names:tc:SAML:2.0:profiles:attribute:XACML

This property is read-only.

identity_provider_metadata_supported_attributes property

A semicolon-separated list of attributes supported by the identity provider as presented by the Identity Provider's metadata document.

Syntax

def get_identity_provider_metadata_supported_attributes() -> str: ...

identity_provider_metadata_supported_attributes = property(get_identity_provider_metadata_supported_attributes, None)

Default Value

""

Remarks

A semicolon-separated list of attributes supported by the identity provider as presented by the Identity Provider's metadata document. This is a list of attributes that are explicitly supported by the Identity Provider but is not a full list of all the supported attributes. The list will contain the Name of each attribute found in the IDPSSODescriptor element.

This property is read-only.

identity_provider_metadata_supported_name_id_formats property

The name identifier formats supported by the identity provider if provided by the metadata document.

Syntax

def get_identity_provider_metadata_supported_name_id_formats() -> str: ...

identity_provider_metadata_supported_name_id_formats = property(get_identity_provider_metadata_supported_name_id_formats, None)

Default Value

""

Remarks

The name identifier formats supported by the identity provider if provided by the metadata document. Some common values are:

• Unspecified - urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
• Email Address - urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
• Windows Domain Qualified Name - urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName

This property is read-only.

identity_provider_signing_cert_effective_date property

The date on which this certificate becomes valid.

Syntax

def get_identity_provider_signing_cert_effective_date() -> str: ...

identity_provider_signing_cert_effective_date = property(get_identity_provider_signing_cert_effective_date, None)

Default Value

""

Remarks

The date on which this certificate becomes valid. Before this date, it is not valid. The date is localized to the system's time zone. The following example illustrates the format of an encoded date:

23-Jan-2000 15:00:00.

This property is read-only.

identity_provider_signing_cert_expiration_date property

The date on which the certificate expires.

Syntax

def get_identity_provider_signing_cert_expiration_date() -> str: ...

identity_provider_signing_cert_expiration_date = property(get_identity_provider_signing_cert_expiration_date, None)

Default Value

""

Remarks

The date on which the certificate expires. After this date, the certificate will no longer be valid. The date is localized to the system's time zone. The following example illustrates the format of an encoded date:

23-Jan-2001 15:00:00.

This property is read-only.

identity_provider_signing_cert_extended_key_usage property

A comma-delimited list of extended key usage identifiers.

Syntax

def get_identity_provider_signing_cert_extended_key_usage() -> str: ...

identity_provider_signing_cert_extended_key_usage = property(get_identity_provider_signing_cert_extended_key_usage, None)

Default Value

""

Remarks

A comma-delimited list of extended key usage identifiers. These are the same as ASN.1 object identifiers (OIDs).

This property is read-only.

identity_provider_signing_cert_fingerprint property

The hex-encoded, 16-byte MD5 fingerprint of the certificate.

Syntax

def get_identity_provider_signing_cert_fingerprint() -> str: ...

identity_provider_signing_cert_fingerprint = property(get_identity_provider_signing_cert_fingerprint, None)

Default Value

""

Remarks

The hex-encoded, 16-byte MD5 fingerprint of the certificate. This property is primarily used for keys which do not have a corresponding X.509 public certificate, such as PEM keys that only contain a private key. It is commonly used for SSH keys.

The following example illustrates the format: bc:2a:72:af:fe:58:17:43:7a:5f:ba:5a:7c:90:f7:02

This property is read-only.

identity_provider_signing_cert_fingerprint_sha1 property

The hex-encoded, 20-byte SHA-1 fingerprint of the certificate.

Syntax

def get_identity_provider_signing_cert_fingerprint_sha1() -> str: ...

identity_provider_signing_cert_fingerprint_sha1 = property(get_identity_provider_signing_cert_fingerprint_sha1, None)

Default Value

""

Remarks

The hex-encoded, 20-byte SHA-1 fingerprint of the certificate. This property is primarily used for keys which do not have a corresponding X.509 public certificate, such as PEM keys that only contain a private key. It is commonly used for SSH keys.

The following example illustrates the format: 30:7b:fa:38:65:83:ff:da:b4:4e:07:3f:17:b8:a4:ed:80:be:ff:84

This property is read-only.

identity_provider_signing_cert_fingerprint_sha256 property

The hex-encoded, 32-byte SHA-256 fingerprint of the certificate.

Syntax

def get_identity_provider_signing_cert_fingerprint_sha256() -> str: ...

identity_provider_signing_cert_fingerprint_sha256 = property(get_identity_provider_signing_cert_fingerprint_sha256, None)

Default Value

""

Remarks

The hex-encoded, 32-byte SHA-256 fingerprint of the certificate. This property is primarily used for keys which do not have a corresponding X.509 public certificate, such as PEM keys that only contain a private key. It is commonly used for SSH keys.

The following example illustrates the format: 6a:80:5c:33:a9:43:ea:b0:96:12:8a:64:96:30:ef:4a:8a:96:86:ce:f4:c7:be:10:24:8e:2b:60:9e:f3:59:53

This property is read-only.

identity_provider_signing_cert_issuer property

The issuer of the certificate.

Syntax

def get_identity_provider_signing_cert_issuer() -> str: ...

identity_provider_signing_cert_issuer = property(get_identity_provider_signing_cert_issuer, None)

Default Value

""

Remarks

The issuer of the certificate. This property contains a string representation of the name of the issuing authority for the certificate.

This property is read-only.

identity_provider_signing_cert_private_key property

The private key of the certificate (if available).

Syntax

def get_identity_provider_signing_cert_private_key() -> str: ...

identity_provider_signing_cert_private_key = property(get_identity_provider_signing_cert_private_key, None)

Default Value

""

Remarks

The private key of the certificate (if available). The key is provided as PEM/Base64-encoded data.

NOTE: The identity_provider_signing_cert_private_key may be available but not exportable. In this case, identity_provider_signing_cert_private_key returns an empty string.

This property is read-only.

identity_provider_signing_cert_private_key_available property

Whether a PrivateKey is available for the selected certificate.

Syntax

def get_identity_provider_signing_cert_private_key_available() -> bool: ...

identity_provider_signing_cert_private_key_available = property(get_identity_provider_signing_cert_private_key_available, None)

Default Value

FALSE

Remarks

Whether a identity_provider_signing_cert_private_key is available for the selected certificate. If identity_provider_signing_cert_private_key_available is True, the certificate may be used for authentication purposes (e.g., server authentication).

This property is read-only.

identity_provider_signing_cert_private_key_container property

The name of the PrivateKey container for the certificate (if available).

Syntax

def get_identity_provider_signing_cert_private_key_container() -> str: ...

identity_provider_signing_cert_private_key_container = property(get_identity_provider_signing_cert_private_key_container, None)

Default Value

""

Remarks

The name of the identity_provider_signing_cert_private_key container for the certificate (if available). This functionality is available only on Windows platforms.

This property is read-only.

identity_provider_signing_cert_public_key property

The public key of the certificate.

Syntax

def get_identity_provider_signing_cert_public_key() -> str: ...

identity_provider_signing_cert_public_key = property(get_identity_provider_signing_cert_public_key, None)

Default Value

""

Remarks

The public key of the certificate. The key is provided as PEM/Base64-encoded data.

This property is read-only.

identity_provider_signing_cert_public_key_algorithm property

The textual description of the certificate's public key algorithm.

Syntax

def get_identity_provider_signing_cert_public_key_algorithm() -> str: ...

identity_provider_signing_cert_public_key_algorithm = property(get_identity_provider_signing_cert_public_key_algorithm, None)

Default Value

""

Remarks

The textual description of the certificate's public key algorithm. The property contains either the name of the algorithm (e.g., "RSA" or "RSA_DH") or an object identifier (OID) string representing the algorithm.

This property is read-only.

identity_provider_signing_cert_public_key_length property

The length of the certificate's public key (in bits).

Syntax

def get_identity_provider_signing_cert_public_key_length() -> int: ...

identity_provider_signing_cert_public_key_length = property(get_identity_provider_signing_cert_public_key_length, None)

Default Value

0

Remarks

The length of the certificate's public key (in bits). Common values are 512, 1024, and 2048.

This property is read-only.

identity_provider_signing_cert_serial_number property

The serial number of the certificate encoded as a string.

Syntax

def get_identity_provider_signing_cert_serial_number() -> str: ...

identity_provider_signing_cert_serial_number = property(get_identity_provider_signing_cert_serial_number, None)

Default Value

""

Remarks

The serial number of the certificate encoded as a string. The number is encoded as a series of hexadecimal digits, with each pair representing a byte of the serial number.

This property is read-only.

identity_provider_signing_cert_signature_algorithm property

The text description of the certificate's signature algorithm.

Syntax

def get_identity_provider_signing_cert_signature_algorithm() -> str: ...

identity_provider_signing_cert_signature_algorithm = property(get_identity_provider_signing_cert_signature_algorithm, None)

Default Value

""

Remarks

The text description of the certificate's signature algorithm. The property contains either the name of the algorithm (e.g., "RSA" or "RSA_MD5RSA") or an object identifier (OID) string representing the algorithm.

This property is read-only.

identity_provider_signing_cert_store property

The name of the certificate store for the client certificate.

Syntax

def get_identity_provider_signing_cert_store() -> bytes: ...
def set_identity_provider_signing_cert_store(value: bytes) -> None: ...

identity_provider_signing_cert_store = property(get_identity_provider_signing_cert_store, set_identity_provider_signing_cert_store)

Default Value

"MY"

Remarks

The name of the certificate store for the client certificate.

The identity_provider_signing_cert_store_type property denotes the type of the certificate store specified by identity_provider_signing_cert_store. If the store is password-protected, specify the password in identity_provider_signing_cert_store_password.

identity_provider_signing_cert_store is used in conjunction with the identity_provider_signing_cert_subject property to specify client certificates. If identity_provider_signing_cert_store has a value, and identity_provider_signing_cert_subject or identity_provider_signing_cert_encoded is set, a search for a certificate is initiated. Please see the identity_provider_signing_cert_subject property for details.

Designations of certificate stores are platform dependent.

The following designations are the most common User and Machine certificate stores in Windows:

When the certificate store type is cstPFXFile, this property must be set to the name of the file. When the type is cstPFXBlob, the property must be set to the binary contents of a PFX file (i.e., PKCS#12 certificate store).

identity_provider_signing_cert_store_password property

If the type of certificate store requires a password, this property is used to specify the password needed to open the certificate store.

Syntax

def get_identity_provider_signing_cert_store_password() -> str: ...
def set_identity_provider_signing_cert_store_password(value: str) -> None: ...

identity_provider_signing_cert_store_password = property(get_identity_provider_signing_cert_store_password, set_identity_provider_signing_cert_store_password)

Default Value

""

Remarks

If the type of certificate store requires a password, this property is used to specify the password needed to open the certificate store.

identity_provider_signing_cert_store_type property

The type of certificate store for this certificate.

Syntax

def get_identity_provider_signing_cert_store_type() -> int: ...
def set_identity_provider_signing_cert_store_type(value: int) -> None: ...

identity_provider_signing_cert_store_type = property(get_identity_provider_signing_cert_store_type, set_identity_provider_signing_cert_store_type)

Possible Values

0   # User
1   # Machine
2   # PFXFile
3   # PFXBlob
4   # JKSFile
5   # JKSBlob
6   # PEMKeyFile
7   # PEMKeyBlob
8   # PublicKeyFile
9   # PublicKeyBlob
10   # SSHPublicKeyBlob
11   # P7BFile
12   # P7BBlob
13   # SSHPublicKeyFile
14   # PPKFile
15   # PPKBlob
16   # XMLFile
17   # XMLBlob
18   # JWKFile
19   # JWKBlob
20   # SecurityKey
21   # BCFKSFile
22   # BCFKSBlob
23   # PKCS11
99   # Auto

Default Value

0

Remarks

The type of certificate store for this certificate.

The class supports both public and private keys in a variety of formats. When the cstAuto value is used, the class will automatically determine the type. This property can take one of the following values:

C#
 Copy
certmgr.CertStoreType = CertStoreTypes.cstPKCS11;
certmgr.OnCertList += (s, e) => {
  secKeyBlob = e.CertEncoded;
};
certmgr.CertStore = @"C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll";
certmgr.CertStorePassword = "123456"; //PIN
certmgr.ListStoreCertificates();

sftp.SSHCert = new Certificate(CertStoreTypes.cstPKCS11, secKeyBlob, "123456", "*");
sftp.SSHUser = "test";
sftp.SSHLogon("myhost", 22);

identity_provider_signing_cert_subject_alt_names property

Comma-separated lists of alternative subject names for the certificate.

Syntax

def get_identity_provider_signing_cert_subject_alt_names() -> str: ...

identity_provider_signing_cert_subject_alt_names = property(get_identity_provider_signing_cert_subject_alt_names, None)

Default Value

""

Remarks

Comma-separated lists of alternative subject names for the certificate.

This property is read-only.

identity_provider_signing_cert_thumbprint_md5 property

The MD5 hash of the certificate.

Syntax

def get_identity_provider_signing_cert_thumbprint_md5() -> str: ...

identity_provider_signing_cert_thumbprint_md5 = property(get_identity_provider_signing_cert_thumbprint_md5, None)

Default Value

""

Remarks

The MD5 hash of the certificate. It is primarily used for X.509 certificates. If the hash does not already exist, it is automatically computed.

This property is read-only.

identity_provider_signing_cert_thumbprint_sha1 property

The SHA-1 hash of the certificate.

Syntax

def get_identity_provider_signing_cert_thumbprint_sha1() -> str: ...

identity_provider_signing_cert_thumbprint_sha1 = property(get_identity_provider_signing_cert_thumbprint_sha1, None)

Default Value

""

Remarks

The SHA-1 hash of the certificate. It is primarily used for X.509 certificates. If the hash does not already exist, it is automatically computed.

This property is read-only.

identity_provider_signing_cert_thumbprint_sha256 property

The SHA-256 hash of the certificate.

Syntax

def get_identity_provider_signing_cert_thumbprint_sha256() -> str: ...

identity_provider_signing_cert_thumbprint_sha256 = property(get_identity_provider_signing_cert_thumbprint_sha256, None)

Default Value

""

Remarks

The SHA-256 hash of the certificate. It is primarily used for X.509 certificates. If the hash does not already exist, it is automatically computed.

This property is read-only.

identity_provider_signing_cert_usage property

The text description of UsageFlags .

Syntax

def get_identity_provider_signing_cert_usage() -> str: ...

identity_provider_signing_cert_usage = property(get_identity_provider_signing_cert_usage, None)

Default Value

""

Remarks

The text description of identity_provider_signing_cert_usage_flags.

This value will be one or more of the following strings and will be separated by commas:

• Digital Signature
• Non-Repudiation
• Key Encipherment
• Data Encipherment
• Key Agreement
• Certificate Signing
• CRL Signing
• Encipher Only

If the provider is OpenSSL, the value is a comma-separated list of X.509 certificate extension names.

This property is read-only.

identity_provider_signing_cert_usage_flags property

The flags that show intended use for the certificate.

Syntax

def get_identity_provider_signing_cert_usage_flags() -> int: ...

identity_provider_signing_cert_usage_flags = property(get_identity_provider_signing_cert_usage_flags, None)

Default Value

0

Remarks

The flags that show intended use for the certificate. The value of identity_provider_signing_cert_usage_flags is a combination of the following flags:

Please see the identity_provider_signing_cert_usage property for a text representation of identity_provider_signing_cert_usage_flags.

This functionality currently is not available when the provider is OpenSSL.

This property is read-only.

identity_provider_signing_cert_version property

The certificate's version number.

Syntax

def get_identity_provider_signing_cert_version() -> str: ...

identity_provider_signing_cert_version = property(get_identity_provider_signing_cert_version, None)

Default Value

""

Remarks

The certificate's version number. The possible values are the strings "V1", "V2", and "V3".

This property is read-only.

identity_provider_signing_cert_subject property

The subject of the certificate used for client authentication.

Syntax

def get_identity_provider_signing_cert_subject() -> str: ...
def set_identity_provider_signing_cert_subject(value: str) -> None: ...

identity_provider_signing_cert_subject = property(get_identity_provider_signing_cert_subject, set_identity_provider_signing_cert_subject)

Default Value

""

Remarks

The subject of the certificate used for client authentication.

This property must be set after all other certificate properties are set. When this property is set, a search is performed in the current certificate store to locate a certificate with a matching subject.

If a matching certificate is found, the property is set to the full subject of the matching certificate.

If an exact match is not found, the store is searched for subjects containing the value of the property.

If a match is still not found, the property is set to an empty string, and no certificate is selected.

The special value "*" picks a random certificate in the certificate store.

The certificate subject is a comma-separated list of distinguished name fields and values. For instance, "CN=www.server.com, OU=test, C=US, E=example@email.com". Common fields and their meanings are as follows:

If a field value contains a comma, it must be quoted.

identity_provider_signing_cert_encoded property

The certificate (PEM/Base64 encoded).

Syntax

def get_identity_provider_signing_cert_encoded() -> bytes: ...
def set_identity_provider_signing_cert_encoded(value: bytes) -> None: ...

identity_provider_signing_cert_encoded = property(get_identity_provider_signing_cert_encoded, set_identity_provider_signing_cert_encoded)

Default Value

""

Remarks

The certificate (PEM/Base64 encoded). This property is used to assign a specific certificate. The identity_provider_signing_cert_store and identity_provider_signing_cert_subject properties also may be used to specify a certificate.

When identity_provider_signing_cert_encoded is set, a search is initiated in the current identity_provider_signing_cert_store for the private key of the certificate. If the key is found, identity_provider_signing_cert_subject is updated to reflect the full subject of the selected certificate; otherwise, identity_provider_signing_cert_subject is set to an empty string.

identity_provider_uri_count property

The number of records in the IdentityProviderURI arrays.

Syntax

def get_identity_provider_uri_count() -> int: ...
def set_identity_provider_uri_count(value: int) -> None: ...

identity_provider_uri_count = property(get_identity_provider_uri_count, set_identity_provider_uri_count)

Default Value

0

Remarks

This property controls the size of the following arrays:

• identity_provider_uri_binding_ref
• identity_provider_uri_binding_type
• identity_provider_uri_index
• identity_provider_uri_is_default
• identity_provider_uri_location
• identity_provider_uri_type

The array indices start at 0 and end at identity_provider_uri_count - 1.

identity_provider_uri_binding_ref property

The URI reference for the set BindingType .

Syntax

def get_identity_provider_uri_binding_ref(identity_provider_uri_idx: int) -> str: ...
def set_identity_provider_uri_binding_ref(identity_provider_uri_idx: int, value: str) -> None: ...

Default Value

"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

Remarks

The URI reference for the set identity_provider_uri_binding_type. When the identity_provider_uri_binding_type is set, this property will be updated to match. The exception is the subCustom value, which allows for any value to be placed in this property.

If this property is set instead, the class will attempt to set the identity_provider_uri_binding_type property to match. If it can't, subCustom will also be used.

When parsing a metadata document, the class will also use the subCustom value for any binding types that are not recognized by the class.

The identity_provider_uri_idx parameter specifies the index of the item in the array. The size of the array is controlled by the identity_provider_uri_count property.

identity_provider_uri_binding_type property

The type of binding that is supported for this URI.

Syntax

def get_identity_provider_uri_binding_type(identity_provider_uri_idx: int) -> int: ...
def set_identity_provider_uri_binding_type(identity_provider_uri_idx: int, value: int) -> None: ...

Possible Values

0   # Redirect
1   # Post
2   # Artifact
3   # Custom

Default Value

0

Remarks

The type of binding that is supported for this URI. The class only supports using the HTTP Redirect and HTTP POST bindings. The HTTP Artifact and other bindings are informational, and support for them must be implemented directly.

When setting this property, the identity_provider_uri_binding_ref property will also be updated with the matching URI. The exception is the subCustom value, which allows for any value to be placed in the identity_provider_uri_binding_ref property.

If the identity_provider_uri_binding_ref property is set, during the processing of a metadata document the class will attempt to set this property as well with the matching value. If it can't, subCustom will be used instead.

The identity_provider_uri_idx parameter specifies the index of the item in the array. The size of the array is controlled by the identity_provider_uri_count property.

identity_provider_uri_is_default property

Whether this URI is the default URI that should be used for the specific URIType and BindingType combination.

Syntax

def get_identity_provider_uri_is_default(identity_provider_uri_idx: int) -> bool: ...
def set_identity_provider_uri_is_default(identity_provider_uri_idx: int, value: bool) -> None: ...

Default Value

FALSE

Remarks

Whether this URI is the default URI that should be used for the specific identity_provider_uriuri_type and identity_provider_uri_binding_type combination.

The identity_provider_uri_idx parameter specifies the index of the item in the array. The size of the array is controlled by the identity_provider_uri_count property.

identity_provider_uri_location property

The address of the URI.

Syntax

def get_identity_provider_uri_location(identity_provider_uri_idx: int) -> str: ...
def set_identity_provider_uri_location(identity_provider_uri_idx: int, value: str) -> None: ...

Default Value

""

Remarks

The address of the URI.

The identity_provider_uri_idx parameter specifies the index of the item in the array. The size of the array is controlled by the identity_provider_uri_count property.

identity_provider_uri_index property

The index for the URI that can be optionally used if multiple URIs of the same URIType and BindingType are provided.

Syntax

def get_identity_provider_uri_index(identity_provider_uri_idx: int) -> int: ...
def set_identity_provider_uri_index(identity_provider_uri_idx: int, value: int) -> None: ...

Default Value

0

Remarks

The index for the URI that can be optionally used if multiple URIs of the same identity_provider_uriuri_type and identity_provider_uri_binding_type are provided.

The identity_provider_uri_idx parameter specifies the index of the item in the array. The size of the array is controlled by the identity_provider_uri_count property.

identity_provider_uri_type property

The purpose of the URI.

Syntax

def get_identity_provider_uri_type(identity_provider_uri_idx: int) -> int: ...
def set_identity_provider_uri_type(identity_provider_uri_idx: int, value: int) -> None: ...

Possible Values

0   # Signon
1   # Logout
2   # ACS

Default Value

0

Remarks

The purpose of the URI.

Possible values are:

The identity_provider_uri_idx parameter specifies the index of the item in the array. The size of the array is controlled by the identity_provider_uri_count property.

proxy_auth_scheme property

The type of authorization to perform when connecting to the proxy.

Syntax

def get_proxy_auth_scheme() -> int: ...
def set_proxy_auth_scheme(value: int) -> None: ...

proxy_auth_scheme = property(get_proxy_auth_scheme, set_proxy_auth_scheme)

Possible Values

0   # Basic
1   # Digest
2   # Proprietary
3   # None
4   # Ntlm
5   # Negotiate

Default Value

0

Remarks

The type of authorization to perform when connecting to the proxy. This is used only when the proxy_user and proxy_password properties are set.

proxy_auth_scheme should be set to authNone (3) when no authentication is expected.

By default, proxy_auth_scheme is authBasic (0), and if the proxy_user and proxy_password properties are set, the class will attempt basic authentication.

If proxy_auth_scheme is set to authDigest (1), digest authentication will be attempted instead.

If proxy_auth_scheme is set to authProprietary (2), then the authorization token will not be generated by the class. Look at the configuration file for the class being used to find more information about manually setting this token.

If proxy_auth_scheme is set to authNtlm (4), NTLM authentication will be used.

For security reasons, setting this property will clear the values of proxy_user and proxy_password.

proxy_auto_detect property

Whether to automatically detect and use proxy system settings, if available.

Syntax

def get_proxy_auto_detect() -> bool: ...
def set_proxy_auto_detect(value: bool) -> None: ...

proxy_auto_detect = property(get_proxy_auto_detect, set_proxy_auto_detect)

Default Value

FALSE

Remarks

Whether to automatically detect and use proxy system settings, if available. The default value is False.

proxy_password property

A password if authentication is to be used for the proxy.

Syntax

def get_proxy_password() -> str: ...
def set_proxy_password(value: str) -> None: ...

proxy_password = property(get_proxy_password, set_proxy_password)

Default Value

""

Remarks

A password if authentication is to be used for the proxy.

If proxy_auth_scheme is set to Basic Authentication, the proxy_user and proxy_password properties are Base64 encoded and the proxy authentication token will be generated in the form Basic [encoded-user-password].

If proxy_auth_scheme is set to Digest Authentication, the proxy_user and proxy_password properties are used to respond to the Digest Authentication challenge from the server.

If proxy_auth_scheme is set to NTLM Authentication, the proxy_user and proxy_password properties are used to authenticate through NTLM negotiation.

proxy_port property

The Transmission Control Protocol (TCP) port for the proxy Server (default 80).

Syntax

def get_proxy_port() -> int: ...
def set_proxy_port(value: int) -> None: ...

proxy_port = property(get_proxy_port, set_proxy_port)

Default Value

80

Remarks

The Transmission Control Protocol (TCP) port for the proxy proxy_server (default 80). See the description of the proxy_server property for details.

proxy_server property

If a proxy Server is given, then the HTTP request is sent to the proxy instead of the server otherwise specified.

Syntax

def get_proxy_server() -> str: ...
def set_proxy_server(value: str) -> None: ...

proxy_server = property(get_proxy_server, set_proxy_server)

Default Value

""

Remarks

If a proxy proxy_server is given, then the HTTP request is sent to the proxy instead of the server otherwise specified.

If the proxy_server property is set to a domain name, a DNS request is initiated. Upon successful termination of the request, the proxy_server property is set to the corresponding address. If the search is not successful, an error is returned.

proxy_ssl property

When to use a Secure Sockets Layer (SSL) for the connection to the proxy.

Syntax

def get_proxy_ssl() -> int: ...
def set_proxy_ssl(value: int) -> None: ...

proxy_ssl = property(get_proxy_ssl, set_proxy_ssl)

Possible Values

0   # Automatic
1   # Always
2   # Never
3   # Tunnel

Default Value

0

Remarks

When to use a Secure Sockets Layer (SSL) for the connection to the proxy. The applicable values are as follows:

proxy_user property

A username if authentication is to be used for the proxy.

Syntax

def get_proxy_user() -> str: ...
def set_proxy_user(value: str) -> None: ...

proxy_user = property(get_proxy_user, set_proxy_user)

Default Value

""

Remarks

A username if authentication is to be used for the proxy.

If proxy_auth_scheme is set to Basic Authentication, the proxy_user and proxy_password properties are Base64 encoded and the proxy authentication token will be generated in the form Basic [encoded-user-password].

If proxy_auth_scheme is set to Digest Authentication, the proxy_user and proxy_password properties are used to respond to the Digest Authentication challenge from the server.

If proxy_auth_scheme is set to NTLM Authentication, the proxy_user and proxy_password properties are used to authenticate through NTLM negotiation.

relay_state property

The RelayState for a SAML request or response.

Syntax

def get_relay_state() -> str: ...
def set_relay_state(value: str) -> None: ...

relay_state = property(get_relay_state, set_relay_state)

Default Value

""

Remarks

When set before building a request using the authenticate_user method, this property will set the RelayState parameter that is provided with the SAML request. Any value may be specified here and it will be returned exactly as it was sent. This can be used to maintain state within the application, and also may be used for security purposes. The contents of this property are treated as an opaque value.

After receiving the response from the Identity Provider, this setting will then be set to match the RelayState parameter if it was provided by the Identity Provider. This does not work if the SAML response was provided directly to the methods using the saml_response_info property.

return_url property

The URL where the user (browser) returns after authenticating with the Identity Provider.

Syntax

def get_return_url() -> str: ...
def set_return_url(value: str) -> None: ...

return_url = property(get_return_url, set_return_url)

Default Value

""

Remarks

Typically this property will be automatically set by the component when calling authenticate_user or build_service_metadata based on how the web_server_bindings, web_server_port, and web_server_ssl_enabled properties are configured. Additionally, the WebServerHost configuration setting can be specify the domain which is localhost by default. For example, some service prefer the use of 127.0.0.1.

When manually validating a SAML response or assertion, this setting will need to be set for validation to succeeded.

Can be set to override the URL that is provided in the authenticate request or metadata if needed. For example, if using a relay server to pass information from the Identity Provider to the application, return_url should be set to the location of the relay server. The relay server should then pass the information to the embedded web server.

saml_request_allow_create property

This setting is only used for authentication requests.

Syntax

def get_saml_request_allow_create() -> bool: ...
def set_saml_request_allow_create(value: bool) -> None: ...

saml_request_allow_create = property(get_saml_request_allow_create, set_saml_request_allow_create)

Default Value

FALSE

Remarks

This setting is only used for authentication requests. It controls whether the class will set the AllowCreate attribute in the NameIDPolicy element that is specific to the AuthnRequest element. When set to True, this will inform the Identity Provider that it is allowed to create a new identifier to represent the principal. When set to False (default), the Identity Provider should only issue an assertion if an acceptable identifier is already created.

saml_request_binding property

This setting controls the binding that will be used to make the request.

Syntax

def get_saml_request_binding() -> int: ...
def set_saml_request_binding(value: int) -> None: ...

saml_request_binding = property(get_saml_request_binding, set_saml_request_binding)

Possible Values

0   # HTTPRedirect
1   # HTTPPost

Default Value

0

Remarks

This setting controls the binding that will be used to make the request.

By default, the class will use the sbHTTPRedirect binding which provides the SAMLRequest value through a query parameter. The sbHTTPRedirect binding will set just the saml_request_url property.

If set to the sbHTTPPost binding, the SAMLRequest value is provided in an HTML body that should be used to make a form post request. This will set both the saml_request_url and saml_request_body properties.

Note: This setting does not control the binding of the response, just how the request will be made.

saml_request_consent property

This setting specifies whether consent from a principal was provided when this request was sent.

Syntax

def get_saml_request_consent() -> int: ...
def set_saml_request_consent(value: int) -> None: ...

saml_request_consent = property(get_saml_request_consent, set_saml_request_consent)

Possible Values

0   # Unspecified
1   # Obtained
2   # Prior
3   # Implicit
4   # Explicit
5   # Unavailable
6   # Inapplicable
7   # Custom

Default Value

0

Remarks

This setting specifies whether consent from a principal was provided when this request was sent. This typically is set to some URI reference that was used by the application to obtain consent from the principal (user). This setting specifically sets the Consent attribute in the AuthnRequest or LogoutRequest elements in a SAML request.

By default, the scidUnspecified value is used. If a format needs to be used that is not listed here, the snidCustom value can be used instead. When set, the CustomConsent configuration setting will be used instead.

saml_request_destination property

This setting specifies a URI reference for the intended destination for the SAML request.

Syntax

def get_saml_request_destination() -> str: ...
def set_saml_request_destination(value: str) -> None: ...

saml_request_destination = property(get_saml_request_destination, set_saml_request_destination)

Default Value

""

Remarks

This setting specifies a URI reference for the intended destination for the SAML request. This is useful to prevent malicious forwarding of responses to unintended recipients. If left blank the class will set this to match the endpoint selected by the class. See saml_request_use_default_endpoint and saml_request_selected_endpoint for more information.

saml_request_id property

This setting specifies the unique Id of the SAML request.

Syntax

def get_saml_request_id() -> str: ...
def set_saml_request_id(value: str) -> None: ...

saml_request_id = property(get_saml_request_id, set_saml_request_id)

Default Value

""

Remarks

This setting specifies the unique Id of the SAML request.

When building a SAML request using the build_authn_request or build_logout_request methods, the class will use this value for the Id attribute in the request. If left empty before building the request, the class will generate a new one.

When validating a SAML response or assertion, this property is used to provide the Id of the request to the class. The SAML response and assertion both have an InResponseTo attribute that needs to match this property. See saml_request_in_response_to for more information. This is important, to check to ensure that the SAML response or assertion was in response to a request that was made by this application.

Due to needing the value for validation purposes this setting, (along with the saml_request_issuer property) should be cached in a secure location for later. This Id should match the Id of the InResponseTo attribute of the matching SAMLResponse . Due to this, after build_authn_request or build_logout_request is used to create a request, this setting

saml_request_issued_time property

This setting sets the time at which the SAML request was issued.

Syntax

def get_saml_request_issued_time() -> str: ...
def set_saml_request_issued_time(value: str) -> None: ...

saml_request_issued_time = property(get_saml_request_issued_time, set_saml_request_issued_time)

Default Value

""

Remarks

This setting sets the time at which the SAML request was issued. If not set, the class will use the current time.

Time-based values are specified by the SAML specification to be in UTC in the following format: YYYY-MM-DDTHH:mm:ss.sssZ

saml_request_issuer property

The issuer for the SAML request.

Syntax

def get_saml_request_issuer() -> str: ...
def set_saml_request_issuer(value: str) -> None: ...

saml_request_issuer = property(get_saml_request_issuer, set_saml_request_issuer)

Default Value

""

Remarks

The issuer for the SAML request. Typically, this should be set to the Entity Id configured for the Identity Provider.

saml_request_name_id_format property

This setting is only used for authentication requests.

Syntax

def get_saml_request_name_id_format() -> int: ...
def set_saml_request_name_id_format(value: int) -> None: ...

saml_request_name_id_format = property(get_saml_request_name_id_format, set_saml_request_name_id_format)

Possible Values

0   # Unspecified
1   # Email
2   # X509
3   # WindowsDQ
4   # Kerberos
5   # Entity
6   # Persistent
7   # Transitent
8   # Custom

Default Value

0

Remarks

This setting is only used for authentication requests. If supported by the Identity Provider, this setting can be used to tailor the name identifier for the subject in the response to an authentication request.

By default, the snidUnspecified format will be used, which informs the Identity Provider to use whatever name identifier format they prefer. This setting specifically sets the Format attribute in the NameIDPolicy element in an authentication request. If a format needs to be used that is not listed here, the snidCustom value can be used instead. When set, the CustomNameIdFormat configuration setting will be used instead.

saml_request_selected_endpoint property

This setting only applies to Authn Requests since there can be multiple Assertion Consumer Service (ACS) endpoints per service provider.

Syntax

def get_saml_request_selected_endpoint() -> int: ...
def set_saml_request_selected_endpoint(value: int) -> None: ...

saml_request_selected_endpoint = property(get_saml_request_selected_endpoint, set_saml_request_selected_endpoint)

Default Value

-1

Remarks

This setting only applies to Authn Requests since there can be multiple Assertion Consumer Service (ACS) endpoints per service provider. When building an Authn Request, the class will select the the ACS endpoint depending on how saml_request_settings is configured. If saml_request_use_default_endpoint is set to True, the request will specify that the Identity Provider should use the URI that is configured as the default. If saml_request_selected_endpoint is set, the class will use that index in the request. Otherwise, the class will select the first URI available in the service_provider_ur_is properties.

saml_request_session_index property

This setting only applies when building SAML logout requests.

Syntax

def get_saml_request_session_index() -> str: ...
def set_saml_request_session_index(value: str) -> None: ...

saml_request_session_index = property(get_saml_request_session_index, set_saml_request_session_index)

Default Value

""

Remarks

This setting only applies when building SAML logout requests. saml_request_session_index identifies the current session of the user that is being ended when the build_logout_request method is called. When the process_saml_response or parse_assertion methods are called, the saml_request_session_index property will be set to the session index from the Identity Provider. Providing the session index with the logout request will typically cause the Identity Provider to send logout requests to all participating services that are also part of the session.

saml_request_sign_request property

This setting controls whether the SAML request should be signed when using the BuildAuthnRequest or BuildLogoutRequest methods.

Syntax

def get_saml_request_sign_request() -> bool: ...
def set_saml_request_sign_request(value: bool) -> None: ...

saml_request_sign_request = property(get_saml_request_sign_request, set_saml_request_sign_request)

Default Value

FALSE

Remarks

This setting controls whether the SAML request should be signed when using the build_authn_request or build_logout_request methods. The class will use the certificate set in the service_provider_signing_cert property to sign the request.

saml_request_use_default_endpoint property

This setting only applies to Authn Requests since there can be multiple Assertion Consumer Service (ACS) endpoints per service provider.

Syntax

def get_saml_request_use_default_endpoint() -> bool: ...
def set_saml_request_use_default_endpoint(value: bool) -> None: ...

saml_request_use_default_endpoint = property(get_saml_request_use_default_endpoint, set_saml_request_use_default_endpoint)

Default Value

FALSE

Remarks

This setting only applies to Authn Requests since there can be multiple Assertion Consumer Service (ACS) endpoints per service provider. When multiple ACS endpoints are available, a single endpoint can be selected as the default endpoint. When building an Authn Request, the class will select the the ACS endpoint depending on how saml_request_settings is configured. If saml_request_use_default_endpoint is set to True, the request will specify that the Identity Provider should use the URI that is configured as the default. If saml_request_selected_endpoint is set, then the class will use that index in the request. Otherwise, the class will select the first URI available in the service_provider_ur_is properties.

saml_response_consent property

Whether consent from a principal was provided when this response was sent.

Syntax

def get_saml_response_consent() -> str: ...

saml_response_consent = property(get_saml_response_consent, None)

Default Value

""

Remarks

Whether consent from a principal was provided when this response was sent. This typically is set to some URI reference that matches the method that was used by the application to obtain consent from the principal (user).

Some common URI values are:

• Unspecified - urn:oasis:names:tc:SAML:2.0:consent:unspecified
• Obtained - urn:oasis:names:tc:SAML:2.0:consent:obtained
• Prior - urn:oasis:names:tc:SAML:2.0:consent:prior
• Implicit - urn:oasis:names:tc:SAML:2.0:consent:current-implicit
• Explicit - urn:oasis:names:tc:SAML:2.0:consent:current-explicit
• Unavailable - urn:oasis:names:tc:SAML:2.0:consent:unavailable
• Inapplicable - urn:oasis:names:tc:SAML:2.0:consent:inapplicable

This property is read-only.

saml_response_content property

The full XML of the SAML response after being parsed or processed by the class.

Syntax

def get_saml_response_content() -> bytes: ...
def set_saml_response_content(value: bytes) -> None: ...

saml_response_content = property(get_saml_response_content, set_saml_response_content)

Default Value

""

Remarks

The full XML of the SAML response after being parsed or processed by the class. Optionally, this setting can be set to provide a SAML response directly to the class to be parsed or processed.

saml_response_destination property

A URI reference for the intended destination for the SAML response.

Syntax

def get_saml_response_destination() -> str: ...

saml_response_destination = property(get_saml_response_destination, None)

Default Value

""

Remarks

A URI reference for the intended destination for the SAML response. This is useful to prevent malicious forwarding of responses to unintended recipients.

This property is read-only.

saml_response_id property

The unique Id for the SAML response that was created by the Issuer .

Syntax

def get_saml_response_id() -> str: ...

saml_response_id = property(get_saml_response_id, None)

Default Value

""

Remarks

The unique Id for the SAML response that was created by the saml_response_issuer.

This property is read-only.

saml_response_in_response_to property

The Id of the SAML request that requested the Identity Provider to issue this SAML response.

Syntax

def get_saml_response_in_response_to() -> str: ...

saml_response_in_response_to = property(get_saml_response_in_response_to, None)

Default Value

""

Remarks

The Id of the SAML request that requested the Identity Provider to issue this SAML response. The class validates this property against the original Id of the SAML request which saml_response_id should be set to.

This property is read-only.

saml_response_issued_time property

The time at which the SAML response was issued by the Issuer .

Syntax

def get_saml_response_issued_time() -> str: ...

saml_response_issued_time = property(get_saml_response_issued_time, None)

Default Value

""

Remarks

The time at which the SAML response was issued by the saml_response_issuer.

Time-based values are specified by the SAML specification to be in UTC in the following format: YYYY-MM-DDTHH:mm:ss.sssZ

This property is read-only.

saml_response_issuer property

The Entity Id of the issuer of the SAML response.

Syntax

def get_saml_response_issuer() -> str: ...

saml_response_issuer = property(get_saml_response_issuer, None)

Default Value

""

Remarks

The Entity Id of the issuer of the SAML response. Typically, this will be the saml_response_entity_id of the Identity Provider.

This property is read-only.

saml_response_type property

The type of SAML response that was parsed or processed.

Syntax

def get_saml_response_type() -> int: ...

saml_response_type = property(get_saml_response_type, None)

Possible Values

0   # Unknown
1   # Authn
2   # Logout

Default Value

0

Remarks

The type of SAML response that was parsed or processed.

This property is read-only.

saml_response_signed property

Whether the SAML response is signed.

Syntax

def get_saml_response_signed() -> bool: ...

saml_response_signed = property(get_saml_response_signed, None)

Default Value

FALSE

Remarks

Whether the SAML response is signed. If the SAML response contains no signatures, or only the assertion is signed, then this property will be set to False.

This property is read-only.

saml_response_status_codes property

A semicolon-separated list of status codes found in the SAML response.

Syntax

def get_saml_response_status_codes() -> str: ...

saml_response_status_codes = property(get_saml_response_status_codes, None)

Default Value

""

Remarks

A semicolon-separated list of status codes found in the SAML response. A compliant SAML response will always contain a top-level response with one of the following values.

urn:oasis:names:tc:SAML:2.0:status:Responder;urn:oasis:names:tc:SAML:2.0:status:AuthnFailed

Sometimes, a message is also provided with the Status. See saml_response_status_message for more information.

This property is read-only.

saml_response_status_message property

The message that was provided in the status of the SAML response.

Syntax

def get_saml_response_status_message() -> str: ...

saml_response_status_message = property(get_saml_response_status_message, None)

Default Value

""

Remarks

The message that was provided in the status of the SAML response. This property is set alongside the saml_response_status_codes and can be used to provide more information about the status.

This property is read-only.

service_provider_metadata_authn_request_signed property

Whether the generated metadata document will inform the identity provider that this service provider will be sending signed requests.

Syntax

def get_service_provider_metadata_authn_request_signed() -> bool: ...
def set_service_provider_metadata_authn_request_signed(value: bool) -> None: ...

service_provider_metadata_authn_request_signed = property(get_service_provider_metadata_authn_request_signed, set_service_provider_metadata_authn_request_signed)

Default Value

FALSE

Remarks

Whether the generated metadata document will inform the identity provider that this service provider will be sending signed requests.

service_provider_metadata_content property

The raw XML document that represents the metadata document for the configured service provider.

Syntax

def get_service_provider_metadata_content() -> bytes: ...
def set_service_provider_metadata_content(value: bytes) -> None: ...

service_provider_metadata_content = property(get_service_provider_metadata_content, set_service_provider_metadata_content)

Default Value

""

Remarks

The raw XML document that represents the metadata document for the configured service provider. This property is populated when the build_service_metadata method is used to generate a new document.

service_provider_metadata_entity_id property

The Entity Id for this service provider.

Syntax

def get_service_provider_metadata_entity_id() -> str: ...
def set_service_provider_metadata_entity_id(value: str) -> None: ...

service_provider_metadata_entity_id = property(get_service_provider_metadata_entity_id, set_service_provider_metadata_entity_id)

Default Value

""

Remarks

The Entity Id for this service provider. This is the unique Id that will be used by the Identity Provider and should be unique to this service provider.

service_provider_metadata_signed_metadata property

Whether the class will sign the metadata document when it is being generated.

Syntax

def get_service_provider_metadata_signed_metadata() -> bool: ...
def set_service_provider_metadata_signed_metadata(value: bool) -> None: ...

service_provider_metadata_signed_metadata = property(get_service_provider_metadata_signed_metadata, set_service_provider_metadata_signed_metadata)

Default Value

FALSE

Remarks

Whether the class will sign the metadata document when it is being generated. When the build_service_metadata method is used to generate the metadata document, the class will use the service_provider_signing_cert property to sign the document.

service_provider_metadata_supported_name_id_formats property

A semicolon-separated list of NameId formats that are supported by this service provider.

Syntax

def get_service_provider_metadata_supported_name_id_formats() -> str: ...
def set_service_provider_metadata_supported_name_id_formats(value: str) -> None: ...

service_provider_metadata_supported_name_id_formats = property(get_service_provider_metadata_supported_name_id_formats, set_service_provider_metadata_supported_name_id_formats)

Default Value

""

Remarks

A semicolon-separated list of NameId formats that are supported by this service provider.

Some common values are:

To support both email addresses and Windows domain qualified name, this property would be set to:

urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress;urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName

service_provider_metadata_want_assertions_signed property

Whether the metadata document will inform the identity provider that this service provider wants issued assertions to be signed.

Syntax

def get_service_provider_metadata_want_assertions_signed() -> bool: ...
def set_service_provider_metadata_want_assertions_signed(value: bool) -> None: ...

service_provider_metadata_want_assertions_signed = property(get_service_provider_metadata_want_assertions_signed, set_service_provider_metadata_want_assertions_signed)

Default Value

FALSE

Remarks

Whether the metadata document will inform the identity provider that this service provider wants issued assertions to be signed.

service_provider_signing_cert_effective_date property

The date on which this certificate becomes valid.

Syntax

def get_service_provider_signing_cert_effective_date() -> str: ...

service_provider_signing_cert_effective_date = property(get_service_provider_signing_cert_effective_date, None)

Default Value

""

Remarks

The date on which this certificate becomes valid. Before this date, it is not valid. The date is localized to the system's time zone. The following example illustrates the format of an encoded date:

23-Jan-2000 15:00:00.

This property is read-only.

service_provider_signing_cert_expiration_date property

The date on which the certificate expires.

Syntax

def get_service_provider_signing_cert_expiration_date() -> str: ...

service_provider_signing_cert_expiration_date = property(get_service_provider_signing_cert_expiration_date, None)

Default Value

""

Remarks

The date on which the certificate expires. After this date, the certificate will no longer be valid. The date is localized to the system's time zone. The following example illustrates the format of an encoded date:

23-Jan-2001 15:00:00.

This property is read-only.

service_provider_signing_cert_extended_key_usage property

A comma-delimited list of extended key usage identifiers.

Syntax

def get_service_provider_signing_cert_extended_key_usage() -> str: ...

service_provider_signing_cert_extended_key_usage = property(get_service_provider_signing_cert_extended_key_usage, None)

Default Value

""

Remarks

A comma-delimited list of extended key usage identifiers. These are the same as ASN.1 object identifiers (OIDs).

This property is read-only.

service_provider_signing_cert_fingerprint property

The hex-encoded, 16-byte MD5 fingerprint of the certificate.

Syntax

def get_service_provider_signing_cert_fingerprint() -> str: ...

service_provider_signing_cert_fingerprint = property(get_service_provider_signing_cert_fingerprint, None)

Default Value

""

Remarks

The hex-encoded, 16-byte MD5 fingerprint of the certificate. This property is primarily used for keys which do not have a corresponding X.509 public certificate, such as PEM keys that only contain a private key. It is commonly used for SSH keys.

The following example illustrates the format: bc:2a:72:af:fe:58:17:43:7a:5f:ba:5a:7c:90:f7:02

This property is read-only.

service_provider_signing_cert_fingerprint_sha1 property

The hex-encoded, 20-byte SHA-1 fingerprint of the certificate.

Syntax

def get_service_provider_signing_cert_fingerprint_sha1() -> str: ...

service_provider_signing_cert_fingerprint_sha1 = property(get_service_provider_signing_cert_fingerprint_sha1, None)

Default Value

""

Remarks

The hex-encoded, 20-byte SHA-1 fingerprint of the certificate. This property is primarily used for keys which do not have a corresponding X.509 public certificate, such as PEM keys that only contain a private key. It is commonly used for SSH keys.

The following example illustrates the format: 30:7b:fa:38:65:83:ff:da:b4:4e:07:3f:17:b8:a4:ed:80:be:ff:84

This property is read-only.

service_provider_signing_cert_fingerprint_sha256 property

The hex-encoded, 32-byte SHA-256 fingerprint of the certificate.

Syntax

def get_service_provider_signing_cert_fingerprint_sha256() -> str: ...

service_provider_signing_cert_fingerprint_sha256 = property(get_service_provider_signing_cert_fingerprint_sha256, None)

Default Value

""

Remarks

The hex-encoded, 32-byte SHA-256 fingerprint of the certificate. This property is primarily used for keys which do not have a corresponding X.509 public certificate, such as PEM keys that only contain a private key. It is commonly used for SSH keys.

The following example illustrates the format: 6a:80:5c:33:a9:43:ea:b0:96:12:8a:64:96:30:ef:4a:8a:96:86:ce:f4:c7:be:10:24:8e:2b:60:9e:f3:59:53

This property is read-only.

service_provider_signing_cert_issuer property

The issuer of the certificate.

Syntax

def get_service_provider_signing_cert_issuer() -> str: ...

service_provider_signing_cert_issuer = property(get_service_provider_signing_cert_issuer, None)

Default Value

""

Remarks

The issuer of the certificate. This property contains a string representation of the name of the issuing authority for the certificate.

This property is read-only.

service_provider_signing_cert_private_key property

The private key of the certificate (if available).

Syntax

def get_service_provider_signing_cert_private_key() -> str: ...

service_provider_signing_cert_private_key = property(get_service_provider_signing_cert_private_key, None)

Default Value

""

Remarks

The private key of the certificate (if available). The key is provided as PEM/Base64-encoded data.

NOTE: The service_provider_signing_cert_private_key may be available but not exportable. In this case, service_provider_signing_cert_private_key returns an empty string.

This property is read-only.

service_provider_signing_cert_private_key_available property

Whether a PrivateKey is available for the selected certificate.

Syntax

def get_service_provider_signing_cert_private_key_available() -> bool: ...

service_provider_signing_cert_private_key_available = property(get_service_provider_signing_cert_private_key_available, None)

Default Value

FALSE

Remarks

Whether a service_provider_signing_cert_private_key is available for the selected certificate. If service_provider_signing_cert_private_key_available is True, the certificate may be used for authentication purposes (e.g., server authentication).

This property is read-only.

service_provider_signing_cert_private_key_container property

The name of the PrivateKey container for the certificate (if available).

Syntax

def get_service_provider_signing_cert_private_key_container() -> str: ...

service_provider_signing_cert_private_key_container = property(get_service_provider_signing_cert_private_key_container, None)

Default Value

""

Remarks

The name of the service_provider_signing_cert_private_key container for the certificate (if available). This functionality is available only on Windows platforms.

This property is read-only.

service_provider_signing_cert_public_key property

The public key of the certificate.

Syntax

def get_service_provider_signing_cert_public_key() -> str: ...

service_provider_signing_cert_public_key = property(get_service_provider_signing_cert_public_key, None)

Default Value

""

Remarks

The public key of the certificate. The key is provided as PEM/Base64-encoded data.

This property is read-only.

service_provider_signing_cert_public_key_algorithm property

The textual description of the certificate's public key algorithm.

Syntax

def get_service_provider_signing_cert_public_key_algorithm() -> str: ...

service_provider_signing_cert_public_key_algorithm = property(get_service_provider_signing_cert_public_key_algorithm, None)

Default Value

""

Remarks

The textual description of the certificate's public key algorithm. The property contains either the name of the algorithm (e.g., "RSA" or "RSA_DH") or an object identifier (OID) string representing the algorithm.

This property is read-only.

service_provider_signing_cert_public_key_length property

The length of the certificate's public key (in bits).

Syntax

def get_service_provider_signing_cert_public_key_length() -> int: ...

service_provider_signing_cert_public_key_length = property(get_service_provider_signing_cert_public_key_length, None)

Default Value

0

Remarks

The length of the certificate's public key (in bits). Common values are 512, 1024, and 2048.

This property is read-only.

service_provider_signing_cert_serial_number property

The serial number of the certificate encoded as a string.

Syntax

def get_service_provider_signing_cert_serial_number() -> str: ...

service_provider_signing_cert_serial_number = property(get_service_provider_signing_cert_serial_number, None)

Default Value

""

Remarks

The serial number of the certificate encoded as a string. The number is encoded as a series of hexadecimal digits, with each pair representing a byte of the serial number.

This property is read-only.

service_provider_signing_cert_signature_algorithm property

The text description of the certificate's signature algorithm.

Syntax

def get_service_provider_signing_cert_signature_algorithm() -> str: ...

service_provider_signing_cert_signature_algorithm = property(get_service_provider_signing_cert_signature_algorithm, None)

Default Value

""

Remarks

The text description of the certificate's signature algorithm. The property contains either the name of the algorithm (e.g., "RSA" or "RSA_MD5RSA") or an object identifier (OID) string representing the algorithm.

This property is read-only.

service_provider_signing_cert_store property

The name of the certificate store for the client certificate.

Syntax

def get_service_provider_signing_cert_store() -> bytes: ...
def set_service_provider_signing_cert_store(value: bytes) -> None: ...

service_provider_signing_cert_store = property(get_service_provider_signing_cert_store, set_service_provider_signing_cert_store)

Default Value

"MY"

Remarks

The name of the certificate store for the client certificate.

The service_provider_signing_cert_store_type property denotes the type of the certificate store specified by service_provider_signing_cert_store. If the store is password-protected, specify the password in service_provider_signing_cert_store_password.

service_provider_signing_cert_store is used in conjunction with the service_provider_signing_cert_subject property to specify client certificates. If service_provider_signing_cert_store has a value, and service_provider_signing_cert_subject or service_provider_signing_cert_encoded is set, a search for a certificate is initiated. Please see the service_provider_signing_cert_subject property for details.

Designations of certificate stores are platform dependent.

The following designations are the most common User and Machine certificate stores in Windows:

When the certificate store type is cstPFXFile, this property must be set to the name of the file. When the type is cstPFXBlob, the property must be set to the binary contents of a PFX file (i.e., PKCS#12 certificate store).

service_provider_signing_cert_store_password property

If the type of certificate store requires a password, this property is used to specify the password needed to open the certificate store.

Syntax

def get_service_provider_signing_cert_store_password() -> str: ...
def set_service_provider_signing_cert_store_password(value: str) -> None: ...

service_provider_signing_cert_store_password = property(get_service_provider_signing_cert_store_password, set_service_provider_signing_cert_store_password)

Default Value

""

Remarks

If the type of certificate store requires a password, this property is used to specify the password needed to open the certificate store.

service_provider_signing_cert_store_type property

The type of certificate store for this certificate.

Syntax

def get_service_provider_signing_cert_store_type() -> int: ...
def set_service_provider_signing_cert_store_type(value: int) -> None: ...

service_provider_signing_cert_store_type = property(get_service_provider_signing_cert_store_type, set_service_provider_signing_cert_store_type)

Possible Values

0   # User
1   # Machine
2   # PFXFile
3   # PFXBlob
4   # JKSFile
5   # JKSBlob
6   # PEMKeyFile
7   # PEMKeyBlob
8   # PublicKeyFile
9   # PublicKeyBlob
10   # SSHPublicKeyBlob
11   # P7BFile
12   # P7BBlob
13   # SSHPublicKeyFile
14   # PPKFile
15   # PPKBlob
16   # XMLFile
17   # XMLBlob
18   # JWKFile
19   # JWKBlob
20   # SecurityKey
21   # BCFKSFile
22   # BCFKSBlob
23   # PKCS11
99   # Auto