SAMLIdPServer Class
Properties Methods Events Configuration Settings Errors
The SAMLIdPServer class represents a SAML identity provider.
Syntax
class secureblackbox.SAMLIdPServer
Remarks
The identity provider in the SAML (Security Assertion Markup Language) exchange flow represents the server that issues authentication assertions for single sign-on (SSO).
Requests received by the IdP server from known service providers (SP) are processed automatically, in accordance with known SP metadata and IdP options. If the request is correct, the client is redirected to the IdP for authentication. The authentication algorithm depends on the IdP options and may be reduced to a simple IP check, X.509 certificate authentication, or login credentials check.
Property List
The following is the full list of the properties of the class with short descriptions. Click on the links for further details.
| active | Tells whether the server is active and ready to process requests. |
| allow_idpsso | Specifies if IdP-initiated Single Sign-On (SSO) is allowed. |
| artifact_resolution_service | The location of the artifact resolution service. |
| attribute_query_service | The location of the AttributeQuery service. |
| auth_form_template | Defines the default authentication template (login page). |
| encrypt_assertions | Specifies whether to encrypt assertions included into the IdP response. |
| encryption_cert_bytes | Returns raw certificate data in DER format. |
| encryption_cert_handle | Allows to get or set a 'handle', a unique identifier of the underlying property object. |
| error_origin | Indicates the endpoint where the error originates from. |
| error_severity | The severity of the error that happened. |
| external_crypto_custom_params | Custom parameters to be passed to the signing service (uninterpreted). |
| external_crypto_data | Additional data to be included in the async state and mirrored back by the requestor. |
| external_crypto_external_hash_calculation | Specifies whether the message hash is to be calculated at the external endpoint. |
| external_crypto_hash_algorithm | Specifies the request's signature hash algorithm. |
| external_crypto_key_id | The ID of the pre-shared key used for DC request authentication. |
| external_crypto_key_secret | The pre-shared key used for DC request authentication. |
| external_crypto_method | Specifies the asynchronous signing method. |
| external_crypto_mode | Specifies the external cryptography mode. |
| external_crypto_public_key_algorithm | Provide public key algorithm here if the certificate is not available on the pre-signing stage. |
| host | Specifies the host address of the IdP server. |
| idpsso_page | Specifies the relative URL of the IdP-initiated SSO page. |
| idpsso_page_content | The content of the IdP-initiated SSO page. |
| login_attempts_limit | The maximum number of login attempts. |
| metadata_url | The IdP's metadata location. |
| meta_signing_cert_bytes | Returns raw certificate data in DER format. |
| meta_signing_cert_handle | Allows to get or set a 'handle', a unique identifier of the underlying property object. |
| port | The listening port number. |
| preferred_single_logout_response_binding | Specifies the preferred single logout response binding. |
| preferred_single_sign_on_response_binding | Specifies preferred SSO response binding. |
| server_cert_count | The number of records in the ServerCert arrays. |
| server_cert_bytes | Returns raw certificate data in DER format. |
| server_cert_handle | Allows to get or set a 'handle', a unique identifier of the underlying property object. |
| sign_assertions | Specifies whether the assertions included in IdP responses should be signed. |
| signing_cert_bytes | Returns raw certificate data in DER format. |
| signing_cert_handle | Allows to get or set a 'handle', a unique identifier of the underlying property object. |
| signing_chain_count | The number of records in the SigningChain arrays. |
| signing_chain_bytes | Returns raw certificate data in DER format. |
| signing_chain_handle | Allows to get or set a 'handle', a unique identifier of the underlying property object. |
| sign_metadata | Specifies whether the IdP's metadata should be signed. |
| sign_response | Specifies whether the IdP responses should be signed. |
| single_logout_service | The URL of the single logout service. |
| single_logout_service_bindings | Defines single logout service bindings. |
| single_sign_on_service | The URL of the single logout service. |
| single_sign_on_service_bindings | Defines single sign-on service bindings. |
| socket_incoming_speed_limit | The maximum number of bytes to read from the socket, per second. |
| socket_local_address | The local network interface to bind the socket to. |
| socket_local_port | The local port number to bind the socket to. |
| socket_outgoing_speed_limit | The maximum number of bytes to write to the socket, per second. |
| socket_timeout | The maximum period of waiting, in milliseconds, after which the socket operation is considered unsuccessful. |
| socket_use_i_pv6 | Enables or disables IP protocol version 6. |
| tls_auto_validate_certificates | Specifies whether server-side TLS certificates should be validated automatically using internal validation rules. |
| tls_base_configuration | Selects the base configuration for the TLS settings. |
| tls_ciphersuites | A list of ciphersuites separated with commas or semicolons. |
| tlsec_curves | Defines the elliptic curves to enable. |
| tls_force_resume_if_destination_changes | Whether to force TLS session resumption when the destination address changes. |
| tls_pre_shared_identity | Defines the identity used when the PSK (Pre-Shared Key) key-exchange mechanism is negotiated. |
| tls_pre_shared_key | Contains the pre-shared for the PSK (Pre-Shared Key) key-exchange mechanism, encoded with base16. |
| tls_pre_shared_key_ciphersuite | Defines the ciphersuite used for PSK (Pre-Shared Key) negotiation. |
| tls_renegotiation_attack_prevention_mode | Selects renegotiation attack prevention mechanism. |
| tls_revocation_check | Specifies the kind(s) of revocation check to perform. |
| tlsssl_options | Various SSL (TLS) protocol options, set of cssloExpectShutdownMessage 0x001 Wait for the close-notify message when shutting down the connection cssloOpenSSLDTLSWorkaround 0x002 (DEPRECATED) Use a DTLS version workaround when talking to very old OpenSSL versions cssloDisableKexLengthAlignment 0x004 Do not align the client-side PMS by the RSA modulus size. |
| tlstls_mode | Specifies the TLS mode to use. |
| tls_use_extended_master_secret | Enables Extended Master Secret Extension, as defined in RFC 7627. |
| tls_use_session_resumption | Enables or disables TLS session resumption capability. |
| tls_versions | Th SSL/TLS versions to enable by default. |
| url | Specifies the base URL of this IdP server. |
| use_tls | Enables or disables the secure connection requirement. |
Method List
The following is the full list of the methods of the class with short descriptions. Click on the links for further details.
| add_id_psso_link | Adds an SSO URL to the list. |
| add_user | Registers known user credentials. |
| add_user_with_email | Registers known user credentials. |
| clear_users | Clears the database of registered users. |
| config | Sets or retrieves a configuration setting. |
| load_sp_metadata | Loads the metadata required for information exchange with the service provider. |
| remove_id_psso_link | Removes the specified SSO link. |
| remove_sp | Removes an SP from the list of trusted service providers. |
| remove_user | Unregister user credentials. |
| save_metadata | Saves the IdP configuration to a metadata file. |
| start | Starts the IdP server. |
| stop | Stops the IdP server. |
Event List
The following is the full list of the events fired by the class with short descriptions. Click on the links for further details.
| on_accept | Reports an incoming connection. |
| on_connect | Reports an accepted connection. |
| on_disconnect | Fires to report a disconnected client. |
| on_error | Information about errors during data delivery. |
| on_external_sign | Handles remote or external signing initiated by the server protocol. |
| on_notification | This event notifies the application about an underlying control flow event. |
| on_session_closed | This event is fired when the IdP server has closed a session. |
| on_session_established | This event is fired when a new session has been established. |
Configuration Settings
The following is a list of configuration settings for the class with short descriptions. Click on the links for further details.
| AssertionsOneTimeUse | Adds a one-time use condition to the assertion. |
| AssertionsTTL | The assertions time-to-live value. |
| BoundPort | The port that was bound by the server. |
| DefaultNameIDPolicyFormat | Default name ID policy format. |
| DefaultPassiveAuthnContextClassRef | The default passive authentication context class. |
| DualStack | Allows the use of ip4 and ip6 simultaneously. |
| HandshakeTimeout | The HTTPS handshake timeout. |
| MaxIssueInstantTimeDiff | The maximum issue-instant time delta. |
| NotBeforeTimeout | The 'not-before' timeout to use. |
| PortRangeFrom | The lower bound of allowed port scope to listen on. |
| PortRangeTo | The higher bound of allowed port scope to listen on. |
| ServerName | Specifies the server name for the created responses. |
| SessionTimeout | The HTTP session timeout. |
| SessionTTL | The SAML session time-to-live value. |
| SubjectConfirmationMethod | Subject confirmation method. |
| TempPath | Path for storing temporary files. |
| CheckKeyIntegrityBeforeUse | Enables or disable private key integrity check before use. |
| CookieCaching | Specifies whether a cookie cache should be used for HTTP(S) transports. |
| Cookies | Gets or sets local cookies for the class (supported for HTTPClient, RESTClient and SOAPClient only). |
| DefDeriveKeyIterations | Specifies the default key derivation algorithm iteration count. |
| EnableClientSideSSLFFDHE | Enables or disables finite field DHE key exchange support in TLS clients. |
| GlobalCookies | Gets or sets global cookies for all the HTTP transports. |
| HttpUserAgent | Specifies the user agent name to be used by all HTTP clients. |
| LogDestination | Specifies the debug log destination. |
| LogDetails | Specifies the debug log details to dump. |
| LogFile | Specifies the debug log filename. |
| LogFilters | Specifies the debug log filters. |
| LogFlushMode | Specifies the log flush mode. |
| LogLevel | Specifies the debug log level. |
| LogMaxEventCount | Specifies the maximum number of events to cache before further action is taken. |
| LogRotationMode | Specifies the log rotation mode. |
| MaxASN1BufferLength | Specifies the maximal allowed length for ASN.1 primitive tag data. |
| MaxASN1TreeDepth | Specifies the maximal depth for processed ASN.1 trees. |
| OCSPHashAlgorithm | Specifies the hash algorithm to be used to identify certificates in OCSP requests. |
| UseOwnDNSResolver | Specifies whether the client classes should use own DNS resolver. |
| UseSharedSystemStorages | Specifies whether the validation engine should use a global per-process copy of the system certificate stores. |
| UseSystemOAEPAndPSS | Enforces or disables the use of system-driven RSA OAEP and PSS computations. |
| UseSystemRandom | Enables or disables the use of the OS PRNG. |