OneLogin saml2 Module

auth Class

class onelogin.saml2.auth.OneLogin_Saml2_Auth(request_data, old_settings=None)[source]

Bases: object

build_request_signature(saml_request, relay_state)[source]

Builds the Signature of the SAML Request.

Parameters:
  • saml_request (string) – The SAML Request
  • relay_state (string) – The target URL the user should be redirected to
build_response_signature(saml_response, relay_state)[source]

Builds the Signature of the SAML Response.

Parameters:
  • saml_response (string) – The SAML Response
  • relay_state (string) – The target URL the user should be redirected to
get_attribute(name)[source]

Returns the requested SAML attribute.

Parameters:name (string) – Name of the attribute
Returns:Attribute value if exists or None
Return type:string
get_attributes()[source]

Returns the set of SAML attributes.

Returns:SAML attributes
Return type:dict
get_errors()[source]

Returns a list of error codes if something went wrong.

Returns:List of errors
Return type:list
get_nameid()[source]

Returns the nameID.

Returns:NameID
Return type:string
get_settings()[source]

Returns the settings info.

Returns:Settings info
Return type:OneLogin_Saml2_Settings object

get_slo_url()[source]

Gets the SLO url.

Returns:A URL, the SLO endpoint of the IdP
Return type:string
get_sso_url()[source]

Gets the SSO url.

Returns:A URL, the SSO endpoint of the IdP
Return type:string
is_authenticated()[source]

Checks if the user is authenticated or not.

Returns:True if is authenticated, False if not
Return type:bool
login(return_to=None)[source]

Initiates the SSO process.

Parameters:return_to (string) – Optional argument. The target URL the user should be redirected to after login.
Returns:Redirection url
logout(return_to=None)[source]

Initiates the SLO process.

Parameters:return_to (string) – Optional argument. The target URL the user should be redirected to after logout.
Returns:Redirection url
process_response(request_id=None)[source]

Process the SAML Response sent by the IdP.

Parameters:request_id (string) – Optional argument. The ID of the AuthNRequest sent by this SP to the IdP.
Raises:OneLogin_Saml2_Error.SAML_RESPONSE_NOT_FOUND, when a POST with a SAMLResponse is not found
process_slo(keep_local_session=False, request_id=None, delete_session_cb=None)[source]

Process the SAML Logout Response / Logout Request sent by the IdP.

Parameters:
  • keep_local_session (bool) – When False the local session is destroyed; when True it is kept
  • request_id (string) – The ID of the LogoutRequest sent by this SP to the IdP
  • delete_session_cb (callable) – Optional callback used to delete the local session
Returns:Redirection url

redirect_to(url=None, parameters={})[source]

Redirects the user to the url passed as a parameter or to the url that we defined in our SSO Request.

Parameters:
  • url (string) – The target URL to redirect the user to
  • parameters (dict) – Extra parameters to be passed as part of the url
Returns:Redirection url

set_strict(value)[source]

Activates or deactivates the strict mode.

Parameters:value (bool) – Strict parameter

authn_request Class

class onelogin.saml2.authn_request.OneLogin_Saml2_Authn_Request(settings)[source]
get_request()[source]

Returns the unsigned AuthnRequest.

Returns:Unsigned AuthnRequest
Return type:str object

constants Class

class onelogin.saml2.constants.OneLogin_Saml2_Constants[source]
AC_KERBEROS = 'urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos'
AC_PASSWORD = 'urn:oasis:names:tc:SAML:2.0:ac:classes:Password'
AC_SMARTCARD = 'urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard'
AC_UNSPECIFIED = 'urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified'
AC_X509 = 'urn:oasis:names:tc:SAML:2.0:ac:classes:X509'
ALOWED_CLOCK_DRIFT = 180
ATTRNAME_FORMAT_BASIC = 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic'
ATTRNAME_FORMAT_UNSPECIFIED = 'urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified'
ATTRNAME_FORMAT_URI = 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri'
BINDING_DEFLATE = 'urn:oasis:names:tc:SAML:2.0:bindings:URL-Encoding:DEFLATE'
BINDING_HTTP_ARTIFACT = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact'
BINDING_HTTP_POST = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'
BINDING_HTTP_REDIRECT = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
BINDING_SOAP = 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP'
CM_BEARER = 'urn:oasis:names:tc:SAML:2.0:cm:bearer'
CM_HOLDER_KEY = 'urn:oasis:names:tc:SAML:2.0:cm:holder-of-key'
CM_SENDER_VOUCHES = 'urn:oasis:names:tc:SAML:2.0:cm:sender-vouches'
NAMEID_EMAIL_ADDRESS = 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'
NAMEID_ENCRYPTED = 'urn:oasis:names:tc:SAML:2.0:nameid-format:encrypted'
NAMEID_ENTITY = 'urn:oasis:names:tc:SAML:2.0:nameid-format:entity'
NAMEID_KERBEROS = 'urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos'
NAMEID_PERSISTENT = 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'
NAMEID_TRANSIENT = 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'
NAMEID_WINDOWS_DOMAIN_QUALIFIED_NAME = 'urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName'
NAMEID_X509_SUBJECT_NAME = 'urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName'
NSMAP = {'xenc': 'http://www.w3.org/2001/04/xmlenc#', 'samlp': 'urn:oasis:names:tc:SAML:2.0:protocol', 'ds': 'http://www.w3.org/2000/09/xmldsig#', 'saml': 'urn:oasis:names:tc:SAML:2.0:assertion'}
NS_DS = 'http://www.w3.org/2000/09/xmldsig#'
NS_MD = 'urn:oasis:names:tc:SAML:2.0:metadata'
NS_SAML = 'urn:oasis:names:tc:SAML:2.0:assertion'
NS_SAMLP = 'urn:oasis:names:tc:SAML:2.0:protocol'
NS_SOAP = 'http://schemas.xmlsoap.org/soap/envelope/'
NS_XENC = 'http://www.w3.org/2001/04/xmlenc#'
NS_XS = 'http://www.w3.org/2001/XMLSchema'
NS_XSI = 'http://www.w3.org/2001/XMLSchema-instance'
RSA_SHA1 = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
STATUS_NO_PASSIVE = 'urn:oasis:names:tc:SAML:2.0:status:NoPassive'
STATUS_PARTIAL_LOGOUT = 'urn:oasis:names:tc:SAML:2.0:status:PartialLogout'
STATUS_PROXY_COUNT_EXCEEDED = 'urn:oasis:names:tc:SAML:2.0:status:ProxyCountExceeded'
STATUS_REQUESTER = 'urn:oasis:names:tc:SAML:2.0:status:Requester'
STATUS_RESPONDER = 'urn:oasis:names:tc:SAML:2.0:status:Responder'
STATUS_SUCCESS = 'urn:oasis:names:tc:SAML:2.0:status:Success'
STATUS_VERSION_MISMATCH = 'urn:oasis:names:tc:SAML:2.0:status:VersionMismatch'

errors Class

exception onelogin.saml2.errors.OneLogin_Saml2_Error(message, code=0, errors=None)[source]

Bases: exceptions.Exception

METADATA_SP_INVALID = 3
PRIVATE_KEY_FILE_NOT_FOUND = 7
PUBLIC_CERT_FILE_NOT_FOUND = 6
REDIRECT_INVALID_URL = 5
SAML_LOGOUTMESSAGE_NOT_FOUND = 9
SAML_LOGOUTREQUEST_INVALID = 10
SAML_LOGOUTRESPONSE_INVALID = 11
SAML_RESPONSE_NOT_FOUND = 8
SAML_SINGLE_LOGOUT_NOT_SUPPORTED = 12
SETTINGS_FILE_NOT_FOUND = 0
SETTINGS_INVALID = 2
SETTINGS_INVALID_SYNTAX = 1
SP_CERTS_NOT_FOUND = 4

logout_request Class

class onelogin.saml2.logout_request.OneLogin_Saml2_Logout_Request(settings)[source]
static get_id(request)[source]

Returns the ID of the Logout Request.

Parameters:request (string|DOMDocument) – Logout Request Message
Returns:The ID
Return type:str object

static get_issuer(request)[source]

Gets the Issuer of the Logout Request Message.

Parameters:request (string|DOMDocument) – Logout Request Message
Returns:The Issuer
Return type:string

static get_name_id(request, key=None)[source]

Gets the NameID of the Logout Request Message.

Parameters:
  • request (string|DOMDocument) – Logout Request Message
  • key (string) – The SP key
Returns:Name ID Value
Return type:string

static get_name_id_data(request, key=None)[source]

Gets the NameID Data of the Logout Request.

Parameters:
  • request (string|DOMDocument) – Logout Request Message
  • key (string) – The SP key
Returns:Name ID Data (Value, Format, NameQualifier, SPNameQualifier)
Return type:dict

get_request()[source]

Returns the Logout Request deflated and base64 encoded.

Returns:Deflated base64 encoded Logout Request
Return type:str object

static get_session_indexes(request)[source]

Gets the SessionIndexes from the Logout Request.

Parameters:request (string|DOMDocument) – Logout Request Message
Returns:The SessionIndex values
Return type:list

static is_valid(settings, request, get_data, debug=False)[source]

Checks if the Logout Request received is valid.

Parameters:
  • settings (OneLogin_Saml2_Settings) – Settings
  • request (string|DOMDocument) – Logout Request Message
Returns:Whether the Logout Request is valid
Return type:boolean

logout_response Class

class onelogin.saml2.logout_response.OneLogin_Saml2_Logout_Response(settings, response=None)[source]
build(in_response_to)[source]

Creates a Logout Response object.

Parameters:in_response_to (string) – InResponseTo value for the Logout Response

get_issuer()[source]

Gets the Issuer of the Logout Response Message.

Returns:The Issuer
Return type:string

get_response()[source]

Returns the Logout Response deflated and base64 encoded.

Returns:Logout Response deflated and base64 encoded
Return type:string

get_status()[source]

Gets the Status.

Returns:The Status
Return type:string

is_valid(request_data, request_id=None)[source]

Determines if the SAML LogoutResponse is valid.

Parameters:request_id (string) – The ID of the LogoutRequest sent by this SP to the IdP
Returns:Whether the SAML LogoutResponse is valid
Return type:boolean

metadata Class

class onelogin.saml2.metadata.OneLogin_Saml2_Metadata[source]
TIME_CACHED = 604800
TIME_VALID = 172800
static add_x509_key_descriptors(metadata, cert)[source]

Adds the x509 descriptors (sign/encryption) to the metadata. The same cert is used for signing and encryption.

Parameters:
  • metadata (string) – SAML Metadata XML
  • cert (string) – x509 cert
Returns:Metadata with KeyDescriptors
Return type:string

static builder(sp, authnsign=False, wsign=False, valid_until=None, cache_duration=None, contacts=None, organization=None)[source]

Build the metadata of the SP

Parameters:
  • sp (string) – The SP data
  • authnsign (string) – authnRequestsSigned attribute
  • wsign (string) – wantAssertionsSigned attribute
  • valid_until (DateTime) – Metadata’s valid time
  • cache_duration (Timestamp) – Duration of the cache in seconds
  • contacts (dict) – Contacts info
  • organization (dict) – Organization info
static sign_metadata(metadata, key, cert)[source]

Sign the metadata with the key/cert provided

Parameters:
  • metadata (string) – SAML Metadata XML
  • key (string) – x509 key
  • cert (string) – x509 cert
Returns:Signed Metadata
Return type:string

response Class

class onelogin.saml2.response.OneLogin_Saml2_Response(settings, response)[source]

Bases: object

check_status()[source]

Checks if the status of the response is success or not.

Raises:Exception, if the status is not success
get_attributes()[source]

Gets the Attributes from the AttributeStatement element. EncryptedAttributes are not supported.

get_audiences()[source]

Gets the audiences

Returns:The valid audiences for the SAML Response
Return type:list
get_issuers()[source]

Gets the issuers (from message and from assertion)

Returns:The issuers
Return type:list
get_nameid()[source]

Gets the NameID provided by the SAML Response from the IdP

Returns:NameID (value)
Return type:string
get_nameid_data()[source]

Gets the NameID Data provided by the SAML Response from the IdP

Returns:Name ID Data (Value, Format, NameQualifier, SPNameQualifier)
Return type:dict
get_session_index()[source]

Gets the SessionIndex from the AuthnStatement. It can be stored in the local session so that a future Logout Request sent by the SP to the IdP can specify which session must be deleted.

Returns:The SessionIndex value
Return type:string|None
get_session_not_on_or_after()[source]

Gets the SessionNotOnOrAfter from the AuthnStatement. It can be used to set the local session expiration.

Returns:The SessionNotOnOrAfter value
Return type:time|None
is_valid(request_data, request_id=None)[source]

Determines if the SAML Response is valid.

Parameters:request_id (string) – Optional argument. The ID of the AuthNRequest sent by this SP to the IdP
Returns:True if the SAML Response is valid, False if not
Return type:bool
validate_num_assertions()[source]

Verifies that the document only contains a single Assertion (encrypted or not)

Returns:True if only 1 assertion encrypted or not
Return type:bool
validate_timestamps()[source]

Verifies that the document is valid according to Conditions Element

Returns:True if the condition is valid, False otherwise
Return type:bool
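
As an added example (not python-saml's own code), the two checks documented above, validate_num_assertions and validate_timestamps, reconstructed over a constructed sample response with stdlib XML parsing and the 180-second ALOWED_CLOCK_DRIFT from the constants class; the helper names, the `now` parameter and the sample XML are assumptions of this example.

```python
import calendar
import re
import time
import xml.etree.ElementTree as ET

NS_SAML = 'urn:oasis:names:tc:SAML:2.0:assertion'
NS_SAMLP = 'urn:oasis:names:tc:SAML:2.0:protocol'
ALLOWED_CLOCK_DRIFT = 180  # seconds; ALOWED_CLOCK_DRIFT in OneLogin_Saml2_Constants


def make_response(body):
    """Wrap an assertion body in a minimal samlp:Response (constructed sample data)."""
    return ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1" Version="2.0">%s'
            '</samlp:Response>' % (NS_SAMLP, NS_SAML, body))


# Constructed sample assertion (not real IdP output); signature omitted on purpose.
ASSERTION = ('<saml:Assertion ID="_a1" Version="2.0"><saml:Conditions '
             'NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z"/>'
             '</saml:Assertion>')
SINGLE_ASSERTION_RESPONSE = make_response(ASSERTION)
DOUBLE_ASSERTION_RESPONSE = make_response(ASSERTION + ASSERTION)


def parse_saml_to_time(timestr):
    """yyyy-mm-ddThh:mm:ss(.s+)?Z -> UNIX timestamp; the sub-second part is ignored."""
    m = re.fullmatch(r'(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(\.\d+)?Z', timestr)
    if not m:
        raise ValueError('not a SAML UTC timestamp: %r' % timestr)
    y, mo, d, h, mi, s = (int(p) for p in m.groups()[:6])
    return calendar.timegm((y, mo, d, h, mi, s, 0, 0, 0))


def validate_num_assertions(xml):
    """True only when exactly one Assertion or EncryptedAssertion exists anywhere in the
    document; counting every descendant, not just children of Response, is what catches
    a second assertion tucked inside another element."""
    wanted = {'{%s}Assertion' % NS_SAML, '{%s}EncryptedAssertion' % NS_SAML}
    root = ET.fromstring(xml)  # real deployments: validate_xml against the schema first
    return sum(1 for el in root.iter() if el.tag in wanted) == 1


def validate_timestamps(xml, now=None):
    """Checks NotBefore / NotOnOrAfter of every saml:Conditions element against now,
    tolerating the allowed clock drift in both directions."""
    now = time.time() if now is None else now
    root = ET.fromstring(xml)
    for cond in root.iter('{%s}Conditions' % NS_SAML):
        not_before = cond.get('NotBefore')
        not_on_or_after = cond.get('NotOnOrAfter')
        if not_before and parse_saml_to_time(not_before) > now + ALLOWED_CLOCK_DRIFT:
            return False  # not valid yet, even allowing for drift
        if not_on_or_after and parse_saml_to_time(not_on_or_after) + ALLOWED_CLOCK_DRIFT <= now:
            return False  # expired by more than the allowed drift
    return True


if __name__ == '__main__':
    now = parse_saml_to_time('2024-01-01T00:02:00Z')
    print(validate_num_assertions(SINGLE_ASSERTION_RESPONSE),   # True
          validate_num_assertions(DOUBLE_ASSERTION_RESPONSE),   # False
          validate_timestamps(SINGLE_ASSERTION_RESPONSE, now))  # True
```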

settings Class

class onelogin.saml2.settings.OneLogin_Saml2_Settings(settings=None, custom_base_path=None)[source]
check_settings(settings)[source]

Checks the settings info.

Parameters:settings (dict) – Dict with settings data
Returns:Errors found on the settings data
Return type:list
check_sp_certs()[source]

Checks if the x509 certs of the SP exist and are valid.

Returns:Whether the x509 certs of the SP exist and are valid
Return type:boolean
format_idp_cert()[source]

Formats the IdP cert.

get_base_path()[source]

Returns base path

Returns:The base toolkit folder path
Return type:string
get_cert_path()[source]

Returns cert path

Returns:The cert folder path
Return type:string
get_contacts()[source]

Gets contact data.

Returns:Contacts info
Return type:dict
get_errors()[source]

Returns a list with the errors; the list is empty when the settings are ok.

Returns:Errors
Return type:list
get_ext_lib_path()[source]

Returns external lib path

Returns:The external library folder path
Return type:string
get_idp_data()[source]

Gets the IdP data.

Returns:IdP info
Return type:dict
get_lib_path()[source]

Returns lib path

Returns:The library folder path
Return type:string
get_organization()[source]

Gets organization data.

Returns:Organization info
Return type:dict
get_schemas_path()[source]

Returns schema path

Returns:The schema folder path
Return type:string
get_security_data()[source]

Gets security data.

Returns:Security info
Return type:dict
get_sp_cert()[source]

Returns the x509 public cert of the SP.

Returns:SP public cert
Return type:string
get_sp_data()[source]

Gets the SP data.

Returns:SP info
Return type:dict
get_sp_key()[source]

Returns the x509 private key of the SP.

Returns:SP private key
Return type:string
get_sp_metadata()[source]

Gets the SP metadata. The XML representation.

Returns:SP metadata (xml)
Return type:string
is_debug_active()[source]

Returns if the debug is active.

Returns:Debug parameter
Return type:boolean
is_strict()[source]

Returns if the ‘strict’ mode is active.

Returns:Strict parameter
Return type:boolean
set_strict(value)[source]

Activates or deactivates the strict mode.

Parameters:value (boolean) – Strict parameter
validate_metadata(xml)[source]

Validates an XML SP Metadata.

Parameters:xml (string) – Metadata’s XML that will be validated
Returns:The list of found errors
Return type:list
onelogin.saml2.settings.validate_url(url)[source]

utils Class

class onelogin.saml2.utils.OneLogin_Saml2_Utils[source]
static add_sign(xml, key, cert)[source]

Adds signature key and senders certificate to an element (Message or Assertion).

Parameters:
  • xml (string | Document) – The element we should sign
  • key (string) – The private key
  • cert (string) – The public cert

static calculate_x509_fingerprint(x509_cert)[source]

Calculates the fingerprint of an x509 cert.

Parameters:x509_cert (string) – x509 cert
Returns:Formatted fingerprint
Return type:string
static decode_base64_and_inflate(value)[source]

Base64 decodes and then inflates according to RFC 1951.

Parameters:value (string) – A deflated and encoded string
Returns:The string after decoding and inflating

static decrypt_element(encrypted_data, enc_ctx)[source]

Decrypts an encrypted element.

Parameters:
  • encrypted_data (DOMElement) – The encrypted data
  • enc_ctx (Encryption Context) – The encryption context
Returns:The decrypted element
Return type:DOMElement

static deflate_and_base64_encode(value)[source]

Deflates and then base64 encodes a string.

Parameters:value (string) – The string to deflate and encode
Returns:The deflated and encoded string
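
An added example, not the library's own implementation, of the deflate/base64 pair described above (raw RFC 1951 DEFLATE, as used by the HTTP-Redirect binding); the cap on the inflated output and the sample AuthnRequest are assumptions of this example rather than library features.

```python
import base64
import zlib

MAX_INFLATED_BYTES = 1024 * 1024  # assumed cap on the inflated message; not a library value

# Constructed sample AuthnRequest (not produced by python-saml).
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_example-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"/>'
)


def deflate_and_base64_encode(value):
    """Raw DEFLATE (RFC 1951: no zlib header, no checksum) followed by base64, the form the
    HTTP-Redirect binding uses for the SAMLRequest / SAMLResponse query parameters."""
    if isinstance(value, str):
        value = value.encode('utf-8')
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # negative wbits => raw deflate stream
    return base64.b64encode(compressor.compress(value) + compressor.flush()).decode('ascii')


def decode_base64_and_inflate(value, max_bytes=MAX_INFLATED_BYTES):
    """Inverse of the above. A few hundred deflated bytes can inflate to megabytes, so the
    output is capped and input that has not reached end-of-stream within the cap is rejected."""
    raw = base64.b64decode(value)
    decompressor = zlib.decompressobj(-15)
    out = decompressor.decompress(raw, max_bytes)
    if not decompressor.eof:
        raise ValueError('deflated message is truncated or larger than %d bytes' % max_bytes)
    return out.decode('utf-8')


def inflates_within(value, max_bytes):
    """True when the encoded value decodes completely within max_bytes, False otherwise."""
    try:
        decode_base64_and_inflate(value, max_bytes)
        return True
    except ValueError:
        return False


def roundtrip(message):
    """Encode as the redirect binding would and decode again; returns (encoded, decoded)."""
    encoded = deflate_and_base64_encode(message)
    return encoded, decode_base64_and_inflate(encoded)


if __name__ == '__main__':
    encoded, decoded = roundtrip(SAMPLE_AUTHN_REQUEST)
    print(len(SAMPLE_AUTHN_REQUEST), 'chars ->', len(encoded), 'chars; intact:',
          decoded == SAMPLE_AUTHN_REQUEST)
```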

static delete_local_session(callback=None)[source]

Deletes the local session.

static format_cert(cert, heads=True)[source]

Returns an x509 cert (adding header & footer if required).

Parameters:
  • cert (string) – An x509 unformatted cert
  • heads (boolean) – True if we want to include header and footer
Returns:Formatted cert
Return type:string

static format_finger_print(fingerprint)[source]

Formats a fingerprint.

Parameters:fingerprint (string) – The fingerprint
Returns:Formatted fingerprint
Return type:string
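
An added example (not python-saml's code) that puts format_cert, calculate_x509_fingerprint and format_finger_print together for the IdP certificate-fingerprint check; the constant-time comparison helper, the `alg` parameter and the sample certificate body are assumptions of this example.

```python
import base64
import hashlib
import hmac
import re
import textwrap

PEM_HEAD = '-----BEGIN CERTIFICATE-----'
PEM_FOOT = '-----END CERTIFICATE-----'


def format_cert(cert, heads=True):
    """Normalise an x509 cert: drop any PEM armour and whitespace, then return either the
    PEM form wrapped at 64 columns (heads=True) or the bare base64 body (heads=False)."""
    body = re.sub(r'\s+', '', cert.replace(PEM_HEAD, '').replace(PEM_FOOT, ''))
    if not heads:
        return body
    return PEM_HEAD + '\n' + '\n'.join(textwrap.wrap(body, 64)) + '\n' + PEM_FOOT + '\n'


def format_finger_print(fingerprint):
    """Canonical form for comparison: lowercase hex with the colons removed."""
    return fingerprint.replace(':', '').lower()


def calculate_x509_fingerprint(x509_cert, alg='sha1'):
    """Digest of the DER bytes (the decoded base64 body) as lowercase hex. sha1 is this
    library version's default; alg='sha256' is accepted as the stronger choice."""
    der = base64.b64decode(format_cert(x509_cert, heads=False))
    return hashlib.new(alg, der).hexdigest()


def fingerprint_matches(x509_cert, expected_fingerprint, alg='sha1'):
    """Compare the cert found in a message with the configured IdP fingerprint in
    constant time, after both sides have been normalised to the same form."""
    got = calculate_x509_fingerprint(x509_cert, alg)
    return hmac.compare_digest(got, format_finger_print(expected_fingerprint))


# Constructed stand-in for a DER body (arbitrary bytes, not a real certificate).
SAMPLE_CERT_BODY = base64.b64encode(bytes(range(7, 200, 3)) * 3).decode('ascii')
SAMPLE_CERT_PEM = format_cert(SAMPLE_CERT_BODY)

if __name__ == '__main__':
    fp = calculate_x509_fingerprint(SAMPLE_CERT_PEM)
    print(SAMPLE_CERT_PEM)
    print('sha1 fingerprint:', fp, 'matches:', fingerprint_matches(SAMPLE_CERT_BODY, fp.upper()))
```
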
static generate_name_id(value, sp_nq, sp_format, key=None)[source]

Generates a nameID.

Parameters:
  • value (string) – The NameID value
  • sp_nq (string) – SP Name Qualifier
  • sp_format (string) – SP Format
  • key (string) – SP Key to encrypt the nameID
Returns:DOMElement | XMLSec nameID
Return type:string

static generate_unique_id()[source]

Generates a unique string (used for example as the ID for assertions).

Returns:A unique string
Return type:string
static get_expire_time(cache_duration=None, valid_until=None)[source]

Compares 2 dates and returns the earliest.

Parameters:
  • cache_duration (string) – The duration, as a string
  • valid_until (string) – The valid until date, as a string or as a timestamp
Returns:The expiration time
Return type:int

static get_self_host(request_data)[source]

Returns the current host.

Parameters:request_data (dict) – The request as a dict
Returns:The current host
Return type:string
static get_self_url(request_data)[source]

Returns the URL of the current host + current view + query.

Parameters:request_data (dict) – The request as a dict
Returns:The url of current host + current view + query
Return type:string
static get_self_url_host(request_data)[source]

Returns the protocol + the current host + the port (if different from the common ports).

Parameters:request_data (dict) – The request as a dict
Returns:Url
Return type:string
static get_self_url_no_query(request_data)[source]

Returns the URL of the current host + current view.

Parameters:request_data (dict) – The request as a dict
Returns:The url of current host + current view
Return type:string
static get_status(dom)[source]

Gets the Status from a Response.

Parameters:dom (Document) – The Response as XML
Returns:The Status, a dict with the code and a message
Return type:dict
static is_https(request_data)[source]

Checks whether the request was made over https.

Parameters:request_data (dict) – The request as a dict
Returns:True if https is active, False if not
Return type:boolean
static parse_SAML_to_time(timestr)[source]

Converts a SAML2 timestamp of the form yyyy-mm-ddThh:mm:ss(.s+)?Z to a UNIX timestamp. The sub-second part is ignored.

Parameters:timestr (string) – The time we should convert (SAML Timestamp)
Returns:The time converted to a UNIX timestamp
Return type:int
static parse_duration(duration, timestamp=None)[source]

Interprets an ISO8601 duration value relative to a given timestamp.

Parameters:
  • duration (string) – The duration, as a string
  • timestamp (string) – The unix timestamp we should apply the duration to. Optional, defaults to the current time
Returns:The new timestamp, after the duration is applied
Return type:int
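
An added example, not the project's own code, of parse_duration and get_expire_time as documented above (see also the metadata class, whose cacheDuration / validUntil values feed them); the extra `now` argument, the calendar handling of years and months, and the sample values are assumptions of this example.

```python
import calendar
import re
import time
from datetime import datetime, timezone

DURATION_RE = re.compile(
    r'^P(?:(?P<years>\d+)Y)?(?:(?P<months>\d+)M)?(?:(?P<weeks>\d+)W)?(?:(?P<days>\d+)D)?'
    r'(?:T(?:(?P<hours>\d+)H)?(?:(?P<minutes>\d+)M)?(?:(?P<seconds>\d+)S)?)?$')


def parse_duration(duration, timestamp=None):
    """Apply an ISO 8601 duration (PT604800S, P1M, P2W1DT1H, ...) to a UNIX timestamp.
    Years and months move the calendar date, clamping the day to the target month;
    the remaining fields are fixed numbers of seconds. Fractional seconds are not handled."""
    m = DURATION_RE.match(duration)
    if not m or duration in ('P', 'PT'):
        raise ValueError('invalid ISO 8601 duration: %r' % duration)
    f = {name: int(value or 0) for name, value in m.groupdict().items()}
    base = datetime.fromtimestamp(time.time() if timestamp is None else timestamp, timezone.utc)
    total_months = base.year * 12 + (base.month - 1) + f['years'] * 12 + f['months']
    year, month = divmod(total_months, 12)
    month += 1
    moved = base.replace(year=year, month=month,
                         day=min(base.day, calendar.monthrange(year, month)[1]))
    seconds = ((f['weeks'] * 7 + f['days']) * 86400 + f['hours'] * 3600
               + f['minutes'] * 60 + f['seconds'])
    return calendar.timegm(moved.utctimetuple()) + seconds


def get_expire_time(cache_duration=None, valid_until=None, now=None):
    """Earliest of (now + cacheDuration) and validUntil, or None when neither is given:
    how long a piece of metadata may be trusted. valid_until may be a SAML timestamp
    string or a UNIX timestamp; now defaults to the current time."""
    now = time.time() if now is None else now
    expire_time = None
    if cache_duration:
        expire_time = parse_duration(cache_duration, now)
    if valid_until:
        if isinstance(valid_until, str):
            valid_until = calendar.timegm(time.strptime(valid_until, '%Y-%m-%dT%H:%M:%SZ'))
        if expire_time is None or expire_time > valid_until:
            expire_time = valid_until
    return expire_time


if __name__ == '__main__':
    jan_1_2024 = 1704067200
    # TIME_CACHED (604800 s) against a validUntil two days out: validUntil wins.
    print(get_expire_time('PT604800S', '2024-01-03T00:00:00Z', now=jan_1_2024))  # 1704240000
```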

static parse_time_to_SAML(time)[source]

Converts a UNIX timestamp to a SAML2 timestamp of the form yyyy-mm-ddThh:mm:ss(.s+)?Z.

Parameters:time (string) – The time we should convert (DateTime)
Returns:SAML2 timestamp
Return type:string
static query(dom, query, context=None)[source]

Extracts nodes that match the query from the Element.

Parameters:
  • dom (Element) – The root of the lxml object
  • query (string) – XPath expression
  • context (DOMElement) – Context node
Returns:The queried nodes
Return type:list

static redirect(url, parameters={}, request_data={})[source]

Executes a redirection to the provided url (or returns the target url).

Parameters:
  • url (string) – The target url
  • parameters (dict) – Extra parameters to be passed as part of the url
  • request_data (dict) – The request as a dict
Returns:Url
Return type:string
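
An added example (not python-saml's implementation) of redirect together with is_https and get_self_url_host, where validate_url stands in for the undocumented onelogin.saml2.settings.validate_url and RedirectError for OneLogin_Saml2_Error with code REDIRECT_INVALID_URL; the request_data keys (`https`, `http_host`, `server_port`), the http/https scheme restriction and the sample values are assumptions of this example.

```python
from urllib.parse import urlencode, urlsplit


class RedirectError(ValueError):
    """Stands in for OneLogin_Saml2_Error with code REDIRECT_INVALID_URL."""


def validate_url(url):
    """Accept only absolute http(s) URLs with a host: 'javascript:', 'data:', scheme-relative
    '//host' and bare paths are rejected, which keeps a user-supplied RelayState or return_to
    from turning the SP into an open redirector."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    return parts.scheme in ('http', 'https') and bool(parts.hostname)


def is_https(request_data):
    """True when the request arrived over TLS (https flag set, or server port 443)."""
    return request_data.get('https', 'off') != 'off' or str(request_data.get('server_port')) == '443'


def get_self_url_host(request_data):
    """scheme://host[:port], omitting the port when it is the scheme's default.
    Assumes request_data['http_host'] is the bare host name without a port."""
    scheme = 'https' if is_https(request_data) else 'http'
    port = str(request_data.get('server_port', ''))
    default_port = '443' if scheme == 'https' else '80'
    host = request_data['http_host']
    if port and port != default_port:
        host += ':' + port
    return scheme + '://' + host


def redirect(url, parameters=None, request_data=None):
    """Return the redirect target: a path-only url is resolved against the current host,
    the result is validated, then extra parameters are URL-encoded onto the query string."""
    parameters = parameters or {}
    request_data = request_data or {}
    if url.startswith('/') and not url.startswith('//'):
        url = get_self_url_host(request_data) + url
    if not validate_url(url):
        raise RedirectError('Redirect to invalid URL: ' + url)
    if parameters:
        url += ('&' if '?' in url else '?') + urlencode(parameters)
    return url


def safe_redirect_target(url, parameters=None, request_data=None):
    """The target url, or None when redirect() rejects it."""
    try:
        return redirect(url, parameters, request_data)
    except RedirectError:
        return None


if __name__ == '__main__':
    sp = {'https': 'on', 'http_host': 'sp.example.com', 'server_port': '443'}  # constructed
    print(redirect('https://idp.example.com/sso', {'RelayState': get_self_url_host(sp) + '/'}))
    print(safe_redirect_target('javascript:alert(1)', {}, sp))  # None
```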

static validate_sign(xml, cert=None, fingerprint=None)[source]

Validates a signature (Message or Assertion).

Parameters:
  • xml (string | Document) – The element we should validate
  • cert (string) – The public cert
  • fingerprint (string) – The fingerprint of the public cert

static validate_xml(xml, schema, debug=False)[source]
static write_temp_file(content)[source]

Writes some content into a temporary file and returns it.

Parameters:content – The file content
Type :string
Returns:The temporary file
Return type:file-like object