IdentityProvider

class flask_saml2.idp.IdentityProvider

    Developers should subclass IdentityProvider and provide methods to
    interoperate with their specific environment. All user interactions are
    performed through methods on this class.

    Every subclass should implement is_user_logged_in(), login_required(),
    logout(), and get_current_user() as a minimum. Other methods can be
    overridden as required.
    idp_digester_class
        alias of flask_saml2.signing.Sha1Digester

    idp_signer_class
        alias of flask_saml2.signing.RsaSha1Signer
    get_idp_config()
        Get the configuration for this IdP. Defaults to SAML2_IDP from
        flask.Flask.config. The configuration should be a dict like:

            {
                # Should the IdP automatically redirect the user back to the
                # Service Provider once authenticated.
                'autosubmit': True,
                # The X509 certificate and private key this IdP uses to
                # encrypt, validate, and sign payloads.
                'certificate': ...,
                'private_key': ...,
            }

        To load the certificate and private_key values, see

        Return type:
    get_idp_entity_id()
        The unique identifier for this Identity Provider. By default, this
        uses the metadata URL for this IdP. See get_metadata_url().

        Return type:
    get_idp_certificate()
        Get the public certificate for this IdP. If this IdP does not sign
        its requests, returns None.

        Return type: Optional[X509]

    get_idp_private_key()
        Get the private key for this IdP. If this IdP does not sign its
        requests, returns None.

        Return type: Optional[PKey]
    get_service_providers()
        Get an iterable of service provider config dicts. config should be a
        dict specifying a SPHandler subclass and optionally any constructor
        arguments:

            >>> list(idp.get_service_providers())
            [{
                'CLASS': 'my_app.service_providers.MySPSPHandler',
                'OPTIONS': {
                    'acs_url': 'https://service.example.com/auth/acs/',
                },
            }]

        Defaults to current_app.config['SAML2_SERVICE_PROVIDERS'].
    get_sso_url()
        Get the URL for the Single Sign On endpoint for this IdP.

    get_slo_url()
        Get the URL for the Single Log Out endpoint for this IdP.

    get_metadata_url()
        Get the URL for the metadata XML document for this IdP.
    login_required()
        Check if a user is currently logged in to this session, and
        flask.abort() with a redirect to the login page if not. It is
        suggested to use is_user_logged_in().
    is_user_logged_in()
        Return True if a user is currently logged in. Subclasses should
        implement this method.

        Return type:

    logout()
        Terminate the session for a logged in user. Subclasses should
        implement this method.
    get_current_user()
        Get the user that is currently logged in.

        Return type: User
    get_user_nameid(user, attribute)
        Get the requested name or identifier from the user. attribute will be
        a urn:oasis:names:tc:SAML:2.0:nameid-format-style urn.

        Subclasses can override this to allow more attributes to be
        extracted. By default, only email addresses are extracted using
        get_user_email().

    get_user_email(user)
        Get the email address for a user.
    get_sp_handlers()
        Get the SPHandler for each service provider defined.

        Return type: Iterable[SPHandler]
    render_template(template, **context)
        Render an HTML template. This method can be overridden to inject
        more context variables if required.

        Return type:

    get_metadata_context()
        Get any extra context for the metadata template. Suggested extra
        context variables include 'org' and 'contacts'.

        Return type:
    is_valid_redirect(url)
        Check if a URL is a valid and safe URL to redirect to, according to
        any of the SPHandlers. Only used from the non-standard logout page,
        for non-compliant Service Providers such as Salesforce.

        Return type:

    create_blueprint()
        Create a blueprint for this IdP. This blueprint needs to be
        registered with a Flask application to expose the IdP functionality.
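A minimal subclass implementing the four required methods plus the NameID lookup, as an added example that is not part of the flask_saml2 documentation or library. It assumes a dict-backed SESSION and in-memory USERS store standing in for flask.session and a real user database, a LoginRequired exception in place of flask.abort(redirect(...)), and a stand-in base class so it also runs where flask_saml2 is not installed.

```python
from collections import namedtuple

try:
    from flask_saml2.idp import IdentityProvider  # real base class when flask_saml2 is installed
except ImportError:
    class IdentityProvider:  # empty stand-in so the example also runs offline (assumption)
        pass

# Standard SAML NameID format URNs this IdP is willing to answer for.
NAMEID_EMAIL = 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'
NAMEID_UNSPECIFIED = 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified'
NAMEID_PERSISTENT = 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'

# Constructed sample user store (assumed schema; persistent_id is an opaque value,
# never the email or username) and a plain dict standing in for flask.session.
User = namedtuple('User', 'user_id email persistent_id')
USERS = {'alice': User('alice', 'alice@example.com', 'a1f3-opaque-id')}
SESSION = {}


class LoginRequired(Exception):
    """Stands in for flask.abort(redirect(login_url)) in this offline example."""


class MyIdentityProvider(IdentityProvider):
    def is_user_logged_in(self):
        return SESSION.get('user_id') in USERS

    def login_required(self):
        if not self.is_user_logged_in():  # real app: abort with a redirect to the login page
            raise LoginRequired('/login')

    def logout(self):
        SESSION.pop('user_id', None)

    def get_current_user(self):
        self.login_required()
        return USERS[SESSION['user_id']]

    def get_user_email(self, user):
        return user.email

    def get_user_nameid(self, user, attribute):
        # Hand out identifiers only for formats explicitly supported; an unknown
        # format means a misconfigured SP, not a reason to guess an attribute.
        if attribute in (NAMEID_EMAIL, NAMEID_UNSPECIFIED):
            return self.get_user_email(user)
        if attribute == NAMEID_PERSISTENT:
            return user.persistent_id
        raise ValueError(f'unsupported NameID format: {attribute}')
```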