IdentityProvider¶
-
class
flask_saml2.idp.IdentityProvider¶ Developers should subclass
IdentityProviderand provide methods to interoperate with their specific environment. All user interactions are performed through methods on this class.Every subclass should implement
is_user_logged_in(),login_required(),logout(), andget_current_user()as a minimum. Other methods can be overridden as required.-
idp_digester_class¶ alias of
flask_saml2.signing.Sha1Digester
-
idp_signer_class¶ alias of
flask_saml2.signing.RsaSha1Signer
-
get_idp_config()¶ Get the configuration for this IdP. Defaults to
SAML2_IDPfromflask.Flask.config. The configuration should be a dict like:{ # Should the IdP automatically redirect the user back to the # Service Provider once authenticated. 'autosubmit': True, # The X509 certificate and private key this IdP uses to # encrypt, validate, and sign payloads. 'certificate': ..., 'private_key': ..., }
To load the
certificateandprivate_keyvalues, see- Return type
-
get_idp_entity_id()¶ The unique identifier for this Identity Provider. By default, this uses the metadata URL for this IdP.
See
get_metadata_url().- Return type
-
get_idp_certificate()¶ Get the public certificate for this IdP. If this IdP does not sign its requests, returns None.
- Return type
Optional[X509]
-
get_idp_private_key()¶ Get the private key for this IdP. If this IdP does not sign its requests, returns None.
- Return type
Optional[PKey]
-
get_service_providers()¶ Get an iterable of service provider
configdicts.configshould be a dict specifying a SPHandler subclass and optionally any constructor arguments:>>> list(idp.get_service_providers()) [{ 'CLASS': 'my_app.service_providers.MySPSPHandler', 'OPTIONS': { 'acs_url': 'https://service.example.com/auth/acs/', }, }]
Defaults to
current_app.config['SAML2_SERVICE_PROVIDERS'].
-
get_sso_url()¶ Get the URL for the Single Sign On endpoint for this IdP.
-
get_slo_url()¶ Get the URL for the Single Log Out endpoint for this IdP.
-
get_metadata_url()¶ Get the URL for the metadata XML document for this IdP.
-
login_required()¶ Check if a user is currently logged in to this session, and
flask.abort()with a redirect to the login page if not. It is suggested to useis_user_logged_in().
-
is_user_logged_in()¶ Return True if a user is currently logged in. Subclasses should implement this method
- Return type
-
logout()¶ Terminate the session for a logged in user. Subclasses should implement this method.
-
get_current_user()¶ Get the user that is currently logged in.
- Return type
~User
-
get_user_nameid(user, attribute)¶ Get the requested name or identifier from the user.
attributewill be aurn:oasis:names:tc:SAML:2.0:nameid-format-style urn.Subclasses can override this to allow more attributes to be extracted. By default, only email addresses are extracted using
get_user_email().
-
get_user_email(user)¶ Get the email address for a user.
-
get_sp_handlers()¶ Get the SPHandler for each service provider defined.
- Return type
Iterable[SPHandler]
-
render_template(template, **context)¶ Render an HTML template. This method can be overridden to inject more context variables if required.
- Return type
-
get_metadata_context()¶ Get any extra context for the metadata template. Suggested extra context variables include ‘org’ and ‘contacts’.
- Return type
-
is_valid_redirect(url)¶ Check if a URL is a valid and safe URL to redirect to, according to any of the SPHandlers. Only used from the non-standard logout page, for non-compliant Service Providers such as Salesforce.
- Return type
-
create_blueprint()¶ Create a blueprint for this IdP. This blueprint needs to be registered with a Flask application to expose the IdP functionality.
-