
Releases: SAML-Toolkits/python-saml

OneLogin's SAML Python Toolkit v2.4.2

05 Sep 18:03
  • Update dm.xmlsec.binding dependency to 1.3.7
  • Update pylint dependency to 1.9.1
  • Update Django demo to use LTS version of Django

OneLogin's SAML Python Toolkit v2.4.1

25 Apr 13:49
  • Add an ID to the EntityDescriptor before signing it in the add_sign method. Improve the way the ds namespace is handled in the add_sign method
  • Update defusedxml, coveralls and coverage dependencies
  • Update copyright and license reference

OneLogin's SAML Python Toolkit v2.4.0

27 Feb 15:38

Changelog:

  • Fix vulnerability CVE-2017-11427. Process text of nodes properly, ignoring comments
  • Improve how the fingerprint is calculated
  • Fix issue with a LogoutRequest being rejected by ADFS because the NameID carried the unspecified format instead of no Format attribute
  • Be able to invalidate a SAMLResponse if it contains an InResponseTo value but no RequestId parameter was provided to the is_valid method. See the rejectUnsolicitedResponsesWithInResponseTo security parameter (deactivated by default)
  • Fix signature position in the SP metadata
  • Redefine NSMAP constant
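The CVE-2017-11427 fix above concerns how the text of a node is read when that node contains an XML comment. The following is an added illustration, not code from the python-saml project: it uses the standard-library parser configured to keep comments as tree nodes (mirroring the behaviour of a DOM-preserving parser such as lxml, which the toolkit builds on), shows that reading `.text` stops at the first comment, and contrasts a hardened extractor that refuses element children and joins the text on both sides of any comment. The `saml:Subject` sample and the function names are constructed for this example.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample (not from the page): a NameID whose text is split by an
# XML comment. When the parser keeps comments as nodes, the comment becomes a
# child of NameID and node.text holds only the text that precedes it.
SAMPLE = (
    '<saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    '<saml:NameID>alice<!-- comment -->@example.com</saml:NameID>'
    '</saml:Subject>'
)

# Constructed sample with a nested element, which a NameID must never carry.
NESTED = (
    '<saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    '<saml:NameID>alice<saml:Extra/>@example.com</saml:NameID>'
    '</saml:Subject>'
)


def parse_keeping_comments(xml_text):
    """Parse with comments kept as nodes (Python 3.8+ TreeBuilder option).

    This mimics a DOM parser that preserves comments; the default
    ElementTree parser would silently drop them instead.
    """
    builder = ET.TreeBuilder(insert_comments=True)
    parser = ET.XMLParser(target=builder)
    parser.feed(xml_text)
    return parser.close()


def naive_name_id(subject):
    """The fragile pattern: .text stops at the first child node."""
    return subject.find("saml:NameID", NS).text


def strict_name_id(subject):
    """Hardened extraction: reject element children, join text around comments."""
    node = subject.find("saml:NameID", NS)
    if node is None:
        raise ValueError("NameID missing")
    parts = [node.text or ""]
    for child in node:
        # Only comment/PI nodes are tolerated; any real element is a red flag.
        if child.tag is not ET.Comment and child.tag is not ET.ProcessingInstruction:
            raise ValueError("NameID must not contain child elements")
        parts.append(child.tail or "")
    return "".join(parts)


if __name__ == "__main__":
    root = parse_keeping_comments(SAMPLE)
    print("naive :", naive_name_id(root))   # stops before the comment
    print("strict:", strict_name_id(root))  # full identifier
```

The point for a validator is that the identity value must be derived from the complete text content of the node, and that anything other than text (or comments, which carry no meaning) inside a NameID should fail validation rather than be silently skipped.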

OneLogin's SAML Python Toolkit v2.3.0

16 Sep 06:44
  • #205 Improve the decrypt method: add an option to decrypt an element in place or to copy it before decryption.
  • #204 On a LogoutRequest, if the NameIdFormat is entity, NameQualifier and SPNameQualifier will be omitted. If the NameIdFormat is not entity and a NameQualifier is provided, then the SPNameQualifier will also be added.
  • Be able to get from the auth object the last processed ID (response/assertion) and the last generated ID.
  • Reset the errorReason attribute of the auth object before each process method
  • Fix issue when retrieving multiple certs where only signing or encryption certs are available
  • Allow an empty NameID if the wantNameId setting is false. Only raise exceptions when strict mode is enabled

OneLogin's SAML Python Toolkit v2.2.3

15 Jun 18:01
  • Replace some etree.tostring calls, introduced recently, with the sanitized call provided by defusedxml
  • Update dm.xmlsec.binding requirement to 1.3.3 version

OneLogin's SAML Python Toolkit v2.2.2

18 May 11:02

Changelog:

  • Be able to relax SSL certificate verification when retrieving IdP metadata
  • #195 Be able to register a future SP x509cert in the settings and publish it in the SP metadata
  • #195 Be able to register more than one Identity Provider x509cert, each linked to a specific use (signing or encryption)
  • #195 Allow metadata to be retrieved from a source containing data for multiple entities
  • #195 Adapt the IdP XML metadata parser to handle multiple IdP certificates and be able to inject the obtained data into the settings.
  • #194 Publish KeyDescriptor[use=encryption] only when required
  • #190 Check the status of the response before counting assertions
  • Add Pyramid demo example
  • Allow underscores in URL hosts
  • NameID Format improvements
  • #184 Be able to provide a NameIDFormat to LogoutRequest
  • #180 Add DigestMethod support. (Add sign_algorithm and digest_algorithm parameters to sign_metadata and add_sign)
  • Validate serial number as string to work around libxml2 limitation
  • Make the Issuer of the Response optional

OneLogin's SAML Python Toolkit v2.2.1

11 Jan 12:45

This version includes improvements aimed at helping developers debug.

Changelog:

  • #175 Optionally raise detailed exceptions vs. returning False.
    Implement a more specific exception class for handling some validation errors. Improve/Fix tests
  • #171 Add hooks to retrieve last-sent and last-received requests and responses
  • Improved inResponse validation on Responses
  • #173 Fix attributeConsumingService serviceName format in README

OneLogin's SAML Python Toolkit v2.2.0

14 Oct 15:03

This version includes a security patch with extra validations that prevent signature wrapping attacks.

Changelog:

  • Several security improvements:
    • Conditions element required and unique.
    • AuthnStatement element required and unique.
    • SPNameQualifier must match the SP EntityID
    • Reject saml:Attribute element with same “Name” attribute
    • Reject empty nameID
    • Require Issuer element. (Must match IdP EntityID).
    • Destination value can't be blank (if present must match ACS URL).
    • Check that the EncryptedAssertion element only contains 1 Assertion element.
  • Improve Signature validation process
  • #149 Work-around for xmlsec.initialize
  • #151 Fix flask demo error handling and improve documentation
  • #152 Update LICENSE to include MIT rather than BSD license
  • #155 Fix typographical errors in docstring
  • Fix RequestedAttribute Issue
  • Fix the __build_signature method: if relay_state is null, it is not made part of the SignQuery
  • #164 Add support for non-ascii fields in settings
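The structural validations listed above can be expressed as a set of checks run over a parsed Response before any attribute is trusted. The following is an added example, not the toolkit's own validation code: it applies the v2.2.0 rules (Conditions and AuthnStatement present exactly once, Issuer present and equal to the IdP EntityID, Destination non-blank and equal to the ACS URL when present, SPNameQualifier equal to the SP EntityID, unique Attribute Name values, non-empty NameID, exactly one Assertion inside an EncryptedAssertion) to a constructed Response using the standard library. It goes one step beyond the list by also requiring exactly one Assertion directly under the Response. The entity IDs, ACS URL and sample XML are assumed values for this example.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Assumed SP settings (constructed for this example).
IDP_ENTITY_ID = "https://idp.example.net/metadata"
SP_ENTITY_ID = "https://sp.example.org/metadata"
ACS_URL = "https://sp.example.org/acs"

# Constructed, well-formed sample Response that passes every check below.
SAMPLE_OK = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" Destination="https://sp.example.org/acs">
  <saml:Issuer>https://idp.example.net/metadata</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.net/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID SPNameQualifier="https://sp.example.org/metadata">alice@example.org</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2018-01-01T00:00:00Z" NotOnOrAfter="2018-01-01T00:05:00Z"/>
    <saml:AuthnStatement AuthnInstant="2018-01-01T00:00:00Z"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail"><saml:AttributeValue>alice@example.org</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="uid"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Same document with a second Conditions element, which must be rejected.
SAMPLE_DUPLICATE_CONDITIONS = SAMPLE_OK.replace(
    "<saml:AuthnStatement", "<saml:Conditions/><saml:AuthnStatement"
)


def _count(node, path):
    return len(node.findall(path, NS))


def structural_errors(response, idp_entity_id=IDP_ENTITY_ID,
                      sp_entity_id=SP_ENTITY_ID, acs_url=ACS_URL):
    """Return a list of structural problems; an empty list means all checks passed."""
    errors = []

    if "Destination" in response.attrib:
        dest = response.get("Destination")
        if not dest:
            errors.append("Destination attribute is present but blank")
        elif dest != acs_url:
            errors.append("Destination does not match the ACS URL")

    for enc in response.findall("saml:EncryptedAssertion", NS):
        if _count(enc, "saml:Assertion") != 1:
            errors.append("EncryptedAssertion must wrap exactly one Assertion")

    assertions = response.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        errors.append("Response must carry exactly one Assertion")

    for assertion in assertions:
        issuers = assertion.findall("saml:Issuer", NS)
        if len(issuers) != 1 or (issuers[0].text or "").strip() != idp_entity_id:
            errors.append("Assertion Issuer missing, duplicated, or not the IdP EntityID")
        if _count(assertion, "saml:Conditions") != 1:
            errors.append("Conditions element must be present exactly once")
        if _count(assertion, "saml:AuthnStatement") != 1:
            errors.append("AuthnStatement element must be present exactly once")

        name_id = assertion.find("saml:Subject/saml:NameID", NS)
        if name_id is None or not (name_id.text or "").strip():
            errors.append("NameID is missing or empty")
        else:
            spnq = name_id.get("SPNameQualifier")
            if spnq is not None and spnq != sp_entity_id:
                errors.append("SPNameQualifier does not match the SP EntityID")

        names = [attr.get("Name") for attr in
                 assertion.findall("saml:AttributeStatement/saml:Attribute", NS)]
        if len(names) != len(set(names)):
            errors.append("Duplicate Attribute Name values in AttributeStatement")

    return errors


if __name__ == "__main__":
    print("ok sample     :", structural_errors(ET.fromstring(SAMPLE_OK)))
    print("dup conditions:", structural_errors(ET.fromstring(SAMPLE_DUPLICATE_CONDITIONS)))
```

These checks are deliberately strict about cardinality: a document that carries two of an element that the schema allows once is the shape a wrapping attempt produces, so counting is the cheapest first line of defence and belongs before, not after, signature verification results are consumed.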

OneLogin's SAML Python Toolkit v2.1.9

27 Jun 11:24

Changelog:

  • Change the decrypt assertion process.
  • Add 2 extra validations to prevent Signature wrapping attacks.

OneLogin's SAML Python Toolkit v2.1.8

03 Jun 22:03

Changelog:

  • Fix Metadata XML (RequestedAttribute)
  • Fix Windows specific Unix date formatting bug.
  • Docs for OS X installation of libxmlsec1
  • Fix SHA384 Constant URI
  • #142 Refactor of settings.py to make it a little more readable.
  • Bugfix for ADFS lowercase signatures
  • READMEs suggested the wrong cert name