Skip to content

Commit 726c07b

Browse files
author
Diego Nadares
committed
Add error page and fix SAML assertion handling for 0.3.5
- Fix AttributeError when Attribute element has no AttributeValue child - Log CannotHandleAssertion reason instead of silently swallowing it - Render user_not_authorized.html on UserNotAuthorized instead of 500 - Add get_login_page_url() to ServiceProvider for configurable back-link - Bump version to 0.3.5
1 parent 75e4964 commit 726c07b

5 files changed

Lines changed: 34 additions & 5 deletions

File tree

flask_saml2/sp/parser.py

Lines changed: 5 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -53,8 +53,11 @@ def nameid_format(self) -> str:
5353
@cached_property
5454
def attributes(self) -> Mapping[str, str]:
5555
attributes = self._xpath(self.assertion, 'saml:AttributeStatement/saml:Attribute')
56-
return {el.get('Name'): self._xpath(el, 'saml:AttributeValue')[0].text
57-
for el in attributes}
56+
result = {}
57+
for el in attributes:
58+
values = self._xpath(el, 'saml:AttributeValue')
59+
result[el.get('Name')] = values[0].text if values else None
60+
return result
5861

5962
@cached_property
6063
def conditions(self) -> Optional[XmlNode]:

flask_saml2/sp/sp.py

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -174,6 +174,12 @@ def get_login_return_url(self) -> Optional[str]:
174174

175175
return None
176176

177+
def get_login_page_url(self) -> str:
178+
"""The URL of the application login page, used in error pages to let
179+
users navigate back. Override in subclasses to point to your login UI.
180+
"""
181+
return '/'
182+
177183
def get_logout_return_url(self) -> Optional[str]:
178184
"""The URL to redirect users to once they have logged out.
179185
"""
Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,8 @@
1+
{% extends 'flask_saml2_sp/base.html' %}
2+
3+
{% block content %}
4+
<h1>Login failed</h1>
5+
<p>Access could not be granted. This may be caused by a misconfiguration in your Identity Provider or insufficient permissions.</p>
6+
<p>Please contact your administrator to verify the SAML configuration. You can also refer to the <a href="https://docs.faradaysec.com/SAML/#saml-single-sign-on-sso">SAML documentation</a> for setup instructions.</p>
7+
<p><a href="{{ return_url }}">Back to login</a></p>
8+
{% endblock %}

flask_saml2/sp/views.py

Lines changed: 14 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -86,10 +86,22 @@ def post(self):
8686
response = handler.get_response_parser(saml_request)
8787
auth_data = handler.get_auth_data(response)
8888
return self.sp.login_successful(auth_data, relay_state)
89-
except CannotHandleAssertion:
89+
except CannotHandleAssertion as e:
90+
logger.debug("Handler %s cannot handle assertion: %s", handler, e)
9091
continue
9192
except UserNotAuthorized:
92-
return self.sp.render_template('flask_saml2_sp/user_not_authorized.html')
93+
return self.sp.render_template(
94+
'flask_saml2_sp/user_not_authorized.html',
95+
return_url=self.sp.get_login_page_url(),
96+
)
97+
except (CannotHandleAssertion, UserNotAuthorized):
98+
raise
99+
except Exception:
100+
logger.exception("Unexpected error handling SAML assertion from handler %s", handler)
101+
return self.sp.render_template(
102+
'flask_saml2_sp/user_not_authorized.html',
103+
return_url=self.sp.get_login_page_url(),
104+
)
93105

94106

95107
class Metadata(SAML2View):

flask_saml2/version.py

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -30,5 +30,5 @@ def make_version_string(version_info):
3030
return version_str
3131

3232

33-
version_info = (0, 3, 4)
33+
version_info = (0, 3, 5)
3434
version_str = make_version_string(version_info)

0 commit comments

Comments
 (0)