No shared state IdP with external user directory

  • We start with the SAML 2.0 IdP
  • We first added a deterministic NameID generation mode by adding a new NameID format setting called eduPersonTargetedId. In this mode the NameID is computed as hex(sha1(username+entity_id+django_secret_key)).
  • The next step is to define a deterministic way of generating session indexes as hex(sha1(NameID+django_session_key)). Lasso automatically generates a session index when the service provider has a logout endpoint; the deterministic algorithm should only be used to generate a session index (after the call to lasso_login_build_assertion) if Lasso has also set one.
  • The final step will be to store the list of SPs for which a session is open in the Django session rather than in models; the methods to modify are saml.common.load_session and saml.common.save_session. The session index should only be saved if there is one.
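The three steps above, sketched in Python as an added example (not code from this project): the deterministic NameID, the deterministic session index, and a session-store helper that only records an index when Lasso set one. The function names, the `saml_sp_sessions` key and the sample values are assumptions; the hash formulas are the ones stated above.

```python
import hashlib

# Constructed sample value; a real deployment uses settings.SECRET_KEY.
DJANGO_SECRET_KEY = "example-secret-key-not-for-production"


def eduperson_targeted_id(username, entity_id, secret_key=DJANGO_SECRET_KEY):
    """NameID in eduPersonTargetedId mode: hex(sha1(username+entity_id+secret_key)).

    Same user + same SP entity id => same NameID, so nothing per (user, SP)
    has to be persisted; the secret key keeps the value unguessable to the SP.
    """
    material = (username + entity_id + secret_key).encode("utf-8")
    return hashlib.sha1(material).hexdigest()


def session_index(name_id, django_session_key):
    """SessionIndex: hex(sha1(NameID+django_session_key))."""
    return hashlib.sha1((name_id + django_session_key).encode("utf-8")).hexdigest()


def record_sp_session(django_session, entity_id, name_id, lasso_set_session_index):
    """Record an open SP session in the Django session dict, not in a model.

    `lasso_set_session_index` is True when Lasso put a SessionIndex on the
    assertion (the SP has a logout endpoint). Only then is the deterministic
    index computed and stored, mirroring "save it only if there is one".
    Assumes `django_session["session_key"]` holds the Django session key.
    """
    sessions = django_session.setdefault("saml_sp_sessions", {})  # assumed key name
    entry = {"name_id": name_id}
    if lasso_set_session_index:
        entry["session_index"] = session_index(name_id, django_session["session_key"])
    sessions[entity_id] = entry
    return entry
```

Note that plain concatenation (no separator) means two different (username, entity_id) pairs can yield the same input string; check that the identifiers in your deployment cannot overlap in that way.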

