diff --git a/ssoauth/app_settings/__init__.py b/ssoauth/app_settings/__init__.py
index f8b66c874716f5fe1bff06cb29524c47b699704c..b00d50eaf9b3853e144669ce5484cbb681f2a2c3 100644
--- a/ssoauth/app_settings/__init__.py
+++ b/ssoauth/app_settings/__init__.py
@@ -1,6 +1,7 @@
 from onelogin.saml2 import settings as onelogin_settings
 from .defaults import *
 from django import conf
+from datetime import datetime, timedelta
 
 # merge defaults with customized user settings
 
@@ -87,7 +88,8 @@ ONELOGIN_SETTINGS_TEMPLATE = {
 "wantNameIdEncrypted": False,
 "wantAssertionsEncrypted": True,
 "signatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
- "metadataCacheDuration": SP_METADATA_LIFETIME,
+ "metadataCacheDuration": "P{n}D".format(n=SP_METADATA_LIFETIME_DAYS),
+ "metadataValidUntil": (datetime.now() + timedelta(days=SP_METADATA_LIFETIME_DAYS)).strftime('%Y-%m-%dT%H:%M:%S.%fZ')
 },
 "contactPerson": SP_CONTACTS,
 "organization": SP_ORGANIZATION,
diff --git a/ssoauth/app_settings/defaults.py b/ssoauth/app_settings/defaults.py
index e4f2b197fa938a841c7b5a0d948d0ea4f086045c..b62f97dd1e56a64262b61f140b73e3e6ac858fda 100644
--- a/ssoauth/app_settings/defaults.py
+++ b/ssoauth/app_settings/defaults.py
@@ -9,7 +9,7 @@ If you want to change something:
 """
-Settings you want to change:
+Settings you may want to change:
 """
 # host and port, not what Django thinks, but what nginx serves
@@ -18,6 +18,8 @@ SP_PORT = 443
 IDP_META_URL = "https://idp.hs-hannover.de/idp/shibboleth" # test is "https://idp-test.it.hs-hannover.de/idp/shibboleth"
+SP_KEY = "{project_settings}/cert/sp.key"
+SP_CERT = "{project_settings}/cert/sp.pem"
 """
 Settings you DON'T want to change (in fact, you want to avoid even thinking about them):
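Review bot: The new `metadataValidUntil` entry in the ONELOGIN_SETTINGS_TEMPLATE hunk stamps a naive `datetime.now()` with a literal `Z`, so the published SP metadata labels a local-time value as UTC and, on any host whose clock is not in UTC, the validity window an IdP computes from it is shifted by that offset. Use an aware UTC time and the second-resolution form SAML metadata normally carries: extend the new import to `from datetime import datetime, timedelta, timezone` and write `"metadataValidUntil": (datetime.now(timezone.utc) + timedelta(days=SP_METADATA_LIFETIME_DAYS)).strftime('%Y-%m-%dT%H:%M:%SZ')`. The value is also evaluated once at import, so it is anchored to process start rather than to when the metadata is served; harmless with a multi-year window, but worth a comment such as `# evaluated at import: validUntil is relative to process start, not to each metadata request`. Since this hunk switches to the renamed `SP_METADATA_LIFETIME_DAYS` and the module merges defaults with project settings, a deployment that still overrides the old `SP_METADATA_LIFETIME` name would presumably be silently ignored and fall back to the 20-year default — consider failing at startup if `conf.settings` still defines the old name.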
@@ -25,10 +27,7 @@ Settings you DON'T want to change (in fact, you want to avoid even thinking abou
 IDP_REQUIRED = True # die on start if cannot find IDP or parse its meta
-SP_KEY = "{project_settings}/cert/sp.key"
-SP_CERT = "{project_settings}/cert/sp.pem"
-
-SP_METADATA_LIFETIME = "P20Y" # "P7D"-like (https://www.w3.org/TR/xmlschema-2/#duration)
+SP_METADATA_LIFETIME_DAYS = 365 * 20
 # if you really really need to add/modify something in OneLogin settings, add it to ONELOGIN_OVERRIDES
 ONELOGIN_OVERRIDES = {} # e.g.: ONELOGIN_OVERRIDES = { "strict": False }