From 412f5b9210c3861bdfb1d39dbaea3d152892a65b Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Wed, 30 Dec 2020 22:07:30 +0100
Subject: [PATCH] providers/saml: fix signing and verification kp not being set correctly
---
 authentik/providers/saml/processors/metadata_parser.py | 9 ++++++---
 authentik/providers/saml/tests/test_metadata.py | 4 +++-
 authentik/providers/saml/views.py | 2 +-
 3 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/authentik/providers/saml/processors/metadata_parser.py b/authentik/providers/saml/processors/metadata_parser.py
index dc7c494e8..9e32ccf8c 100644
--- a/authentik/providers/saml/processors/metadata_parser.py
+++ b/authentik/providers/saml/processors/metadata_parser.py
@@ -10,7 +10,6 @@ from lxml import etree # nosec
 from structlog import get_logger
 from authentik.crypto.models import CertificateKeyPair
-from authentik.flows.models import Flow, FlowDesignation
 from authentik.providers.saml.models import SAMLBindings, SAMLProvider
 from authentik.providers.saml.utils.encoding import PEM_FOOTER, PEM_HEADER
 from authentik.sources.saml.processors.constants import (
@@ -56,10 +55,14 @@ class ServiceProviderMetadata:
 provider.issuer = self.entity_id
 provider.sp_binding = self.acs_binding
 provider.acs_url = self.acs_location
-if self.signing_keypair:
+if self.signing_keypair and self.auth_n_request_signed:
 self.signing_keypair.name = f"Provider {name} - SAML Signing Certificate"
 self.signing_keypair.save()
-provider.signing_kp = self.signing_keypair
+provider.verification_kp = self.signing_keypair
+if self.assertion_signed:
+provider.signing_kp = CertificateKeyPair.objects.exclude(
+key_data__iexact=""
+).first()
 return provider
diff --git a/authentik/providers/saml/tests/test_metadata.py b/authentik/providers/saml/tests/test_metadata.py
index 29e403e50..bb50901cb 100644
--- a/authentik/providers/saml/tests/test_metadata.py
+++ b/authentik/providers/saml/tests/test_metadata.py
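Review bot: `CertificateKeyPair.objects.exclude(key_data__iexact="").first()` in the second hunk picks whichever keypair with private-key material happens to sort first, so the provider may end up signing assertions with a key that has nothing to do with this SP, and when no such keypair exists `signing_kp` silently stays unset even though the metadata asked for signed assertions. At minimum the empty case should be visible: after the assignment add `if provider.signing_kp is None:` / `LOGGER.warning("SP requests signed assertions but no keypair with private key is available")` (assuming the module binds a structlog logger from the `get_logger` import shown in the first hunk), and a comment such as `# no SP-provided signing key: fall back to the first stored keypair that has a private key` on the `.exclude(` line would make the choice explicit to the next reader. The keypair that is now stored as `verification_kp` still gets the name `... - SAML Signing Certificate`, which misdescribes its role after this change. The enclosing method, including the `name` formatted into that string, starts outside the hunk.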
@@ -84,7 +84,9 @@ class TestServiceProviderMetadataParser(TestCase):
 provider.issuer, "http://localhost:8080/apps/user_saml/saml/metadata"
 )
 self.assertEqual(provider.sp_binding, SAMLBindings.POST)
-self.assertEqual(provider.signing_kp.certificate_data, CERT)
+self.assertEqual(provider.verification_kp.certificate_data, CERT)
+self.assertIsNotNone(provider.signing_kp)
+self.assertEqual(provider.audience, "")
 def test_with_signing_cert_invalid_signature(self):
 """Test Metadata with signing cert (invalid signature)"""
diff --git a/authentik/providers/saml/views.py b/authentik/providers/saml/views.py
index 82047b62a..57cf0d9a8 100644
--- a/authentik/providers/saml/views.py
+++ b/authentik/providers/saml/views.py
@@ -277,7 +277,7 @@ class MetadataImportView(LoginRequiredMixin, FormView):
 LOGGER.warning(exc)
 messages.error(
 self.request,
-_("Failed to import Metadata: %(message)s", {"message": str(exc)}),
+_("Failed to import Metadata: %(message)s" % {"message": str(exc)}),
 )
 return super().form_invalid(form)
 return super().form_valid(form)
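Review bot: `self.assertIsNotNone(provider.signing_kp)` only shows that some keypair was chosen, so it relies on the test database already holding a keypair with private-key data (not visible here) and would not catch the parser selecting a keypair that lacks one; tightening it to `self.assertNotEqual(provider.signing_kp.key_data, "")` pins the property the lookup is meant to guarantee. There is also no test for the case where no such keypair exists, which is the path where `signing_kp` stays unset despite the SP requesting signed assertions. The test method this hunk belongs to starts outside the hunk.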
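Review bot: Formatting with `%` inside the `_()` call on the added line means gettext is looked up with a message that already contains the exception text, so it never matches a catalog entry and the message is never translated; the usual form is `_("Failed to import Metadata: %(message)s") % {"message": str(exc)}`. Since `str(exc)` originates from parsing an uploaded metadata document, it is worth confirming that the template rendering these messages autoescapes them rather than marking them safe; that rendering is outside this hunk. The `form_invalid`/`form_valid` returns are the tail of a method whose start is outside the hunk.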