diff --git a/authentik/providers/saml/processors/metadata.py b/authentik/providers/saml/processors/metadata.py
index 83c1a1ee3..5aecf24f6 100644
--- a/authentik/providers/saml/processors/metadata.py
+++ b/authentik/providers/saml/processors/metadata.py
@@ -171,6 +171,8 @@ class MetadataProcessor:
             entity_descriptor, f"{{{NS_SAML_METADATA}}}IDPSSODescriptor"
         )
         idp_sso_descriptor.attrib["protocolSupportEnumeration"] = NS_SAML_PROTOCOL
+        if self.provider.verification_kp:
+            idp_sso_descriptor.attrib["WantAuthnRequestsSigned"] = "true"
 
         signing_descriptor = self.get_signing_key_descriptor()
         if signing_descriptor is not None:
diff --git a/authentik/providers/saml/tests/test_metadata.py b/authentik/providers/saml/tests/test_metadata.py
index ffe1b2a4a..bc4156b5b 100644
--- a/authentik/providers/saml/tests/test_metadata.py
+++ b/authentik/providers/saml/tests/test_metadata.py
@@ -12,7 +12,7 @@ from authentik.lib.xml import lxml_from_string
 from authentik.providers.saml.models import SAMLBindings, SAMLPropertyMapping, SAMLProvider
 from authentik.providers.saml.processors.metadata import MetadataProcessor
 from authentik.providers.saml.processors.metadata_parser import ServiceProviderMetadataParser
-from authentik.sources.saml.processors.constants import NS_MAP
+from authentik.sources.saml.processors.constants import NS_MAP, NS_SAML_METADATA
 
 
 class TestServiceProviderMetadataParser(TestCase):
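Review bot: The added `WantAuthnRequestsSigned="true"` only advertises a policy to service providers; nothing in this hunk shows that the SSO request path actually rejects an unsigned or badly-signed AuthnRequest when `verification_kp` is set, and that enforcement is what the flag implies. Please confirm the request parser raises on a missing or invalid signature whenever `verification_kp` is configured — otherwise the metadata promises a guarantee the IdP does not keep, and SPs that trust it will over-estimate the protection of the login flow. A why-comment on the added `if` would make the coupling explicit: `# Advertise that AuthnRequests must be signed; the request parser is expected to enforce this whenever a verification keypair is configured.` The enclosing MetadataProcessor method starts and ends outside this hunk.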
@@ -55,6 +55,24 @@ class TestServiceProviderMetadataParser(TestCase):
         schema = etree.XMLSchema(etree.parse("schemas/saml-schema-metadata-2.0.xsd"))  # nosec
         self.assertTrue(schema.validate(metadata))
 
+    def test_schema_want_authn_requests_signed(self):
+        """Test metadata generation with WantAuthnRequestsSigned"""
+        cert = create_test_cert()
+        provider = SAMLProvider.objects.create(
+            name=generate_id(),
+            authorization_flow=self.flow,
+            verification_kp=cert,
+        )
+        Application.objects.create(
+            name=generate_id(),
+            slug=generate_id(),
+            provider=provider,
+        )
+        request = self.factory.get("/")
+        metadata = lxml_from_string(MetadataProcessor(provider, request).build_entity_descriptor())
+        idp_sso_descriptor = metadata.findall(f"{{{NS_SAML_METADATA}}}IDPSSODescriptor")[0]
+        self.assertEqual(idp_sso_descriptor.attrib["WantAuthnRequestsSigned"], "true")
+
     def test_simple(self):
         """Test simple metadata without Signing"""
         metadata = ServiceProviderMetadataParser().parse(load_fixture("fixtures/simple.xml"))
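Review bot: The new test is named `test_schema_want_authn_requests_signed` but never validates the generated metadata against the XSD, unlike the preceding test whose `schema.validate(metadata)` call is visible in the context lines; as written it only proves the attribute is present, not that the emitted document is still schema-valid. Add the same two lines after the `lxml_from_string(...)` call: `schema = etree.XMLSchema(etree.parse("schemas/saml-schema-metadata-2.0.xsd"))  # nosec` and `self.assertTrue(schema.validate(metadata))`. A negative case is also missing — a provider created without `verification_kp` should assert `"WantAuthnRequestsSigned" not in idp_sso_descriptor.attrib`, so the flag is not silently advertised to SPs for providers that cannot verify signatures.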