providers/saml: allow audience to be empty

2020-12-30 22:15:28 +01:00 · 2020-12-30 22:15:28 +01:00 · 4fde1b7365
parent 412f5b9210
commit 4fde1b7365
5 changed files with 43 additions and 12 deletions
--- a/authentik/providers/saml/forms.py
+++ b/authentik/providers/saml/forms.py
@ -36,17 +36,17 @@ class SAMLProviderForm(forms.ModelForm):
            "name",
            "authorization_flow",
            "acs_url",
-            "audience",
            "issuer",
            "sp_binding",
+            "audience",
+            "signing_kp",
+            "verification_kp",
+            "property_mappings",
            "assertion_valid_not_before",
            "assertion_valid_not_on_or_after",
            "session_valid_not_on_or_after",
            "digest_algorithm",
            "signature_algorithm",
-            "signing_kp",
-            "verification_kp",
-            "property_mappings",
        ]
        widgets = {
            "name": forms.TextInput(),
--- a/authentik/providers/saml/migrations/0010_auto_20201230_2112.py
+++ b/authentik/providers/saml/migrations/0010_auto_20201230_2112.py
@ -0,0 +1,22 @@
+# Generated by Django 3.1.4 on 2020-12-30 21:12
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_providers_saml", "0009_auto_20201112_2016"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="samlprovider",
+            name="audience",
+            field=models.TextField(
+                blank=True,
+                default="",
+                help_text="Value of the audience restriction field of the asseration. When left empty, no audience restriction will be added.",
+            ),
+        ),
+    ]
--- a/authentik/providers/saml/models.py
+++ b/authentik/providers/saml/models.py
@ -42,7 +42,13 @@ class SAMLProvider(Provider):
    acs_url = models.URLField(verbose_name=_("ACS URL"))
    audience = models.TextField(
        default="",
-        help_text=_("Value of the audience restriction field of the asseration."),
+        blank=True,
+        help_text=_(
+            (
+                "Value of the audience restriction field of the asseration. When left empty, "
+                "no audience restriction will be added."
+            )
+        ),
    )
    issuer = models.TextField(
        help_text=_("Also known as EntityID"), default="authentik"
--- a/authentik/providers/saml/processors/assertion.py
+++ b/authentik/providers/saml/processors/assertion.py
@ -127,11 +127,14 @@ class AssertionProcessor:
        conditions = Element(f"{{{NS_SAML_ASSERTION}}}Conditions")
        conditions.attrib["NotBefore"] = self._valid_not_before
        conditions.attrib["NotOnOrAfter"] = self._valid_not_on_or_after
-        audience_restriction = SubElement(
-            conditions, f"{{{NS_SAML_ASSERTION}}}AudienceRestriction"
-        )
-        audience = SubElement(audience_restriction, f"{{{NS_SAML_ASSERTION}}}Audience")
-        audience.text = self.provider.audience
+        if self.provider.audience != "":
+            audience_restriction = SubElement(
+                conditions, f"{{{NS_SAML_ASSERTION}}}AudienceRestriction"
+            )
+            audience = SubElement(
+                audience_restriction, f"{{{NS_SAML_ASSERTION}}}Audience"
+            )
+            audience.text = self.provider.audience
        return conditions

    def get_name_id(self) -> Element:
--- a/swagger.yaml
+++ b/swagger.yaml
@ -8004,9 +8004,9 @@ definitions:
        minLength: 1
      audience:
        title: Audience
-        description: Value of the audience restriction field of the asseration.
+        description: Value of the audience restriction field of the asseration. When
+          left empty, no audience restriction will be added.
        type: string
-        minLength: 1
      issuer:
        title: Issuer
        description: Also known as EntityID