sources/saml: improve error handing of invalid signatures

passbook/sources/saml/forms.py

@@ -16,6 +16,7 @@ class SAMLSourceForm(forms.ModelForm):
         model = SAMLSource
         fields = SOURCE_FORM_FIELDS + [
             "issuer",
+            "binding_type",
             "idp_url",
             "idp_logout_url",
             "auto_logout",

passbook/sources/saml/processors/base.py

@@ -68,8 +68,9 @@ class Processor:
 
         <saml:Subject>
                 <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
-                            SPNameQualifier=""
+                            SPNameQualifier="">
-                            >email@example.com</saml:NameID>
+                    email@example.com
+                </saml:NameID>
         """
         assertion = self._root.find("{urn:oasis:names:tc:SAML:2.0:assertion}Assertion")
         subject = assertion.find("{urn:oasis:names:tc:SAML:2.0:assertion}Subject")

passbook/sources/saml/views.py

@@ -6,6 +6,7 @@ from django.utils.decorators import method_decorator
 from django.utils.http import urlencode
 from django.views import View
 from django.views.decorators.csrf import csrf_exempt
+from signxml import InvalidSignature
 from signxml.util import strip_pem_header
 
 from passbook.lib.views import bad_request_message
@@ -71,6 +72,8 @@ class ACSView(View):
             processor.parse(request)
         except MissingSAMLResponse as exc:
             return bad_request_message(request, str(exc))
+        except InvalidSignature as exc:
+            return bad_request_message(request, str(exc))
 
         try:
             return processor.prepare_flow(request)