📌(pysaml2) pin pysaml2 to avoid double-signing of AuthNRequests

The current version of pysaml2 (7.5.2) has an issue where AuthNRequests
are both signed in the XML and with an extra `Signature` queryparam.
This was reported initially in 2021:
    https://github.com/IdentityPython/pysaml2/issues/819
And it was fixed by a changed in SATOSA:
    https://github.com/IdentityPython/SATOSA/pull/380
But it reappeared apparently and the original reporter has a PR open
against pysaml2 that is supposed to fix it:
    https://github.com/IdentityPython/pysaml2/pull/973
They report that the regression was introduced in pysaml2 by
   https://github.com/IdentityPython/pysaml2/pull/834
We try here to pin pysaml2 to the last version before this PR was
merged. Unfortunately this is quite an old version, but from basic
testing it seems to still be compatible with the current SATOSA
version.
This in turn forces us to also pin xmlschema to avoid
    https://github.com/IdentityPython/pysaml2/issues/947

Hopefully this can be temporary.
This commit is contained in:
Jonathan Perret
2025-09-18 19:29:54 +02:00
parent fbb190b455
commit 138bc431fd
+7
View File
@@ -28,6 +28,13 @@ dependencies = [
"redis==5.0.4",
"JSON-log-formatter==1.0",
"WhiteNoise==6.7.0",
# Use the most recent pysaml2 that doesn't have the recurrence of
# https://github.com/IdentityPython/pysaml2/issues/819
# (AuthNRequests signed twice)
"pysaml2==7.1.0",
# Pin xmlschema like pysaml2 did in release 7.5.1, see
# https://github.com/IdentityPython/pysaml2/issues/947#issuecomment-1916767026
"xmlschema==2.5.1",
]
[project.urls]