IdentityPython/pysaml2

Pysaml2 and Xmlsec1 compatibility

akila122 opened this issue · 4 comments

Add compatibility notes on xmlsec1 and pysaml2

Code Version

OsX 13.4
Xmlsec 1.3
Python 3.7
PySaml2 7.1

Expected Behavior

Verifying the XML document.

Current Behavior

Using this combination of versions results in many KEY-NOT-FOUND xmlsec1 errors while trying to verify the document. This ultimately boils down to the saml2.sigver.SecurityContext.verify_signature function raising SignatureError because the --lax-key-search xmlsec1 parameter is not passed by PySaml2, which was a breaking change in xmlsec1's 1.3 release:

(API breaking change) Changed the key search to strict mode: only keys referenced by KeyInfo are used. To restore the old "lax" mode, set XMLSEC_KEYINFO_FLAGS_LAX_KEY_SEARCH flag on xmlSecKeyInfoCtx or use '--lax-key-search' option for XMLSec command line utility.

Possible Solution

Could you please at least put some notes on these compatibility issues between PySaml2 and xmlsec1 versions? My workaround was to manually install xmlsec1 < 1.3 from source.

Steps to Reproduce

Try verifying any document with a key not referenced in KeyInfo.
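The version gate described in this report, as an added example (not pysaml2's own code, and not the project's own fix): probe the installed xmlsec1, and add --lax-key-search to the verify command only when the binary is 1.3 or newer. The `--verify`, `--pubkey-cert-pem` and `--id-attr:ID` flags are xmlsec1 CLI options; the fixed Assertion ID attribute and the file names are this example's assumptions, and the sample version strings in the test are constructed.

```python
import re
import shutil
import subprocess
from typing import List, Optional, Tuple

# xmlsec1 1.3 switched to strict key search (only keys referenced in KeyInfo are
# used); the pre-1.3 behaviour is restored with the --lax-key-search option.
LAX_KEY_SEARCH_MIN_VERSION = (1, 3)


def parse_xmlsec_version(version_output: str) -> Tuple[int, ...]:
    """Extract the numeric version from `xmlsec1 --version` output,
    e.g. (constructed) "xmlsec1 1.2.37 (openssl)" -> (1, 2, 37)."""
    match = re.search(r"xmlsec1\s+(\d+(?:\.\d+)*)", version_output)
    if match is None:
        raise ValueError(f"unrecognised xmlsec1 version output: {version_output!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def needs_lax_key_search(version: Tuple[int, ...]) -> bool:
    """True when this xmlsec1 defaults to strict, KeyInfo-only key search."""
    return version >= LAX_KEY_SEARCH_MIN_VERSION


def build_verify_command(xmlsec_binary: str, cert_pem: str, document: str,
                         version: Tuple[int, ...]) -> List[str]:
    """Build the xmlsec1 verify argv; --lax-key-search is added only for >= 1.3.
    The Assertion ID attribute is an assumption of this example."""
    cmd = [xmlsec_binary, "--verify"]
    if needs_lax_key_search(version):
        cmd.append("--lax-key-search")
    cmd += [
        "--pubkey-cert-pem", cert_pem,
        "--id-attr:ID", "urn:oasis:names:tc:SAML:2.0:assertion:Assertion",
        document,
    ]
    return cmd


def installed_xmlsec_version(xmlsec_binary: str = "xmlsec1") -> Optional[Tuple[int, ...]]:
    """Probe the installed binary; returns None when it is not on PATH."""
    path = shutil.which(xmlsec_binary)
    if path is None:
        return None
    out = subprocess.run([path, "--version"], capture_output=True, text=True, check=False)
    return parse_xmlsec_version(out.stdout + out.stderr)
```

Running `installed_xmlsec_version()` before the first verification gives a preflight check that fails loudly on the 1.3 mismatch instead of surfacing as KEY-NOT-FOUND errors.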

The (current) latest release v7.4.2 adds support for xmlsec1 1.3.

You can see the release notes here: https://github.com/IdentityPython/pysaml2/releases

I can add some more notes on the README so that it is more visible.

Yeah would be great if you could explicitly state that pysaml2<7.4.2 is NOT compatible with xmlsec1 >=1.3

Could this be an alternative, #913?

closed by 023fc4a