Define PAOS AssertionConsumerService in ipsilon-client-install
[cascardo/ipsilon.git] / ipsilon / tools / saml2metadata.py
index 99857bf..d1b8e46 100755 (executable)
@@ -29,8 +29,12 @@ SAML2_SERVICE_MAP = {
                  lasso.SAML2_METADATA_BINDING_SOAP),
     'logout-redirect': ('SingleLogoutService',
                         lasso.SAML2_METADATA_BINDING_REDIRECT),
+    'slo-soap': ('SingleLogoutService',
+                 lasso.SAML2_METADATA_BINDING_SOAP),
     'response-post': ('AssertionConsumerService',
-                      lasso.SAML2_METADATA_BINDING_POST)
+                      lasso.SAML2_METADATA_BINDING_POST),
+    'response-paos': ('AssertionConsumerService',
+                      lasso.SAML2_METADATA_BINDING_PAOS),
 }
 
 EDESC = '{%s}EntityDescriptor' % lasso.SAML2_METADATA_HREF
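Review bot: The new key `'slo-soap'` does not follow the naming of its neighbour `'logout-redirect'` (service first, then binding), so the map now spells the same SingleLogoutService two ways; `'logout-soap'` would keep callers consistent. The entry that ends on the hunk's first context line already uses `lasso.SAML2_METADATA_BINDING_SOAP`, and if that is the existing SingleLogoutService entry the new key duplicates it under a second name — the start of `SAML2_SERVICE_MAP` is outside the hunk, so this cannot be confirmed here. The `'response-paos'` entry would also benefit from a one-line comment since the binding is unusual in SP metadata, e.g. `# PAOS (reverse SOAP) binding: the AssertionConsumerService used by ECP clients`.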
@@ -84,6 +88,8 @@ class Metadata(object):
             raise ValueError('invalid role: %s' % role)
         self.role = mdElement(self.root, description)
         self.role.set('protocolSupportEnumeration', lasso.SAML2_PROTOCOL_HREF)
+        if role == IDP_ROLE:
+            self.role.set('WantAuthnRequestsSigned', 'true')
         return self.role
 
     def set_expiration(self, exp):
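Review bot: Setting `WantAuthnRequestsSigned` to `'true'` unconditionally for `IDP_ROLE` changes what every consumer of this IdP's metadata is told, yet the hunk carries no comment on why, and there is no way for a caller to opt out. Metadata only advertises the requirement; the component that parses incoming AuthnRequests must be the one to reject unsigned ones, which this file cannot show, so the intent should be stated next to the new lines: `# Advertise that this IdP expects signed AuthnRequests; presumably enforced by the request handler — confirm`. The method that builds the role element starts outside the hunk, so its docstring (if any) should mention the new attribute as well.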
@@ -95,11 +101,11 @@ class Metadata(object):
         elif isinstance(exp, datetime.datetime):
             d = exp
         elif isinstance(exp, datetime.timedelta):
-            d = datetime.datetime.now() + exp
+            d = datetime.datetime.utcnow() + exp
         else:
             raise TypeError('Invalid expiration date type')
 
-        self.root.set('validUntil', d.isoformat())
+        self.root.set('validUntil', d.isoformat() + 'Z')
 
     def add_cert(self, certdata, use):
         desc = mdElement(self.role, 'KeyDescriptor')
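Review bot: The `'Z'` suffix on the `validUntil` line is appended for every branch of the type dispatch, but only the `datetime.timedelta` branch now computes in UTC; a `datetime.datetime` supplied by the caller is used as-is, so a naive local-time value is labelled as UTC and a timezone-aware one yields an invalid `+00:00Z` form. `validUntil` bounds how long relying parties trust this metadata, so a wrong label shifts that window by the local UTC offset. Normalize before formatting, ahead of the `self.root.set(...)` line: `if d.utcoffset() is not None: d = (d - d.utcoffset()).replace(tzinfo=None)`, and state in the method's docstring that naive datetimes are taken to be UTC. The first branch of `set_expiration`'s dispatch lies outside the hunk and may need the same treatment.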