Conversation

@tymees
Member

@tymees tymees commented Jul 23, 2025

As promised, I looked into the possible Django-CSP and DjangoSAML2 issues. Turns out, nothing is broken!

So this PR is limited to a few minor changes related to all this:

  • Updated the dev-project to use Django CSP 4
  • Fixed an issue in DjangoSAML2 in which it could forget its session locally
  • Updated the requirements to explicitly require a DjangoSAML2 version compatible with Django-CSP 4

Comment on lines +249 to +251
if not SESSION_COOKIE_SECURE:
    # Needed on dev
    SAML_SESSION_COOKIE_SAMESITE = 'Lax'

So this is the fix about forgetting sessions I talked about.

If this is not here, the SAML library doesn't set its session cookie in local dev environments (because by default this requires the session-cookie secure flag to be set).

I would recommend that apps set something similar.
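As an added illustration (not code from this PR or from DjangoSAML2), the check below models the browser cookie rule behind this override. It assumes the library defaults its cookie to SameSite=None and takes its Secure flag from SESSION_COOKIE_SECURE, as the comment describes; the `saml_cookie_policy`, `diagnose` and `settings_for` helpers are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CookiePolicy:
    samesite: str   # 'None', 'Lax' or 'Strict'
    secure: bool


def saml_cookie_policy(settings: dict) -> CookiePolicy:
    """Derive the SAML session cookie attributes from a Django settings dict.

    Assumptions (not taken from the PR): the library defaults the cookie to
    SameSite=None and reuses SESSION_COOKIE_SECURE for its Secure flag.
    """
    secure = bool(settings.get("SESSION_COOKIE_SECURE", False))
    samesite = settings.get("SAML_SESSION_COOKIE_SAMESITE", "None")
    return CookiePolicy(samesite=samesite, secure=secure)


def diagnose(settings: dict, over_https: bool) -> list:
    """Return the reasons a browser would refuse to store the SAML cookie.

    An empty list means the cookie is stored. Two browser rules are modelled:
    Secure cookies are only stored on https (Chrome exempts localhost; a
    plain-http hostname is assumed here), and SameSite=None requires Secure.
    """
    policy = saml_cookie_policy(settings)
    problems = []
    if policy.secure and not over_https:
        problems.append("Secure cookie offered over http: not stored")
    if policy.samesite == "None" and not policy.secure:
        problems.append("SameSite=None without Secure: rejected by browsers")
    return problems


def settings_for(secure: bool, dev_override: bool) -> dict:
    """Build a minimal settings dict; dev_override applies the PR's snippet."""
    settings = {"SESSION_COOKIE_SECURE": secure}
    if dev_override and not settings["SESSION_COOKIE_SECURE"]:
        settings["SAML_SESSION_COOKIE_SAMESITE"] = "Lax"   # needed on dev only
    return settings


if __name__ == "__main__":
    # Constructed scenarios: production over https, dev over http with and without the fix.
    for label, secure, override, https in [
        ("production", True, False, True),
        ("dev, no override", False, False, False),
        ("dev, with override", False, True, False),
    ]:
        print(label, diagnose(settings_for(secure, override), https) or "cookie stored")
```

Because the override is gated on `not SESSION_COOKIE_SECURE`, a production deployment with Secure enabled keeps the SameSite=None default.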

@tymees tymees requested a review from miggol July 23, 2025 10:32
@tymees
Member Author

tymees commented Jul 23, 2025

Oh, btw, the new version of DjangoSAML2 is compatible with Django CSP < 4 as well. So the mandatory upgrade should not break apps with a < 4 constraint.
