pygamlastan

pygamlastan is a Python binding for gamlastan 0.5.0, a pure-Rust SAML 2.0 library. It exposes gamlastan’s types, XML parsing, cryptography (including PKCS#11/HSM signing), metadata handling, protocol bindings, security validation, and the Web Browser SSO profiles to Python.

The binding mirrors gamlastan’s modules as Python submodules:

Submodule	Purpose
pygamlastan.core	Owned SAML 2.0 types (Assertion, Response, NameId, …) and constants.
pygamlastan.xml	Parse SAML XML into owned core objects.
pygamlastan.crypto	Sign, verify, encrypt, decrypt, canonicalize; file keys and PKCS#11.
pygamlastan.bindings	HTTP-Redirect / HTTP-POST / Artifact encode and decode.
pygamlastan.metadata	Parse and inspect SAML metadata; serialize it back.
pygamlastan.security	The validation suite, its configuration, and the replay cache.
pygamlastan.profiles	Web Browser SSO: build requests/responses, process them.
pygamlastan.attribute_map	Wire to local attribute-name conversion.
pygamlastan.idp	IdP infrastructure: targeted IDs, authn broker, assertion store.

Design in one sentence: parsing converts gamlastan’s zero-copy *Ref views to owned values at the boundary, so the Python objects you hold never borrow from a Rust document and are safe to keep, pass around, and store.

Getting started

• Installation
  • Requirements
  • From a wheel
  • From source
  • Type checking
• Quickstart
  • Service Provider: process a response
  • Identity Provider: build a response
  • A full round trip
  • Where to go next

Guides

• Service Provider integration
  • Resolving the IdP’s metadata
  • Building an AuthnRequest
  • Sending the request
  • Processing the response
  • Why pass verified_signed_ids?
• Identity Provider integration
  • Processing an incoming AuthnRequest
  • Resolving the SP’s metadata
  • Building the response
  • Releasing attributes
  • IdP-initiated (unsolicited) responses
  • Targeted identifiers and the authn broker
  • A complete worked example
• Signing, verification, and encryption
  • Key management
  • Enveloped signatures
  • Verifying signatures
  • PKCS#11 / HSM signing
  • Redirect (detached) signatures
  • Encryption and decryption
  • Canonicalization
• Protocol bindings
  • HTTP-Redirect
  • HTTP-POST
  • RelayState
  • Artifact
• Metadata
  • Parsing
  • Endpoints
  • Keys
  • Validation and serialization
• Attribute mapping
  • Converting received attributes to local names
  • Converting local attributes back to the wire
  • A single map
  • eduPersonTargetedID
• Validation and replay protection
  • Configuration
  • Inspecting the result
  • Replay protection
• Writing a new SAML profile
  • The three tiers
  • Tier 1 - compose the primitives
  • Tier 2 - custom security policy and extra checks
  • Tier 3 - profiles that need unbound machinery
  • A checklist for a new profile
• Worked example: a Service Provider login profile
  • A reusable profile object
  • Step 1 - resolve the IdP
  • Step 2 - build and send the AuthnRequest
  • Step 3 - receive, verify, and validate the Response
  • Step 4 - use the identity
  • Adding a profile rule
  • Where to go from here

API reference

• pygamlastan.core
  • Functions
  • Build-side types
  • Parsed types
  • Constants
• pygamlastan.xml
  • parse_response()
  • parse_authn_request()
  • parse_assertion()
  • parse_logout_request()
  • parse_logout_response()
• pygamlastan.crypto
  • Keys
  • Signing
  • Verification
  • Encryption
  • Canonicalization
  • PKCS#11 / HSM
• pygamlastan.bindings
  • RELAY_STATE_MAX_BYTES
  • Redirect
  • POST
  • RelayState
  • Artifact
• pygamlastan.metadata
  • parse_entity()
  • parse_entities()
  • validate_entity()
  • EntityDescriptor
  • EndpointInfo
• pygamlastan.security
  • SecurityConfig
  • validate_response()
  • ValidationResult
  • ValidationCheck
  • Replay cache
• pygamlastan.profiles
  • Service Provider
  • Identity Provider
  • Sessions
• pygamlastan.attribute_map
  • EPTID_OID
  • AttributeConverterSet
  • AttributeConverter
  • LocalAttribute
  • eptid_attribute()
  • eptid_name_ids()
• pygamlastan.idp
  • eduPersonTargetedID
  • Authentication broker
  • Assertion store
  • NameID storage coding

Reference

• Exceptions

Indices

• Index

• Search Page