Commit 557ecc7

📌(pysaml2) pin pysaml2 to avoid double-signing of AuthNRequests
The current version of pysaml2 (7.5.2) has an issue where AuthNRequests are both signed in the XML and with an extra `Signature` query param. This was reported initially in 2021: IdentityPython/pysaml2#819

And it was fixed by a change in SATOSA: IdentityPython/SATOSA#380

But it reappeared apparently and the original reporter has a PR open against pysaml2 that is supposed to fix it: IdentityPython/pysaml2#973

They report that the regression was introduced in pysaml2 by IdentityPython/pysaml2#834

We try here to pin pysaml2 to the last version before this PR was merged. Unfortunately this is quite an old version, but from basic testing it seems to still be compatible with the current SATOSA version. Hopefully this can be temporary.

1 parent 5b03bff commit 557ecc7

1 file changed: +4 -0 lines changed

src/satosa/pyproject.toml

Lines changed: 4 additions & 0 deletions
@@ -28,6 +28,10 @@ dependencies = [
2828
"redis==5.0.4",
2929
"JSON-log-formatter==1.0",
3030
"WhiteNoise==6.7.0",
31+
# Use the most recent pysaml2 that doesn't have the recurrence of
32+
# https://github.com/IdentityPython/pysaml2/issues/819
33+
# (AuthNRequests signed twice)
34+
"pysaml2==7.1.0",
3135
]
3236

3337
[project.urls]
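
Review bot: the comment above `"pysaml2==7.1.0"` cites only issue #819, so nothing in the file says why 7.1.0 specifically was chosen or when the pin can be lifted. The commit message has that information (regression attributed to IdentityPython/pysaml2#834, pending fix in IdentityPython/pysaml2#973); I would copy both references into the comment, for example `# Regression from pysaml2#834; unpin once pysaml2#973 is released`, so the pin is not left in place after the fix lands. Since the message says compatibility with the current SATOSA rests on basic testing only, a test asserting that an AuthNRequest is not signed both in the XML and via the `Signature` query parameter would also guard the next upgrade.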
