flask-appbuilder 5.0.2rc2__py3-none-any.whl → 5.1.0__py3-none-any.whl

flask_appbuilder/__init__.py

@@ -1,5 +1,5 @@
 __author__ = "Daniel Vaz Gaspar"
-__version__ = "5.0.2rc2"
+__version__ = "5.1.0"
 
 from .actions import action  # noqa: F401
 from .api import ModelRestApi  # noqa: F401

flask_appbuilder/const.py

@@ -130,6 +130,7 @@ AUTH_DB = 1
 AUTH_LDAP = 2
 AUTH_REMOTE_USER = 3
 AUTH_OAUTH = 4
+AUTH_SAML = 5
 """ Constants for supported authentication types """
 
 # -----------------------------------

flask_appbuilder/security/manager.py

@@ -4,9 +4,9 @@ import datetime
 import importlib
 import logging
 import re
-from typing import Any, Callable, Dict, List, Optional, Set, Tuple, Union
+from typing import Any, Callable, Dict, List, Optional, Set, Tuple, TYPE_CHECKING, Union
 
-from flask import current_app, Flask, g, session, url_for
+from flask import current_app, Flask, g, request, session, url_for
 from flask_appbuilder.exceptions import InvalidLoginAttempt, OAuthProviderUnknown
 from flask_babel import lazy_gettext as _
 from flask_jwt_extended import current_user as current_user_jwt
@@ -28,6 +28,7 @@ from .views import (
     AuthLDAPView,
     AuthOAuthView,
     AuthRemoteUserView,
+    AuthSAMLView,
     PermissionModelView,
     PermissionViewModelView,
     RegisterUserModelView,
@@ -40,6 +41,7 @@ from .views import (
     UserLDAPModelView,
     UserOAuthModelView,
     UserRemoteUserModelView,
+    UserSAMLModelView,
     UserStatsChartView,
     ViewMenuModelView,
 )
@@ -49,6 +51,7 @@ from ..const import (
     AUTH_LDAP,
     AUTH_OAUTH,
     AUTH_REMOTE_USER,
+    AUTH_SAML,
     LOGMSG_ERR_SEC_ADD_REGISTER_USER,
     LOGMSG_ERR_SEC_AUTH_LDAP,
     LOGMSG_ERR_SEC_AUTH_LDAP_TLS,
@@ -59,6 +62,9 @@ from ..const import (
     PERMISSION_PREFIX,
 )
 
+if TYPE_CHECKING:
+    from flask_appbuilder.security.saml.types import SAMLConfig, SAMLProvider
+
 log = logging.getLogger(__name__)
 
 
@@ -186,6 +192,11 @@ class BaseSecurityManager(AbstractSecurityManager):
     """ Override if you want your own Authentication OAuth view """
     authremoteuserview = AuthRemoteUserView
     """ Override if you want your own Authentication REMOTE_USER view """
+    authsamlview = AuthSAMLView
+    """ Override if you want your own Authentication SAML view """
+
+    usersamlmodelview = UserSAMLModelView
+    """ Override if you want your own user SAML view """
 
     registeruserdbview = RegisterUserDBView
     """ Override if you want your own register user db view """
@@ -519,6 +530,41 @@ class BaseSecurityManager(AbstractSecurityManager):
     def oauth_providers(self):
         return current_app.config["OAUTH_PROVIDERS"]
 
+    @property
+    def saml_providers(self) -> List["SAMLProvider"]:
+        return current_app.config.get("SAML_PROVIDERS", [])
+
+    @property
+    def saml_config(self) -> "SAMLConfig":
+        return current_app.config.get("SAML_CONFIG", {})
+
+    def get_saml_provider(self, name: str) -> Optional["SAMLProvider"]:
+        """Return a specific SAML provider by name."""
+        for provider in self.saml_providers:
+            if provider["name"] == name:
+                return provider
+        return None
+
+    def get_saml_settings(self, provider_name: str) -> "SAMLConfig":
+        """Build the python3-saml settings dict for a given provider.
+
+        Merges the global SAML_CONFIG with the provider-specific IdP config.
+        """
+        import copy
+
+        provider = self.get_saml_provider(provider_name)
+        if not provider:
+            raise ValueError(
+                f"SAML provider '{provider_name}' not found in configuration"
+            )
+
+        base_config = copy.deepcopy(self.saml_config)
+
+        if "idp" in provider:
+            base_config["idp"] = provider["idp"]
+
+        return base_config
+
     @property
     def is_auth_limited(self) -> bool:
         return current_app.config["AUTH_RATE_LIMITED"]
@@ -807,6 +853,9 @@ class BaseSecurityManager(AbstractSecurityManager):
         elif self.auth_type == AUTH_REMOTE_USER:
             self.user_view = self.userremoteusermodelview
             self.auth_view = self.authremoteuserview()
+        elif self.auth_type == AUTH_SAML:
+            self.user_view = self.usersamlmodelview
+            self.auth_view = self.authsamlview()
         self.appbuilder.add_view_no_menu(self.auth_view)
 
         # this needs to be done after the view is added, otherwise the blueprint
@@ -1448,6 +1497,238 @@ class BaseSecurityManager(AbstractSecurityManager):
         else:
             return None
 
+    @staticmethod
+    def _prepare_saml_request() -> Dict[str, Any]:
+        """Prepare Flask request data in the format expected by python3-saml."""
+        return {
+            "https": "on" if request.scheme == "https" else "off",
+            "http_host": request.host,
+            "server_port": request.environ.get("SERVER_PORT", "443"),
+            "script_name": request.path,
+            "get_data": request.args.copy(),
+            "post_data": request.form.copy(),
+            "query_string": request.query_string.decode("utf-8"),
+        }
+
+    def _get_saml_auth(self, idp: str):
+        """Create a OneLogin_Saml2_Auth instance for the given IdP."""
+        from onelogin.saml2.auth import OneLogin_Saml2_Auth
+
+        return OneLogin_Saml2_Auth(
+            self._prepare_saml_request(), self.get_saml_settings(idp)
+        )
+
+    def get_saml_login_redirect_url(self, idp: str) -> str:
+        """Create a SAML authentication request and return the redirect URL.
+
+        :param idp: The SAML identity provider name.
+        :returns: The IdP redirect URL for SSO.
+        """
+        return self._get_saml_auth(idp).login()
+
+    def get_saml_userinfo(self, idp: str) -> Optional[Dict[str, Any]]:
+        """Process a SAML ACS response and return mapped user info.
+
+        :param idp: The SAML identity provider name.
+        :returns: A dict with mapped user info, session_index, and name_id,
+                  or None if authentication failed.
+        """
+        from flask_appbuilder.security.saml.utils import map_saml_attributes
+
+        auth = self._get_saml_auth(idp)
+        auth.process_response()
+        errors = auth.get_errors()
+
+        if errors:
+            error_reason = auth.get_last_error_reason() or ""
+            # Check for issuer mismatch (multi-tab / wrong IdP scenario)
+            if "issuer" in error_reason.lower():
+                log.error(
+                    "SAML Issuer mismatch for IdP '%s'. This may happen if you "
+                    "initiated login with a different IdP in another tab. "
+                    "Error: %s",
+                    idp,
+                    error_reason,
+                )
+            else:
+                log.error(
+                    "SAML ACS errors for IdP '%s': %s (reason: %s)",
+                    idp,
+                    errors,
+                    error_reason,
+                )
+            return None
+
+        if not auth.is_authenticated():
+            return None
+
+        saml_attributes = auth.get_attributes()
+        name_id = auth.get_nameid()
+        log.debug(
+            "SAML attributes from IdP '%s': %s, NameID: %s",
+            idp,
+            saml_attributes,
+            name_id,
+        )
+
+        provider = self.get_saml_provider(idp)
+        attribute_mapping = provider.get("attribute_mapping", {})
+        userinfo = map_saml_attributes(saml_attributes, attribute_mapping, name_id)
+
+        # Include session data needed for SLO
+        userinfo["saml_name_id"] = name_id
+        userinfo["saml_session_index"] = auth.get_session_index()
+
+        log.debug("Mapped SAML userinfo: %s", userinfo)
+        return userinfo
+
+    def get_saml_logout_redirect_url(
+        self,
+        idp: str,
+        name_id: Optional[str] = None,
+        session_index: Optional[str] = None,
+    ) -> Tuple[Optional[str], bool]:
+        """Process SAML SLO or initiate a logout request.
+
+        Handles three cases:
+        - Incoming SLO request from IdP (SAMLRequest)
+        - SLO response from IdP (SAMLResponse)
+        - SP-initiated logout (returns redirect URL to IdP)
+
+        :param idp: The SAML identity provider name.
+        :param name_id: The SAML NameID for the session.
+        :param session_index: The SAML session index.
+        :returns: Tuple of (redirect URL or None, should_logout flag).
+                  The caller should call logout_user() if should_logout is True.
+        """
+        auth = self._get_saml_auth(idp)
+        should_logout = False
+
+        def mark_logout():
+            nonlocal should_logout
+            should_logout = True
+
+        # Incoming SLO request from IdP
+        if "SAMLRequest" in request.form or "SAMLRequest" in request.args:
+            url = auth.process_slo(delete_session_cb=mark_logout)
+            return url, should_logout
+
+        # SLO response from IdP
+        if "SAMLResponse" in request.form or "SAMLResponse" in request.args:
+            auth.process_slo(delete_session_cb=mark_logout)
+            return None, should_logout
+
+        # SP-initiated logout
+        return auth.logout(name_id=name_id, session_index=session_index), True
+
+    def _saml_calculate_user_roles(self, userinfo) -> List[str]:
+        user_role_objects = set()
+
+        # apply AUTH_ROLES_MAPPING
+        if len(self.auth_roles_mapping) > 0:
+            user_role_keys = userinfo.get("role_keys", [])
+            user_role_objects.update(self.get_roles_from_keys(user_role_keys))
+
+        # apply AUTH_USER_REGISTRATION_ROLE
+        if self.auth_user_registration:
+            registration_role_name = self.auth_user_registration_role
+
+            if self.auth_user_registration_role_jmespath:
+                import jmespath
+
+                registration_role_name = jmespath.search(
+                    self.auth_user_registration_role_jmespath, userinfo
+                )
+
+            fab_role = self.find_role(registration_role_name)
+            if fab_role:
+                user_role_objects.add(fab_role)
+            else:
+                log.warning(
+                    "Can't find AUTH_USER_REGISTRATION role: %s", registration_role_name
+                )
+
+        return list(user_role_objects)
+
+    def auth_user_saml(self, userinfo):
+        """
+        Method for authenticating user with SAML.
+
+        :param userinfo: dict with user information extracted from SAML assertion
+                         (keys are the same as User model columns)
+        """
+        # extract the username from userinfo
+        if "username" in userinfo:
+            username = userinfo["username"]
+        elif "email" in userinfo:
+            username = userinfo["email"]
+        else:
+            log.error("SAML userinfo does not have username or email %s", userinfo)
+            return None
+
+        if (username is None) or username == "":
+            return None
+
+        # Search the DB for this user by username or email
+        user = self.find_user(username=username)
+        if not user and userinfo.get("email"):
+            user = self.find_user(email=userinfo["email"])
+
+        # If user is not active, go away
+        if user and (not user.is_active):
+            return None
+
+        # If user is not registered, and not self-registration, go away
+        if (not user) and (not self.auth_user_registration):
+            return None
+
+        # Sync the user's roles and info
+        if user:
+            updated = False
+
+            if self.auth_roles_sync_at_login:
+                new_roles = self._saml_calculate_user_roles(userinfo)
+                if new_roles:
+                    user.roles = new_roles
+                    updated = True
+                    log.debug(
+                        "Calculated new roles for user='%s' as: %s",
+                        username,
+                        user.roles,
+                    )
+
+            # Update user info from SAML assertion
+            for field in ("first_name", "last_name", "email"):
+                new_val = userinfo.get(field)
+                if new_val and getattr(user, field) != new_val:
+                    setattr(user, field, new_val)
+                    updated = True
+
+            if updated:
+                self.update_user(user)
+
+        # If the user is new, register them
+        if (not user) and self.auth_user_registration:
+            user = self.add_user(
+                username=username,
+                first_name=userinfo.get("first_name", ""),
+                last_name=userinfo.get("last_name", ""),
+                email=userinfo.get("email", "") or f"{username}@email.notfound",
+                role=self._saml_calculate_user_roles(userinfo),
+            )
+            log.debug("New SAML user registered: %s", user)
+
+            if not user:
+                log.error("Error creating a new SAML user %s", username)
+                return None
+
+        # LOGIN SUCCESS
+        if user:
+            self.update_user_auth_stat(user)
+            return user
+        else:
+            return None
+
     """
         ----------------------------------------
             PERMISSION ACCESS CHECK

flask_appbuilder/security/saml/metadata.py

@@ -0,0 +1,26 @@
+"""SP metadata generation for SAML authentication."""
+
+from __future__ import annotations
+
+import logging
+from typing import Any, Dict
+
+log = logging.getLogger(__name__)
+
+
+def get_sp_metadata(saml_settings: Dict[str, Any]) -> str:
+    """
+    Generate SP metadata XML from SAML settings.
+
+    :param saml_settings: The python3-saml settings dict
+    :return: SP metadata XML string
+    """
+    from onelogin.saml2.settings import OneLogin_Saml2_Settings
+
+    settings = OneLogin_Saml2_Settings(saml_settings, sp_validation_only=True)
+    metadata = settings.get_sp_metadata()
+    errors = settings.validate_metadata(metadata)
+    if errors:
+        log.error("SP Metadata validation errors: %s", errors)
+        raise ValueError(f"SP Metadata validation errors: {errors}")
+    return metadata

flask_appbuilder/security/saml/types.py

@@ -0,0 +1,73 @@
+"""SAML TypedDict definitions for Flask-AppBuilder."""
+
+from __future__ import annotations
+
+from typing import Any, Dict, List, TypedDict
+
+
+class SAMLServiceBinding(TypedDict):
+    url: str
+    binding: str
+
+
+class SAMLIdPConfig(TypedDict, total=False):
+    entityId: str
+    singleSignOnService: SAMLServiceBinding
+    singleLogoutService: SAMLServiceBinding
+    x509cert: str
+
+
+class SAMLProvider(TypedDict, total=False):
+    name: str
+    icon: str
+    idp: SAMLIdPConfig
+    attribute_mapping: Dict[str, str]
+
+
+class SAMLSPConfig(TypedDict, total=False):
+    entityId: str
+    assertionConsumerService: SAMLServiceBinding
+    singleLogoutService: SAMLServiceBinding
+    NameIDFormat: str
+    x509cert: str
+    privateKey: str
+
+
+class SAMLSecurityConfig(TypedDict, total=False):
+    nameIdEncrypted: bool
+    authnRequestsSigned: bool
+    logoutRequestSigned: bool
+    logoutResponseSigned: bool
+    signMetadata: bool
+    wantMessagesSigned: bool
+    wantAssertionsSigned: bool
+    wantAssertionsEncrypted: bool
+    wantNameId: bool
+    wantNameIdEncrypted: bool
+    wantAttributeStatement: bool
+
+
+class SAMLConfig(TypedDict, total=False):
+    strict: bool
+    debug: bool
+    sp: SAMLSPConfig
+    idp: SAMLIdPConfig
+    security: SAMLSecurityConfig
+
+
+class SAMLFlaskRequest(TypedDict):
+    https: str
+    http_host: str
+    server_port: str
+    script_name: str
+    get_data: Dict[str, Any]
+    post_data: Dict[str, Any]
+    query_string: str
+
+
+class SAMLUserInfo(TypedDict, total=False):
+    username: str
+    email: str
+    first_name: str
+    last_name: str
+    role_keys: List[str]

flask_appbuilder/security/saml/utils.py

@@ -0,0 +1,54 @@
+"""SAML utility helpers for Flask-AppBuilder."""
+
+from __future__ import annotations
+
+import logging
+from typing import Any, Dict, List, Optional
+
+from .types import SAMLUserInfo
+
+log = logging.getLogger(__name__)
+
+
+def map_saml_attributes(
+    saml_attributes: Dict[str, List[str]],
+    attribute_mapping: Dict[str, str],
+    name_id: Optional[str] = None,
+) -> SAMLUserInfo:
+    """Map SAML assertion attributes to FAB user fields.
+
+    Args:
+        saml_attributes: Raw attributes from the SAML assertion.
+        attribute_mapping: Mapping of SAML attribute names to FAB field names.
+        name_id: The SAML NameID value (used as fallback for username/email).
+
+    Returns:
+        Dictionary with FAB user field names as keys.
+    """
+    userinfo: Dict[str, Any] = {}
+
+    for saml_attr, fab_field in attribute_mapping.items():
+        value = saml_attributes.get(saml_attr)
+        if value is None:
+            continue
+        if fab_field == "role_keys":
+            userinfo[fab_field] = list(value)
+        else:
+            userinfo[fab_field] = value[0] if value else ""
+
+    # Fallback to NameID if no username/email mapped
+    if name_id and "username" not in userinfo:
+        userinfo["username"] = name_id
+        if "@" in name_id and "email" not in userinfo:
+            userinfo["email"] = name_id
+
+    return userinfo
+
+
+def fetch_idp_metadata(url: str) -> str:
+    """Fetch IdP metadata XML from a remote URL."""
+    import requests
+
+    resp = requests.get(url, timeout=10)
+    resp.raise_for_status()
+    return resp.text

flask_appbuilder/security/sqla/manager.py

@@ -82,6 +82,8 @@ class SecurityManager(BaseSecurityManager):
             self.useroauthmodelview.datamodel = user_datamodel
         elif self.auth_type == c.AUTH_REMOTE_USER:
             self.userremoteusermodelview.datamodel = user_datamodel
+        elif self.auth_type == c.AUTH_SAML:
+            self.usersamlmodelview.datamodel = user_datamodel
 
         if self.userstatschartview:
             self.userstatschartview.datamodel = user_datamodel
@@ -282,6 +284,15 @@ class SecurityManager(BaseSecurityManager):
 
     def update_user(self, user):
         try:
+            # Load existing user from DB to detect role/group changes
+            existing_user = self.session.get(self.user_model, user.id)
+
+            roles_changed = set(existing_user.roles) != set(user.roles)
+            groups_changed = set(existing_user.groups) != set(user.groups)
+
+            if roles_changed or groups_changed:
+                user.changed_on = datetime.utcnow()  # pragma: no cover
+
             self.session.merge(user)
             self.session.commit()
             log.info(c.LOGMSG_INF_SEC_UPD_USER, user)

flask_appbuilder/security/views.py

@@ -3,7 +3,17 @@ import logging
 import re
 from typing import Any, Optional
 
-from flask import abort, current_app, flash, g, redirect, request, session, url_for
+from flask import (
+    abort,
+    current_app,
+    flash,
+    g,
+    make_response,
+    redirect,
+    request,
+    session,
+    url_for,
+)
 from flask_appbuilder._compat import as_unicode
 from flask_appbuilder.actions import action
 from flask_appbuilder.baseviews import BaseView
@@ -21,6 +31,7 @@ from flask_appbuilder.security.forms import (
     roles_or_groups_required,
     UserInfoEdit,
 )
+from flask_appbuilder.security.saml.metadata import get_sp_metadata
 from flask_appbuilder.security.utils import generate_random_string
 from flask_appbuilder.utils.base import get_safe_redirect, lazy_formatter_gettext
 from flask_appbuilder.validators import PasswordComplexityValidator
@@ -732,6 +743,199 @@ class AuthOAuthView(AuthView):
             return redirect(next_url)
 
 
+class UserSAMLModelView(UserModelView):
+    """
+    View that adds SAML specifics to User view.
+    Override to implement your own custom view.
+    Then override usersamlmodelview property on SecurityManager.
+    """
+
+    pass
+
+
+class AuthSAMLView(AuthView):
+    """SAML 2.0 Authentication View."""
+
+    login_template = "appbuilder/general/security/login_saml.html"
+
+    @expose("/login/")
+    @expose("/login/<idp>")
+    @no_cache
+    def login(self, idp: Optional[str] = None) -> WerkzeugResponse:
+        if g.user is not None and g.user.is_authenticated:
+            return redirect(self.appbuilder.get_url_for_index)
+
+        sm = self.appbuilder.sm
+        providers = sm.saml_providers
+
+        if idp is None:
+            if len(providers) == 1:
+                return redirect(url_for(".login", idp=providers[0]["name"]))
+            return self.render_template(
+                self.login_template,
+                providers=providers,
+                title=self.title,
+                appbuilder=self.appbuilder,
+            )
+
+        from onelogin.saml2.errors import (
+            OneLogin_Saml2_Error,
+            OneLogin_Saml2_ValidationError,
+        )
+
+        try:
+            session["saml_idp"] = idp
+            next_url = get_safe_redirect(request.args.get("next", ""))
+            if next_url and next_url != self.appbuilder.get_url_for_index:
+                session["saml_next"] = next_url
+            return redirect(sm.get_saml_login_redirect_url(idp))
+        except (OneLogin_Saml2_Error, OneLogin_Saml2_ValidationError) as e:
+            log.error("SAML error initiating login for IdP '%s': %s", idp, e)
+            flash(as_unicode(self.invalid_login_message), "warning")
+            return redirect(self.appbuilder.get_url_for_index)
+        except ValueError as e:
+            log.error("SAML configuration error for IdP '%s': %s", idp, e)
+            flash(as_unicode(self.invalid_login_message), "warning")
+            return redirect(self.appbuilder.get_url_for_index)
+
+    @expose("/saml/acs/", methods=["POST"])
+    @no_cache
+    def acs(self) -> WerkzeugResponse:
+        """Assertion Consumer Service - receives SAML responses from IdP."""
+        from onelogin.saml2.errors import (
+            OneLogin_Saml2_Error,
+            OneLogin_Saml2_ValidationError,
+        )
+
+        sm = self.appbuilder.sm
+        try:
+            idp = session.get("saml_idp")
+            if not idp:
+                providers = sm.saml_providers
+                if len(providers) == 1:
+                    idp = providers[0]["name"]
+                else:
+                    flash("Could not determine identity provider.", "warning")
+                    return redirect(self.appbuilder.get_url_for_login)
+
+            userinfo = sm.get_saml_userinfo(idp)
+            if userinfo is None:
+                flash(as_unicode(self.invalid_login_message), "warning")
+                return redirect(self.appbuilder.get_url_for_login)
+
+            user = sm.auth_user_saml(userinfo)
+            if user is None:
+                flash(as_unicode(self.invalid_login_message), "warning")
+                return redirect(self.appbuilder.get_url_for_login)
+
+            # Calculate redirect URL before login (so failures don't leave partial state)
+            next_url = session.pop("saml_next", "") or ""
+            if next_url:
+                next_url = get_safe_redirect(next_url)
+            else:
+                next_url = self.appbuilder.get_url_for_index
+
+            # Store SAML session info for SLO
+            session["saml_name_id"] = userinfo.get("saml_name_id")
+            session["saml_session_index"] = userinfo.get("saml_session_index")
+            session["saml_idp"] = idp
+
+            # login_user is the last operation before redirect
+            login_user(user, remember=False)
+            return redirect(next_url)
+
+        except (OneLogin_Saml2_Error, OneLogin_Saml2_ValidationError) as e:
+            log.error("SAML validation error in ACS: %s", e)
+            flash(as_unicode(self.invalid_login_message), "warning")
+            return redirect(self.appbuilder.get_url_for_login)
+        except ValueError as e:
+            # Provider not found or config error
+            log.error("SAML configuration error in ACS: %s", e)
+            flash(as_unicode(self.invalid_login_message), "warning")
+            return redirect(self.appbuilder.get_url_for_login)
+
+    @expose("/saml/slo/", methods=["GET", "POST"])
+    def slo(self) -> WerkzeugResponse:
+        """Single Logout endpoint."""
+        from onelogin.saml2.errors import (
+            OneLogin_Saml2_Error,
+            OneLogin_Saml2_ValidationError,
+        )
+
+        try:
+            idp = session.get("saml_idp")
+            if not idp:
+                logout_user()
+                return redirect(self.appbuilder.get_url_for_index)
+
+            url, should_logout = self.appbuilder.sm.get_saml_logout_redirect_url(
+                idp,
+                name_id=session.get("saml_name_id"),
+                session_index=session.get("saml_session_index"),
+            )
+            if should_logout:
+                logout_user()
+            return redirect(url or self.appbuilder.get_url_for_index)
+
+        except (OneLogin_Saml2_Error, OneLogin_Saml2_ValidationError) as e:
+            log.error("SAML SLO validation error: %s", e)
+            logout_user()
+            return redirect(self.appbuilder.get_url_for_index)
+        except ValueError as e:
+            log.error("SAML SLO configuration error: %s", e)
+            logout_user()
+            return redirect(self.appbuilder.get_url_for_index)
+
+    @expose("/logout/")
+    def logout(self) -> WerkzeugResponse:
+        """Override logout to support SAML SLO."""
+        idp = session.get("saml_idp")
+        if idp:
+            try:
+                return redirect(url_for(".slo"))
+            except Exception:
+                pass
+        logout_user()
+        return redirect(
+            current_app.config.get(
+                "LOGOUT_REDIRECT_URL", self.appbuilder.get_url_for_index
+            )
+        )
+
+    @expose("/saml/metadata/")
+    @expose("/saml/metadata/<idp>")
+    def metadata(self, idp: Optional[str] = None) -> WerkzeugResponse:
+        """SP Metadata endpoint.
+
+        Without idp parameter, returns metadata for the first configured provider.
+        With idp parameter, returns metadata for that specific provider.
+        """
+        try:
+            sm = self.appbuilder.sm
+            providers = sm.saml_providers
+            if not providers:
+                abort(404)
+
+            # Use specified IdP or default to first provider
+            provider_name = idp if idp else providers[0]["name"]
+            if idp and not sm.get_saml_provider(idp):
+                log.warning("Metadata requested for unknown IdP: %s", idp)
+                abort(404)
+
+            saml_settings = sm.get_saml_settings(provider_name)
+            metadata_xml = get_sp_metadata(saml_settings)
+
+            resp = make_response(metadata_xml, 200)
+            resp.headers["Content-Type"] = "text/xml"
+            return resp
+        except ValueError as e:
+            log.error("SAML metadata configuration error: %s", e)
+            abort(404)
+        except Exception as e:
+            log.error("Error generating SP metadata: %s", e)
+            abort(500)
+
+
 class AuthRemoteUserView(AuthView):
     login_template = ""
 

flask_appbuilder/templates/appbuilder/general/security/login_saml.html

@@ -0,0 +1,45 @@
+<!-- extend base layout -->
+{% extends "appbuilder/base.html" %}
+
+{% block content %}
+
+<div class="container">
+    <div id="loginbox" style="margin-top:50px;" class="mainbox col-md-6 col-md-offset-3 col-sm-8 col-sm-offset-2">
+        <div class="panel panel-primary">
+            <div class="panel-heading">
+                <div class="panel-title">{{ title }}</div>
+            </div>
+            <div style="padding-top:30px" class="panel-body">
+                <div>
+                    {% for provider in providers %}
+                    <a
+                        id="btn-signin-{{provider.name}}"
+                        class="btn btn-primary btn-block"
+                        type="submit"
+                    >
+                        {{_('Sign In with ')}}{{ provider.name }}
+                        <i id="{{provider.name}}" class="provider-select fa {{provider.get('icon', 'fa-sign-in')}} fa-1x"></i>
+                    </a>
+                    {% endfor %}
+                </div>
+            </div>
+        </div>
+    </div>
+</div>
+
+<script nonce="{{ baselib.get_nonce() }}">
+    var baseLoginUrl = {{ appbuilder.get_url_for_login | tojson }};
+    var nextParam = {{ request.args.get('next', '') | urlencode | tojson }};
+    var next = nextParam ? "?next=" + nextParam : "";
+
+    function signin(provider) {
+        window.location.href = baseLoginUrl + provider + next;
+    }
+
+    {% for provider in providers %}
+        document.getElementById({{ ("btn-signin-" ~ provider.name) | tojson }})
+            .addEventListener("click", function () { signin({{ provider.name | tojson }}) })
+    {% endfor %}
+
+</script>
+{% endblock %}

{flask_appbuilder-5.0.2rc2.dist-info → flask_appbuilder-5.1.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: flask-appbuilder
-Version: 5.0.2rc2
+Version: 5.1.0
 Summary: Simple and rapid application development framework, built on top of Flask. includes detailed security, auto CRUD generation for your models, google charts and much more.
 Home-page: https://github.com/dpgaspar/flask-appbuilder/
 Author: Daniel Vaz Gaspar
@@ -46,6 +46,8 @@ Provides-Extra: jmespath
 Requires-Dist: jmespath >=0.9.5 ; extra == 'jmespath'
 Provides-Extra: oauth
 Requires-Dist: Authlib <2.0.0,>=0.14 ; extra == 'oauth'
+Provides-Extra: saml
+Requires-Dist: python3-saml >=1.15.0 ; extra == 'saml'
 Provides-Extra: talisman
 Requires-Dist: flask-talisman <2.0,>=1.0.0 ; extra == 'talisman'
 

{flask_appbuilder-5.0.2rc2.dist-info → flask_appbuilder-5.1.0.dist-info}/RECORD

@@ -1,11 +1,11 @@
-flask_appbuilder/__init__.py,sha256=kccl0QS1QRwVjpyVz6r_GntQ2KzHn4Uc357t3s5rOW8,707
+flask_appbuilder/__init__.py,sha256=ETKfC8lr0iG2ejNbDVVZsObKUhRiTF3TNebyr21l34s,704
 flask_appbuilder/_compat.py,sha256=Ac71GIwVHe9Pq7i2qDsrGUgL63Vz5oeC4rjhWw0kd6g,1969
 flask_appbuilder/actions.py,sha256=-TqIH159BKCB-ezHJifbubApk2nxjospNYfH_7IgBJ8,1177
 flask_appbuilder/base.py,sha256=m9TTuOoBiU99qHfCPv27RwhVeXu4IjpS2_RzkQJvnFY,25543
 flask_appbuilder/basemanager.py,sha256=MdgZ52RhUBxKWRBxp4a2u41cUy9u7FBYWVHo6FW_RG0,342
 flask_appbuilder/baseviews.py,sha256=z97PnyNnK30MyDU6vnaBdPdZFiXJMK6gMg9oDQJpKfQ,50171
 flask_appbuilder/cli.py,sha256=2QtMfOOVzdtSRBhZKYe1W3T6oFMchoSRv3ptS3U304w,14347
-flask_appbuilder/const.py,sha256=D4ZZN1afeg0OYSiBVqfoFeq0n5ij62e8oYh9kiNmaP0,8378
+flask_appbuilder/const.py,sha256=scpuwc53EgiT7FBbb4eiCFAc1EJn2l6UQBRK0D2xF_w,8392
 flask_appbuilder/exceptions.py,sha256=nA-l9TNFCuKt6KhS0YAF4Tn9Mf2KgNe2lBXykyChf2M,1798
 flask_appbuilder/fields.py,sha256=GyM_EjpP0HL1cpqhVjWludv3uj1VdKImM-kj5fazDk8,9328
 flask_appbuilder/fieldwidgets.py,sha256=XPQPzBsNsTOi848nK2lsQG0knkZzx9kLvujspqL83Qs,6058
@@ -49,13 +49,17 @@ flask_appbuilder/security/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJW
 flask_appbuilder/security/api.py,sha256=HcVBiiSk9gwsMGJXhvYFSVYdowNOFoDMGyN6DqZOH4s,5229
 flask_appbuilder/security/decorators.py,sha256=0qiJEN5MiSwsxE_LI2vtGkdEoqMH8fqXarlGRk9SAYo,11011
 flask_appbuilder/security/forms.py,sha256=PTJlF4-5HOOSBmfZYq_YWC5QSyEPYsvirLt4oeBgvXQ,3452
-flask_appbuilder/security/manager.py,sha256=hkf59yDN_yrj6hRk9PNrqqBTdlZdu4bk_WAE8A6eSFk,79414
+flask_appbuilder/security/manager.py,sha256=Hd5msEYmU1_ZiQ0McZnA_vw3Kma84QMDgBnRxiqoVSM,89522
 flask_appbuilder/security/registerviews.py,sha256=cj1KDR6DiZ4WlDfIdrpvBp1Nd_VJ4gyHn6qc_A4HUTM,7512
 flask_appbuilder/security/schemas.py,sha256=keManyd6dh-FXBXGkuvVHLWh-BSYoJytv8pTZ2wTHhY,1359
 flask_appbuilder/security/utils.py,sha256=0PwDO-mB76RLPYlV9tCksChIMRq3zQgwLwiVMJ8jeiU,247
-flask_appbuilder/security/views.py,sha256=yABRVGT8A1Xn_c0-Cs-qlcp3VWUV3zN9Aqde8F4DczM,25570
+flask_appbuilder/security/views.py,sha256=crZitKI_DOzMOTwy7Zsjh-7xDFsEQhJTijGQ0u-dpYg,33042
+flask_appbuilder/security/saml/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+flask_appbuilder/security/saml/metadata.py,sha256=Vvd_OrxdBC8wcX-SJpYoqfZ-zxzgOC7S3fRWjz2g1Tc,793
+flask_appbuilder/security/saml/types.py,sha256=v8EwQSMittRvXCyAWlUSo_77pWeA1XcG-CAjDGxHqOM,1591
+flask_appbuilder/security/saml/utils.py,sha256=PKgFyPi8pxzfmM0h3C42qp6ro-qIdzrtihA3T9aGwEA,1550
 flask_appbuilder/security/sqla/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-flask_appbuilder/security/sqla/manager.py,sha256=Pj_HsTC0dxm8P3pDGvs1YkSAgB1HjUuc_3T18uUwoV4,28515
+flask_appbuilder/security/sqla/manager.py,sha256=3SZjwcKS4zVuOKipx4QcDUu57ggpbrE31sfermPs6vM,29032
 flask_appbuilder/security/sqla/models.py,sha256=Za5Ec7qRCGA9WAmwGdTzI1OZLTx_ovoH0hUYf1Q1im0,9497
 flask_appbuilder/security/sqla/apis/__init__.py,sha256=BEPT-0mp9n48tq72bZQiES80P0L8vdWYqki3kbhTr-s,512
 flask_appbuilder/security/sqla/apis/group/__init__.py,sha256=6HMo0L15Bw5dZX_1k2eh1zh-3Jg2KuDIlIy8V8R9jCU,40
@@ -167,6 +171,7 @@ flask_appbuilder/templates/appbuilder/general/security/activation.html,sha256=xE
 flask_appbuilder/templates/appbuilder/general/security/login_db.html,sha256=gJVY9kxEa_-bpxHTAJsVBCVJ2MZmlg0oVnNC18vB4bE,2955
 flask_appbuilder/templates/appbuilder/general/security/login_ldap.html,sha256=W3pPTRUwFkCKTJEDItipq0E1SvBZ92dP6wekR_qxYrc,2002
 flask_appbuilder/templates/appbuilder/general/security/login_oauth.html,sha256=-XwSh9NBm3rpd_kryjRThF_mqQTFPgiJu_zOnYGAGtM,1595
+flask_appbuilder/templates/appbuilder/general/security/login_saml.html,sha256=CbIslIhPSXp4mfO32cg4ztxP9Uvufkfkeezp2H66v3w,1644
 flask_appbuilder/templates/appbuilder/general/security/register_mail.html,sha256=o40VoLzyETkSM7lW5el2Hff-gIAh3i5jMlW0d2Ay-4M,230
 flask_appbuilder/templates/appbuilder/general/security/register_oauth.html,sha256=Zl-ORB_dCbphWaXYigEGSVIBU6ZrcNwAGDPrUUXSVo4,1057
 flask_appbuilder/templates/appbuilder/general/widgets/base_list.html,sha256=Fv7FyPoLPanYh_zmFosQnibJb0jTJ4QwToqKAkBCHqU,1153
@@ -232,9 +237,9 @@ flask_appbuilder/utils/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3
 flask_appbuilder/utils/base.py,sha256=MtrE-rqiigb45HzcJmvz3J_-22mtKXjXYNB9tQ6CcbY,2490
 flask_appbuilder/utils/legacy.py,sha256=Bz2_imi02_aOE_w7dN_0Igl_fWjD1PTLlu6gx8IMAW4,1001
 flask_appbuilder/utils/limit.py,sha256=hEwMH2k_bPiqMaaP--alPW5YaiJS21YBgRthKiv0uPo,725
-flask_appbuilder-5.0.2rc2.dist-info/LICENSE,sha256=pZ-ajm1I_0h91a1peoZFSemkiFE8kK1H_xmV_cxlQlY,1493
-flask_appbuilder-5.0.2rc2.dist-info/METADATA,sha256=vvU0b0IO8EuuFgocLFjBylmdQ1T6wHaB2pozc8s1MCw,8786
-flask_appbuilder-5.0.2rc2.dist-info/WHEEL,sha256=oiQVh_5PnQM0E3gPdiz09WCNmwiHDMaGer_elqB3coM,92
-flask_appbuilder-5.0.2rc2.dist-info/entry_points.txt,sha256=h5lBK4jb4RFWW8gH7C-0tE5QvQGUA5wx5hlYOhNWy4Q,48
-flask_appbuilder-5.0.2rc2.dist-info/top_level.txt,sha256=Dy4t809z2TNdpjQhDUMEXU8Hc61x1e6WRNaC7hG6r8M,17
-flask_appbuilder-5.0.2rc2.dist-info/RECORD,,
+flask_appbuilder-5.1.0.dist-info/LICENSE,sha256=pZ-ajm1I_0h91a1peoZFSemkiFE8kK1H_xmV_cxlQlY,1493
+flask_appbuilder-5.1.0.dist-info/METADATA,sha256=DXpnxeSzXlEdpX0NY_F6vos-YOHlWZ0P8lOKWdZa3ss,8859
+flask_appbuilder-5.1.0.dist-info/WHEEL,sha256=oiQVh_5PnQM0E3gPdiz09WCNmwiHDMaGer_elqB3coM,92
+flask_appbuilder-5.1.0.dist-info/entry_points.txt,sha256=h5lBK4jb4RFWW8gH7C-0tE5QvQGUA5wx5hlYOhNWy4Q,48
+flask_appbuilder-5.1.0.dist-info/top_level.txt,sha256=Dy4t809z2TNdpjQhDUMEXU8Hc61x1e6WRNaC7hG6r8M,17
+flask_appbuilder-5.1.0.dist-info/RECORD,,