From 4295ab3e4a78357b7c11e9c1a194bff79425aec6 Mon Sep 17 00:00:00 2001
From: Chris Church
Date: Tue, 6 Dec 2016 12:55:51 -0500
Subject: [PATCH 1/3] Show SAML errors that aren't tied to a specific IdP.

---
 awx/api/views.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/awx/api/views.py b/awx/api/views.py
index e1009e6bfb..734d1159b6 100644
--- a/awx/api/views.py
+++ b/awx/api/views.py
@@ -534,7 +534,7 @@ class AuthView(APIView):
 saml_backend_data = dict(backend_data.items())
 saml_backend_data['login_url'] = '%s?idp=%s' % (login_url, idp)
 full_backend_name = '%s:%s' % (name, idp)
- if err_backend == full_backend_name and err_message:
+ if (err_backend == full_backend_name or err_backend == name) and err_message:
 saml_backend_data['error'] = err_message
 data[full_backend_name] = saml_backend_data
 else:

From 417d7c29ee6e7941e5b8c259a167a149964e3414 Mon Sep 17 00:00:00 2001
From: Chris Church
Date: Tue, 6 Dec 2016 12:56:25 -0500
Subject: [PATCH 2/3] Allow SAML entity ID to be any string, not required to be a URL.

---
 awx/sso/conf.py | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/awx/sso/conf.py b/awx/sso/conf.py
index 4bde08e55a..c3ab7f7e56 100644
--- a/awx/sso/conf.py
+++ b/awx/sso/conf.py
@@ -924,13 +924,12 @@ register(
 
 register(
 'SOCIAL_AUTH_SAML_SP_ENTITY_ID',
- field_class=fields.URLField,
- schemes=('http', 'https'),
+ field_class=fields.CharField,
 allow_blank=True,
 default='',
 label=_('SAML Service Provider Entity ID'),
- help_text=_('Set to a URL for a domain name you own (does not need to be a ' 'valid URL; only used as a unique ID).'),
+ help_text=_('The application-defined unique identifier used as the ' 'audience of the SAML service provider (SP) configuration.'),
 category=_('SAML'),
 category_slug='saml',
 feature_required='enterprise_auth',

From 1e157c2255eb9f0eda70f580f9ddd5efb6b00104 Mon Sep 17 00:00:00 2001
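Review bot: The widened condition on the `+` line attaches a backend-wide error to every IdP entry of that backend, which is the stated intent but is not obvious from the line itself; a short comment would help, e.g. `# an error reported for the bare backend name (not a specific IdP) is shown on every IdP entry`. The comparison also reads more naturally as `if err_backend in (full_backend_name, name) and err_message:`. The enclosing loop and method begin and end outside the hunk, so how err_backend and err_message are derived is not visible here.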
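Review bot: Switching `SOCIAL_AUTH_SAML_SP_ENTITY_ID` to `fields.CharField` removes the only validation the setting had, and no length bound replaces it; SAML 2.0 Core (section 8.3.6) defines an entityID as a URI of at most 1024 characters, so `max_length=1024` would keep the value within what IdPs accept, assuming this CharField takes the usual keyword. The value presumably ends up verbatim in the generated SP metadata and in assertions' audience checks, so it is worth confirming the metadata generator escapes it for XML. The new help_text could also state that the value must match the audience configured at the IdP exactly, since it is no longer normalized as a URL.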
From: Chris Church
Date: Tue, 6 Dec 2016 12:57:01 -0500
Subject: [PATCH 3/3] Display error instead of raising 500 for invalid SAML config to generate metadata.

---
 awx/sso/views.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/awx/sso/views.py b/awx/sso/views.py
index a25aabf511..5d34234464 100644
--- a/awx/sso/views.py
+++ b/awx/sso/views.py
@@ -83,7 +83,11 @@ class MetadataView(View):
 'saml',
 redirect_uri=complete_url,
 )
- metadata, errors = saml_backend.generate_metadata_xml()
+ try:
+ metadata, errors = saml_backend.generate_metadata_xml()
+ except Exception as e:
+ logger.exception('unable to generate SAML metadata')
+ errors = e
 if not errors:
 return HttpResponse(content=metadata, content_type='text/xml')
 else:
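Review bot: On the new except path `errors` becomes the bare exception object, whereas the success path presumably yields a list of error strings from `generate_metadata_xml()`, so the `else:` branch (outside the hunk) now has to render two different types; the raw exception text may also expose internal details (file paths, library state) to whoever can reach the metadata endpoint, while `logger.exception` already keeps the full traceback server-side. A fixed, non-technical message avoids that and keeps the type consistent: `errors = ['Unable to generate SAML metadata; check the SAML settings and the server log.']`. Note that `metadata` is left unbound on this path, which is safe only because exception instances are truthy, so `metadata = None` before the `try` would make that explicit. The view method starts before the hunk and its error-rendering branch continues after it.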