+ nameid = None
+ if nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT:
+ # TODO map to something else ?
+ nameid = provider.normalize_username(user.name)
+ elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT:
+ # TODO map to something else ?
+ nameid = provider.normalize_username(user.name)
+ elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_KERBEROS:
+ nameid = us.get_data('user', 'krb_principal_name')
+ elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_EMAIL:
+ nameid = us.get_user().email
+ if not nameid:
+ nameid = '%s@%s' % (user.name, self.cfg.default_email_domain)
+
+ if nameid:
+ login.assertion.subject.nameId.format = nameidfmt
+ login.assertion.subject.nameId.content = nameid
+ else:
+ self.trans.wipe()
+ raise AuthenticationError("Unavailable Name ID type",
+ lasso.SAML2_STATUS_CODE_AUTHN_FAILED)
+
+ if not login.assertion.attributeStatement:
+ attrstat = lasso.Saml2AttributeStatement()
+ login.assertion.attributeStatement = [attrstat]
+ else:
+ attrstat = login.assertion.attributeStatement[0]
+ if not attrstat.attribute:
+ attrstat.attribute = ()
+
+ # Check attribute policy and perform mapping and filtering
+ policy = Policy(self.cfg.default_attribute_mapping,
+ self.cfg.default_allowed_attributes)
+ userattrs = us.get_user_attrs()
+ mappedattrs, _ = policy.map_attributes(userattrs)
+ attributes = policy.filter_attributes(mappedattrs)
+
+ self.debug("%s's attributes: %s" % (user.name, attributes))
+
+ for key in attributes:
+ values = attributes[key]
+ if isinstance(values, dict):
+ continue
+ if not isinstance(values, list):
+ values = [values]
+ for value in values:
+ attr = lasso.Saml2Attribute()
+ attr.name = key
+ attr.nameFormat = lasso.SAML2_ATTRIBUTE_NAME_FORMAT_BASIC
+ value = str(value).encode('utf-8')
+ self.debug('value %s' % value)
+ node = lasso.MiscTextNode.newWithString(value)
+ node.textChild = True
+ attrvalue = lasso.Saml2AttributeValue()
+ attrvalue.any = [node]
+ attr.attributeValue = [attrvalue]
+ attrstat.attribute = attrstat.attribute + (attr,)
+
+ self.debug('Assertion: %s' % login.assertion.dump())
+
+ saml_sessions = us.get_provider_data('saml2')
+ if saml_sessions is None:
+ saml_sessions = SAMLSessionsContainer()
+
+ session = saml_sessions.find_session_by_provider(
+ login.remoteProviderId)
+ if session:
+ # TODO: something...
+ self.debug('Login session for this user already exists!?')
+ session.dump()
+
+ lasso_session = lasso.Session()
+ lasso_session.addAssertion(login.remoteProviderId, login.assertion)
+ saml_sessions.add_session(login.assertion.id,
+ login.remoteProviderId,
+ lasso_session)
+ us.save_provider_data('saml2', saml_sessions)
+
+ def saml2error(self, login, code, message):
+ status = lasso.Samlp2Status()
+ status.statusCode = lasso.Samlp2StatusCode()
+ status.statusCode.value = lasso.SAML2_STATUS_CODE_RESPONDER
+ status.statusCode.statusCode = lasso.Samlp2StatusCode()
+ status.statusCode.statusCode.value = code
+ login.response.status = status