+ nameid = None
+ if nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT:
+ ## TODO map to something else ?
+ nameid = provider.normalize_username(user.name)
+ elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT:
+ ## TODO map to something else ?
+ nameid = provider.normalize_username(user.name)
+ elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_KERBEROS:
+ nameid = us.get_data('user', 'krb_principal_name')
+ elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_EMAIL:
+ nameid = us.get_user().email
+ if not nameid:
+ nameid = '%s@%s' % (user.name, self.cfg.default_email_domain)
+
+ if nameid:
+ login.assertion.subject.nameId.format = nameidfmt
+ login.assertion.subject.nameId.content = nameid
+ else:
+ raise AuthenticationError("Unavailable Name ID type",
+ lasso.SAML2_STATUS_CODE_AUTHN_FAILED)
+
+ # TODO: add user attributes as policy requires taking from 'usersession'