def __init__(self, message):
super(UnknownProvider, self).__init__(message)
- self._debug(message)
+ self.debug(message)
class AuthenticateRequest(ProviderPageBase):
e, message)
raise UnknownProvider(msg)
- self._debug('SP %s requested authentication' % login.remoteProviderId)
+ self.debug('SP %s requested authentication' % login.remoteProviderId)
return login
try:
login = self._parse_request(request)
except InvalidRequest, e:
- self._debug(str(e))
+ self.debug(str(e))
raise cherrypy.HTTPError(400, 'Invalid SAML request token')
except UnknownProvider, e:
- self._debug(str(e))
+ self.debug(str(e))
raise cherrypy.HTTPError(400, 'Unknown Service Provider')
except Exception, e: # pylint: disable=broad-except
- self._debug(str(e))
+ self.debug(str(e))
raise cherrypy.HTTPError(500)
return login
elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT:
nameid = '_' + uuid.uuid4().hex
elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_KERBEROS:
- nameid = us.get_data('user', 'krb_principal_name')
+ userattrs = us.get_user_attrs()
+ nameid = userattrs.get('gssapi_principal_name')
elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_EMAIL:
nameid = us.get_user().email
if not nameid:
raise AuthenticationError("Unavailable Name ID type",
lasso.SAML2_STATUS_CODE_AUTHN_FAILED)
- # Check attribute policy and perform mapping and filtering
- policy = Policy(self.cfg.default_attribute_mapping,
- self.cfg.default_allowed_attributes)
+ # Check attribute policy and perform mapping and filtering.
+ # If the SP has its own mapping or filtering policy use that
+ # instead of the global policy.
+ if (provider.attribute_mappings is not None and
+ len(provider.attribute_mappings) > 0):
+ attribute_mappings = provider.attribute_mappings
+ else:
+ attribute_mappings = self.cfg.default_attribute_mapping
+ if (provider.allowed_attributes is not None and
+ len(provider.allowed_attributes) > 0):
+ allowed_attributes = provider.allowed_attributes
+ else:
+ allowed_attributes = self.cfg.default_allowed_attributes
+ self.debug("Allowed attrs: %s" % allowed_attributes)
+ self.debug("Mapping: %s" % attribute_mappings)
+ policy = Policy(attribute_mappings, allowed_attributes)
userattrs = us.get_user_attrs()
mappedattrs, _ = policy.map_attributes(userattrs)
attributes = policy.filter_attributes(mappedattrs)
raise cherrypy.HTTPError(501)
elif login.protocolProfile == lasso.LOGIN_PROTOCOL_PROFILE_BRWS_POST:
login.buildAuthnResponseMsg()
- self._debug('POSTing back to SP [%s]' % (login.msgUrl))
+ self.debug('POSTing back to SP [%s]' % (login.msgUrl))
context = {
"title": 'Redirecting back to the web application',
"action": login.msgUrl,
],
"submit": 'Return to application',
}
- # pylint: disable=star-args
return self._template('saml2/post_response.html', **context)
else:
projects / cascardo / ipsilon.git / blobdiff