+ attribute_mappings = self.cfg.default_attribute_mapping
+ if (provider.allowed_attributes is not None and
+ len(provider.allowed_attributes) > 0):
+ allowed_attributes = provider.allowed_attributes
+ else:
+ allowed_attributes = self.cfg.default_allowed_attributes
+ self.debug("Allowed attrs: %s" % allowed_attributes)
+ self.debug("Mapping: %s" % attribute_mappings)
+ policy = Policy(attribute_mappings, allowed_attributes)
+ userattrs = us.get_user_attrs()
+ mappedattrs, _ = policy.map_attributes(userattrs)
+ attributes = policy.filter_attributes(mappedattrs)
+
+ if '_groups' in attributes and 'groups' not in attributes:
+ attributes['groups'] = attributes['_groups']
+
+ self.debug("%s's attributes: %s" % (user.name, attributes))
+
+ # The saml-core-2.0-os specification section 2.7.3 requires
+ # the AttributeStatement element to be non-empty.
+ if attributes:
+ if not login.assertion.attributeStatement:
+ attrstat = lasso.Saml2AttributeStatement()
+ login.assertion.attributeStatement = [attrstat]
+ else:
+ attrstat = login.assertion.attributeStatement[0]
+ if not attrstat.attribute:
+ attrstat.attribute = ()