+ nameid = None
+ if nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT:
+ ## TODO map to something else ?
+ nameid = provider.normalize_username(user.name)
+ elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT:
+ ## TODO map to something else ?
+ nameid = provider.normalize_username(user.name)
+ elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_KERBEROS:
+ nameid = us.get_data('user', 'krb_principal_name')
+ elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_EMAIL:
+ nameid = us.get_user().email
+ if not nameid:
+ nameid = '%s@%s' % (user.name, self.cfg.default_email_domain)
+
+ if nameid:
+ login.assertion.subject.nameId.format = nameidfmt
+ login.assertion.subject.nameId.content = nameid
+ else:
+ raise AuthenticationError("Unavailable Name ID type",
+ lasso.SAML2_STATUS_CODE_AUTHN_FAILED)
+
+ # TODO: add user attributes as policy requires from 'usersession'
+
+ def saml2error(self, login, code, message):
+ status = lasso.Samlp2Status()
+ status.statusCode = lasso.Samlp2StatusCode()
+ status.statusCode.value = lasso.SAML2_STATUS_CODE_RESPONDER
+ status.statusCode.statusCode = lasso.Samlp2StatusCode()
+ status.statusCode.statusCode.value = code
+ login.response.status = status