import cherrypy
import datetime
import lasso
+import uuid
+import hashlib
class UnknownProvider(ProviderException):
nameid = None
if nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT:
- # TODO map to something else ?
- nameid = provider.normalize_username(user.name)
+ idpsalt = self.cfg.idp_nameid_salt
+ if idpsalt is None:
+ raise AuthenticationError(
+ "idp nameid salt is not set in configuration"
+ )
+ value = hashlib.sha512()
+ value.update(idpsalt)
+ value.update(login.remoteProviderId)
+ value.update(user.name)
+ nameid = '_' + value.hexdigest()
elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT:
- # TODO map to something else ?
- nameid = provider.normalize_username(user.name)
+ nameid = '_' + uuid.uuid4().hex
elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_KERBEROS:
nameid = us.get_data('user', 'krb_principal_name')
elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_EMAIL:
nameid = us.get_user().email
if not nameid:
nameid = '%s@%s' % (user.name, self.cfg.default_email_domain)
+ elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_UNSPECIFIED:
+ nameid = provider.normalize_username(user.name)
if nameid:
login.assertion.subject.nameId.format = nameidfmt
raise AuthenticationError("Unavailable Name ID type",
lasso.SAML2_STATUS_CODE_AUTHN_FAILED)
- # Check attribute policy and perform mapping and filtering
- policy = Policy(self.cfg.default_attribute_mapping,
- self.cfg.default_allowed_attributes)
+ # Check attribute policy and perform mapping and filtering.
+ # If the SP has its own mapping or filtering policy use that
+ # instead of the global policy.
+ if (provider.attribute_mappings is not None and
+ len(provider.attribute_mappings) > 0):
+ attribute_mappings = provider.attribute_mappings
+ else:
+ attribute_mappings = self.cfg.default_attribute_mapping
+ if (provider.allowed_attributes is not None and
+ len(provider.allowed_attributes) > 0):
+ allowed_attributes = provider.allowed_attributes
+ else:
+ allowed_attributes = self.cfg.default_allowed_attributes
+ self.debug("Allowed attrs: %s" % allowed_attributes)
+ self.debug("Mapping: %s" % attribute_mappings)
+ policy = Policy(attribute_mappings, allowed_attributes)
userattrs = us.get_user_attrs()
mappedattrs, _ = policy.map_attributes(userattrs)
attributes = policy.filter_attributes(mappedattrs)