from ipsilon.providers.saml2.provider import ServiceProvider
from ipsilon.providers.saml2.provider import InvalidProviderId
from ipsilon.providers.saml2.provider import NameIdNotAllowed
-from ipsilon.providers.saml2.sessions import SAMLSessionFactory
from ipsilon.tools import saml2metadata as metadata
from ipsilon.util.policy import Policy
from ipsilon.util.user import UserSession
class AuthenticateRequest(ProviderPageBase):
- def __init__(self, *args, **kwargs):
- super(AuthenticateRequest, self).__init__(*args, **kwargs)
+ def __init__(self, site, provider, *args, **kwargs):
+ super(AuthenticateRequest, self).__init__(site, provider)
self.stage = 'init'
self.trans = None
self.binding = None
return login
- def saml2login(self, request):
+ def _idp_initiated_login(self, spidentifier, relaystate):
+ """
+ Perform an Idp-initiated login
- if not request:
+ Exceptions are handled by the caller
+ """
+ login = self.cfg.idp.get_login_handler()
+
+ login.initIdpInitiatedAuthnRequest(spidentifier)
+
+ # Hardcode for now, handle Artifact later
+ login.request.protocolBinding = lasso.SAML2_METADATA_BINDING_POST
+
+ login.processAuthnRequestMsg()
+
+ if relaystate is not None:
+ login.msgRelayState = relaystate
+ else:
+ provider = ServiceProvider(self.cfg, login.remoteProviderId)
+ if provider.splink is not None:
+ login.msgRelayState = provider.splink
+ else:
+ login.msgRelayState = login.remoteProviderId
+
+ return login
+
+ def saml2login(self, request, spidentifier=None, relaystate=None):
+ """
+ request: the SAML request
+ spidentifier: the provider ID for IdP-initiated login
+ relaystate: optional string to direct user to particular place on
+ the SP after sending POST. If one is not provided then
+ the protected site from the SP is used, otherwise it
+ is set to the remote provider ID.
+ """
+ if not request and not spidentifier:
raise cherrypy.HTTPError(400,
'SAML request token missing or empty')
- try:
- login = self._parse_request(request)
- except InvalidRequest, e:
- self.debug(str(e))
- raise cherrypy.HTTPError(400, 'Invalid SAML request token')
- except UnknownProvider, e:
- self.debug(str(e))
- raise cherrypy.HTTPError(400, 'Unknown Service Provider')
- except Exception, e: # pylint: disable=broad-except
- self.debug(str(e))
- raise cherrypy.HTTPError(500)
+ if spidentifier:
+ try:
+ login = self._idp_initiated_login(spidentifier, relaystate)
+ except lasso.ServerProviderNotFoundError:
+ raise cherrypy.HTTPError(400, 'Unknown Service Provider')
+ except Exception, e: # pylint: disable=broad-except
+ self.debug(str(e))
+ raise cherrypy.HTTPError(500)
+ else:
+ try:
+ login = self._parse_request(request)
+ except InvalidRequest, e:
+ self.debug(str(e))
+ raise cherrypy.HTTPError(400, 'Invalid SAML request token')
+ except UnknownProvider, e:
+ self.debug(str(e))
+ raise cherrypy.HTTPError(400, 'Unknown Service Provider')
+ except Exception, e: # pylint: disable=broad-except
+ self.debug(str(e))
+ raise cherrypy.HTTPError(500)
return login
login.assertion.subject.nameId.content = nameid
else:
self.trans.wipe()
+ self.error('Authentication succeeded but it was not ' +
+ 'provided by NameID %s' % nameidfmt)
raise AuthenticationError("Unavailable Name ID type",
lasso.SAML2_STATUS_CODE_AUTHN_FAILED)
self.debug('Assertion: %s' % login.assertion.dump())
- saml_sessions = SAMLSessionFactory()
+ saml_sessions = self.cfg.idp.sessionfactory
lasso_session = lasso.Session()
lasso_session.addAssertion(login.remoteProviderId, login.assertion)
+ provider = ServiceProvider(self.cfg, login.remoteProviderId)
saml_sessions.add_session(login.assertion.id,
login.remoteProviderId,
user.name,
- lasso_session.dump())
+ lasso_session.dump(),
+ None,
+ provider.logout_mechs)
def saml2error(self, login, code, message):
status = lasso.Samlp2Status()