from ipsilon.providers.saml2.provider import InvalidProviderId
from ipsilon.providers.saml2.provider import NameIdNotAllowed
from ipsilon.providers.saml2.sessions import SAMLSessionsContainer
+from ipsilon.util.policy import Policy
from ipsilon.util.user import UserSession
from ipsilon.util.trans import Transaction
import cherrypy
import datetime
import lasso
+import uuid
+import hashlib
class UnknownProvider(ProviderException):
nameid = None
if nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT:
- # TODO map to something else ?
- nameid = provider.normalize_username(user.name)
+ idpsalt = self.cfg.idp_nameid_salt
+ if idpsalt is None:
+ raise AuthenticationError(
+ "idp nameid salt is not set in configuration"
+ )
+ value = hashlib.sha512()
+ value.update(idpsalt)
+ value.update(login.remoteProviderId)
+ value.update(user.name)
+ nameid = '_' + value.hexdigest()
elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT:
- # TODO map to something else ?
- nameid = provider.normalize_username(user.name)
+ nameid = '_' + uuid.uuid4().hex
elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_KERBEROS:
nameid = us.get_data('user', 'krb_principal_name')
elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_EMAIL:
nameid = us.get_user().email
if not nameid:
nameid = '%s@%s' % (user.name, self.cfg.default_email_domain)
+ elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_UNSPECIFIED:
+ nameid = provider.normalize_username(user.name)
if nameid:
login.assertion.subject.nameId.format = nameidfmt
raise AuthenticationError("Unavailable Name ID type",
lasso.SAML2_STATUS_CODE_AUTHN_FAILED)
- # TODO: filter user attributes as policy requires from 'usersession'
- if not login.assertion.attributeStatement:
- attrstat = lasso.Saml2AttributeStatement()
- login.assertion.attributeStatement = [attrstat]
- else:
- attrstat = login.assertion.attributeStatement[0]
- if not attrstat.attribute:
- attrstat.attribute = ()
+ # Check attribute policy and perform mapping and filtering
+ policy = Policy(self.cfg.default_attribute_mapping,
+ self.cfg.default_allowed_attributes)
+ userattrs = us.get_user_attrs()
+ mappedattrs, _ = policy.map_attributes(userattrs)
+ attributes = policy.filter_attributes(mappedattrs)
- attributes = us.get_user_attrs()
+ if '_groups' in attributes and 'groups' not in attributes:
+ attributes['groups'] = attributes['_groups']
+
+ self.debug("%s's attributes: %s" % (user.name, attributes))
+
+ # The saml-core-2.0-os specification section 2.7.3 requires
+ # the AttributeStatement element to be non-empty.
+ if attributes:
+ if not login.assertion.attributeStatement:
+ attrstat = lasso.Saml2AttributeStatement()
+ login.assertion.attributeStatement = [attrstat]
+ else:
+ attrstat = login.assertion.attributeStatement[0]
+ if not attrstat.attribute:
+ attrstat.attribute = ()
for key in attributes:
+ # skip internal info
+ if key[0] == '_':
+ continue
values = attributes[key]
if isinstance(values, dict):
continue