+
+ def init_idp(self):
+ idp = None
+ # Init IDP data
+ try:
+ idp = IdentityProvider(self)
+ except Exception, e: # pylint: disable=broad-except
+ self.debug('Failed to init SAML2 provider: %r' % e)
+ return None
+
+ self._root.logout.add_handler(self.name, self.idp_initiated_logout)
+
+ # Import all known applications
+ data = self.get_data()
+ for idval in data:
+ sp = data[idval]
+ if 'type' not in sp or sp['type'] != 'SP':
+ continue
+ if 'name' not in sp or 'metadata' not in sp:
+ continue
+ try:
+ idp.add_provider(sp)
+ except Exception, e: # pylint: disable=broad-except
+ self.debug('Failed to add SP %s: %r' % (sp['name'], e))
+
+ return idp
+
+ def on_enable(self):
+ super(IdpProvider, self).on_enable()
+ self.idp = self.init_idp()
+ if hasattr(self, 'admin'):
+ if self.admin:
+ self.admin.add_sps()
+
+ def idp_initiated_logout(self):
+ """
+ Logout all SP sessions when the logout comes from the IdP.
+
+ For the current user only.
+ """
+ self.debug("IdP-initiated SAML2 logout")
+ us = UserSession()
+
+ saml_sessions = us.get_provider_data('saml2')
+ if saml_sessions is None:
+ self.debug("No SAML2 sessions to logout")
+ return
+ session = saml_sessions.get_next_logout(remove=False)
+ if session is None:
+ return
+
+ # Add a fake session to indicate where the user should
+ # be redirected to when all SP's are logged out.
+ idpurl = self._root.instance_base_url()
+ saml_sessions.add_session("_idp_initiated_logout",
+ idpurl,
+ "")
+ init_session = saml_sessions.find_session_by_provider(idpurl)
+ init_session.set_logoutstate(idpurl, "idp_initiated_logout", None)
+ saml_sessions.start_logout(init_session)
+
+ logout = self.idp.get_logout_handler()
+ logout.setSessionFromDump(session.session.dump())
+ logout.initRequest(session.provider_id)
+ try:
+ logout.buildRequestMsg()
+ except lasso.Error, e:
+ self.error('failure to build logout request msg: %s' % e)
+ raise cherrypy.HTTPRedirect(400, 'Failed to log out user: %s '
+ % e)
+
+ raise cherrypy.HTTPRedirect(logout.msgUrl)
+
+
+class IdpMetadataGenerator(object):
+
+ def __init__(self, url, idp_cert, expiration=None):
+ self.meta = metadata.Metadata(metadata.IDP_ROLE, expiration)
+ self.meta.set_entity_id('%s/saml2/metadata' % url)
+ self.meta.add_certs(idp_cert, idp_cert)
+ self.meta.add_service(metadata.SAML2_SERVICE_MAP['sso-post'],
+ '%s/saml2/SSO/POST' % url)
+ self.meta.add_service(metadata.SAML2_SERVICE_MAP['sso-redirect'],
+ '%s/saml2/SSO/Redirect' % url)
+ if is_lasso_ecp_enabled():
+ self.meta.add_service(metadata.SAML2_SERVICE_MAP['sso-soap'],
+ '%s/saml2/SSO/SOAP' % url)
+ self.meta.add_service(metadata.SAML2_SERVICE_MAP['logout-redirect'],
+ '%s/saml2/SLO/Redirect' % url)
+ self.meta.add_allowed_name_format(
+ lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT)
+ self.meta.add_allowed_name_format(
+ lasso.SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT)
+ self.meta.add_allowed_name_format(
+ lasso.SAML2_NAME_IDENTIFIER_FORMAT_EMAIL)
+
+ def output(self, path=None):
+ return self.meta.output(path)
+
+
+class Installer(ProviderInstaller):
+
+ def __init__(self, *pargs):
+ super(Installer, self).__init__()
+ self.name = 'saml2'
+ self.pargs = pargs
+
+ def install_args(self, group):
+ group.add_argument('--saml2', choices=['yes', 'no'], default='yes',
+ help='Configure SAML2 Provider')
+ group.add_argument('--saml2-metadata-validity',
+ default=METADATA_DEFAULT_VALIDITY_PERIOD,
+ help=('Metadata validity period in days '
+ '(default - %d)' %
+ METADATA_DEFAULT_VALIDITY_PERIOD))
+
+ def configure(self, opts, changes):
+ if opts['saml2'] != 'yes':
+ return
+
+ # Check storage path is present or create it
+ path = os.path.join(opts['data_dir'], 'saml2')
+ if not os.path.exists(path):
+ os.makedirs(path, 0700)
+
+ # Use the same cert for signing and ecnryption for now
+ cert = Certificate(path)
+ cert.generate('idp', opts['hostname'])
+
+ # Generate Idp Metadata
+ proto = 'https'
+ if opts['secure'].lower() == 'no':
+ proto = 'http'
+ url = '%s://%s/%s' % (proto, opts['hostname'], opts['instance'])
+ validity = int(opts['saml2_metadata_validity'])
+ meta = IdpMetadataGenerator(url, cert,
+ timedelta(validity))
+ if 'gssapi' in opts and opts['gssapi'] == 'yes':
+ meta.meta.add_allowed_name_format(
+ lasso.SAML2_NAME_IDENTIFIER_FORMAT_KERBEROS)
+
+ meta.output(os.path.join(path, 'metadata.xml'))
+
+ # Add configuration data to database
+ po = PluginObject(*self.pargs)
+ po.name = 'saml2'
+ po.wipe_data()
+ po.wipe_config_values()
+ config = {'idp storage path': path,
+ 'idp metadata file': 'metadata.xml',
+ 'idp certificate file': cert.cert,
+ 'idp key file': cert.key,
+ 'idp nameid salt': uuid.uuid4().hex,
+ 'idp metadata validity': opts['saml2_metadata_validity']}
+ po.save_plugin_config(config)
+
+ # Update global config to add login plugin
+ po.is_enabled = True
+ po.save_enabled_state()
+
+ # Fixup permissions so only the ipsilon user can read these files
+ files.fix_user_dirs(path, opts['system_user'])