import lasso
import os
import time
+import uuid
class Redirect(AuthenticateRequest):
'idp key file',
'The IdP Certificate Key genearated at install time.',
'certificate.key'),
+ pconfig.String(
+ 'idp nameid salt',
+ 'The salt used for persistent Name IDs.',
+ None),
pconfig.Condition(
'allow self registration',
'Allow authenticated users to register applications.',
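Review bot: The new `idp nameid salt` option defaults to `None`, so a configuration written before this change has no salt at all; only fresh installs receive one from the installer hunk at the end of this diff, and the `idp_nameid_salt` property added further down returns that `None` unchanged. Persistent Name IDs presumably derive from this value (the consumer is not in this diff), so whichever code reads it should refuse to run with an unset salt rather than fall through to unsalted or predictable identifiers; the property is the natural place for that check. The option text should also tell operators that the value is generated once and must not be edited afterwards, because rotating it changes every persistent NameID already handed to service providers: `'The salt used to derive persistent Name IDs; generated at install time and must not be changed afterwards.'`.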
'default allowed nameids',
'Default Allowed NameIDs for Service Providers.',
metadata.SAML2_NAMEID_MAP.keys(),
- ['persistent', 'transient', 'email', 'kerberos', 'x509']),
+ ['unspecified', 'persistent', 'transient', 'email',
+ 'kerberos', 'x509']),
pconfig.Pick(
'default nameid',
'Default NameID used by Service Providers.',
metadata.SAML2_NAMEID_MAP.keys(),
- 'persistent'),
+ 'unspecified'),
pconfig.String(
'default email domain',
'Used for users missing the email property.',
return os.path.join(self.idp_storage_path,
self.get_config_value('idp key file'))
+ @property
+ def idp_nameid_salt(self):
+ return self.get_config_value('idp nameid salt')
+
@property
def default_allowed_nameids(self):
return self.get_config_value('default allowed nameids')
'%s/saml2/SSO/Redirect' % url)
self.meta.add_service(metadata.SAML2_SERVICE_MAP['logout-redirect'],
'%s/saml2/SLO/Redirect' % url)
- self.meta.add_allowed_name_format(
- lasso.SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT)
self.meta.add_allowed_name_format(
lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT)
+ self.meta.add_allowed_name_format(
+ lasso.SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT)
self.meta.add_allowed_name_format(
lasso.SAML2_NAME_IDENTIFIER_FORMAT_EMAIL)
config = {'idp storage path': path,
'idp metadata file': 'metadata.xml',
'idp certificate file': cert.cert,
- 'idp key file': cert.key}
+ 'idp key file': cert.key,
+ 'idp nameid salt': uuid.uuid4().hex}
po.save_plugin_config(config)
# Update global config to add login plugin