Implement urn:oasis:names:tc:SAML:2.0:nameid-format:transient

NameQualifier and SPNameQualifier are optional and are not included.

https://fedorahosted.org/ipsilon/ticket/27

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>

diff --git a/ipsilon/providers/saml2/auth.py b/ipsilon/providers/saml2/auth.py
index f5e8f0f..71bfc9a 100644 (file)
--- a/ipsilon/providers/saml2/auth.py
+++ b/ipsilon/providers/saml2/auth.py
@@ -27,6 +27,7 @@ from ipsilon.util.trans import Transaction
 import cherrypy
 import datetime
 import lasso
+import uuid
 
 
 class UnknownProvider(ProviderException):
@@ -185,8 +186,7 @@ class AuthenticateRequest(ProviderPageBase):
             # TODO map to something else ?
             nameid = provider.normalize_username(user.name)
         elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT:
-            # TODO map to something else ?
-            nameid = provider.normalize_username(user.name)
+            nameid = '_' + uuid.uuid4().hex
         elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_KERBEROS:
             nameid = us.get_data('user', 'krb_principal_name')
         elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_EMAIL: