Add way to return Kerberos nameid if available

Signed-off-by: Simo Sorce <simo@redhat.com>

diff --git a/ipsilon/login/authkrb.py b/ipsilon/login/authkrb.py
index b6ff99c..77b907b 100755 (executable)
--- a/ipsilon/login/authkrb.py
+++ b/ipsilon/login/authkrb.py
@@ -18,6 +18,7 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 from ipsilon.login.common import LoginPageBase, LoginManagerBase
+from ipsilon.util.user import UserSession
 import cherrypy
 
 
@@ -33,9 +34,10 @@ class KrbAuth(LoginPageBase):
 
     def root(self, *args, **kwargs):
         # If we can get here, we must be authenticated and remote_user
-        # was set. Check the session has a use set already or error.
+        # was set. Check the session has a user set already or error.
         if self.user and self.user.name:
-            return self.lm.auth_successful(self.user.name)
+            userdata = { 'krb_principal_name': self.user.name }
+            return self.lm.auth_successful(self.user.name, userdata)
         else:
             return self.lm.auth_failed()
 

diff --git a/ipsilon/providers/saml2/auth.py b/ipsilon/providers/saml2/auth.py
index 9d796c5..955f01f 100755 (executable)
--- a/ipsilon/providers/saml2/auth.py
+++ b/ipsilon/providers/saml2/auth.py
@@ -159,7 +159,8 @@ class AuthenticateRequest(ProviderPageBase):
         authtime_notbefore = authtime - skew
         authtime_notafter = authtime + skew
 
-        user = UserSession().get_user()
+        us = UserSession()
+        user = us.get_user()
 
         # TODO: get authentication type fnd name format from session
         # need to save which login manager authenticated and map it to a
@@ -178,6 +179,8 @@ class AuthenticateRequest(ProviderPageBase):
             nameid = user.name  ## TODO map to something else ?
         elif self.nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT:
             nameid = user.name  ## TODO map to something else ?
+        elif self.nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_KERBEROS:
+            nameid = us.get_data('user', 'krb_principal_name')
 
         if nameid:
             login.assertion.subject.nameId.format = self.nameidfmt