This was originally getting the principal from the
user object itself, which meant it was looking for
it in the database. Look in the attributes instead,
which are stored in the user session.
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT:
nameid = '_' + uuid.uuid4().hex
elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_KERBEROS:
elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT:
nameid = '_' + uuid.uuid4().hex
elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_KERBEROS:
- nameid = us.get_data('user', 'gssapi_principal_name')
+ userattrs = us.get_user_attrs()
+ nameid = userattrs.get('gssapi_principal_name')
elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_EMAIL:
nameid = us.get_user().email
if not nameid:
elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_EMAIL:
nameid = us.get_user().email
if not nameid:
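Review bot: The new Kerberos branch calls `.get()` directly on the return value of `us.get_user_attrs()`, so if that method can return None for a session with no stored attributes (its definition is not visible here), the branch raises AttributeError instead of reaching the `if not nameid:` check that follows the chain. Writing `userattrs = us.get_user_attrs() or {}` would keep a missing principal on the existing no-NameID path. A one-line comment such as `# principal is kept in the session attributes, not in the user store` would also record why `get_data('user', ...)` was dropped, which matters because this value becomes the asserted identity. The if/elif chain starts and ends outside the hunk.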
session = self.get_session(url)
allow_redirects = False
if krb:
session = self.get_session(url)
allow_redirects = False
if krb:
- # In at least the test instance we don't get back a negotiate
- # blob to do mutual authentication against.
+ # python-requests-kerberos isn't too bright about doing mutual
+ # authentication and it tries to do it on any non-401 response
+ # which doesn't work in our case since we follow redirects.
kerberos_auth = HTTPKerberosAuth(mutual_authentication=OPTIONAL)
kwargs['auth'] = kerberos_auth
allow_redirects = True
kerberos_auth = HTTPKerberosAuth(mutual_authentication=OPTIONAL)
kwargs['auth'] = kerberos_auth
allow_redirects = True
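Review bot: The rewritten comment above `HTTPKerberosAuth(mutual_authentication=OPTIONAL)` explains the library behaviour but not what the setting gives up: with OPTIONAL, a response that carries no server token is accepted, so the client does not verify the server's identity on those responses. Since this looks like a test helper, the comment should say so, for example `# OPTIONAL skips server verification when no token is returned; acceptable for the test instance only`. That keeps the setting from being copied into non-test callers together with `allow_redirects = True`. The enclosing function starts and ends outside the hunk.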