From 2959e20b5607edab7313aa5ba4500c1f37358979 Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Sun, 2 Mar 2014 18:32:06 -0500
Subject: [PATCH] Add ability to strip domain/realm per provider This allows to return (hopefully) the same name whether the user authenticated via ESSO or form based authentication. Crude for now, may be augmented with some regex configuration in the future.
Signed-off-by: Simo Sorce
---
 ipsilon/providers/saml2/auth.py | 6 ++++--
 ipsilon/providers/saml2/provider.py | 5 +++++
 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/ipsilon/providers/saml2/auth.py b/ipsilon/providers/saml2/auth.py
index 64d9835..7f92d77 100755
--- a/ipsilon/providers/saml2/auth.py
+++ b/ipsilon/providers/saml2/auth.py
@@ -170,9 +170,11 @@ class AuthenticateRequest(ProviderPageBase):
 nameid = None
 if nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT:
- nameid = user.name ## TODO map to something else ?
+ ## TODO map to something else ?
+ nameid = provider.normalize_username(user.name)
 elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT:
- nameid = user.name ## TODO map to something else ?
+ ## TODO map to something else ?
+ nameid = provider.normalize_username(user.name)
 elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_KERBEROS:
 nameid = us.get_data('user', 'krb_principal_name')
 elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_EMAIL:
diff --git a/ipsilon/providers/saml2/provider.py b/ipsilon/providers/saml2/provider.py
index c738ac2..acf2ee7 100755
--- a/ipsilon/providers/saml2/provider.py
+++ b/ipsilon/providers/saml2/provider.py
@@ -106,3 +106,8 @@ class ServiceProvider(object):
 def _debug(self, fact):
 if cherrypy.config.get('debug', False):
 cherrypy.log(fact)
+
+ def normalize_username(self, username):
+ if 'strip domain' in self._properties:
+ return username.split('@', 1)[0]
+ return username
--
2.20.1
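Review bot: With `'strip domain'` set, the two `provider.normalize_username(user.name)` calls in the PERSISTENT and TRANSIENT branches make the NameID the bare local part. Users who authenticate from different realms with the same local name (constructed example: `alice@A.EXAMPLE` and `alice@B.EXAMPLE`) are then asserted to the service provider as one identity. That is only safe when the IdP accepts a single realm or domain, and nothing in the hunk checks it. I would record the assumption next to the calls, e.g. `# NOTE: realm is dropped; assumes only one realm/domain can authenticate here`, or compare the stripped suffix with an expected realm before dropping it. The enclosing method starts and ends outside the hunk, so where `provider` is bound is not visible.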
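Review bot: `normalize_username` tests only for the presence of the `'strip domain'` key, so a provider whose property is stored with a false or empty value would still have the realm stripped. `_properties` is assigned outside this hunk, so its type is an assumption here; if it is a mapping, `if self._properties.get('strip domain'):` makes the switch follow the value. A name that begins with `@` comes back as an empty string, which the callers in auth.py would then use as the NameID; `return username.split('@', 1)[0] or username` keeps the original in that case. The method also has no docstring; one line stating that everything from the first `@` onward is dropped would document the contract.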