| |
@@ -228,6 +228,32 @@
|
| |
authtime_notbefore = authtime - skew
|
| |
authtime_notafter = authtime + skew
|
| |
|
| |
+ # Let's first do the attribute mapping, so we could map the username
|
| |
+ # Check attribute policy and perform mapping and filtering.
|
| |
+ # If the SP has its own mapping or filtering policy use that
|
| |
+ # instead of the global policy.
|
| |
+ if (provider.attribute_mappings is not None and
|
| |
+ len(provider.attribute_mappings) > 0):
|
| |
+ attribute_mappings = provider.attribute_mappings
|
| |
+ else:
|
| |
+ attribute_mappings = self.cfg.default_attribute_mapping
|
| |
+ if (provider.allowed_attributes is not None and
|
| |
+ len(provider.allowed_attributes) > 0):
|
| |
+ allowed_attributes = provider.allowed_attributes
|
| |
+ else:
|
| |
+ allowed_attributes = self.cfg.default_allowed_attributes
|
| |
+ self.debug("Allowed attrs: %s" % allowed_attributes)
|
| |
+ self.debug("Mapping: %s" % attribute_mappings)
|
| |
+ policy = Policy(attribute_mappings, allowed_attributes)
|
| |
+ userattrs = us.get_user_attrs()
|
| |
+ mappedattrs, _ = policy.map_attributes(userattrs)
|
| |
+ attributes = policy.filter_attributes(mappedattrs)
|
| |
+
|
| |
+ if '_groups' in attributes and 'groups' not in attributes:
|
| |
+ attributes['groups'] = attributes['_groups']
|
| |
+
|
| |
+ self.debug("%s's attributes: %s" % (user.name, attributes))
|
| |
+
|
| |
# TODO: get authentication type fnd name format from session
|
| |
# need to save which login manager authenticated and map it to a
|
| |
# saml2 authentication context
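Review bot: The moved block's opening comment should say that the NameID computation further down the function now reads `mappedattrs['_username']`, so any per-SP or default mapping that renames or drops `_username` changes (or breaks) the identifier the SP receives; the "so we could map the username" wording does not make that dependency explicit. I would replace the first comment with `# Map and filter attributes before building the NameID: the persistent, unspecified and email NameID formats below are derived from mappedattrs, so the mapping policy must preserve a unique, stable '_username'.` Note also that `userattrs` fetched here is relied on by the Kerberos branch in the next hunk, which is worth a one-line comment so a later reorder does not silently break it. The enclosing method starts before this hunk and continues past its end.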
|
| |
@@ -250,19 +276,18 @@
|
| |
value = hashlib.sha512()
|
| |
value.update(idpsalt)
|
| |
value.update(login.remoteProviderId)
|
| |
- value.update(user.name)
|
| |
+ value.update(mappedattrs.get('_username'))
|
| |
nameid = '_' + value.hexdigest()
|
| |
elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT:
|
| |
nameid = '_' + uuid.uuid4().hex
|
| |
elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_KERBEROS:
|
| |
- userattrs = us.get_user_attrs()
|
| |
nameid = userattrs.get('gssapi_principal_name')
|
| |
elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_EMAIL:
|
| |
- nameid = us.get_user().email
|
| |
+ nameid = mappedattrs.get('email')
|
| |
if not nameid:
|
| |
nameid = '%s@%s' % (user.name, self.cfg.default_email_domain)
|
| |
elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_UNSPECIFIED:
|
| |
- nameid = provider.normalize_username(user.name)
|
| |
+ nameid = provider.normalize_username(mappedattrs.get('_username'))
|
| |
|
| |
if nameid:
|
| |
login.assertion.subject.nameId.format = nameidfmt
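Review bot: In the persistent and unspecified branches, `mappedattrs.get('_username')` can return None when the active mapping policy does not yield a `_username` key, and `value.update(None)` then raises a TypeError (and `normalize_username(None)` presumably fails too) instead of the AuthenticationError the rest of this function uses; the old code used `user.name`, which was always set. I would resolve the username once before the branch and fail closed: `username = mappedattrs.get('_username')` followed by `if not username: raise AuthenticationError("Missing username attribute", lasso.SAML2_STATUS_CODE_AUTHN_FAILED)`, then hash and normalize `username`. Separately, because a provider-specific `attribute_mappings` now feeds the persistent NameID, a per-SP mapping that derives `_username` from a non-unique attribute would make two accounts collide on the same persistent identifier at that SP — if `Policy.map_attributes` allows `_username` to be rewritten, that should be documented on the provider config or rejected. The enclosing method starts before this hunk and continues past its end.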
|
| |
@@ -274,31 +299,6 @@
|
| |
raise AuthenticationError("Unavailable Name ID type",
|
| |
lasso.SAML2_STATUS_CODE_AUTHN_FAILED)
|
| |
|
| |
- # Check attribute policy and perform mapping and filtering.
|
| |
- # If the SP has its own mapping or filtering policy use that
|
| |
- # instead of the global policy.
|
| |
- if (provider.attribute_mappings is not None and
|
| |
- len(provider.attribute_mappings) > 0):
|
| |
- attribute_mappings = provider.attribute_mappings
|
| |
- else:
|
| |
- attribute_mappings = self.cfg.default_attribute_mapping
|
| |
- if (provider.allowed_attributes is not None and
|
| |
- len(provider.allowed_attributes) > 0):
|
| |
- allowed_attributes = provider.allowed_attributes
|
| |
- else:
|
| |
- allowed_attributes = self.cfg.default_allowed_attributes
|
| |
- self.debug("Allowed attrs: %s" % allowed_attributes)
|
| |
- self.debug("Mapping: %s" % attribute_mappings)
|
| |
- policy = Policy(attribute_mappings, allowed_attributes)
|
| |
- userattrs = us.get_user_attrs()
|
| |
- mappedattrs, _ = policy.map_attributes(userattrs)
|
| |
- attributes = policy.filter_attributes(mappedattrs)
|
| |
-
|
| |
- if '_groups' in attributes and 'groups' not in attributes:
|
| |
- attributes['groups'] = attributes['_groups']
|
| |
-
|
| |
- self.debug("%s's attributes: %s" % (user.name, attributes))
|
| |
-
|
| |
# The saml-core-2.0-os specification section 2.7.3 requires
|
| |
# the AttributeStatement element to be non-empty.
|
| |
if attributes:
|
| |