force authn context to be lasso.SAML2_AUTHN_CONTEXT_SMARTCARD_PKI

2017-01-10 11:00:21 +01:00 · 2017-01-10 11:00:21 +01:00 · d300907626
parent b1ed899f50
commit d300907626
1 changed files with 9 additions and 13 deletions
--- a/src/authentic2_auth_fedict/backends.py
+++ b/src/authentic2_auth_fedict/backends.py
@ -14,20 +14,16 @@
 # You should have received a copy of the GNU Affero General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.

+import lasso
 from mellon.backends import SAMLBackend

-from authentic2.middleware import StoreRequestMiddleware
-
-
 class FedictBackend(SAMLBackend):
    def get_saml2_authn_context(self):
-        # Pass AuthnContextClassRef from the previous IdP
-        request = StoreRequestMiddleware.get_request()
-        if request:
-            authn_context_class_ref = request.session.get(
-                'mellon_session', {}).get('authn_context_class_ref')
-            if authn_context_class_ref:
-                return authn_context_class_ref
-
-        import lasso
-        return lasso.SAML2_AUTHN_CONTEXT_PREVIOUS_SESSION
+        # The Fedict will return one of:
+        #  * urn:be:fedict:iam:fas:citizen:eid,
+        #  * urn:be:fedict:iam:fas:citizen:token,
+        #  * urn:be:fedict:iam:fas:enterprise:eid,
+        #  * urn:be:fedict:iam:fas:citizen:token
+        # but we do not expose this detail to the service provider as all it
+        # needs to know is "strong authentication".
+        return lasso.SAML2_AUTHN_CONTEXT_SMARTCARD_PKI