diff --git a/lcs/root.ptl b/lcs/root.ptl index 060d447..f0615af 100644 --- a/lcs/root.ptl +++ b/lcs/root.ptl @@ -92,17 +92,80 @@ class RootDirectory(Directory): def _q_index [html] (self): template.html_top('Lasso Conformance SP') + if not get_request().user: + form = Form(enctype='multipart/form-data') + form.add(HtmlWidget, '
') + form.add(CheckboxWidget, 'force_authn', value = False, + title = _('Force Authentication (ForceAuthn)')) + form.add(CheckboxWidget, 'is_passive', + title = _('No interaction (IsPassive)')) + form.add(CheckboxWidget, 'allow_create', value = True, + title = _('Allow new federation')) + form.add(SingleSelectWidget, 'nid_format', + title = _('Name Identifier Format'), + options = [('persistent', _('Persistent')), + ('transient', _('Transient')), + ('none', _('(none'))]) + # XXX: affiliation + form.add(SingleSelectWidget, 'consent', + title = _('Consent'), + options = ['(empty)', 'obtained', 'prior', 'current-implicit', + 'current-explicit', 'unavailable', 'inapplicable']) + form.add(SingleSelectWidget, 'authn_context', + title = _('Authn Req Context'), + options = ['(empty)', 'password', 'password on protected transport', + 'Client Certificate']) + form.add(SingleSelectWidget, 'matching', + title = _('Matching Rule'), + options = ['(empty)', 'exact', 'minimum', 'maximum', 'better']) + form.add(HtmlWidget, '
') + + for kidp, idp in get_cfg('idp', {}).items(): + form.add_submit(kidp, _('Log on %s') % kidp) + + if form.is_submitted(): + return self.do_login(form) + if get_request().user: '

%s

' % _('Logged in (%s)') % get_request().user.display_name '

%s

' % _('Logout') else: - if get_cfg('sp'): - '

%s

' % _('Login') + form.render() '
'
         get_session().lasso_identity_provider_id
         '
' + + def do_login(self, form): + server = misc.get_lasso_server(protocol = 'saml2') + login = lasso.Login(server) + + idp = None + # XXX: get idp from submitted button + + login.initAuthnRequest(idp, lasso.HTTP_METHOD_REDIRECT) # XXX: method must be an option + + nid_format = form.get_widget('nid_format').parse() + if nid_format == 'persistent': + login.request.nameIDPolicy.format = lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT + elif nid_format == 'transient': + login.request.nameIDPolicy.format = lasso.SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT + elif nid_format == 'none': + login.request.nameIDPolicy.format = lasso.SAML2_NAME_IDENTIFIER_FORMAT_NONE + + login.request.nameIDPolicy.allowCreate = form.get_widget('allow_create').parse() + login.request.forceAuthn = form.get_widget('force_authn').parse() + login.request.isPassive = form.get_widget('is_passive').parse() + + consent = form.get_widget('consent').parse() + if consent: + login.request.consent = 'urn:oasis:names:tc:SAML:2.0:consent:%s' % consent + + login.buildAuthnRequestMsg() + return redirect(login.msgUrl) + + def logout(self): logger.info('logout') session = get_session() diff --git a/root/css/lcs.css b/root/css/lcs.css index d38cd44..9635625 100644 --- a/root/css/lcs.css +++ b/root/css/lcs.css @@ -15,6 +15,7 @@ div#page { text-align: justify; background: white url(img/page.png) repeat-y; color: black; + position: relative; } #top { @@ -316,3 +317,13 @@ div.buttons { clear: both; } +div#sso-options { + font-size: 80%; + position: absolute; + right: 20px; + top: 30px; + background: white; + border: 1px solid black; + padding: 4px; +} +
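Review bot: In do_login the '(empty)' placeholder that the form offers as the first consent option is a non-empty string, so `if consent:` accepts it and the AuthnRequest goes out with the malformed URI `urn:oasis:names:tc:SAML:2.0:consent:(empty)`; the guard should be `if consent and consent != '(empty)':` (the same placeholder heads the authn_context and matching options, which do_login does not read yet). The IdP is still hard-wired to `idp = None` although _q_index builds one submit button per key of `get_cfg('idp', {})`; when that XXX is resolved, take the name of the pressed button from the form and accept it only if it is a key of that same configured dict, so the entity id passed to initAuthnRequest can never be an arbitrary request value. The nid_format label `_('(none')` is also missing its closing parenthesis. The logout method that begins at the end of this hunk continues outside it.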