saml2: render nameid format and authnresp binding configurable (#7367)
This commit is contained in:
Jérôme Schneider
parent
7f3376a1a5
commit
46bf116cc9
|
|
@ -24,9 +24,10 @@ virtual host :
|
|||
|
||||
Optional options :
|
||||
* saml2_sp_logout_url: the url to logout the service provider (deprecated: use sp_logout_url instead)
|
||||
* saml2_authnresp_binding: only post is supported for now
|
||||
* saml2_authnresp_binding (default: post): artifact, post, redirect or soap
|
||||
* saml2_authnreq_http_method: only http_redirect at the moment
|
||||
* saml2_name_identifier_format: only persistent at the moment
|
||||
* saml2_name_identifier_format (default: persistant): email, transient, persistent, unspecified (username like gapps),
|
||||
encrypted, entity, windows, kerberos or x509
|
||||
* saml2_metadata_url: saml end point of the metadata
|
||||
* saml2_single_sign_on_post_url: saml end point of single sign on post
|
||||
* saml2_single_logout_url: saml end point of logout
|
||||
|
|
@ -41,6 +42,26 @@ END_POINTS_PATH = {
|
|||
'single_logout_return': '/mandaye/singleLogoutReturn',
|
||||
}
|
||||
|
||||
NAME_IDENTIFIERS_FORMAT = {
|
||||
'email': lasso.SAML2_NAME_IDENTIFIER_FORMAT_EMAIL,
|
||||
'transient': lasso.SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT,
|
||||
'persistent': lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT,
|
||||
'unspecified': lasso.SAML2_NAME_IDENTIFIER_FORMAT_UNSPECIFIED,
|
||||
'username': lasso.SAML2_NAME_IDENTIFIER_FORMAT_UNSPECIFIED,
|
||||
'encrypted': lasso.SAML2_NAME_IDENTIFIER_FORMAT_ENCRYPTED,
|
||||
'entity': lasso.SAML2_NAME_IDENTIFIER_FORMAT_ENTITY,
|
||||
'windows': lasso.SAML2_NAME_IDENTIFIER_FORMAT_WINDOWS,
|
||||
'kerberos': lasso.SAML2_NAME_IDENTIFIER_FORMAT_KERBEROS,
|
||||
'x509': lasso.SAML2_NAME_IDENTIFIER_FORMAT_X509,
|
||||
}
|
||||
|
||||
METADATA_BINDING = {
|
||||
'artifact': lasso.SAML2_METADATA_BINDING_ARTIFACT,
|
||||
'post': lasso.SAML2_METADATA_BINDING_POST,
|
||||
'redirect': lasso.SAML2_METADATA_BINDING_REDIRECT,
|
||||
'soap': lasso.SAML2_METADATA_BINDING_SOAP
|
||||
}
|
||||
|
||||
class SAML2Auth(AuthForm):
|
||||
""" SAML 2 authentification
|
||||
"""
|
||||
|
|
@ -75,13 +96,22 @@ class SAML2Auth(AuthForm):
|
|||
private_key = self._get_file_content(
|
||||
self.env['mandaye.config']['saml2_signature_private_key']
|
||||
)
|
||||
authnresp_binding = self.env['mandaye.config'].get('saml2_authnresp_binding', 'post')
|
||||
name_identifier_format = self.env['mandaye.config'].get('saml2_name_identifier_format', 'persistent')
|
||||
if authnresp_binding not in METADATA_BINDING.keys():
|
||||
err = "saml2_authnresp_binding: '%s' invalid value (must be artifact, post, redirect or soap)"
|
||||
raise ImproperlyConfigured, err
|
||||
if name_identifier_format not in NAME_IDENTIFIERS_FORMAT.keys():
|
||||
err = "saml2_authnresp_binding: '%s' invalid value (must be email, transient, persistent,".\
|
||||
" unspecified (username like gapps), encrypted, entity, windows, kerberos or x509)"
|
||||
raise ImproperlyConfigured, err
|
||||
self.config = {
|
||||
'saml2_idp_metadata': self.env['mandaye.config']['saml2_idp_metadata'],
|
||||
'saml2_signature_public_key': public_key,
|
||||
'saml2_signature_private_key': private_key,
|
||||
'saml2_authnresp_binding': lasso.SAML2_METADATA_BINDING_POST,
|
||||
'saml2_authnresp_binding': METADATA_BINDING[authnresp_binding],
|
||||
'saml2_authnreq_http_method': lasso.HTTP_METHOD_REDIRECT,
|
||||
'saml2_name_identifier_format': lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT
|
||||
'saml2_name_identifier_format': NAME_IDENTIFIERS_FORMAT[name_identifier_format]
|
||||
}
|
||||
|
||||
self.metadata_map = (
|
||||
|
|
|
|||
Reference in New Issue