Add support for attribute policies in samlidp

[cascardo/ipsilon.git] / ipsilon / providers / saml2idp.py

diff --git a/ipsilon/providers/saml2idp.py b/ipsilon/providers/saml2idp.py
index c8f5dab..9fa2fd6 100644 (file)
--- a/ipsilon/providers/saml2idp.py
+++ b/ipsilon/providers/saml2idp.py
@@ -17,6 +17,7 @@
 
 from ipsilon.providers.common import ProviderBase, ProviderPageBase
 from ipsilon.providers.saml2.auth import AuthenticateRequest
+from ipsilon.providers.saml2.logout import LogoutRequest
 from ipsilon.providers.saml2.admin import Saml2AdminPage
 from ipsilon.providers.saml2.provider import IdentityProvider
 from ipsilon.tools.certs import Certificate
@@ -89,6 +90,19 @@ class Continue(AuthenticateRequest):
         return self.auth(login)
 
 
+class RedirectLogout(LogoutRequest):
+
+    def GET(self, *args, **kwargs):
+        query = cherrypy.request.query_string
+
+        relaystate = kwargs.get(lasso.SAML2_FIELD_RELAYSTATE)
+        response = kwargs.get(lasso.SAML2_FIELD_RESPONSE)
+
+        return self.logout(query,
+                           relaystate=relaystate,
+                           samlresponse=response)
+
+
 class SSO(ProviderPageBase):
 
     def __init__(self, *args, **kwargs):
@@ -98,6 +112,14 @@ class SSO(ProviderPageBase):
         self.Continue = Continue(*args, **kwargs)
 
 
+class SLO(ProviderPageBase):
+
+    def __init__(self, *args, **kwargs):
+        super(SLO, self).__init__(*args, **kwargs)
+        self._debug('SLO init')
+        self.Redirect = RedirectLogout(*args, **kwargs)
+
+
 # one week
 METADATA_RENEW_INTERVAL = 60 * 60 * 24 * 7
 # 30 days
@@ -138,6 +160,7 @@ class SAML2(ProviderPageBase):
         super(SAML2, self).__init__(*args, **kwargs)
         self.metadata = Metadata(*args, **kwargs)
         self.SSO = SSO(*args, **kwargs)
+        self.SLO = SLO(*args, **kwargs)
 
 
 class IdpProvider(ProviderBase):
@@ -186,6 +209,14 @@ Provides SAML 2.0 authentication infrastructure. """
                 'default email domain',
                 'Used for users missing the email property.',
                 'example.com'),
+            pconfig.MappingList(
+                'default attribute mapping',
+                'Defines how to map attributes before returning them to SPs',
+                [['*', '*']]),
+            pconfig.ComplexList(
+                'default allowed attributes',
+                'Defines a list of allowed attributes, applied after mapping',
+                ['*']),
         )
         if cherrypy.config.get('debug', False):
             import logging
@@ -230,6 +261,14 @@ Provides SAML 2.0 authentication infrastructure. """
     def default_email_domain(self):
         return self.get_config_value('default email domain')
 
+    @property
+    def default_attribute_mapping(self):
+        return self.get_config_value('default attribute mapping')
+
+    @property
+    def default_allowed_attributes(self):
+        return self.get_config_value('default allowed attributes')
+
     def get_tree(self, site):
         self.idp = self.init_idp()
         self.page = SAML2(site, self)