This also makes 'persistent' the default NameID format in the generated
metadata.
https://fedorahosted.org/ipsilon/ticket/27
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
'transdb': args['database_url'] % {
'datadir': args['data_dir'], 'dbname': 'transactions'},
'secure': "False" if args['secure'] == "no" else "True",
'transdb': args['database_url'] % {
'datadir': args['data_dir'], 'dbname': 'transactions'},
'secure': "False" if args['secure'] == "no" else "True",
- 'debugging': "True" if args['server_debugging'] else "False"}
+ 'debugging': "True" if args['server_debugging'] else "False",
+ }
# Testing database sessions
if 'session_type' in args:
confopts['sesstype'] = args['session_type']
# Testing database sessions
if 'session_type' in args:
confopts['sesstype'] = args['session_type']
import datetime
import lasso
import uuid
import datetime
import lasso
import uuid
class UnknownProvider(ProviderException):
class UnknownProvider(ProviderException):
nameid = None
if nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT:
nameid = None
if nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT:
- # TODO map to something else ?
- nameid = provider.normalize_username(user.name)
+ idpsalt = self.cfg.idp_nameid_salt
+ if idpsalt is None:
+ raise AuthenticationError(
+ "idp nameid salt is not set in configuration"
+ )
+ value = hashlib.sha512()
+ value.update(idpsalt)
+ value.update(login.remoteProviderId)
+ value.update(user.name)
+ nameid = '_' + value.hexdigest()
elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT:
nameid = '_' + uuid.uuid4().hex
elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_KERBEROS:
elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT:
nameid = '_' + uuid.uuid4().hex
elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_KERBEROS:
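Review bot: The persistent NameID on the new side is a plain concatenation of `idpsalt`, `login.remoteProviderId` and `user.name` fed to SHA-512, so two distinct (provider, user) pairs that differ only in where the boundary between the two fields falls yield the same digest and therefore the same NameID; a keyed construction with an explicit separator removes that ambiguity: `value = hmac.new(idpsalt, digestmod=hashlib.sha512)`, `value.update(login.remoteProviderId + '\0' + user.name)`, `nameid = '_' + value.hexdigest()` (needs `import hmac`). With this scheme the salt is the only thing that stops anyone who knows a username and SP id from recomputing that user's NameID, so it should be treated as a secret rather than as a public salt. I cannot see `hashlib` being imported in this module's import hunk above; confirm it is in scope, and if `user.name` can be a non-ASCII `unicode` object, `update()` will need an explicit UTF-8 encode first. The enclosing method starts and ends outside the hunk.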
import lasso
import os
import time
import lasso
import os
import time
class Redirect(AuthenticateRequest):
class Redirect(AuthenticateRequest):
'idp key file',
'The IdP Certificate Key genearated at install time.',
'certificate.key'),
'idp key file',
'The IdP Certificate Key genearated at install time.',
'certificate.key'),
+ pconfig.String(
+ 'idp nameid salt',
+ 'The salt used for persistent Name IDs.',
+ None),
pconfig.Condition(
'allow self registration',
'Allow authenticated users to register applications.',
pconfig.Condition(
'allow self registration',
'Allow authenticated users to register applications.',
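Review bot: The description string added for `'idp nameid salt'` tells the operator only what the value is for; because the persistent NameID is computed as a hash over this value together with the SP id and username, changing it later silently changes every persistent NameID that SPs have already stored, and the option text is the place to say so. Suggest `'The salt used for persistent Name IDs. Treat it as a secret and do not change it once SPs have received persistent Name IDs.'`. The `None` default is acceptable since the authentication path refuses to issue a persistent NameID when the salt is unset, as long as installation always populates it. The option list this entry belongs to continues outside the hunk.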
return os.path.join(self.idp_storage_path,
self.get_config_value('idp key file'))
return os.path.join(self.idp_storage_path,
self.get_config_value('idp key file'))
+ @property
+ def idp_nameid_salt(self):
+ return self.get_config_value('idp nameid salt')
+
@property
def default_allowed_nameids(self):
return self.get_config_value('default allowed nameids')
@property
def default_allowed_nameids(self):
return self.get_config_value('default allowed nameids')
'%s/saml2/SSO/Redirect' % url)
self.meta.add_service(metadata.SAML2_SERVICE_MAP['logout-redirect'],
'%s/saml2/SLO/Redirect' % url)
'%s/saml2/SSO/Redirect' % url)
self.meta.add_service(metadata.SAML2_SERVICE_MAP['logout-redirect'],
'%s/saml2/SLO/Redirect' % url)
- self.meta.add_allowed_name_format(
- lasso.SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT)
self.meta.add_allowed_name_format(
lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT)
self.meta.add_allowed_name_format(
lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT)
+ self.meta.add_allowed_name_format(
+ lasso.SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT)
self.meta.add_allowed_name_format(
lasso.SAML2_NAME_IDENTIFIER_FORMAT_EMAIL)
self.meta.add_allowed_name_format(
lasso.SAML2_NAME_IDENTIFIER_FORMAT_EMAIL)
config = {'idp storage path': path,
'idp metadata file': 'metadata.xml',
'idp certificate file': cert.cert,
config = {'idp storage path': path,
'idp metadata file': 'metadata.xml',
'idp certificate file': cert.cert,
- 'idp key file': cert.key}
+ 'idp key file': cert.key,
+ 'idp nameid salt': uuid.uuid4().hex}
po.save_plugin_config(config)
# Update global config to add login plugin
po.save_plugin_config(config)
# Update global config to add login plugin
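Review bot: `uuid.uuid4().hex` on the new side is an acceptable source for the salt (CPython draws uuid4 from `os.urandom`), but the value is now a long-lived secret rather than ordinary configuration, and `po.save_plugin_config(config)` stores it alongside the certificate paths; it is worth confirming that the store it lands in is not readable by other local users, and, if the installer can be run over an existing installation, that it does not replace a salt already in use, since that would change every persistent NameID issued so far. I cannot see `uuid` being imported in this file within the hunk — confirm it is in scope; the same applies to the test-suite hunk below that sets `idpsalt = uuid.uuid4().hex`. The surrounding function starts and ends outside the hunk.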
'sesstype': 'file',
'sessopt': 'path',
'sessval': os.path.join(workdir, 'sessions'),
'sesstype': 'file',
'sessopt': 'path',
'sessval': os.path.join(workdir, 'sessions'),
+ 'secure': 'False',
+ })
conf = os.path.join(workdir, 'ipsilon.conf')
with open(conf, 'w+') as f:
f.write(text)
conf = os.path.join(workdir, 'ipsilon.conf')
with open(conf, 'w+') as f:
f.write(text)
import pwd
import sys
from string import Template
import pwd
import sys
from string import Template
saml2 idp storage path = ${TESTDIR}/lib/${NAME}/saml2
saml2 idp metadata file = metadata.xml
saml2 idp certificate file = ${TESTDIR}/lib/${NAME}/saml2/idp.pem
saml2 idp storage path = ${TESTDIR}/lib/${NAME}/saml2
saml2 idp metadata file = metadata.xml
saml2 idp certificate file = ${TESTDIR}/lib/${NAME}/saml2/idp.pem
+saml2 idp nameid salt = ${IDPSALT}
[saml2_data]
811d0231-9362-46c9-a105-a01a64818904 id = http://${SPADDR}:${SPPORT}/saml2
811d0231-9362-46c9-a105-a01a64818904 type = SP
[saml2_data]
811d0231-9362-46c9-a105-a01a64818904 id = http://${SPADDR}:${SPPORT}/saml2
811d0231-9362-46c9-a105-a01a64818904 type = SP
idpuri = "http://%s:%s/%s" % (idpaddr, idpport, idpname)
idpuri = "http://%s:%s/%s" % (idpaddr, idpport, idpname)
+ idpsalt = uuid.uuid4().hex
t = Template(idp_file_conf)
text = t.substitute({'NAME': idpname, 'IDPURI': idpuri,
'SPNAME': spname, 'SPADDR': spaddr, 'SPPORT': spport,
t = Template(idp_file_conf)
text = t.substitute({'NAME': idpname, 'IDPURI': idpuri,
'SPNAME': spname, 'SPADDR': spaddr, 'SPPORT': spport,
- 'SPMETA': spmeta, 'TESTDIR': testdir})
+ 'SPMETA': spmeta, 'TESTDIR': testdir,
+ 'IDPSALT': idpsalt})
adminconf = os.path.join(testdir, 'etc/admin.conf')
with open(adminconf, 'w+') as f:
adminconf = os.path.join(testdir, 'etc/admin.conf')
with open(adminconf, 'w+') as f: