    def __init__(self, settings, request=None):
        """
        Constructs the Logout Request object.

        When ``request`` is None a new LogoutRequest document is generated
        from the SP/IdP settings; otherwise the given base64-encoded
        (optionally deflate-compressed) request is decoded and kept as-is.

        Arguments are:
            * (OneLogin_Saml2_Settings)   settings. Setting data
            * (string)                    request.  Optional encoded LogoutRequest to load
        """
        self.__settings = settings
        self.__error = None

        if request is not None:
            # Load path: strip the base64 layer, then try to inflate it as a
            # raw deflate stream (negative window size = no zlib header).
            # A request that was never compressed makes decompress() fail,
            # in which case the decoded bytes are used unchanged.
            decoded_request = b64decode(request)
            try:
                self.__logout_request = decompress(decoded_request, -15)
            except Exception:
                self.__logout_request = decoded_request
            return

        # Build path.
        sp_data = self.__settings.get_sp_data()
        idp_data = self.__settings.get_idp_data()
        security = self.__settings.get_security_data()

        request_id = OneLogin_Saml2_Utils.generate_unique_id()
        # The NameID value is a freshly generated identifier here.
        generated_name_id = OneLogin_Saml2_Utils.generate_unique_id()
        issue_instant = OneLogin_Saml2_Utils.parse_time_to_SAML(OneLogin_Saml2_Utils.now())

        # The IdP certificate is only handed over when the NameID must be encrypted.
        encryption_cert = idp_data['x509cert'] if security.get('nameIdEncrypted') else None

        name_id_xml = OneLogin_Saml2_Utils.generate_name_id(
            generated_name_id, sp_data['entityId'], sp_data['NameIDFormat'], encryption_cert)

        template = """<samlp:LogoutRequest
        xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        ID="%(id)s"
        Version="2.0"
        IssueInstant="%(issue_instant)s"
        Destination="%(single_logout_url)s">
        <saml:Issuer>%(entity_id)s</saml:Issuer>
        %(name_id)s
    </samlp:LogoutRequest>"""
        self.__logout_request = template % {
            'id': request_id,
            'issue_instant': issue_instant,
            'single_logout_url': idp_data['singleLogoutService']['url'],
            'entity_id': sp_data['entityId'],
            'name_id': name_id_xml,
        }
    def __init__(self, settings, request=None):
        """
        Constructs the Logout Request object.

        Arguments are:
            * (OneLogin_Saml2_Settings)   settings. Setting data
            * (string)                    request.  Optional base64-encoded
              LogoutRequest (possibly deflate-compressed) to load instead of
              building a new one.
        """
        self.__settings = settings
        self.__error = None

        if request is None:
            document = self.__build_new_request()
        else:
            document = self.__load_encoded_request(request)

        self.__logout_request = document

    def __build_new_request(self):
        """Render a fresh LogoutRequest from the SP/IdP settings."""
        sp_data = self.__settings.get_sp_data()
        idp_data = self.__settings.get_idp_data()
        security = self.__settings.get_security_data()

        request_id = OneLogin_Saml2_Utils.generate_unique_id()
        # A generated identifier is used as the NameID value.
        name_id_value = OneLogin_Saml2_Utils.generate_unique_id()
        issue_instant = OneLogin_Saml2_Utils.parse_time_to_SAML(
            OneLogin_Saml2_Utils.now())

        # Only pass the IdP certificate when the NameID has to be encrypted.
        encryption_cert = None
        if security.get('nameIdEncrypted'):
            encryption_cert = idp_data['x509cert']

        name_id_xml = OneLogin_Saml2_Utils.generate_name_id(
            name_id_value, sp_data['entityId'], sp_data['NameIDFormat'],
            encryption_cert)

        values = {
            'id': request_id,
            'issue_instant': issue_instant,
            'single_logout_url': idp_data['singleLogoutService']['url'],
            'entity_id': sp_data['entityId'],
            'name_id': name_id_xml,
        }
        return """<samlp:LogoutRequest
        xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        ID="%(id)s"
        Version="2.0"
        IssueInstant="%(issue_instant)s"
        Destination="%(single_logout_url)s">
        <saml:Issuer>%(entity_id)s</saml:Issuer>
        %(name_id)s
    </samlp:LogoutRequest>""" % values

    @staticmethod
    def __load_encoded_request(request):
        """Base64-decode ``request`` and inflate it when it is a raw deflate stream."""
        decoded = b64decode(request)
        try:
            # Negative window size: raw deflate without a zlib header.
            return decompress(decoded, -15)
        except Exception:
            # Not compressed; keep the decoded bytes as they are.
            return decoded
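    def build(self, in_response_to):
        """
        Creates a Logout Response object.

        The response is addressed to the IdP single logout service URL,
        reports a Success status and is stored in ``self.__logout_response``.

        :param in_response_to: InResponseTo value for the Logout Response.
                               The value originates outside this class, so it
                               is XML-escaped before being placed in the
                               attribute (a no-op for any well-formed ID).
        :type in_response_to: string
        """
        from xml.sax.saxutils import escape

        sp_data = self.__settings.get_sp_data()
        idp_data = self.__settings.get_idp_data()

        uid = OneLogin_Saml2_Utils.generate_unique_id()
        issue_instant = OneLogin_Saml2_Utils.parse_time_to_SAML(OneLogin_Saml2_Utils.now())

        # '%s' keeps the original coercion of non-string values; escape() then
        # neutralises &, <, > and the attribute delimiter.
        safe_in_response_to = escape('%s' % (in_response_to,), {'"': '&quot;'})

        logout_response = """<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                      ID="%(id)s"
                      Version="2.0"
                      IssueInstant="%(issue_instant)s"
                      Destination="%(destination)s"
                      InResponseTo="%(in_response_to)s"
>
    <saml:Issuer>%(entity_id)s</saml:Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
</samlp:LogoutResponse>""" % {
            'id': uid,
            'issue_instant': issue_instant,
            'destination': idp_data['singleLogoutService']['url'],
            'in_response_to': safe_in_response_to,
            'entity_id': sp_data['entityId'],
        }

        self.__logout_response = logout_response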
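    def build(self, in_response_to):
        """
        Creates a Logout Response object.

        Renders a LogoutResponse with a Success status addressed to the IdP
        single logout service URL and stores it in ``self.__logout_response``.

        :param in_response_to: InResponseTo value for the Logout Response.
                               It is XML-escaped before being interpolated into
                               the attribute, which leaves well-formed IDs unchanged.
        :type in_response_to: string
        """
        from xml.sax.saxutils import escape

        sp_data = self.__settings.get_sp_data()
        idp_data = self.__settings.get_idp_data()

        uid = OneLogin_Saml2_Utils.generate_unique_id()
        issue_instant = OneLogin_Saml2_Utils.parse_time_to_SAML(OneLogin_Saml2_Utils.now())

        # Escape the externally supplied ID so it cannot terminate the
        # attribute or inject markup; '%s' preserves the original coercion.
        safe_in_response_to = escape('%s' % (in_response_to,), {'"': '&quot;'})

        logout_response = """<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                      ID="%(id)s"
                      Version="2.0"
                      IssueInstant="%(issue_instant)s"
                      Destination="%(destination)s"
                      InResponseTo="%(in_response_to)s"
>
    <saml:Issuer>%(entity_id)s</saml:Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
</samlp:LogoutResponse>""" % {
            "id": uid,
            "issue_instant": issue_instant,
            "destination": idp_data["singleLogoutService"]["url"],
            "in_response_to": safe_in_response_to,
            "entity_id": sp_data["entityId"],
        }

        self.__logout_response = logout_response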
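    def __init__(self, settings):
        """
        Constructs the AuthnRequest object.

        Builds the AuthnRequest XML from the SP/IdP settings and stores it
        in ``self.__authn_request``; the generated request ID is kept in
        ``self.__id``.

        Arguments are:
            * (OneLogin_Saml2_Settings)   settings. Setting data
        """
        from xml.sax.saxutils import escape

        self.__settings = settings

        sp_data = self.__settings.get_sp_data()
        idp_data = self.__settings.get_idp_data()
        security = self.__settings.get_security_data()

        uid = OneLogin_Saml2_Utils.generate_unique_id()
        self.__id = uid
        issue_instant = OneLogin_Saml2_Utils.parse_time_to_SAML(OneLogin_Saml2_Utils.now())

        destination = idp_data['singleSignOnService']['url']

        # Ask the IdP for an encrypted NameID when the security settings require it.
        name_id_policy_format = sp_data['NameIDFormat']
        if security.get('wantNameIdEncrypted'):
            name_id_policy_format = OneLogin_Saml2_Constants.NAMEID_ENCRYPTED

        provider_name_str = ''
        organization_data = settings.get_organization()
        if isinstance(organization_data, dict) and organization_data:
            # Prefer the en-US entry, otherwise the first language in sorted
            # order.  (``keys()[0]`` is not valid on Python 3 and depended on
            # dict ordering.)
            lang = 'en-US' if 'en-US' in organization_data else sorted(organization_data)[0]
            display_name = organization_data[lang].get('displayname')
            if display_name is not None:
                # The display name is configured free text: escape it so it
                # cannot terminate the attribute or inject markup.
                provider_name_str = 'ProviderName="%s"' % escape('%s' % (display_name,), {'"': '&quot;'})

        request = """<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="%(id)s"
    Version="2.0"
    %(provider_name)s
    IssueInstant="%(issue_instant)s"
    Destination="%(destination)s"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="%(assertion_url)s">
    <saml:Issuer>%(entity_id)s</saml:Issuer>
    <samlp:NameIDPolicy
        Format="%(name_id_policy)s"
        AllowCreate="true" />
</samlp:AuthnRequest>""" % {
            'id': uid,
            'provider_name': provider_name_str,
            'issue_instant': issue_instant,
            'destination': destination,
            'assertion_url': sp_data['assertionConsumerService']['url'],
            'entity_id': sp_data['entityId'],
            'name_id_policy': name_id_policy_format,
        }

        self.__authn_request = request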
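    def build(self, in_response_to):
        """
        Creates a Logout Response object.

        Fills ``OneLogin_Saml2_Templates.LOGOUT_RESPONSE`` with a Success
        status and stores the result in ``self.__logout_response``.

        :param in_response_to: InResponseTo value for the Logout Response.
                               XML-escaped before interpolation; a no-op for
                               any well-formed ID.
        :type in_response_to: string
        """
        from xml.sax.saxutils import escape

        sp_data = self.__settings.get_sp_data()
        idp_data = self.__settings.get_idp_data()

        uid = OneLogin_Saml2_Utils.generate_unique_id()
        issue_instant = OneLogin_Saml2_Utils.parse_time_to_SAML(OneLogin_Saml2_Utils.now())

        # The ID comes from outside this class; escape &, <, > and the
        # attribute delimiter so it cannot alter the document structure.
        safe_in_response_to = escape('%s' % (in_response_to,), {'"': '&quot;'})

        logout_response = OneLogin_Saml2_Templates.LOGOUT_RESPONSE % {
            'id': uid,
            'issue_instant': issue_instant,
            'destination': idp_data['singleLogoutService']['url'],
            'in_response_to': safe_in_response_to,
            'entity_id': sp_data['entityId'],
            'status': "urn:oasis:names:tc:SAML:2.0:status:Success"
        }

        self.__logout_response = logout_response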
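    def build(self, in_response_to):
        """
        Creates a Logout Response object.

        Renders ``OneLogin_Saml2_Templates.LOGOUT_RESPONSE`` with a Success
        status, addressed to the IdP single logout URL, and stores it in
        ``self.__logout_response``.

        :param in_response_to: InResponseTo value for the Logout Response.
                               Escaped for XML before interpolation, which
                               leaves well-formed IDs unchanged.
        :type in_response_to: string
        """
        from xml.sax.saxutils import escape

        sp_data = self.__settings.get_sp_data()
        idp_data = self.__settings.get_idp_data()

        uid = OneLogin_Saml2_Utils.generate_unique_id()
        issue_instant = OneLogin_Saml2_Utils.parse_time_to_SAML(OneLogin_Saml2_Utils.now())

        # '%s' keeps the original coercion of non-string values before escaping.
        safe_in_response_to = escape('%s' % (in_response_to,), {'"': '&quot;'})

        logout_response = OneLogin_Saml2_Templates.LOGOUT_RESPONSE % {
            'id': uid,
            'issue_instant': issue_instant,
            'destination': idp_data['singleLogoutService']['url'],
            'in_response_to': safe_in_response_to,
            'entity_id': sp_data['entityId'],
            'status': "urn:oasis:names:tc:SAML:2.0:status:Success"
        }

        self.__logout_response = logout_response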
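    def __init__(self,
                 settings,
                 request=None,
                 name_id=None,
                 session_index=None,
                 nq=None,
                 name_id_format=None):
        """
        Constructs the Logout Request object.

        Either builds a new LogoutRequest from the settings and the given
        NameID/SessionIndex, or loads the encoded ``request`` passed in.
        The request ID ends up in ``self.id`` in both cases.

        :param settings: Setting data
        :type settings: OneLogin_Saml2_Settings

        :param request: Optional. A LogoutRequest to be loaded instead build one.
        :type request: string

        :param name_id: The NameID that will be set in the LogoutRequest.
        :type name_id: string

        :param session_index: SessionIndex that identifies the session of the user.
                              XML-escaped before being placed in the document.
        :type session_index: string

        :param nq: IDP Name Qualifier
        :type nq: string

        :param name_id_format: The NameID Format that will be set in the LogoutRequest.
        :type name_id_format: string
        """
        from xml.sax.saxutils import escape

        self.__settings = settings
        self.__error = None
        self.id = None

        if request is None:
            sp_data = self.__settings.get_sp_data()
            idp_data = self.__settings.get_idp_data()
            security = self.__settings.get_security_data()

            uid = OneLogin_Saml2_Utils.generate_unique_id()
            self.id = uid

            issue_instant = OneLogin_Saml2_Utils.parse_time_to_SAML(
                OneLogin_Saml2_Utils.now())

            # Encryption certificate: prefer the first multi-cert encryption
            # entry, fall back to the single IdP certificate.
            cert = None
            if security.get('nameIdEncrypted'):
                multi_enc_certs = idp_data.get('x509certMulti', {}).get('encryption')
                if multi_enc_certs:
                    cert = multi_enc_certs[0]
                else:
                    cert = idp_data['x509cert']

            if name_id is None:
                name_id_format = OneLogin_Saml2_Constants.NAMEID_ENTITY
            elif not name_id_format and sp_data['NameIDFormat'] != OneLogin_Saml2_Constants.NAMEID_UNSPECIFIED:
                name_id_format = sp_data['NameIDFormat']

            # SPNameQualifier is deliberately never emitted (SPID profile:
            # the previous code noted "SPID: no!" for sp_data['entityId']).
            # With the entity format the NameID is the IdP entityId and the
            # NameQualifier is dropped.
            sp_name_qualifier = None
            if name_id_format == OneLogin_Saml2_Constants.NAMEID_ENTITY:
                name_id = idp_data['entityId']
                nq = None

            name_id_obj = OneLogin_Saml2_Utils.generate_name_id(
                name_id, sp_name_qualifier, name_id_format, cert, False, nq)

            session_index_str = ''
            if session_index:
                # The session index is supplied by the caller; escape it so it
                # cannot inject markup into the element content.
                session_index_str = '<samlp:SessionIndex>%s</samlp:SessionIndex>' % escape(
                    '%s' % (session_index,))

            # Only scheme and host of the SLO URL are used as Destination
            # (SPID-specific behaviour inherited from the original code;
            # TODO confirm this is what the IdP expects).
            destination_url_parts = urlparse(
                idp_data['singleLogoutService']['url'])
            destination = "%s://%s" % (destination_url_parts.scheme,
                                       destination_url_parts.netloc)

            logout_request = """<samlp:LogoutRequest
        xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        ID="%(id)s"
        Version="2.0"
        IssueInstant="%(issue_instant)s"
        Destination="%(single_logout_url)s">
        <saml:Issuer
	      NameQualifier="%(entity_id)s"
              Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
              >%(entity_id)s</saml:Issuer>
        %(name_id)s
        %(session_index)s
    </samlp:LogoutRequest>""" % {
                'id': uid,
                'issue_instant': issue_instant,
                'single_logout_url': destination,
                'entity_id': sp_data['entityId'],
                'name_id': name_id_obj,
                'session_index': session_index_str,
            }
        else:
            decoded = b64decode(request)
            # Try to inflate (raw deflate, no zlib header); an uncompressed
            # request makes decompress() fail and is used as decoded.
            try:
                logout_request = decompress(decoded, -15)
            except Exception:
                logout_request = decoded
            self.id = self.get_id(logout_request)

        self.__logout_request = logout_request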
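    def __init__(self,
                 settings,
                 force_authn=False,
                 is_passive=False,
                 set_nameid_policy=True):
        """
        Constructs the AuthnRequest object.

        Builds the AuthnRequest XML from the SP/IdP settings and the given
        options and stores it in ``self.__authn_request``; the generated
        request ID is kept in ``self.__id``.

        :param settings: Setting data
        :type settings: OneLogin_Saml2_Settings

        :param force_authn: Optional argument. When true the AuthNRequest will set the ForceAuthn='true'.
        :type force_authn: bool

        :param is_passive: Optional argument. When true the AuthNRequest will set the Ispassive='true'.
        :type is_passive: bool

        :param set_nameid_policy: Optional argument. When true the AuthNRequest will set a nameIdPolicy element.
        :type set_nameid_policy: bool
        """
        from xml.sax.saxutils import escape

        self.__settings = settings

        sp_data = self.__settings.get_sp_data()
        idp_data = self.__settings.get_idp_data()
        security = self.__settings.get_security_data()

        uid = OneLogin_Saml2_Utils.generate_unique_id()
        self.__id = uid
        issue_instant = OneLogin_Saml2_Utils.parse_time_to_SAML(
            OneLogin_Saml2_Utils.now())

        destination = idp_data['singleSignOnService']['url']

        provider_name_str = ''
        organization_data = settings.get_organization()
        if isinstance(organization_data, dict) and organization_data:
            # Prefer en-US, otherwise the first language in sorted order.
            # (``keys()[0]`` is not valid on Python 3 and depended on dict order.)
            lang = 'en-US' if 'en-US' in organization_data else sorted(organization_data)[0]
            display_name = organization_data[lang].get('displayname')
            if display_name is not None:
                # Configured free text: escape it so it cannot break the attribute.
                provider_name_str = '\n    ProviderName="%s"' % escape(
                    '%s' % (display_name,), {'"': '&quot;'})

        # Optional boolean attributes, each on its own line of the root element.
        force_authn_str = '\n    ForceAuthn="true"' if force_authn is True else ''
        is_passive_str = '\n    IsPassive="true"' if is_passive is True else ''

        nameid_policy_str = ''
        if set_nameid_policy:
            name_id_policy_format = sp_data['NameIDFormat']
            if security.get('wantNameIdEncrypted'):
                name_id_policy_format = OneLogin_Saml2_Constants.NAMEID_ENCRYPTED

            nameid_policy_str = """
    <samlp:NameIDPolicy
        Format="%s"
        AllowCreate="true" />""" % name_id_policy_format

        # requestedAuthnContext: False disables the element, True emits the
        # default PasswordProtectedTransport class, a list emits one
        # AuthnContextClassRef per entry.
        requested_authn_context_str = ''
        requested_authn_context = security.get('requestedAuthnContext', False)
        if requested_authn_context is not False:
            authn_comparison = security.get('requestedAuthnContextComparison', 'exact')

            if requested_authn_context is True:
                requested_authn_context_str = "\n" + """    <samlp:RequestedAuthnContext Comparison="%s">
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>""" % authn_comparison
            else:
                parts = ['\n     <samlp:RequestedAuthnContext Comparison="%s">' % authn_comparison]
                parts.extend(
                    '<saml:AuthnContextClassRef>%s</saml:AuthnContextClassRef>' % authn_context
                    for authn_context in requested_authn_context)
                parts.append('    </samlp:RequestedAuthnContext>')
                requested_authn_context_str = ''.join(parts)

        attr_consuming_service_str = ''
        if sp_data.get('attributeConsumingService'):
            attr_consuming_service_str = 'AttributeConsumingServiceIndex="1"'

        request = """<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="%(id)s"
    Version="2.0"%(provider_name)s%(force_authn_str)s%(is_passive_str)s
    IssueInstant="%(issue_instant)s"
    Destination="%(destination)s"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="%(assertion_url)s"
    %(attr_consuming_service_str)s>
    <saml:Issuer>%(entity_id)s</saml:Issuer>%(nameid_policy_str)s%(requested_authn_context_str)s
</samlp:AuthnRequest>""" % {
            'id': uid,
            'provider_name': provider_name_str,
            'force_authn_str': force_authn_str,
            'is_passive_str': is_passive_str,
            'issue_instant': issue_instant,
            'destination': destination,
            'assertion_url': sp_data['assertionConsumerService']['url'],
            'entity_id': sp_data['entityId'],
            'nameid_policy_str': nameid_policy_str,
            'requested_authn_context_str': requested_authn_context_str,
            'attr_consuming_service_str': attr_consuming_service_str
        }

        self.__authn_request = request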
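    def __init__(self, settings, force_authn=False, is_passive=False):
        """
        Constructs the AuthnRequest object.

        Fills ``OneLogin_Saml2_Templates.AUTHN_REQUEST`` from the SP/IdP
        settings and the given options; the result is stored in
        ``self.__authn_request`` and the request ID in ``self.__id``.

        :param settings: Setting data
        :type settings: OneLogin_Saml2_Settings

        :param force_authn: Optional argument. When true the AuthNRequest will set the ForceAuthn='true'.
        :type force_authn: bool

        :param is_passive: Optional argument. When true the AuthNRequest will set the Ispassive='true'.
        :type is_passive: bool
        """
        from xml.sax.saxutils import escape

        self.__settings = settings

        sp_data = self.__settings.get_sp_data()
        idp_data = self.__settings.get_idp_data()
        security = self.__settings.get_security_data()

        uid = OneLogin_Saml2_Utils.generate_unique_id()
        self.__id = uid
        issue_instant = OneLogin_Saml2_Utils.parse_time_to_SAML(OneLogin_Saml2_Utils.now())

        destination = idp_data['singleSignOnService']['url']

        # Ask the IdP for an encrypted NameID when the security settings require it.
        name_id_policy_format = sp_data['NameIDFormat']
        if security['wantNameIdEncrypted']:
            name_id_policy_format = OneLogin_Saml2_Constants.NAMEID_ENCRYPTED

        provider_name_str = ''
        organization_data = settings.get_organization()
        if isinstance(organization_data, dict) and organization_data:
            # Prefer en-US, otherwise the first language in sorted order
            # (deterministic regardless of dict ordering).
            lang = 'en-US' if 'en-US' in organization_data else sorted(organization_data)[0]
            display_name = organization_data[lang].get('displayname')
            # A falsy display name (missing, None, empty) emits no ProviderName.
            if display_name:
                # Configured free text: escape it so it cannot break the attribute.
                provider_name_str = 'ProviderName="%s"' % escape('%s' % (display_name,), {'"': '&quot;'})

        force_authn_str = 'ForceAuthn="true"' if force_authn is True else ''
        is_passive_str = 'IsPassive="true"' if is_passive is True else ''

        # requestedAuthnContext: False disables the element, True emits the
        # default PasswordProtectedTransport class, a list emits one
        # AuthnContextClassRef per entry.
        requested_authn_context_str = ''
        requested_authn_context = security['requestedAuthnContext']
        if requested_authn_context is not False:
            if requested_authn_context is True:
                requested_authn_context_str = """    <samlp:RequestedAuthnContext Comparison="exact">
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>"""
            else:
                parts = ['     <samlp:RequestedAuthnContext Comparison="exact">']
                parts.extend(
                    '<saml:AuthnContextClassRef>%s</saml:AuthnContextClassRef>' % authn_context
                    for authn_context in requested_authn_context)
                parts.append('    </samlp:RequestedAuthnContext>')
                requested_authn_context_str = ''.join(parts)

        request = OneLogin_Saml2_Templates.AUTHN_REQUEST % {
            'id': uid,
            'provider_name': provider_name_str,
            'force_authn_str': force_authn_str,
            'is_passive_str': is_passive_str,
            'issue_instant': issue_instant,
            'destination': destination,
            'assertion_url': sp_data['assertionConsumerService']['url'],
            'entity_id': sp_data['entityId'],
            'name_id_policy': name_id_policy_format,
            'requested_authn_context_str': requested_authn_context_str,
        }

        self.__authn_request = request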
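    def __init__(self,
                 settings,
                 request=None,
                 name_id=None,
                 session_index=None,
                 nq=None):
        """
        Constructs the Logout Request object.

        Either fills ``OneLogin_Saml2_Templates.LOGOUT_REQUEST`` from the
        settings and the given NameID/SessionIndex, or loads the encoded
        ``request``.  The request ID ends up in ``self.id`` in both cases.

        :param settings: Setting data
        :type settings: OneLogin_Saml2_Settings

        :param request: Optional. A LogoutRequest to be loaded instead build one.
        :type request: string

        :param name_id: The NameID that will be set in the LogoutRequest.
        :type name_id: string

        :param session_index: SessionIndex that identifies the session of the user.
                              XML-escaped before being placed in the document.
        :type session_index: string

        :param nq: IDP Name Qualifier
        :type nq: string
        """
        from xml.sax.saxutils import escape

        self.__settings = settings
        self.__error = None
        self.id = None

        if request is None:
            sp_data = self.__settings.get_sp_data()
            idp_data = self.__settings.get_idp_data()
            security = self.__settings.get_security_data()

            uid = OneLogin_Saml2_Utils.generate_unique_id()
            self.id = uid

            issue_instant = OneLogin_Saml2_Utils.parse_time_to_SAML(
                OneLogin_Saml2_Utils.now())

            # The IdP certificate is only handed over when the NameID must be encrypted.
            cert = None
            if security['nameIdEncrypted']:
                cert = idp_data['x509cert']

            if name_id is not None:
                name_id_format = sp_data['NameIDFormat']
                sp_name_qualifier = None
            else:
                # No subject given: identify the SP itself with the entity format.
                name_id = idp_data['entityId']
                name_id_format = OneLogin_Saml2_Constants.NAMEID_ENTITY
                sp_name_qualifier = sp_data['entityId']

            name_id_obj = OneLogin_Saml2_Utils.generate_name_id(
                name_id,
                sp_name_qualifier,
                name_id_format,
                cert,
                nq=nq,
            )

            session_index_str = ''
            if session_index:
                # Caller-supplied value: escape it so it cannot inject markup
                # into the element content.
                session_index_str = '<samlp:SessionIndex>%s</samlp:SessionIndex>' % escape(
                    '%s' % (session_index,))

            logout_request = OneLogin_Saml2_Templates.LOGOUT_REQUEST % {
                'id': uid,
                'issue_instant': issue_instant,
                'single_logout_url': idp_data['singleLogoutService']['url'],
                'entity_id': sp_data['entityId'],
                'name_id': name_id_obj,
                'session_index': session_index_str,
            }
        else:
            logout_request = OneLogin_Saml2_Utils.decode_base64_and_inflate(
                request, ignore_zip=True)
            self.id = self.get_id(logout_request)

        self.__logout_request = logout_request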
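    def __init__(self, settings, request=None, name_id=None, session_index=None, nq=None, name_id_format=None, spnq=None):
        """
        Constructs the Logout Request object.

        Either fills ``OneLogin_Saml2_Templates.LOGOUT_REQUEST`` from the
        settings and the given NameID/SessionIndex, or loads the encoded
        ``request``.  The request ID ends up in ``self.id`` in both cases.

        :param settings: Setting data
        :type settings: OneLogin_Saml2_Settings

        :param request: Optional. A LogoutRequest to be loaded instead build one.
        :type request: string

        :param name_id: The NameID that will be set in the LogoutRequest.
        :type name_id: string

        :param session_index: SessionIndex that identifies the session of the user.
                              XML-escaped before being placed in the document.
        :type session_index: string

        :param nq: IDP Name Qualifier
        :type nq: string

        :param name_id_format: The NameID Format that will be set in the LogoutRequest.
        :type name_id_format: string

        :param spnq: SP Name Qualifier
        :type spnq: string
        """
        from xml.sax.saxutils import escape

        self.__settings = settings
        self.__error = None
        self.id = None

        if request is None:
            sp_data = self.__settings.get_sp_data()
            idp_data = self.__settings.get_idp_data()
            security = self.__settings.get_security_data()

            uid = OneLogin_Saml2_Utils.generate_unique_id()
            self.id = uid

            issue_instant = OneLogin_Saml2_Utils.parse_time_to_SAML(OneLogin_Saml2_Utils.now())

            # Encryption certificate: prefer the first multi-cert encryption
            # entry, fall back to the single IdP certificate.
            cert = None
            if security['nameIdEncrypted']:
                multi_enc_certs = idp_data.get('x509certMulti', {}).get('encryption')
                if multi_enc_certs:
                    cert = multi_enc_certs[0]
                else:
                    cert = idp_data['x509cert']

            if name_id is not None:
                if not name_id_format and sp_data['NameIDFormat'] != OneLogin_Saml2_Constants.NAMEID_UNSPECIFIED:
                    name_id_format = sp_data['NameIDFormat']
            else:
                # No subject given: identify the SP itself with the entity format.
                name_id = idp_data['entityId']
                name_id_format = OneLogin_Saml2_Constants.NAMEID_ENTITY

            # From saml-core-2.0-os 8.3.6, when the entity Format is used:
            # "The NameQualifier, SPNameQualifier, and SPProvidedID attributes
            # MUST be omitted.
            if name_id_format and name_id_format == OneLogin_Saml2_Constants.NAMEID_ENTITY:
                nq = None
                spnq = None

            # NameID Format UNSPECIFIED omitted
            if name_id_format and name_id_format == OneLogin_Saml2_Constants.NAMEID_UNSPECIFIED:
                name_id_format = None

            name_id_obj = OneLogin_Saml2_Utils.generate_name_id(
                name_id,
                spnq,
                name_id_format,
                cert,
                False,
                nq
            )

            session_index_str = ''
            if session_index:
                # Caller-supplied value: escape it so it cannot inject markup
                # into the element content.
                session_index_str = '<samlp:SessionIndex>%s</samlp:SessionIndex>' % escape(
                    '%s' % (session_index,))

            logout_request = OneLogin_Saml2_Templates.LOGOUT_REQUEST % {
                'id': uid,
                'issue_instant': issue_instant,
                'single_logout_url': idp_data['singleLogoutService']['url'],
                'entity_id': sp_data['entityId'],
                'name_id': name_id_obj,
                'session_index': session_index_str,
            }
        else:
            logout_request = OneLogin_Saml2_Utils.decode_base64_and_inflate(request, ignore_zip=True)
            self.id = self.get_id(logout_request)

        self.__logout_request = compat.to_string(logout_request)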
    def __init__(self,
                 settings,
                 force_authn=False,
                 is_passive=False,
                 set_nameid_policy=True):
        """
        Constructs the AuthnRequest object.

        :param settings: OSetting data
        :type return_to: OneLogin_Saml2_Settings

        :param force_authn: Optional argument. When true the AuthNRequest will set the ForceAuthn='true'.
        :type force_authn: bool

        :param is_passive: Optional argument. When true the AuthNRequest will set the Ispassive='true'.
        :type is_passive: bool

        :param set_nameid_policy: Optional argument. When true the AuthNRequest will set a nameIdPolicy element.
        :type set_nameid_policy: bool
        """
        self.__settings = settings

        sp_data = self.__settings.get_sp_data()
        idp_data = self.__settings.get_idp_data()
        security = self.__settings.get_security_data()

        uid = OneLogin_Saml2_Utils.generate_unique_id()
        self.__id = uid
        issue_instant = OneLogin_Saml2_Utils.parse_time_to_SAML(
            OneLogin_Saml2_Utils.now())

        # destination = idp_data['singleSignOnService']['url']
        destination = 'https://fed.paci.gov.kw/idp/SSO.saml2'
        provider_name_str = ''
        organization_data = settings.get_organization()
        if isinstance(organization_data, dict) and organization_data:
            langs = organization_data.keys()
            if 'en-US' in langs:
                lang = 'en-US'
            else:
                lang = langs[0]
            if 'displayname' in organization_data[lang] and organization_data[
                    lang]['displayname'] is not None:
                provider_name_str = "\n" + '    ProviderName="%s"' % organization_data[
                    lang]['displayname']

        force_authn_str = ''
        if force_authn is True:
            force_authn_str = "\n" + '    ForceAuthn="true"'

        is_passive_str = ''
        if is_passive is True:
            is_passive_str = "\n" + '    IsPassive="true"'

        nameid_policy_str = ''
        if set_nameid_policy:
            name_id_policy_format = sp_data['NameIDFormat']
            if 'wantNameIdEncrypted' in security and security[
                    'wantNameIdEncrypted']:
                name_id_policy_format = OneLogin_Saml2_Constants.NAMEID_ENCRYPTED

            nameid_policy_str = """
    <samlp:NameIDPolicy
        Format="%s"
        AllowCreate="true" />""" % name_id_policy_format

        requested_authn_context_str = ''
        if 'requestedAuthnContext' in security.keys(
        ) and security['requestedAuthnContext'] is not False:
            authn_comparison = 'exact'
            if 'requestedAuthnContextComparison' in security.keys():
                authn_comparison = security['requestedAuthnContextComparison']

            if security['requestedAuthnContext'] is True:
                requested_authn_context_str = "\n" + """    <samlp:RequestedAuthnContext Comparison="%s">
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>""" % authn_comparison
            else:
                requested_authn_context_str = "\n" + '     <samlp:RequestedAuthnContext Comparison="%s">' % authn_comparison
                for authn_context in security['requestedAuthnContext']:
                    requested_authn_context_str += '<saml:AuthnContextClassRef>%s</saml:AuthnContextClassRef>' % authn_context
                requested_authn_context_str += '    </samlp:RequestedAuthnContext>'

        attr_consuming_service_str = ''
        if 'attributeConsumingService' in sp_data and sp_data[
                'attributeConsumingService']:
            attr_consuming_service_str = 'AttributeConsumingServiceIndex="1"'

        certificate = "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"
        signature_value = 'owbA6nJRn8TMQojq27rkqMBk+z2s8Fly1F68MEMd1InH6vFpVQqvwn7NrEP7YEJnTiHH3y8vrQvpHqBYuXoJjoZpjLdmV3jlprrzjDF+ZFUeqqfUO9h8JAVPTtxwrIEj0bfzH76pCU9h+Fu0kEekQ0UjKGHUEOZbd1+W7lmcc7U='
        assertion__consumer_service_url = 'https://api.mofa2.mykuwaitnet.net/saml?acs'
        digest_value = 'Eph2yJzbGPhlVQThAl1OHWF/bmM='
        saml_issuer = 'https://api.mofa2.mykuwaitnet.net/'
        request = """<samlp:AuthnRequest ID="%(id)s" Version="2.0" IssueInstant="%(issue_instant)s" Destination="%(destination)s" ForceAuthn="false" IsPassive="false" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="%(assertion__consumer_service_url)s" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">%(saml_issuer)s</saml:Issuer><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /><Reference URI="#%(id)s"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><InclusiveNamespaces PrefixList="#default samlp saml ds xs xsi" xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" /></Transform></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /><DigestValue>%(digest_value)s</DigestValue></Reference></SignedInfo><SignatureValue>%(signature_value)s</SignatureValue><KeyInfo><X509Data><X509Certificate>%(certificate)s</X509Certificate></X509Data></KeyInfo></Signature><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true" /></samlp:AuthnRequest>""" % \
                  {
                      'id': uid,
                      'provider_name': provider_name_str,
                      'force_authn_str': force_authn_str,
                      'is_passive_str': is_passive_str,
                      'issue_instant': issue_instant,
                      'destination': destination,
                      'assertion_url': sp_data['assertionConsumerService']['url'],
                      'entity_id': sp_data['entityId'],
                      'nameid_policy_str': nameid_policy_str,
                      'requested_authn_context_str': requested_authn_context_str,
                      'attr_consuming_service_str': attr_consuming_service_str,
                      'certificate': certificate,
                      'signature_value': signature_value,
                      'digest_value': digest_value,
                      'assertion__consumer_service_url': assertion__consumer_service_url,
                      'saml_issuer':saml_issuer
                  }

        self.__authn_request = request
    def __init__(self, settings, force_authn=False, is_passive=False, set_nameid_policy=True):
        """
        Builds an unsigned SAML 2.0 AuthnRequest from the SP/IdP settings.

        Attribute values go through quoteattr() and text nodes through escape(), so
        configuration values cannot break or inject into the XML. The serialized
        request is kept in ``self.__authn_request`` and its generated ID in
        ``self.__id``.

        :param settings: Setting data
        :type settings: OneLogin_Saml2_Settings

        :param force_authn: Optional argument. When true the AuthNRequest will set the ForceAuthn='true'.
        :type force_authn: bool

        :param is_passive: Optional argument. When true the AuthNRequest will set the Ispassive='true'.
        :type is_passive: bool

        :param set_nameid_policy: Optional argument. When true the AuthNRequest will set a nameIdPolicy element.
        :type set_nameid_policy: bool
        """
        self.__settings = settings

        sp_data = settings.get_sp_data()
        idp_data = settings.get_idp_data()
        security = settings.get_security_data()

        request_id = OneLogin_Saml2_Utils.generate_unique_id()
        self.__id = request_id
        issued_at = OneLogin_Saml2_Utils.parse_time_to_SAML(OneLogin_Saml2_Utils.now())

        sso_url = idp_data['singleSignOnService']['url']

        # Optional ProviderName from the organization block; en-US is preferred,
        # otherwise the alphabetically first language wins.
        provider_name_attr = ''
        organization = settings.get_organization()
        if isinstance(organization, dict) and organization:
            lang = 'en-US' if 'en-US' in organization else sorted(organization)[0]
            org_entry = organization[lang]
            if 'displayname' in org_entry and org_entry['displayname']:
                provider_name_attr = '\n    ProviderName=%s' % quoteattr(org_entry['displayname'])

        force_authn_attr = '\n    ForceAuthn="true"' if force_authn is True else ''
        is_passive_attr = '\n    IsPassive="true"' if is_passive is True else ''

        # NameIDPolicy: the SP's configured format, or the encrypted format on request.
        nameid_policy_xml = ''
        if set_nameid_policy:
            policy_format = sp_data['NameIDFormat']
            if security['wantNameIdEncrypted']:
                policy_format = OneLogin_Saml2_Constants.NAMEID_ENCRYPTED
            nameid_policy_xml = (
                '\n    <samlp:NameIDPolicy\n        Format=%s\n        AllowCreate="true" />'
            ) % quoteattr(policy_format)

        # RequestedAuthnContext: True -> PasswordProtectedTransport, list -> one ref each.
        authn_context_xml = ''
        requested_context = security['requestedAuthnContext']
        if requested_context is not False:
            comparison = quoteattr(security.get('requestedAuthnContextComparison', 'exact'))
            if requested_context is True:
                authn_context_xml = (
                    '    <samlp:RequestedAuthnContext Comparison=%s>\n'
                    '        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>\n'
                    '    </samlp:RequestedAuthnContext>'
                ) % comparison
            else:
                class_refs = [
                    '<saml:AuthnContextClassRef>%s</saml:AuthnContextClassRef>' % escape(ref)
                    for ref in requested_context
                ]
                authn_context_xml = '     <samlp:RequestedAuthnContext Comparison=%s>' % comparison
                authn_context_xml += ''.join(class_refs) + '    </samlp:RequestedAuthnContext>'

        attr_consuming_attr = ''
        if sp_data.get('attributeConsumingService'):
            attr_consuming_attr = '\n    AttributeConsumingServiceIndex="1"'

        self.__authn_request = AUTHN_REQUEST % {
            'id': quoteattr(request_id),
            'provider_name': provider_name_attr,
            'force_authn_str': force_authn_attr,
            'is_passive_str': is_passive_attr,
            'issue_instant': quoteattr(issued_at),
            'destination': quoteattr(sso_url),
            'assertion_url': quoteattr(sp_data['assertionConsumerService']['url']),
            'entity_id': escape(sp_data['entityId']),
            'nameid_policy_str': nameid_policy_xml,
            'requested_authn_context_str': authn_context_xml,
            'attr_consuming_service_str': attr_consuming_attr,
        }
 def _generate_request_id(self):
     """Return a fresh unique ID for an outgoing request (delegates to OneLogin_Saml2_Utils)."""
     new_id = OneLogin_Saml2_Utils.generate_unique_id()
     return new_id
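    def __init__(self, settings, force_authn=False, is_passive=False):
        """
        Constructs the AuthnRequest object.

        The request is built from ``settings`` only and is not signed here. Every
        value interpolated into the XML is quoted with quoteattr() (attributes) or
        escape()d (text), so a display name, entity ID or URL containing '"', '<'
        or '&' yields well-formed XML rather than a broken or injectable request.

        :param settings: Setting data
        :type settings: OneLogin_Saml2_Settings

        :param force_authn: Optional argument. When true the AuthNRequest will set the ForceAuthn='true'.
        :type force_authn: bool

        :param is_passive: Optional argument. When true the AuthNRequest will set the Ispassive='true'.
        :type is_passive: bool
        """
        # Function-scope import keeps this block self-contained.
        from xml.sax.saxutils import escape, quoteattr

        self.__settings = settings

        sp_data = self.__settings.get_sp_data()
        idp_data = self.__settings.get_idp_data()
        security = self.__settings.get_security_data()

        uid = OneLogin_Saml2_Utils.generate_unique_id()
        self.__id = uid
        issue_instant = OneLogin_Saml2_Utils.parse_time_to_SAML(OneLogin_Saml2_Utils.now())

        destination = idp_data["singleSignOnService"]["url"]

        name_id_policy_format = sp_data["NameIDFormat"]
        if security.get("wantNameIdEncrypted"):
            name_id_policy_format = OneLogin_Saml2_Constants.NAMEID_ENCRYPTED

        provider_name_str = ""
        organization_data = settings.get_organization()
        if isinstance(organization_data, dict) and organization_data:
            # dict.keys()[0] raises TypeError on Python 3; sorted() is portable
            # and makes the fallback language deterministic.
            if "en-US" in organization_data:
                lang = "en-US"
            else:
                lang = sorted(organization_data)[0]
            org_entry = organization_data[lang]
            if "displayname" in org_entry and org_entry["displayname"] is not None:
                provider_name_str = "ProviderName=%s" % quoteattr(org_entry["displayname"])

        force_authn_str = ""
        if force_authn is True:
            force_authn_str = 'ForceAuthn="true"'

        is_passive_str = ""
        if is_passive is True:
            is_passive_str = 'IsPassive="true"'

        # RequestedAuthnContext: True -> PasswordProtectedTransport only,
        # a list -> one AuthnContextClassRef per entry, False/absent -> omitted.
        requested_authn_context_str = ""
        requested_authn_context = security.get("requestedAuthnContext", False)
        if requested_authn_context is not False:
            authn_comparison = quoteattr(security.get("requestedAuthnContextComparison", "exact"))

            if requested_authn_context is True:
                requested_authn_context_str = (
                    """    <samlp:RequestedAuthnContext Comparison=%s>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>"""
                    % authn_comparison
                )
            else:
                class_refs = "".join(
                    "<saml:AuthnContextClassRef>%s</saml:AuthnContextClassRef>" % escape(authn_context)
                    for authn_context in requested_authn_context
                )
                requested_authn_context_str = (
                    "     <samlp:RequestedAuthnContext Comparison=%s>" % authn_comparison
                    + class_refs
                    + "    </samlp:RequestedAuthnContext>"
                )

        attr_consuming_service_str = ""
        if sp_data.get("attributeConsumingService"):
            # TODO: Do we have to account for the case when we have multiple attributeconsumers?
            # like will the index be > 1?
            attr_consuming_service_str = 'AttributeConsumingServiceIndex="1"'

        # Attribute slots carry no quotes of their own: quoteattr() supplies them.
        request = """<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID=%(id)s
    Version="2.0"
    %(provider_name)s
    %(force_authn_str)s
    %(is_passive_str)s
    IssueInstant=%(issue_instant)s
    Destination=%(destination)s
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL=%(assertion_url)s
    %(attr_consuming_service_str)s>
    <saml:Issuer>%(entity_id)s</saml:Issuer>
    <samlp:NameIDPolicy
        Format=%(name_id_policy)s
        AllowCreate="true" />
%(requested_authn_context_str)s
</samlp:AuthnRequest>""" % {
            "id": quoteattr(uid),
            "provider_name": provider_name_str,
            "force_authn_str": force_authn_str,
            "is_passive_str": is_passive_str,
            "issue_instant": quoteattr(issue_instant),
            "destination": quoteattr(destination),
            "assertion_url": quoteattr(sp_data["assertionConsumerService"]["url"]),
            "entity_id": escape(sp_data["entityId"]),
            "name_id_policy": quoteattr(name_id_policy_format),
            "requested_authn_context_str": requested_authn_context_str,
            "attr_consuming_service_str": attr_consuming_service_str,
        }

        self.__authn_request = request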
    def __init__(self,
                 settings,
                 force_authn=False,
                 is_passive=False,
                 set_nameid_policy=True):
        """
        Constructs the AuthnRequest object.

        :param settings: OSetting data
        :type return_to: OneLogin_Saml2_Settings

        :param force_authn: Optional argument. When true the AuthNRequest will set the ForceAuthn='true'.
        :type force_authn: bool

        :param is_passive: Optional argument. When true the AuthNRequest will set the Ispassive='true'.
        :type is_passive: bool

        :param set_nameid_policy: Optional argument. When true the AuthNRequest will set a nameIdPolicy element.
        :type set_nameid_policy: bool
        """
        self.__settings = settings

        sp_data = self.__settings.get_sp_data()
        idp_data = self.__settings.get_idp_data()
        security = self.__settings.get_security_data()

        uid = OneLogin_Saml2_Utils.generate_unique_id()
        self.__id = uid
        issue_instant = OneLogin_Saml2_Utils.parse_time_to_SAML(
            OneLogin_Saml2_Utils.now())

        # destination = idp_data['singleSignOnService']['url']
        #destination = 'https://fed.paci.gov.kw/idp/SSO.saml2'
        destination = 'https://smartidqa2.paci.gov.kw/'
        provider_name_str = ''
        organization_data = settings.get_organization()
        if isinstance(organization_data, dict) and organization_data:
            langs = organization_data.keys()
            if 'en-US' in langs:
                lang = 'en-US'
            else:
                lang = langs[0]
            if 'displayname' in organization_data[lang] and organization_data[
                    lang]['displayname'] is not None:
                provider_name_str = "\n" + '    ProviderName="%s"' % organization_data[
                    lang]['displayname']

        force_authn_str = ''
        if force_authn is True:
            force_authn_str = "\n" + '    ForceAuthn="true"'

        is_passive_str = ''
        if is_passive is True:
            is_passive_str = "\n" + '    IsPassive="true"'

        nameid_policy_str = ''
        if set_nameid_policy:
            name_id_policy_format = sp_data['NameIDFormat']
            if 'wantNameIdEncrypted' in security and security[
                    'wantNameIdEncrypted']:
                name_id_policy_format = OneLogin_Saml2_Constants.NAMEID_ENCRYPTED

            nameid_policy_str = """
    <samlp:NameIDPolicy
        Format="%s"
        AllowCreate="true" />""" % name_id_policy_format

        requested_authn_context_str = ''
        if 'requestedAuthnContext' in security.keys(
        ) and security['requestedAuthnContext'] is not False:
            authn_comparison = 'exact'
            if 'requestedAuthnContextComparison' in security.keys():
                authn_comparison = security['requestedAuthnContextComparison']

            if security['requestedAuthnContext'] is True:
                requested_authn_context_str = "\n" + """    <samlp:RequestedAuthnContext Comparison="%s">
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>""" % authn_comparison
            else:
                requested_authn_context_str = "\n" + '     <samlp:RequestedAuthnContext Comparison="%s">' % authn_comparison
                for authn_context in security['requestedAuthnContext']:
                    requested_authn_context_str += '<saml:AuthnContextClassRef>%s</saml:AuthnContextClassRef>' % authn_context
                requested_authn_context_str += '    </samlp:RequestedAuthnContext>'

        attr_consuming_service_str = ''
        if 'attributeConsumingService' in sp_data and sp_data[
                'attributeConsumingService']:
            attr_consuming_service_str = 'AttributeConsumingServiceIndex="1"'

        certificate = "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"
        signature_value = 'owbA6nJRn8TMQojq27rkqMBk+z2s8Fly1F68MEMd1InH6vFpVQqvwn7NrEP7YEJnTiHH3y8vrQvpHqBYuXoJjoZpjLdmV3jlprrzjDF+ZFUeqqfUO9h8JAVPTtxwrIEj0bfzH76pCU9h+Fu0kEekQ0UjKGHUEOZbd1+W7lmcc7U='
        assertion__consumer_service_url = 'https://api.dev.aid.mofa.gov.kw/saml?acs'
        digest_value = 'Eph2yJzbGPhlVQThAl1OHWF/bmM='
        saml_issuer = 'https://api.dev.aid.mofa.gov.kw/'
        request = """<samlp:AuthnRequest ID="%(id)s" Version="2.0" IssueInstant="%(issue_instant)s" Destination="%(destination)s" ForceAuthn="false" IsPassive="false" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="%(assertion__consumer_service_url)s" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">%(saml_issuer)s</saml:Issuer><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /><Reference URI="#%(id)s"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><InclusiveNamespaces PrefixList="#default samlp saml ds xs xsi" xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" /></Transform></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /><DigestValue>%(digest_value)s</DigestValue></Reference></SignedInfo><SignatureValue>%(signature_value)s</SignatureValue><KeyInfo><X509Data><X509Certificate>%(certificate)s</X509Certificate></X509Data></KeyInfo></Signature><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true" /></samlp:AuthnRequest>""" % \
                  {
                      'id': uid,
                      'provider_name': provider_name_str,
                      'force_authn_str': force_authn_str,
                      'is_passive_str': is_passive_str,
                      'issue_instant': issue_instant,
                      'destination': destination,
                      'assertion_url': sp_data['assertionConsumerService']['url'],
                      'entity_id': sp_data['entityId'],
                      'nameid_policy_str': nameid_policy_str,
                      'requested_authn_context_str': requested_authn_context_str,
                      'attr_consuming_service_str': attr_consuming_service_str,
                      'certificate': certificate,
                      'signature_value': signature_value,
                      'digest_value': digest_value,
                      'assertion__consumer_service_url': assertion__consumer_service_url,
                      'saml_issuer':saml_issuer
                  }

        self.__authn_request = request
 def _generate_request_id(self):
     """Return a fresh unique ID for a logout response (delegates to OneLogin_Saml2_Utils)."""
     response_id = OneLogin_Saml2_Utils.generate_unique_id()
     return response_id
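    def __init__(self, settings, request=None, name_id=None, session_index=None):
        """
        Constructs the Logout Request object.

        With ``request`` unset, a new LogoutRequest is built from ``settings``: a
        fresh ID is generated, the NameID is either the given ``name_id`` (in the
        SP's NameIDFormat) or the IdP entityId in entity format, and the optional
        SessionIndex is escape()d before interpolation so a value copied out of an
        assertion cannot inject XML. With ``request`` set, the base64 (optionally
        deflated) value is decoded and stored as-is; no signature or schema
        validation happens in this constructor (assumed to be a separate step —
        confirm with the caller).

        :param settings: Setting data
        :type settings: OneLogin_Saml2_Settings

        :param request: Optional. A LogoutRequest to be loaded instead build one.
        :type request: string

        :param name_id: The NameID that will be set in the LogoutRequest.
        :type name_id: string

        :param session_index: SessionIndex that identifies the session of the user.
        :type session_index: string
        """
        # Function-scope import keeps this block self-contained.
        from xml.sax.saxutils import escape

        self.__settings = settings
        self.__error = None
        self.id = None

        if request is None:
            sp_data = self.__settings.get_sp_data()
            idp_data = self.__settings.get_idp_data()
            security = self.__settings.get_security_data()

            uid = OneLogin_Saml2_Utils.generate_unique_id()
            self.id = uid

            issue_instant = OneLogin_Saml2_Utils.parse_time_to_SAML(OneLogin_Saml2_Utils.now())

            # The NameID is encrypted to the IdP certificate only when configured.
            cert = None
            if security['nameIdEncrypted']:
                cert = idp_data['x509cert']

            if name_id is not None:
                name_id_format = sp_data['NameIDFormat']
                sp_name_qualifier = None
            else:
                # No subject given: address the IdP itself as an entity NameID.
                name_id = idp_data['entityId']
                name_id_format = OneLogin_Saml2_Constants.NAMEID_ENTITY
                sp_name_qualifier = sp_data['entityId']

            name_id_obj = OneLogin_Saml2_Utils.generate_name_id(
                name_id,
                sp_name_qualifier,
                name_id_format,
                cert
            )

            session_index_str = ''
            if session_index:
                session_index_str = '<samlp:SessionIndex>%s</samlp:SessionIndex>' % escape(session_index)

            logout_request = OneLogin_Saml2_Templates.LOGOUT_REQUEST % \
                {
                    'id': uid,
                    'issue_instant': issue_instant,
                    'single_logout_url': idp_data['singleLogoutService']['url'],
                    'entity_id': sp_data['entityId'],
                    'name_id': name_id_obj,
                    'session_index': session_index_str,
                }
        else:
            logout_request = OneLogin_Saml2_Utils.decode_base64_and_inflate(request, ignore_zip=True)
            self.id = self.get_id(logout_request)

        self.__logout_request = logout_request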
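    def __init__(self,
                 settings,
                 force_authn=False,
                 is_passive=False,
                 set_nameid_policy=True,
                 name_id_value_req=None):
        """
        Constructs the AuthnRequest object.

        ``name_id_value_req`` is typically supplied by the end user (a login hint)
        and is therefore escape()d before being placed in <saml:NameID>; the
        NameID Format, ProviderName, NameIDPolicy Format and Comparison attributes
        are quoted with quoteattr(). Without that, a value containing '<' or '"'
        could break the request or inject elements into it.

        :param settings: OSetting data
        :type settings: OneLogin_Saml2_Settings

        :param force_authn: Optional argument. When true the AuthNRequest will set the ForceAuthn='true'.
        :type force_authn: bool

        :param is_passive: Optional argument. When true the AuthNRequest will set the Ispassive='true'.
        :type is_passive: bool

        :param set_nameid_policy: Optional argument. When true the AuthNRequest will set a nameIdPolicy element.
        :type set_nameid_policy: bool

        :param name_id_value_req: Optional argument. Indicates to the IdP the subject that should be authenticated
        :type name_id_value_req: string
        """
        # Function-scope import keeps this block self-contained.
        from xml.sax.saxutils import escape, quoteattr

        self.__settings = settings

        sp_data = self.__settings.get_sp_data()
        idp_data = self.__settings.get_idp_data()
        security = self.__settings.get_security_data()

        uid = OneLogin_Saml2_Utils.generate_unique_id()
        self.__id = uid
        issue_instant = OneLogin_Saml2_Utils.parse_time_to_SAML(
            OneLogin_Saml2_Utils.now())

        destination = idp_data['singleSignOnService']['url']

        provider_name_str = ''
        organization_data = settings.get_organization()
        if isinstance(organization_data, dict) and organization_data:
            if 'en-US' in organization_data:
                lang = 'en-US'
            else:
                lang = sorted(organization_data)[0]

            org_entry = organization_data[lang]
            if 'displayname' in org_entry and org_entry['displayname']:
                provider_name_str = "\n" + '    ProviderName=%s' % quoteattr(org_entry['displayname'])

        force_authn_str = ''
        if force_authn is True:
            force_authn_str = "\n" + '    ForceAuthn="true"'

        is_passive_str = ''
        if is_passive is True:
            is_passive_str = "\n" + '    IsPassive="true"'

        # Subject hint: attribute value quoted, text content escaped (untrusted input).
        subject_str = ''
        if name_id_value_req:
            subject_str = """
    <saml:Subject>
        <saml:NameID Format=%s>%s</saml:NameID>
        <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"></saml:SubjectConfirmation>
    </saml:Subject>""" % (quoteattr(sp_data['NameIDFormat']), escape(name_id_value_req))

        nameid_policy_str = ''
        if set_nameid_policy:
            name_id_policy_format = sp_data['NameIDFormat']
            if security['wantNameIdEncrypted']:
                name_id_policy_format = OneLogin_Saml2_Constants.NAMEID_ENCRYPTED

            nameid_policy_str = """
    <samlp:NameIDPolicy
        Format=%s
        AllowCreate="true" />""" % quoteattr(name_id_policy_format)

        # RequestedAuthnContext: True -> PasswordProtectedTransport only,
        # a list -> one AuthnContextClassRef per entry, False -> omitted.
        requested_authn_context_str = ''
        requested_authn_context = security['requestedAuthnContext']
        if requested_authn_context is not False:
            authn_comparison = quoteattr(security.get('requestedAuthnContextComparison', 'exact'))

            if requested_authn_context is True:
                requested_authn_context_str = """    <samlp:RequestedAuthnContext Comparison=%s>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>""" % authn_comparison
            else:
                class_refs = ''.join(
                    '<saml:AuthnContextClassRef>%s</saml:AuthnContextClassRef>' % escape(authn_context)
                    for authn_context in requested_authn_context
                )
                requested_authn_context_str = '     <samlp:RequestedAuthnContext Comparison=%s>' % authn_comparison
                requested_authn_context_str += class_refs + '    </samlp:RequestedAuthnContext>'

        attr_consuming_service_str = ''
        if sp_data.get('attributeConsumingService'):
            attr_consuming_service_str = "\n    AttributeConsumingServiceIndex=\"1\""

        # The shared template (not visible here) handles quoting of the values
        # passed below, so they are given raw, as before.
        request = OneLogin_Saml2_Templates.AUTHN_REQUEST % \
            {
                'id': uid,
                'provider_name': provider_name_str,
                'force_authn_str': force_authn_str,
                'is_passive_str': is_passive_str,
                'issue_instant': issue_instant,
                'destination': destination,
                'assertion_url': sp_data['assertionConsumerService']['url'],
                'entity_id': sp_data['entityId'],
                'subject_str': subject_str,
                'nameid_policy_str': nameid_policy_str,
                'requested_authn_context_str': requested_authn_context_str,
                'attr_consuming_service_str': attr_consuming_service_str,
            }

        self.__authn_request = request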
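    def __init__(self, settings, force_authn=False, is_passive=False):
        """
        Constructs the AuthnRequest object.

        The request is built from ``settings`` only and is not signed here. Every
        value interpolated into the XML is quoted with quoteattr() (attributes) or
        escape()d (text), so a display name, entity ID or URL containing '"', '<'
        or '&' yields well-formed XML rather than a broken or injectable request.

        :param settings: Setting data
        :type settings: OneLogin_Saml2_Settings

        :param force_authn: Optional argument. When true the AuthNRequest will set the ForceAuthn='true'.
        :type force_authn: bool

        :param is_passive: Optional argument. When true the AuthNRequest will set the Ispassive='true'.
        :type is_passive: bool
        """
        # Function-scope import keeps this block self-contained.
        from xml.sax.saxutils import escape, quoteattr

        self._settings = settings

        sp_data = self._settings.get_sp_data()
        idp_data = self._settings.get_idp_data()
        security = self._settings.get_security_data()

        uid = OneLogin_Saml2_Utils.generate_unique_id()
        self._id = uid
        issue_instant = OneLogin_Saml2_Utils.parse_time_to_SAML(OneLogin_Saml2_Utils.now())

        destination = idp_data['singleSignOnService']['url']

        name_id_policy_format = sp_data['NameIDFormat']
        if security.get('wantNameIdEncrypted'):
            name_id_policy_format = OneLogin_Saml2_Constants.NAMEID_ENCRYPTED

        provider_name_str = ''
        organization_data = settings.get_organization()
        if isinstance(organization_data, dict) and organization_data:
            # dict.keys()[0] raises TypeError on Python 3; sorted() is portable
            # and makes the fallback language deterministic.
            if 'en-US' in organization_data:
                lang = 'en-US'
            else:
                lang = sorted(organization_data)[0]
            org_entry = organization_data[lang]
            if 'displayname' in org_entry and org_entry['displayname'] is not None:
                provider_name_str = 'ProviderName=%s' % quoteattr(org_entry['displayname'])

        force_authn_str = ''
        if force_authn is True:
            force_authn_str = 'ForceAuthn="true"'

        is_passive_str = ''
        if is_passive is True:
            is_passive_str = 'IsPassive="true"'

        # RequestedAuthnContext: True -> PasswordProtectedTransport only,
        # a list -> one AuthnContextClassRef per entry, False/absent -> omitted.
        requested_authn_context_str = ''
        requested_authn_context = security.get('requestedAuthnContext', False)
        if requested_authn_context is not False:
            authn_comparison = quoteattr(security.get('requestedAuthnContextComparison', 'exact'))

            if requested_authn_context is True:
                requested_authn_context_str = """    <samlp:RequestedAuthnContext Comparison=%s>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>""" % authn_comparison
            else:
                class_refs = ''.join(
                    '<saml:AuthnContextClassRef>%s</saml:AuthnContextClassRef>' % escape(authn_context)
                    for authn_context in requested_authn_context
                )
                requested_authn_context_str = '     <samlp:RequestedAuthnContext Comparison=%s>' % authn_comparison
                requested_authn_context_str += class_refs + '    </samlp:RequestedAuthnContext>'

        # Attribute slots carry no quotes of their own: quoteattr() supplies them.
        request = """<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID=%(id)s
    Version="2.0"
    %(provider_name)s
    %(force_authn_str)s
    %(is_passive_str)s
    IssueInstant=%(issue_instant)s
    Destination=%(destination)s
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL=%(assertion_url)s>
    <saml:Issuer>%(entity_id)s</saml:Issuer>
    <samlp:NameIDPolicy
        Format=%(name_id_policy)s
        AllowCreate="true" />
%(requested_authn_context_str)s
</samlp:AuthnRequest>""" % \
            {
                'id': quoteattr(uid),
                'provider_name': provider_name_str,
                'force_authn_str': force_authn_str,
                'is_passive_str': is_passive_str,
                'issue_instant': quoteattr(issue_instant),
                'destination': quoteattr(destination),
                'assertion_url': quoteattr(sp_data['assertionConsumerService']['url']),
                'entity_id': escape(sp_data['entityId']),
                'name_id_policy': quoteattr(name_id_policy_format),
                'requested_authn_context_str': requested_authn_context_str,
            }

        self._authn_request = request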
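    def __init__(self,
                 settings,
                 request=None,
                 name_id=None,
                 session_index=None,
                 nq=None,
                 name_id_format=None,
                 spnq=None):
        """
        Constructs the Logout Request object.

        Either builds a fresh LogoutRequest from the SP/IdP settings, or loads
        an existing one passed in ``request`` (base64, optionally raw-deflated).
        In both cases ``self.id`` ends up holding the request's ID attribute.

        :param settings: Setting data
        :type settings: OneLogin_Saml2_Settings

        :param request: Optional. A LogoutRequest to be loaded instead of building one.
        :type request: string

        :param name_id: The NameID that will be set in the LogoutRequest.
        :type name_id: string

        :param session_index: SessionIndex that identifies the session of the user.
        :type session_index: string

        :param nq: IDP Name Qualifier
        :type nq: string

        :param name_id_format: The NameID Format that will be set in the LogoutRequest.
        :type name_id_format: string

        :param spnq: SP Name Qualifier
        :type spnq: string
        """
        # stdlib; imported locally so the escaping fix is self-contained.
        from xml.sax.saxutils import escape

        self.__settings = settings
        self.__error = None
        self.id = None

        if request is None:
            sp_data = self.__settings.get_sp_data()
            idp_data = self.__settings.get_idp_data()
            security = self.__settings.get_security_data()

            uid = OneLogin_Saml2_Utils.generate_unique_id()
            self.id = uid

            issue_instant = OneLogin_Saml2_Utils.parse_time_to_SAML(
                OneLogin_Saml2_Utils.now())

            # When nameIdEncrypted is on, the IdP cert is handed to generate_name_id
            # (presumably to encrypt the NameID); a dedicated 'encryption' entry in
            # x509certMulti takes precedence over the single x509cert.
            cert = None
            if 'nameIdEncrypted' in security and security['nameIdEncrypted']:
                exists_multix509enc = 'x509certMulti' in idp_data and \
                    'encryption' in idp_data['x509certMulti'] and \
                    idp_data['x509certMulti']['encryption']
                if exists_multix509enc:
                    cert = idp_data['x509certMulti']['encryption'][0]
                else:
                    cert = idp_data['x509cert']

            # Without an explicit NameID, the SP identifies itself by its entityId
            # using the 'entity' NameID format.
            if name_id is not None:
                if not name_id_format and sp_data[
                        'NameIDFormat'] != OneLogin_Saml2_Constants.NAMEID_UNSPECIFIED:
                    name_id_format = sp_data['NameIDFormat']
            else:
                name_id = idp_data['entityId']
                name_id_format = OneLogin_Saml2_Constants.NAMEID_ENTITY

            # From saml-core-2.0-os 8.3.6, when the entity Format is used:
            # "The NameQualifier, SPNameQualifier, and SPProvidedID attributes
            # MUST be omitted.
            if name_id_format and name_id_format == OneLogin_Saml2_Constants.NAMEID_ENTITY:
                nq = None
                spnq = None

            # NameID Format UNSPECIFIED omitted
            if name_id_format and name_id_format == OneLogin_Saml2_Constants.NAMEID_UNSPECIFIED:
                name_id_format = None

            name_id_obj = OneLogin_Saml2_Utils.generate_name_id(
                name_id, spnq, name_id_format, cert, False, nq)

            # The SessionIndex is a value the SP received from the IdP and is now
            # echoing back; escape it so XML metacharacters in it cannot break out
            # of the element (the original interpolated it verbatim).
            if session_index:
                session_index_str = '<samlp:SessionIndex>%s</samlp:SessionIndex>' % escape('%s' % session_index)
            else:
                session_index_str = ''

            logout_request = """<samlp:LogoutRequest
        xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        ID="%(id)s"
        Version="2.0"
        IssueInstant="%(issue_instant)s"
        Destination="%(single_logout_url)s">
        <saml:Issuer>%(entity_id)s</saml:Issuer>
        %(name_id)s
        %(session_index)s
    </samlp:LogoutRequest>""" % \
                {
                    'id': uid,
                    'issue_instant': issue_instant,
                    'single_logout_url': self.__settings.get_idp_slo_url(),
                    'entity_id': sp_data['entityId'],
                    'name_id': name_id_obj,
                    'session_index': session_index_str,
                }
        else:
            # Invalid base64 raises from b64decode and is left to the caller.
            decoded = b64decode(request)
            # Try to inflate; wbits=-15 selects raw DEFLATE (no zlib header), which
            # is what the HTTP-Redirect binding uses. Anything that fails to inflate
            # is treated as an already-inflated document.
            # NOTE(review): the inflated size is unbounded here -- consider a cap
            # if this constructor is reachable with attacker-supplied input.
            try:
                inflated = decompress(decoded, -15)
                logout_request = inflated
            except Exception:
                logout_request = decoded
            self.id = self.get_id(logout_request)

        self.__logout_request = logout_request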
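    def __init__(self,
                 settings,
                 request=None,
                 name_id=None,
                 session_index=None):
        """
        Constructs the Logout Request object.

        Either builds a fresh LogoutRequest from the SP/IdP settings, or loads
        an existing one passed in ``request`` (base64, optionally raw-deflated).
        In both cases ``self.id`` ends up holding the request's ID attribute.

        :param settings: Setting data
        :type settings: OneLogin_Saml2_Settings

        :param request: Optional. A LogoutRequest to be loaded instead of building one.
        :type request: string

        :param name_id: The NameID that will be set in the LogoutRequest.
        :type name_id: string

        :param session_index: SessionIndex that identifies the session of the user.
        :type session_index: string
        """
        # stdlib; imported locally so the escaping fix is self-contained.
        from xml.sax.saxutils import escape

        self.__settings = settings
        self.__error = None
        self.id = None

        if request is None:
            sp_data = self.__settings.get_sp_data()
            idp_data = self.__settings.get_idp_data()
            security = self.__settings.get_security_data()

            uid = OneLogin_Saml2_Utils.generate_unique_id()
            self.id = uid

            issue_instant = OneLogin_Saml2_Utils.parse_time_to_SAML(
                OneLogin_Saml2_Utils.now())

            # When nameIdEncrypted is on, the IdP cert is handed to generate_name_id
            # (presumably to encrypt the NameID).
            cert = None
            if 'nameIdEncrypted' in security and security['nameIdEncrypted']:
                cert = idp_data['x509cert']

            # Without an explicit NameID, the SP identifies itself by the IdP
            # entityId in 'entity' format, qualified by its own entityId.
            if name_id is not None:
                nameIdFormat = sp_data['NameIDFormat']
                spNameQualifier = None
            else:
                name_id = idp_data['entityId']
                nameIdFormat = OneLogin_Saml2_Constants.NAMEID_ENTITY
                spNameQualifier = sp_data['entityId']

            name_id_obj = OneLogin_Saml2_Utils.generate_name_id(
                name_id, spNameQualifier, nameIdFormat, cert)

            # The SessionIndex is a value the SP received from the IdP and is now
            # echoing back; escape it so XML metacharacters in it cannot break out
            # of the element (the original interpolated it verbatim).
            if session_index:
                session_index_str = '<samlp:SessionIndex>%s</samlp:SessionIndex>' % escape('%s' % session_index)
            else:
                session_index_str = ''

            logout_request = """<samlp:LogoutRequest
        xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        ID="%(id)s"
        Version="2.0"
        IssueInstant="%(issue_instant)s"
        Destination="%(single_logout_url)s">
        <saml:Issuer>%(entity_id)s</saml:Issuer>
        %(name_id)s
        %(session_index)s
    </samlp:LogoutRequest>""" % \
                {
                    'id': uid,
                    'issue_instant': issue_instant,
                    'single_logout_url': idp_data['singleLogoutService']['url'],
                    'entity_id': sp_data['entityId'],
                    'name_id': name_id_obj,
                    'session_index': session_index_str,
                }
        else:
            # Invalid base64 raises from b64decode and is left to the caller.
            decoded = b64decode(request)
            # Try to inflate; wbits=-15 selects raw DEFLATE (no zlib header).
            # Anything that fails to inflate is treated as already inflated.
            # NOTE(review): the inflated size is unbounded here -- consider a cap
            # if this constructor is reachable with attacker-supplied input.
            try:
                inflated = decompress(decoded, -15)
                logout_request = inflated
            except Exception:
                logout_request = decoded
            self.id = self.get_id(logout_request)

        self.__logout_request = logout_request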
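    def __init__(self, settings):
        """
        Constructs the AuthnRequest object.

        Builds an unsigned AuthnRequest (HTTP-POST ProtocolBinding, a
        NameIDPolicy and an 'exact' PasswordProtectedTransport
        RequestedAuthnContext) from the SP/IdP settings and stores it in
        ``self.__authn_request``.

        :param settings: Setting data
        :type settings: OneLogin_Saml2_Settings
        """
        self.__settings = settings

        sp_data = self.__settings.get_sp_data()
        idp_data = self.__settings.get_idp_data()
        security = self.__settings.get_security_data()

        uid = OneLogin_Saml2_Utils.generate_unique_id()
        issue_instant = OneLogin_Saml2_Utils.parse_time_to_SAML(
            OneLogin_Saml2_Utils.now())

        destination = idp_data['singleSignOnService']['url']

        # Ask the IdP for an encrypted NameID when the SP wants one.
        name_id_policy_format = sp_data['NameIDFormat']
        if 'wantNameIdEncrypted' in security and security[
                'wantNameIdEncrypted']:
            name_id_policy_format = OneLogin_Saml2_Constants.NAMEID_ENCRYPTED

        provider_name_str = ''
        organization_data = settings.get_organization()
        if isinstance(organization_data, dict) and organization_data:
            # Prefer the en-US entry, else the first configured language.
            # next(iter(...)) works on both py2 key lists and py3 dict views;
            # the original indexed .keys()[0], which raises TypeError on Python 3.
            if 'en-US' in organization_data:
                lang = 'en-US'
            else:
                lang = next(iter(organization_data))
            # The display name comes from trusted settings and is inserted verbatim,
            # so it must already be a valid XML attribute value.
            if 'displayname' in organization_data[lang] and organization_data[
                    lang]['displayname'] is not None:
                provider_name_str = 'ProviderName="%s"' % organization_data[
                    lang]['displayname']

        request = """<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="%(id)s"
    Version="2.0"
    %(provider_name)s
    IssueInstant="%(issue_instant)s"
    Destination="%(destination)s"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="%(assertion_url)s">
    <saml:Issuer>%(entity_id)s</saml:Issuer>
    <samlp:NameIDPolicy
        Format="%(name_id_policy)s"
        AllowCreate="true" />
    <samlp:RequestedAuthnContext Comparison="exact">
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>""" % \
            {
                'id': uid,
                'provider_name': provider_name_str,
                'issue_instant': issue_instant,
                'destination': destination,
                'assertion_url': sp_data['assertionConsumerService']['url'],
                'entity_id': sp_data['entityId'],
                'name_id_policy': name_id_policy_format,
            }

        self.__authn_request = request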
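    def __init__(self, settings, request=None, name_id=None, session_index=None, nq=None):
        """
        Constructs the Logout Request object.

        Either builds a fresh LogoutRequest from the SP/IdP settings, or loads
        an existing one passed in ``request`` (base64, optionally raw-deflated).
        In both cases ``self.id`` ends up holding the request's ID attribute.

        :param settings: Setting data
        :type settings: OneLogin_Saml2_Settings

        :param request: Optional. A LogoutRequest to be loaded instead of building one.
        :type request: string

        :param name_id: The NameID that will be set in the LogoutRequest.
        :type name_id: string

        :param session_index: SessionIndex that identifies the session of the user.
        :type session_index: string

        :param nq: IDP Name Qualifier. NOTE(review): accepted for interface
            compatibility but not used by this implementation -- the NameID is
            generated without a NameQualifier.
        :type nq: string
        """
        # stdlib; imported locally so the escaping fix is self-contained.
        from xml.sax.saxutils import escape

        self.__settings = settings
        self.__error = None
        self.id = None

        if request is None:
            sp_data = self.__settings.get_sp_data()
            idp_data = self.__settings.get_idp_data()
            security = self.__settings.get_security_data()

            uid = OneLogin_Saml2_Utils.generate_unique_id()
            self.id = uid

            issue_instant = OneLogin_Saml2_Utils.parse_time_to_SAML(OneLogin_Saml2_Utils.now())

            # When nameIdEncrypted is on, the IdP cert is handed to generate_name_id
            # (presumably to encrypt the NameID).
            cert = None
            if 'nameIdEncrypted' in security and security['nameIdEncrypted']:
                cert = idp_data['x509cert']

            # Without an explicit NameID, the SP identifies itself by the IdP
            # entityId in 'entity' format, qualified by its own entityId.
            if name_id is not None:
                nameIdFormat = sp_data['NameIDFormat']
                spNameQualifier = None
            else:
                name_id = idp_data['entityId']
                nameIdFormat = OneLogin_Saml2_Constants.NAMEID_ENTITY
                spNameQualifier = sp_data['entityId']

            name_id_obj = OneLogin_Saml2_Utils.generate_name_id(
                name_id,
                spNameQualifier,
                nameIdFormat,
                cert
            )

            # The SessionIndex is a value the SP received from the IdP and is now
            # echoing back; escape it so XML metacharacters in it cannot break out
            # of the element (the original interpolated it verbatim).
            if session_index:
                session_index_str = '<samlp:SessionIndex>%s</samlp:SessionIndex>' % escape('%s' % session_index)
            else:
                session_index_str = ''

            logout_request = """<samlp:LogoutRequest
        xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        ID="%(id)s"
        Version="2.0"
        IssueInstant="%(issue_instant)s"
        Destination="%(single_logout_url)s">
        <saml:Issuer>%(entity_id)s</saml:Issuer>
        %(name_id)s
        %(session_index)s
    </samlp:LogoutRequest>""" % \
                {
                    'id': uid,
                    'issue_instant': issue_instant,
                    'single_logout_url': idp_data['singleLogoutService']['url'],
                    'entity_id': sp_data['entityId'],
                    'name_id': name_id_obj,
                    'session_index': session_index_str,
                }
        else:
            # Invalid base64 raises from b64decode and is left to the caller.
            decoded = b64decode(request)
            # Try to inflate; wbits=-15 selects raw DEFLATE (no zlib header).
            # Anything that fails to inflate is treated as already inflated.
            # NOTE(review): the inflated size is unbounded here -- consider a cap
            # if this constructor is reachable with attacker-supplied input.
            try:
                inflated = decompress(decoded, -15)
                logout_request = inflated
            except Exception:
                logout_request = decoded
            self.id = self.get_id(logout_request)

        self.__logout_request = logout_request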
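    def __init__(self, settings, force_authn=False, is_passive=False, set_nameid_policy=True):
        """
        Constructs the AuthnRequest object.

        Builds the AuthnRequest XML from the SP/IdP settings. When the IdP SSO
        binding is HTTP-POST and ``authnRequestsSigned`` is True (and a
        ``signatureAlgorithm`` is configured), an enveloped signature is added
        with the SP key and certificate.

        :param settings: Setting data
        :type settings: OneLogin_Saml2_Settings

        :param force_authn: Optional argument. When true the AuthnRequest will set ForceAuthn='true'.
        :type force_authn: bool

        :param is_passive: Optional argument. When true the AuthnRequest will set IsPassive='true'.
        :type is_passive: bool

        :param set_nameid_policy: Optional argument. When true the AuthnRequest will set a NameIDPolicy element.
        :type set_nameid_policy: bool

        :raises OneLogin_Saml2_Error: when signing is required but the SP private
            key or the SP certificate cannot be loaded.
        """
        self.__settings = settings

        sp_data = self.__settings.get_sp_data()
        idp_data = self.__settings.get_idp_data()
        security = self.__settings.get_security_data()

        uid = OneLogin_Saml2_Utils.generate_unique_id()
        self.__id = uid
        issue_instant = OneLogin_Saml2_Utils.parse_time_to_SAML(OneLogin_Saml2_Utils.now())

        destination = idp_data['singleSignOnService']['url']

        provider_name_str = ''
        organization_data = settings.get_organization()
        if isinstance(organization_data, dict) and organization_data:
            # Prefer the en-US entry, else the first configured language.
            # next(iter(...)) works on both py2 key lists and py3 dict views;
            # the original indexed .keys()[0], which raises TypeError on Python 3.
            if 'en-US' in organization_data:
                lang = 'en-US'
            else:
                lang = next(iter(organization_data))
            # The display name comes from trusted settings and is inserted verbatim,
            # so it must already be a valid XML attribute value.
            if 'displayname' in organization_data[lang] and organization_data[lang]['displayname'] is not None:
                provider_name_str = "\n" + '    ProviderName="%s"' % organization_data[lang]['displayname']

        # Optional attributes are emitted on their own line (leading "\n") so the
        # template's Version="2.0" line stays intact when they are absent.
        force_authn_str = ''
        if force_authn is True:
            force_authn_str = "\n" + '    ForceAuthn="true"'

        is_passive_str = ''
        if is_passive is True:
            is_passive_str = "\n" + '    IsPassive="true"'

        nameid_policy_str = ''
        if set_nameid_policy:
            # Ask the IdP for an encrypted NameID when the SP wants one.
            name_id_policy_format = sp_data['NameIDFormat']
            if 'wantNameIdEncrypted' in security and security['wantNameIdEncrypted']:
                name_id_policy_format = OneLogin_Saml2_Constants.NAMEID_ENCRYPTED

            nameid_policy_str = """
    <samlp:NameIDPolicy
        Format="%s"
        AllowCreate="true" />""" % name_id_policy_format

        # requestedAuthnContext: True -> PasswordProtectedTransport only;
        # a list -> one AuthnContextClassRef per entry; False/absent -> omitted.
        requested_authn_context_str = ''
        if 'requestedAuthnContext' in security.keys() and security['requestedAuthnContext'] is not False:
            authn_comparison = 'exact'
            if 'requestedAuthnContextComparison' in security.keys():
                authn_comparison = security['requestedAuthnContextComparison']

            if security['requestedAuthnContext'] is True:
                requested_authn_context_str = "\n" + """    <samlp:RequestedAuthnContext Comparison="%s">
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>""" % authn_comparison
            else:
                requested_authn_context_str = "\n" + '     <samlp:RequestedAuthnContext Comparison="%s">' % authn_comparison
                for authn_context in security['requestedAuthnContext']:
                    requested_authn_context_str += '<saml:AuthnContextClassRef>%s</saml:AuthnContextClassRef>' % authn_context
                requested_authn_context_str += '    </samlp:RequestedAuthnContext>'

        attr_consuming_service_str = ''
        if 'attributeConsumingService' in sp_data and sp_data['attributeConsumingService']:
            attr_consuming_service_str = 'AttributeConsumingServiceIndex="1"'

        request = """<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="%(id)s"
    Version="2.0"%(provider_name)s%(force_authn_str)s%(is_passive_str)s
    IssueInstant="%(issue_instant)s"
    Destination="%(destination)s"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="%(assertion_url)s"
    %(attr_consuming_service_str)s>
    <saml:Issuer>%(entity_id)s</saml:Issuer>%(nameid_policy_str)s%(requested_authn_context_str)s
</samlp:AuthnRequest>""" % \
                  {
                      'id': uid,
                      'provider_name': provider_name_str,
                      'force_authn_str': force_authn_str,
                      'is_passive_str': is_passive_str,
                      'issue_instant': issue_instant,
                      'destination': destination,
                      'assertion_url': sp_data['assertionConsumerService']['url'],
                      'entity_id': sp_data['entityId'],
                      'nameid_policy_str': nameid_policy_str,
                      'requested_authn_context_str': requested_authn_context_str,
                      'attr_consuming_service_str': attr_consuming_service_str
                  }

        # from https://github.com/onelogin/python-saml/pull/78. credit to @tachang
        # Only the urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST binding gets the enveloped signature
        sso_binding = idp_data['singleSignOnService'].get('binding', None)
        if sso_binding == 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST' and \
                security['authnRequestsSigned'] is True:

            log.debug("Generating AuthnRequest using urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST binding")

            if 'signatureAlgorithm' in security:
                key = settings.get_sp_key()
                if not key:
                    raise OneLogin_Saml2_Error("Attempt to sign the AuthnRequest but unable to load the SP private key")
                cert = settings.get_sp_cert()
                # The original re-tested `key` here, so a missing SP cert was
                # never detected before signing.
                if not cert:
                    raise OneLogin_Saml2_Error("Attempt to sign the AuthnRequest but unable to load the SP cert")
                doc = parseString(request)
                security_algo = security['signatureAlgorithm']
                # KeyError if digestMethodAlgorithm is not configured; no default is applied here.
                digest_method_algo = security['digestMethodAlgorithm']
                self.__authn_request = OneLogin_Saml2_Utils.add_sign_with_id(doc, uid, key, cert,
                                                                             sign_algorithm=security_algo,
                                                                             digest_algorithm=digest_method_algo,
                                                                             debug=False)
            else:
                # NOTE(review): authnRequestsSigned is True but no signatureAlgorithm
                # is configured, and the request is emitted UNSIGNED without any
                # warning -- confirm this silent fallback is intended.
                self.__authn_request = request

            log.debug("Generated AuthnRequest: {}".format(self.__authn_request))
        else:
            self.__authn_request = request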