Ejemplo n.º 1
 def _supported_authn_context_class(self, ac):
     """Tell whether one of the requested context classes is satisfied by ours.

     *ac* is a sequence of authentication context class references taken
     from the request.  This object supports exactly one context class,
     ``self.authn_context_class``.

     The request's ``Comparison`` attribute is deliberately ignored: every
     request is evaluated as if it said "minimum".
     NOTE(review): a requester that sends "exact", "maximum" or "better"
     (or omits the attribute, for which SAML core defaults to "exact")
     is therefore answered under "minimum" semantics; confirm that relying
     parties accept this.
     """
     supported = self.authn_context_class
     for requested in ac:
         outcome = compare_classes(requested, supported)
         # ``None`` is skipped explicitly; presumably it marks classes that
         # cannot be ordered against each other -- confirm in compare_classes.
         if outcome is None:
             continue
         # A non-positive result is treated as "our class satisfies the
         # requested one".
         if outcome <= 0:
             return True
     return False
 def _supported_authn_context_class(self, ac):
     """Return True when any class reference in *ac* is covered by our class.

     *ac* is a sequence of context class references.  Only a single
     context class (``self.authn_context_class``) is supported here.

     The ``Comparison`` attribute of the request is not consulted; the
     check always behaves as if "minimum" had been requested.
     NOTE(review): SAML core defaults an omitted ``Comparison`` to "exact",
     so this is more permissive than a strict reading of the request;
     verify that this is acceptable for the deployment.
     """
     own_class = self.authn_context_class
     # Lazy generator: compare_classes is still called one reference at a
     # time and evaluation stops at the first match.
     results = (compare_classes(candidate, own_class) for candidate in ac)
     # ``None`` results never count as a match; a result <= 0 does.
     return any(res is not None and res <= 0 for res in results)
Ejemplo n.º 3
 def authenticate(self, idp, ok, fail,
                  authn_context_class=None,
                  passive=False,
                  force=False,
                  acs_index=None,
                  REQUEST=None):
     """Authenticate via *idp*, reusing an adequate existing session.

     Unless *force* is set, an existing authentication session whose
     context class satisfies the requested one short-circuits the flow
     with a redirect to *ok*.  Otherwise an ``AuthnRequest`` is built and
     handed to ``self.deliver`` for the identity provider *idp*, using the
     HTTP-POST binding.

     *authn_context_class* falls back to
     ``self.default_authn_context_class``; *passive* and *force* map to
     ``IsPassive`` and ``ForceAuthn``; *acs_index*, when given, sets
     ``AttributeConsumingServiceIndex``.

     NOTE(review): *ok* is used verbatim as a redirect target and both
     *ok* and *fail* are stored with the request id.  Nothing in this
     method validates them -- callers passing request-supplied URLs should
     restrict them to trusted destinations.
     """
     request = REQUEST or self.REQUEST
     response = request.response
     wanted_class = authn_context_class
     if wanted_class is None:
         wanted_class = self.default_authn_context_class
     if wanted_class is not None:
         wanted_class = normalize_class(wanted_class)
     if not force:
         # An existing session may already satisfy the requirements.
         session = self.get_authentication_session(request)
         if session:
             if wanted_class is None:
                 # No class requested: any existing session is accepted.
                 comparison = -1
             else:
                 comparison = compare_classes(
                     wanted_class, session["authn_context_class"])
             # ``None`` (no usable comparison result) never counts as
             # satisfied; a result <= 0 does.
             if comparison is not None and comparison <= 0:
                 return response.redirect(ok)
     # No reusable session: a fresh authentication request is needed.
     from dm.saml2.pyxb.protocol import (
         AuthnRequest, RequestedAuthnContext, NameIDPolicy)
     from dm.saml2.pyxb.assertion import AuthnContextClassRef
     authn_request = AuthnRequest(ForceAuthn=force, IsPassive=passive)
     if wanted_class is not None:
         class_ref = AuthnContextClassRef(wanted_class)
         authn_request.RequestedAuthnContext = RequestedAuthnContext(class_ref)
     if acs_index is not None:
         authn_request.AttributeConsumingServiceIndex = acs_index
     self.customize_authn_request(authn_request)
     # The request id is stored together with the outcome URLs; presumably
     # the response handler uses it to match the reply to this request --
     # confirm in the consumer of the relay state.
     relay_state = self.store((authn_request.ID, ok, fail))
     policy = NameIDPolicy(AllowCreate=self.allow_create)
     formats = INameidFormatSupport(self).supported
     # A format is requested only when exactly one is supported.
     if len(formats) == 1:
         policy.Format = formats[0]
     authn_request.NameIDPolicy = policy
     return self.deliver(
         Target(
             eid=idp,
             role="idpsso",
             endpoint="SingleSignOnService",
             # presumably names the metadata flag that decides whether the
             # request gets signed -- verify in deliver/Target
             sign_msg_attr="WantAuthnRequestsSigned",
             binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
         ),
         None,
         authn_request,
         relay_state,
     )
 def authenticate(self,
                  idp,
                  ok,
                  fail,
                  authn_context_class=None,
                  passive=False,
                  force=False,
                  acs_index=None,
                  REQUEST=None):
     """Authenticate via *idp* unless a suitable session already exists.

     With *force* unset, an existing authentication session whose context
     class satisfies the requested one leads straight to a redirect to
     *ok*.  Otherwise an ``AuthnRequest`` is assembled and passed to
     ``self.deliver`` for the identity provider *idp*.  No binding is
     given to ``Target`` here, so whatever ``Target``/``deliver`` choose
     by default applies (not visible in this method).

     *authn_context_class* defaults to
     ``self.default_authn_context_class``; *passive* and *force* become
     ``IsPassive`` and ``ForceAuthn``; *acs_index*, when not ``None``,
     sets ``AttributeConsumingServiceIndex``.

     NOTE(review): *ok* is redirected to as given, and *ok*/*fail* are
     stored alongside the request id without any check in this method.
     If they can originate from request parameters, they should be
     limited to trusted destinations by the caller.
     """
     current_request = REQUEST or self.REQUEST
     http_response = current_request.response
     required = authn_context_class
     if required is None:
         required = self.default_authn_context_class
     if required is not None:
         required = normalize_class(required)
     if not force:
         # Look for a valid authentication that meets the requirements.
         session = self.get_authentication_session(current_request)
         if session:
             # Without a required class every session qualifies (-1);
             # otherwise the session's class is compared to the required one.
             comparison = (
                 -1 if required is None
                 else compare_classes(required, session["authn_context_class"])
             )
             if comparison is not None and comparison <= 0:
                 return http_response.redirect(ok)
     # Authentication at the identity provider is required.
     from dm.saml2.pyxb.protocol import (
         AuthnRequest, RequestedAuthnContext, NameIDPolicy)
     from dm.saml2.pyxb.assertion import AuthnContextClassRef
     saml_request = AuthnRequest(ForceAuthn=force, IsPassive=passive)
     if required is not None:
         saml_request.RequestedAuthnContext = RequestedAuthnContext(
             AuthnContextClassRef(required))
     if acs_index is not None:
         saml_request.AttributeConsumingServiceIndex = acs_index
     self.customize_authn_request(saml_request)
     # Request id and outcome URLs are stored together; presumably this
     # lets the response handler tie the reply to this request -- confirm.
     relay_state = self.store((saml_request.ID, ok, fail))
     name_id_policy = NameIDPolicy(AllowCreate=self.allow_create)
     supported_formats = INameidFormatSupport(self).supported
     # Only an unambiguous (single) supported format is requested.
     if len(supported_formats) == 1:
         name_id_policy.Format = supported_formats[0]
     saml_request.NameIDPolicy = name_id_policy
     return self.deliver(
         Target(
             eid=idp,
             role="idpsso",
             endpoint="SingleSignOnService",
             # presumably the metadata flag consulted to decide on signing
             # the request -- verify in deliver/Target
             sign_msg_attr="WantAuthnRequestsSigned",
         ),
         None,
         saml_request,
         relay_state,
     )