def get_request_args(self, get_state=stateID):
oauth_state = get_state(self.config["base_url"], rndstr().encode())
request_args = {
"redirect_uri": self.redirect_url,
"state": oauth_state,
}
return request_args
def get_request_args(self, get_state=stateID):
oauth_state = get_state(self.config["base_url"], rndstr().encode())
request_args = {
"client_id": self.config['client_config']['client_id'],
"redirect_uri": self.redirect_url,
"scope": ' '.join(self.config['scope']),
"state": oauth_state,
}
return request_args
def authn_request(self, context, entity_id):
"""
Do an authorization request on idp with given entity id.
This is the start of the authorization.
:type context: satosa.context.Context
:type entity_id: str
:rtype: satosa.response.Response
:param context: The current context
:param entity_id: Target IDP entity id
:return: response to the user agent
"""
# If IDP blacklisting is enabled and the selected IDP is blacklisted,
# stop here
if self.idp_blacklist_file:
with open(self.idp_blacklist_file) as blacklist_file:
blacklist_array = json.load(blacklist_file)['blacklist']
if entity_id in blacklist_array:
satosa_logging(logger, logging.DEBUG, "IdP with EntityID {} is blacklisted".format(entity_id), context.state, exc_info=False)
raise SATOSAAuthenticationError(context.state, "Selected IdP is blacklisted for this backend")
kwargs = {}
authn_context = self.construct_requested_authn_context(entity_id)
if authn_context:
kwargs['requested_authn_context'] = authn_context
try:
binding, destination = self.sp.pick_binding(
"single_sign_on_service", None, "idpsso", entity_id=entity_id)
satosa_logging(logger, logging.DEBUG, "binding: %s, destination: %s" % (binding, destination),
context.state)
acs_endp, response_binding = self.sp.config.getattr("endpoints", "sp")["assertion_consumer_service"][0]
req_id, req = self.sp.create_authn_request(
destination, binding=response_binding, **kwargs)
relay_state = util.rndstr()
ht_args = self.sp.apply_binding(binding, "%s" % req, destination, relay_state=relay_state)
satosa_logging(logger, logging.DEBUG, "ht_args: %s" % ht_args, context.state)
except Exception as exc:
satosa_logging(logger, logging.DEBUG, "Failed to construct the AuthnRequest for state", context.state,
exc_info=True)
raise SATOSAAuthenticationError(context.state, "Failed to construct the AuthnRequest") from exc
if self.sp.config.getattr('allow_unsolicited', 'sp') is False:
if req_id in self.outstanding_queries:
errmsg = "Request with duplicate id {}".format(req_id)
satosa_logging(logger, logging.DEBUG, errmsg, context.state)
raise SATOSAAuthenticationError(context.state, errmsg)
self.outstanding_queries[req_id] = req
context.state[self.name] = {"relay_state": relay_state}
return make_saml_response(binding, ht_args)
def start_auth(self, context, internal_request, get_state=stateID):
"""
See super class method satosa.backends.base#start_auth
:param get_state: Generates a state to be used in the authentication call.
:type get_state: Callable[[str, bytes], str]
:type context: satosa.context.Context
:type internal_request: satosa.internal.InternalData
:rtype satosa.response.Redirect
"""
oauth_state = get_state(self.config["base_url"], rndstr().encode())
state_data = dict(state=oauth_state)
context.state[self.name] = state_data
request_args = {
"redirect_uri": self.redirect_url,
"state": oauth_state
}
cis = self.consumer.construct_AuthorizationRequest(
request_args=request_args)
return Redirect(cis.request(self.consumer.authorization_endpoint))
def start_auth(self, context, internal_request, get_state=stateID):
"""
See super class method satosa.backends.base#start_auth
:param get_state: Generates a state to be used in the authentication call.
:type get_state: (str, bytes) -> str
:type context: satosa.context.Context
:type internal_request: satosa.internal_data.InternalRequest
:rtype satosa.response.Redirect
"""
consumer = self.get_consumer()
request_args = {"redirect_uri": self.redirect_url,
"state": get_state(self.config["base_url"], rndstr().encode())}
state_data = {
"state": request_args["state"]
}
state = context.state
state.add(self.config["state_id"], state_data)
cis = consumer.construct_AuthorizationRequest(request_args=request_args)
url, body, ht_args, cis = consumer.uri_and_body(AuthorizationRequest, cis,
method="GET",
request_args=request_args)
return Redirect(url)
def start_auth(self, context, internal_request, get_state=stateID):
"""
:param get_state: Generates a state to be used in authentication call
:type get_state: Callable[[str, bytes], str]
:type context: satosa.context.Context
:type internal_request: satosa.internal.InternalData
:rtype satosa.response.Redirect
"""
oauth_state = get_state(self.config["base_url"], rndstr().encode())
context.state[self.name] = dict(state=oauth_state)
request_args = dict(
response_type='code',
client_id=self.config['client_config']['client_id'],
redirect_uri=self.redirect_url,
state=oauth_state)
scope = ' '.join(self.config['scope'])
if scope:
request_args['scope'] = scope
cis = self.consumer.construct_AuthorizationRequest(
request_args=request_args)
return Redirect(cis.request(self.consumer.authorization_endpoint))
def start_auth(self, context, internal_request, get_state=stateID):
"""
:param get_state: Generates a state to be used in authentication call
:type get_state: Callable[[str, bytes], str]
:type context: satosa.context.Context
:type internal_request: satosa.internal.InternalData
:rtype satosa.response.Redirect
"""
oauth_state = get_state(self.config["base_url"], rndstr().encode())
context.state[self.name] = dict(state=oauth_state)
request_args = dict(
response_type='code',
client_id=self.config['client_config']['client_id'],
redirect_uri=self.redirect_url,
state=oauth_state)
scope = ' '.join(self.config['scope'])
if scope:
request_args['scope'] = scope
cis = self.consumer.construct_AuthorizationRequest(
request_args=request_args)
return Redirect(cis.request(self.consumer.authorization_endpoint))
def start_auth(self, context, internal_request, get_state=stateID):
"""
See super class method satosa.backends.base#start_auth
:param get_state: Generates a state to be used in the authentication call.
:type get_state: (str, bytes) -> str
:type context: satosa.context.Context
:type internal_request: satosa.internal_data.InternalRequest
:rtype satosa.response.Redirect
"""
consumer = self.get_consumer()
request_args = {
"redirect_uri": self.redirect_url,
"state": get_state(self.config["base_url"],
rndstr().encode())
}
state_data = {"state": request_args["state"]}
state = context.state
state.add(self.config["state_id"], state_data)
cis = consumer.construct_AuthorizationRequest(
request_args=request_args)
url, body, ht_args, cis = consumer.uri_and_body(
AuthorizationRequest, cis, method="GET", request_args=request_args)
return Redirect(url)
def authn_request(self, context, entity_id):
"""
Do an authorization request on idp with given entity id.
This is the start of the authorization.
:type context: satosa.context.Context
:type entity_id: str
:rtype: satosa.response.Response
:param context: The current context
:param entity_id: Target IDP entity id
:return: response to the user agent
"""
# If IDP blacklisting is enabled and the selected IDP is blacklisted,
# stop here
if self.idp_blacklist_file:
with open(self.idp_blacklist_file) as blacklist_file:
blacklist_array = json.load(blacklist_file)['blacklist']
if entity_id in blacklist_array:
msg = "IdP with EntityID {} is blacklisted".format(entity_id)
logline = lu.LOG_FMT.format(id=lu.get_session_id(context.state), message=msg)
logger.debug(logline, exc_info=False)
raise SATOSAAuthenticationError(context.state, "Selected IdP is blacklisted for this backend")
kwargs = {}
target_accr = context.state.get(Context.KEY_TARGET_AUTHN_CONTEXT_CLASS_REF)
authn_context = self.construct_requested_authn_context(entity_id, target_accr=target_accr)
if authn_context:
kwargs["requested_authn_context"] = authn_context
if self.config.get(SAMLBackend.KEY_MIRROR_FORCE_AUTHN):
kwargs["force_authn"] = get_force_authn(
context, self.config, self.sp.config
)
if self.config.get(SAMLBackend.KEY_SEND_REQUESTER_ID):
requester = context.state.state_dict[STATE_KEY_BASE]['requester']
kwargs["scoping"] = Scoping(requester_id=[RequesterID(text=requester)])
try:
acs_endp, response_binding = self.sp.config.getattr("endpoints", "sp")["assertion_consumer_service"][0]
relay_state = util.rndstr()
req_id, binding, http_info = self.sp.prepare_for_negotiated_authenticate(
entityid=entity_id,
response_binding=response_binding,
relay_state=relay_state,
**kwargs,
)
except Exception as e:
msg = "Failed to construct the AuthnRequest for state"
logline = lu.LOG_FMT.format(id=lu.get_session_id(context.state), message=msg)
logger.debug(logline, exc_info=True)
raise SATOSAAuthenticationError(context.state, "Failed to construct the AuthnRequest") from e
if self.sp.config.getattr('allow_unsolicited', 'sp') is False:
if req_id in self.outstanding_queries:
msg = "Request with duplicate id {}".format(req_id)
logline = lu.LOG_FMT.format(id=lu.get_session_id(context.state), message=msg)
logger.debug(logline)
raise SATOSAAuthenticationError(context.state, msg)
self.outstanding_queries[req_id] = req_id
context.state[self.name] = {"relay_state": relay_state}
return make_saml_response(binding, http_info)
def authn_request(self, context, entity_id):
"""
Do an authorization request on idp with given entity id.
This is the start of the authorization.
:type context: satosa.context.Context
:type entity_id: str
:rtype: satosa.response.Response
:param context: The current context
:param entity_id: Target IDP entity id
:return: response to the user agent
"""
self.check_blacklist(context, entity_id)
kwargs = {}
# fetch additional kwargs
kwargs.update(self.get_kwargs_sign_dig_algs())
authn_context = self.construct_requested_authn_context(entity_id)
req_authn_context = authn_context or requested_authn_context(
class_ref=self._authn_context)
req_authn_context.comparison = self.config.get("spid_acr_comparison",
"minimum")
# force_auth = true only if SpidL >= 2
if "SpidL1" in authn_context.authn_context_class_ref[0].text:
force_authn = "false"
else:
force_authn = "true"
try:
binding = saml2.BINDING_HTTP_POST
destination = context.internal_data.get("target_entity_id",
entity_id)
# SPID CUSTOMIZATION
# client = saml2.client.Saml2Client(conf)
client = self.sp
logger.debug(f"binding: {binding}, destination: {destination}")
# acs_endp, response_binding = self.sp.config.getattr("endpoints", "sp")["assertion_consumer_service"][0]
# req_id, req = self.sp.create_authn_request(
# destination, binding=response_binding, **kwargs)
logger.debug(f"Redirecting user to the IdP via {binding} binding.")
# use the html provided by pysaml2 if no template was specified or it didn't exist
# SPID want the fqdn of the IDP as entityID, not the SSO endpoint
# 'http://idpspid.testunical.it:8088'
# dovrebbe essere destination ma nel caso di spid-testenv2 è entityid...
# binding, destination = self.sp.pick_binding("single_sign_on_service", None, "idpsso", entity_id=entity_id)
location = client.sso_location(destination, binding)
# location = client.sso_location(entity_id, binding)
# not used anymore thanks to avviso 11
# location_fixed = destination # entity_id
# ...hope to see the SSO endpoint soon in spid-testenv2
# returns 'http://idpspid.testunical.it:8088/sso'
# fixed: https://github.com/italia/spid-testenv2/commit/6041b986ec87ab8515dd0d43fed3619ab4eebbe9
# verificare qui
# acs_endp, response_binding = self.sp.config.getattr("endpoints", "sp")["assertion_consumer_service"][0]
authn_req = saml2.samlp.AuthnRequest()
authn_req.force_authn = force_authn
authn_req.destination = location
# spid-testenv2 preleva l'attribute consumer service dalla authnRequest
# (anche se questo sta già nei metadati...)
authn_req.attribute_consuming_service_index = "0"
issuer = saml2.saml.Issuer()
issuer.name_qualifier = client.config.entityid
issuer.text = client.config.entityid
issuer.format = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
authn_req.issuer = issuer
# message id
authn_req.id = saml2.s_utils.sid()
authn_req.version = saml2.VERSION # "2.0"
authn_req.issue_instant = saml2.time_util.instant()
name_id_policy = saml2.samlp.NameIDPolicy()
# del(name_id_policy.allow_create)
name_id_policy.format = NAMEID_FORMAT_TRANSIENT
authn_req.name_id_policy = name_id_policy
# TODO: use a parameter instead
authn_req.requested_authn_context = req_authn_context
authn_req.protocol_binding = binding
assertion_consumer_service_url = client.config._sp_endpoints[
"assertion_consumer_service"][0][0]
authn_req.assertion_consumer_service_url = (
assertion_consumer_service_url # 'http://sp-fqdn/saml2/acs/'
)
authn_req_signed = client.sign(
authn_req,
sign_prepare=False,
sign_alg=kwargs["sign_alg"],
digest_alg=kwargs["digest_alg"],
)
authn_req.id
_req_str = authn_req_signed
logger.debug(f"AuthRequest to {destination}: {_req_str}")
relay_state = util.rndstr()
ht_args = client.apply_binding(
binding,
_req_str,
location,
sign=True,
sigalg=kwargs["sign_alg"],
relay_state=relay_state,
)
if self.sp.config.getattr("allow_unsolicited", "sp") is False:
if authn_req.id in self.outstanding_queries:
errmsg = "Request with duplicate id {}".format(
authn_req.id)
logger.debug(errmsg)
raise SATOSAAuthenticationError(context.state, errmsg)
self.outstanding_queries[authn_req.id] = authn_req_signed
context.state[self.name] = {"relay_state": relay_state}
# these will give the way to check compliances between the req and resp
context.state["req_args"] = {"id": authn_req.id}
logger.info(f"SAMLRequest: {ht_args}")
return make_saml_response(binding, ht_args)
except Exception as exc:
logger.debug("Failed to construct the AuthnRequest for state")
raise SATOSAAuthenticationError(
context.state, "Failed to construct the AuthnRequest") from exc
def authn_request(self, context, entity_id):
"""
Do an authorization request on idp with given entity id.
This is the start of the authorization.
:type context: satosa.context.Context
:type entity_id: str
:rtype: satosa.response.Response
:param context: The current context
:param entity_id: Target IDP entity id
:return: response to the user agent
"""
self.check_blacklist()
kwargs = {}
# fetch additional kwargs
kwargs.update(self.get_kwargs_sign_dig_algs())
authn_context = self.construct_requested_authn_context(entity_id)
requested_authn_context = authn_context or requested_authn_context(
class_ref=self._authn_context)
# force_auth = true only if SpidL >= 2
if 'SpidL1' in authn_context.authn_context_class_ref[0].text:
force_authn = 'false'
else:
force_authn = 'true'
try:
binding = saml2.BINDING_HTTP_POST
destination = context.request['entityID']
# SPID CUSTOMIZATION
#client = saml2.client.Saml2Client(conf)
client = self.sp
satosa_logging(
logger, logging.DEBUG,
"binding: %s, destination: %s" % (binding, destination),
context.state)
# acs_endp, response_binding = self.sp.config.getattr("endpoints", "sp")["assertion_consumer_service"][0]
# req_id, req = self.sp.create_authn_request(
# destination, binding=response_binding, **kwargs)
logger.debug('Redirecting user to the IdP via %s binding.',
binding)
# use the html provided by pysaml2 if no template was specified or it didn't exist
# SPID want the fqdn of the IDP as entityID, not the SSO endpoint
# 'http://idpspid.testunical.it:8088'
# dovrebbe essere destination ma nel caso di spid-testenv2 è entityid...
# binding, destination = self.sp.pick_binding("single_sign_on_service", None, "idpsso", entity_id=entity_id)
# location = client.sso_location(destination, binding)
location = client.sso_location(entity_id, binding)
location_fixed = entity_id
# ...hope to see the SSO endpoint soon in spid-testenv2
# returns 'http://idpspid.testunical.it:8088/sso'
# fixed: https://github.com/italia/spid-testenv2/commit/6041b986ec87ab8515dd0d43fed3619ab4eebbe9
# verificare qui
# acs_endp, response_binding = self.sp.config.getattr("endpoints", "sp")["assertion_consumer_service"][0]
authn_req = saml2.samlp.AuthnRequest()
authn_req.force_authn = force_authn
authn_req.destination = location
# spid-testenv2 preleva l'attribute consumer service dalla authnRequest (anche se questo sta già nei metadati...)
authn_req.attribute_consuming_service_index = "0"
# import pdb; pdb.set_trace()
issuer = saml2.saml.Issuer()
issuer.name_qualifier = client.config.entityid
issuer.text = client.config.entityid
issuer.format = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
authn_req.issuer = issuer
# message id
authn_req.id = saml2.s_utils.sid()
authn_req.version = saml2.VERSION # "2.0"
authn_req.issue_instant = saml2.time_util.instant()
name_id_policy = saml2.samlp.NameIDPolicy()
# del(name_id_policy.allow_create)
name_id_policy.format = NAMEID_FORMAT_TRANSIENT
authn_req.name_id_policy = name_id_policy
# TODO: use a parameter instead
authn_req.requested_authn_context = requested_authn_context
authn_req.protocol_binding = binding
assertion_consumer_service_url = client.config._sp_endpoints[
'assertion_consumer_service'][0][0]
authn_req.assertion_consumer_service_url = assertion_consumer_service_url #'http://sp-fqdn/saml2/acs/'
authn_req_signed = client.sign(authn_req,
sign_prepare=False,
sign_alg=kwargs['sign_alg'],
digest_alg=kwargs['digest_alg'])
session_id = authn_req.id
_req_str = authn_req_signed
logger.debug('AuthRequest to {}: {}'.format(
destination, (_req_str)))
relay_state = util.rndstr()
ht_args = client.apply_binding(binding,
_req_str,
location,
sign=True,
sigalg=kwargs['sign_alg'],
relay_state=relay_state)
if self.sp.config.getattr('allow_unsolicited', 'sp') is False:
if authn_req.id in self.outstanding_queries:
errmsg = "Request with duplicate id {}".format(req_id)
satosa_logging(logger, logging.DEBUG, errmsg,
context.state)
raise SATOSAAuthenticationError(context.state, errmsg)
self.outstanding_queries[authn_req.id] = authn_req_signed
context.state[self.name] = {"relay_state": relay_state}
satosa_logging(logger, logging.DEBUG, "ht_args: %s" % ht_args,
context.state)
return make_saml_response(binding, ht_args)
except Exception as exc:
satosa_logging(logger,
logging.DEBUG,
"Failed to construct the AuthnRequest for state",
context.state,
exc_info=True)
raise SATOSAAuthenticationError(
context.state, "Failed to construct the AuthnRequest") from exc
def authn_request(self, context, entity_id, internal_req):
"""
Do an authorization request on idp with given entity id.
This is the start of the authorization.
:type context: satosa.context.Context
:type entity_id: str
:type internal_req: satosa.internal_data.InternalRequest
:rtype: satosa.response.Response
:param context: The curretn context
:param entity_id: Target IDP entity id
:param internal_req: The request
:return: Response
"""
_cli = self.sp
hash_type = UserIdHashType.persistent.name
if "hash_type" in self.config:
hash_type = self.config["hash_type"]
req_args = {"name_id_policy": self.create_name_id_policy(hash_type)}
state = context.state
try:
# Picks a binding to use for sending the Request to the IDP
_binding, destination = _cli.pick_binding(
"single_sign_on_service", self.bindings, "idpsso",
entity_id=entity_id)
satosa_logging(LOGGER, logging.DEBUG,
"binding: %s, destination: %s" % (_binding, destination), state)
# Binding here is the response binding that is which binding the
# IDP should use to return the response.
acs = _cli.config.getattr("endpoints", "sp")[
"assertion_consumer_service"]
# just pick one
endp, return_binding = acs[0]
req_id, req = _cli.create_authn_request(destination,
binding=return_binding,
**req_args)
relay_state = rndstr()
ht_args = _cli.apply_binding(_binding, "%s" % req, destination, relay_state=relay_state)
satosa_logging(LOGGER, logging.DEBUG, "ht_args: %s" % ht_args, state)
except Exception as exc:
satosa_logging(LOGGER, logging.DEBUG,
"Failed to construct the AuthnRequest for state", state, exc_info=True)
raise SATOSAAuthenticationError(state, "Failed to construct the AuthnRequest") from exc
state.add(self.state_id, relay_state)
if _binding == BINDING_HTTP_REDIRECT:
for param, value in ht_args["headers"]:
if param == "Location":
resp = SeeOther(str(value))
break
else:
satosa_logging(LOGGER, logging.DEBUG, "Parameter error for state", state)
raise SATOSAAuthenticationError(state, "Parameter error")
else:
resp = Response(ht_args["data"], headers=ht_args["headers"])
return resp
def authn_request(self, context, entity_id, requested_attributes=None):
"""
Do an authorization request on idp with given entity id.
This is the start of the authorization.
:type context: satosa.context.Context
:type entity_id: str
:type requested_attributes: list
:rtype: satosa.response.Response
:param context: The current context
:param entity_id: Target IDP entity id
:return: response to the user agent
"""
# If IDP blacklisting is enabled and the selected IDP is blacklisted,
# stop here
if self.idp_blacklist_file:
with open(self.idp_blacklist_file) as blacklist_file:
blacklist_array = json.load(blacklist_file)['blacklist']
if entity_id in blacklist_array:
msg = "IdP with EntityID {} is blacklisted".format(
entity_id)
logline = lu.LOG_FMT.format(id=lu.get_session_id(
context.state),
message=msg)
logger.debug(logline, exc_info=False)
raise SATOSAAuthenticationError(
context.state,
"Selected IdP is blacklisted for this backend")
try:
binding, destination = self.sp.pick_binding(
"single_sign_on_service", None, "idpsso", entity_id=entity_id)
msg = "binding: {}, destination: {}".format(binding, destination)
logline = lu.LOG_FMT.format(id=lu.get_session_id(context.state),
message=msg)
logger.debug(logline)
kwargs = self._get_authn_request_args(
context, entity_id, requested_attributes=requested_attributes)
req_id, req = self.sp.create_authn_request(destination, **kwargs)
relay_state = util.rndstr()
ht_args = self.sp.apply_binding(binding,
"%s" % req,
destination,
relay_state=relay_state)
msg = "ht_args: {}".format(ht_args)
logline = lu.LOG_FMT.format(id=lu.get_session_id(context.state),
message=msg)
logger.debug(logline)
except Exception as exc:
msg = "Failed to construct the AuthnRequest for state"
logline = lu.LOG_FMT.format(id=lu.get_session_id(context.state),
message=msg)
logger.debug(logline, exc_info=True)
raise SATOSAAuthenticationError(
context.state, "Failed to construct the AuthnRequest") from exc
if self.sp.config.getattr('allow_unsolicited', 'sp') is False:
if req_id in self.outstanding_queries:
msg = "Request with duplicate id {}".format(req_id)
logline = lu.LOG_FMT.format(id=lu.get_session_id(
context.state),
message=msg)
logger.debug(logline)
raise SATOSAAuthenticationError(context.state, msg)
self.outstanding_queries[req_id] = req
context.state[self.name] = {"relay_state": relay_state}
return make_saml_response(binding, ht_args)
def authn_request(self, context, entity_id):
"""
Do an authorization request on idp with given entity id.
This is the start of the authorization.
:type context: satosa.context.Context
:type entity_id: str
:rtype: satosa.response.Response
:param context: The current context
:param entity_id: Target IDP entity id
:return: response to the user agent
"""
# If IDP blacklisting is enabled and the selected IDP is blacklisted,
# stop here
if self.idp_blacklist_file:
with open(self.idp_blacklist_file) as blacklist_file:
blacklist_array = json.load(blacklist_file)['blacklist']
if entity_id in blacklist_array:
satosa_logging(
logger,
logging.DEBUG,
"IdP with EntityID {} is blacklisted".format(
entity_id),
context.state,
exc_info=False)
raise SATOSAAuthenticationError(
context.state,
"Selected IdP is blacklisted for this backend")
kwargs = {}
authn_context = self.construct_requested_authn_context(entity_id)
if authn_context:
kwargs['requested_authn_context'] = authn_context
try:
binding, destination = self.sp.pick_binding(
"single_sign_on_service", None, "idpsso", entity_id=entity_id)
satosa_logging(
logger, logging.DEBUG,
"binding: %s, destination: %s" % (binding, destination),
context.state)
acs_endp, response_binding = self.sp.config.getattr(
"endpoints", "sp")["assertion_consumer_service"][0]
req_id, req = self.sp.create_authn_request(
destination, binding=response_binding, **kwargs)
relay_state = util.rndstr()
ht_args = self.sp.apply_binding(binding,
"%s" % req,
destination,
relay_state=relay_state)
satosa_logging(logger, logging.DEBUG, "ht_args: %s" % ht_args,
context.state)
except Exception as exc:
satosa_logging(logger,
logging.DEBUG,
"Failed to construct the AuthnRequest for state",
context.state,
exc_info=True)
raise SATOSAAuthenticationError(
context.state, "Failed to construct the AuthnRequest") from exc
if self.sp.config.getattr('allow_unsolicited', 'sp') is False:
if req_id in self.outstanding_queries:
errmsg = "Request with duplicate id {}".format(req_id)
satosa_logging(logger, logging.DEBUG, errmsg, context.state)
raise SATOSAAuthenticationError(context.state, errmsg)
self.outstanding_queries[req_id] = req
context.state[self.name] = {"relay_state": relay_state}
### rZone Code Start ###
requested_attributes = []
for claim_name in self.requested_claims:
if claim_name in self.internal_attributes['attributes']:
if 'saml' in self.internal_attributes['attributes'][
claim_name]:
for saml_attr in self.internal_attributes['attributes'][
claim_name]['saml']:
requested_attributes.append(saml_attr)
db_uri = self.config.get("db_uri")
if db_uri:
consent_db = MongoWrapper(db_uri, "satosa", "consents")
consent_info = {}
consent_info['relay_state'] = relay_state
consent_info['requester'] = self.internal_req.requester
consent_info['requested_attributes'] = requested_attributes
consent_db[relay_state] = consent_info
'''
logger.info('======= proin:satosa:samlbackend =========')
logger.info('proin:satosa:samlbackend:attribute ' + str(requested_attributes))
logger.info('proin:satosa:samlbackend:requester ' + self.internal_req.requester)
logger.info('proin:satosa:samlbackend:requester_name ' + self.internal_req.requester_name[0]['text'])
logger.info('proin:satosa:samlbackend:relay ' + relay_state)
'''
### rZone Code End ###
return make_saml_response(binding, ht_args)
def authn_request(self, context, entity_id, internal_req):
"""
Do an authorization request on idp with given entity id.
This is the start of the authorization.
:type context: satosa.context.Context
:type entity_id: str
:type internal_req: satosa.internal_data.InternalRequest
:rtype: satosa.response.Response
:param context: The curretn context
:param entity_id: Target IDP entity id
:param internal_req: The request
:return: Response
"""
_cli = self.sp
hash_type = UserIdHashType.persistent.name
if "hash_type" in self.config:
hash_type = self.config["hash_type"]
req_args = {"name_id_policy": self.create_name_id_policy(hash_type)}
state = context.state
try:
# Picks a binding to use for sending the Request to the IDP
_binding, destination = _cli.pick_binding("single_sign_on_service",
self.bindings,
"idpsso",
entity_id=entity_id)
satosa_logging(
LOGGER, logging.DEBUG,
"binding: %s, destination: %s" % (_binding, destination),
state)
# Binding here is the response binding that is which binding the
# IDP should use to return the response.
acs = _cli.config.getattr("endpoints",
"sp")["assertion_consumer_service"]
# just pick one
endp, return_binding = acs[0]
req_id, req = _cli.create_authn_request(destination,
binding=return_binding,
**req_args)
relay_state = rndstr()
ht_args = _cli.apply_binding(_binding,
"%s" % req,
destination,
relay_state=relay_state)
satosa_logging(LOGGER, logging.DEBUG, "ht_args: %s" % ht_args,
state)
except Exception as exc:
satosa_logging(LOGGER,
logging.DEBUG,
"Failed to construct the AuthnRequest for state",
state,
exc_info=True)
raise SATOSAAuthenticationError(
state, "Failed to construct the AuthnRequest") from exc
state.add(self.state_id, relay_state)
if _binding == BINDING_HTTP_REDIRECT:
for param, value in ht_args["headers"]:
if param == "Location":
resp = SeeOther(str(value))
break
else:
satosa_logging(LOGGER, logging.DEBUG,
"Parameter error for state", state)
raise SATOSAAuthenticationError(state, "Parameter error")
else:
resp = Response(ht_args["data"], headers=ht_args["headers"])
return resp
