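def artifact_resolve(request, soap_message):
    '''Resolve a SAMLv1.1 ArtifactResolve request

    Parses the SOAP message, looks up the artifact it carries, consumes the
    artifact row (it is deleted before anything else happens so it can be
    redeemed only once), restores the provider and the Django session the
    artifact was issued for, and delegates the answer to
    finish_artifact_resolve.

    :param request: the Django request that carried the SOAP message
    :param soap_message: the raw ArtifactResolve SOAP message
    :return: the response built by finish_artifact_resolve; for an unknown
        artifact provider_id and session_key are None
    :raises: whatever login.processRequestMsg raises on a message it cannot
        parse -- such errors are deliberately not caught here
    '''
    server = create_idff12_server(request, reverse(metadata))
    login = lasso.Login(server)
    # The original wrapped this in ``try: ... except: raise`` which is a
    # no-op; parse errors propagate to the caller unchanged.
    login.processRequestMsg(soap_message)
    # NOTE(review): the whole SOAP message, artifact included, ends up in
    # the debug log; keep that level disabled in production.
    logging.debug('ID-FFv1.2 artifact resolve %r' % soap_message)
    artifact = login.assertionArtifact
    try:
        liberty_artifact = LibertyArtifact.objects.get(artifact=artifact)
    except LibertyArtifact.DoesNotExist:
        # Unknown, purged or already-redeemed artifact.  ``objects.get``
        # raises here rather than returning None, so the original
        # ``else`` branch was unreachable and the request ended in a
        # server error; answer with an empty resolution instead.
        logging.warning('ID-FFv1.2 no artifact found for %r' % artifact)
        provider_id = None
        session_key = None
    else:
        # Consume the artifact first so a replayed ArtifactResolve for the
        # same value cannot succeed.
        liberty_artifact.delete()
        provider_id = liberty_artifact.provider_id
        session_key = liberty_artifact.django_session_key
        load_provider(request, provider_id, server=login.server)
        load_session(request, login, session_key=session_key)
        logging.info('ID-FFv1.2 artifact resolve from %r for artifact %r' % (
            provider_id, artifact))
    # NOTE(review): finish_artifact_resolve is assumed to accept
    # session_key=None for the not-found case -- confirm against its body.
    return finish_artifact_resolve(request, login, provider_id,
                                   session_key=session_key)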
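def artifact_resolve(request, soap_message):
    '''Resolve a SAMLv1.1 ArtifactResolve request

    Parses the SOAP message, looks up the artifact it carries, consumes the
    artifact row (it is deleted before anything else happens so it can be
    redeemed only once), restores the provider and the Django session the
    artifact was issued for, and delegates the answer to
    finish_artifact_resolve.

    :param request: the Django request that carried the SOAP message
    :param soap_message: the raw ArtifactResolve SOAP message
    :return: the response built by finish_artifact_resolve; for an unknown
        artifact provider_id and session_key are None
    :raises: whatever login.processRequestMsg raises on a message it cannot
        parse -- such errors are deliberately not caught here
    '''
    server = create_idff12_server(request, reverse(metadata))
    login = lasso.Login(server)
    # The original wrapped this in ``try: ... except: raise`` which is a
    # no-op; parse errors propagate to the caller unchanged.
    login.processRequestMsg(soap_message)
    # NOTE(review): the whole SOAP message, artifact included, ends up in
    # the debug log; keep that level disabled in production.
    logging.debug('ID-FFv1.2 artifact resolve %r' % soap_message)
    artifact = login.assertionArtifact
    try:
        liberty_artifact = LibertyArtifact.objects.get(artifact=artifact)
    except LibertyArtifact.DoesNotExist:
        # Unknown, purged or already-redeemed artifact.  ``objects.get``
        # raises here rather than returning None, so the original
        # ``else`` branch was unreachable and the request ended in a
        # server error; answer with an empty resolution instead.
        logging.warning('ID-FFv1.2 no artifact found for %r' % artifact)
        provider_id = None
        session_key = None
    else:
        # Consume the artifact first so a replayed ArtifactResolve for the
        # same value cannot succeed.
        liberty_artifact.delete()
        provider_id = liberty_artifact.provider_id
        session_key = liberty_artifact.django_session_key
        load_provider(request, provider_id, server=login.server)
        load_session(request, login, session_key=session_key)
        logging.info('ID-FFv1.2 artifact resolve from %r for artifact %r' % (
            provider_id, artifact))
    # NOTE(review): finish_artifact_resolve is assumed to accept
    # session_key=None for the not-found case -- confirm against its body.
    return finish_artifact_resolve(
        request, login, provider_id, session_key=session_key)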
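def idp_sso(request, provider_id, user_id=None):
    '''Initiate an SSO toward provider_id without a prior AuthnRequest

    Builds an IdP-initiated AuthnRequest for ``provider_id`` using the
    assertion-consumer binding and default NameID format configured on that
    provider, then continues with the usual post-AuthnRequest processing.

    :param request: the Django request of the user starting the SSO
    :param provider_id: ProviderID of the service provider to log into
    :param user_id: optional id of another user to log in as; honoured
        only when check_delegated_authentication_permission grants it
    :return: the response of sso_after_process_request, or an
        HttpResponseForbidden when the provider is unknown or delegated
        login is refused
    :raises ValueError: if provider_id is empty (the original used
        ``assert``, which is stripped under ``-O``)
    :raises Exception: on an unsupported binding or NameID policy
    '''
    if not provider_id:
        raise ValueError(
            'You must call idp_initiated_sso with a provider_id parameter')
    server = create_idff12_server(request, reverse(metadata))
    login = lasso.Login(server)
    liberty_provider = load_provider(request, provider_id, server=login.server)
    # Reject an unknown provider before touching its attributes: the
    # original read liberty_provider.service_provider first, so a bad
    # provider_id produced an AttributeError instead of this 403.
    if not liberty_provider:
        message = _('ID-FFv1.2: provider %r unknown') % provider_id
        logging.warning('ID-FFv1.2: provider %r unknown' % provider_id)
        return HttpResponseForbidden(message)
    service_provider = liberty_provider.service_provider
    binding = service_provider.prefered_assertion_consumer_binding
    nid_policy = service_provider.default_name_id_format
    if user_id:
        # NOTE(review): ``User.get`` is not the Django ORM accessor
        # (``User.objects.get``); confirm User is a wrapper providing it.
        user = User.get(id=user_id)
        # Logging in as somebody else is privileged: refuse unless the
        # caller holds the delegated-authentication permission.
        if not check_delegated_authentication_permission(request):
            logging.warning(
                'ID-FFv1.2: %r tried to log as %r on %r but was forbidden' % (
                    request.user, user, provider_id))
            return HttpResponseForbidden(
                'You must be superuser to log as another user')
    else:
        user = request.user
    load_federation(request, login, user)
    login.initIdpInitiatedAuthnRequest(provider_id)
    if binding == 'art':
        login.request.protocolProfile = lasso.LIB_PROTOCOL_PROFILE_BRWS_ART
    elif binding == 'post':
        login.request.protocolProfile = lasso.LIB_PROTOCOL_PROFILE_BRWS_POST
    else:
        raise Exception('Unsupported binding %r' % binding)
    if nid_policy == 'persistent':
        login.request.nameIdPolicy = lasso.LIB_NAMEID_POLICY_TYPE_FEDERATED
    elif nid_policy == 'transient':
        login.request.nameIdPolicy = lasso.LIB_NAMEID_POLICY_TYPE_ONE_TIME
    else:
        message = _(
            'ID-FFv1.2: default nameIdPolicy unsupported %r') % nid_policy
        logging.error(message)
        raise Exception(message)
    # No wire message to parse for an IdP-initiated request.
    login.processAuthnRequestMsg(None)
    return sso_after_process_request(request, login, consent_obtained=True,
                                     user=user, save=False)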
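def sso(request):
    """Endpoint for AuthnRequests asynchronously sent, i.e. POST or Redirect

    Parses the AuthnRequest, loads the issuing provider into the lasso
    Server on demand (the Server starts empty, so the first parse is
    expected to fail with ServerProviderNotFoundError) and then delegates
    to sso_after_process_request.

    :param request: the Django request carrying the AuthnRequest
    :return: an HttpResponseForbidden for an empty or unparsable request or
        an unknown provider, finish_sso's response for a bad signature,
        otherwise the response of sso_after_process_request
    """
    # 1. Process the request, separate POST and GET treatment
    message = get_idff12_request_message(request)
    if not message:
        return HttpResponseForbidden('Invalid SAML 1.1 AuthnRequest: "%s"' % message)
    server = create_idff12_server(request, reverse(metadata))
    login = lasso.Login(server)
    # Consent is only implied once a known provider has been loaded; the
    # original left this name unbound if the first parse succeeded.
    consent_obtained = False
    provider_id = None
    provider_loaded = False
    while True:
        try:
            logging.debug('ID-FFv1.2: processing sso request %r' % message)
            login.processAuthnRequestMsg(message)
            break
        except lasso.ProfileInvalidMsgError:
            # Keep the raw request in the log only: echoing it into the
            # error page would reflect attacker-controlled input into an
            # HTML response.
            logging.error(_('Invalid SAML 1.1 AuthnRequest: %r') % message)
            return HttpResponseForbidden(_('Invalid SAML 1.1 AuthnRequest'))
        except lasso.DsInvalidSignatureError:
            logging.error(
                _('Invalid signature on SAML 1.1 AuthnRequest: %r') % message)
            # This error is handled through SAML status codes, so return a
            # response
            return finish_sso(request, login)
        except lasso.ServerProviderNotFoundError:
            # This path is not exceptional, it is the normal first pass: no
            # provider was loaded in the Server object yet.
            if provider_loaded:
                # The provider was loaded and lasso still cannot find it;
                # the original retried forever on the same message.
                logging.error('ID-FFv1.2: provider %r still unknown after '
                              'loading, giving up' % provider_id)
                return HttpResponseForbidden(_('ID-FFv1.2: provider unknown'))
            provider_id = login.remoteProviderId
            # 2. Lookup the ProviderID
            logging.info('ID-FFv1.2: AuthnRequest from %r' % provider_id)
            provider_loaded = load_provider(request, provider_id,
                                            server=login.server)
            if not provider_loaded:
                # provider_id comes straight from the request; log it but
                # do not reflect it into the response body.
                logging.warning(
                    _('ID-FFv1.2: provider %r unknown') % provider_id)
                return HttpResponseForbidden(_('ID-FFv1.2: provider unknown'))
            # XXX: does consent be always automatic for known providers ? Maybe
            # add a configuration key on the provider.
            consent_obtained = True
    return sso_after_process_request(request, login,
                                     consent_obtained=consent_obtained)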
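def idp_sso(request, provider_id, user_id=None):
    '''Initiate an SSO toward provider_id without a prior AuthnRequest

    Builds an IdP-initiated AuthnRequest for ``provider_id`` using the
    assertion-consumer binding and default NameID format configured on that
    provider, then continues with the usual post-AuthnRequest processing.

    :param request: the Django request of the user starting the SSO
    :param provider_id: ProviderID of the service provider to log into
    :param user_id: optional id of another user to log in as; honoured
        only when check_delegated_authentication_permission grants it
    :return: the response of sso_after_process_request, or an
        HttpResponseForbidden when the provider is unknown or delegated
        login is refused
    :raises ValueError: if provider_id is empty (the original used
        ``assert``, which is stripped under ``-O``)
    :raises Exception: on an unsupported binding or NameID policy
    '''
    if not provider_id:
        raise ValueError(
            'You must call idp_initiated_sso with a provider_id parameter')
    server = create_idff12_server(request, reverse(metadata))
    login = lasso.Login(server)
    liberty_provider = load_provider(request, provider_id, server=login.server)
    # Reject an unknown provider before touching its attributes: the
    # original read liberty_provider.service_provider first, so a bad
    # provider_id produced an AttributeError instead of this 403.
    if not liberty_provider:
        message = _('ID-FFv1.2: provider %r unknown') % provider_id
        logging.warning('ID-FFv1.2: provider %r unknown' % provider_id)
        return HttpResponseForbidden(message)
    service_provider = liberty_provider.service_provider
    binding = service_provider.prefered_assertion_consumer_binding
    nid_policy = service_provider.default_name_id_format
    if user_id:
        # NOTE(review): ``User.get`` is not the Django ORM accessor
        # (``User.objects.get``); confirm User is a wrapper providing it.
        user = User.get(id=user_id)
        # Logging in as somebody else is privileged: refuse unless the
        # caller holds the delegated-authentication permission.
        if not check_delegated_authentication_permission(request):
            logging.warning(
                'ID-FFv1.2: %r tried to log as %r on %r but was forbidden' % (
                    request.user, user, provider_id))
            return HttpResponseForbidden(
                'You must be superuser to log as another user')
    else:
        user = request.user
    load_federation(request, login, user)
    login.initIdpInitiatedAuthnRequest(provider_id)
    if binding == 'art':
        login.request.protocolProfile = lasso.LIB_PROTOCOL_PROFILE_BRWS_ART
    elif binding == 'post':
        login.request.protocolProfile = lasso.LIB_PROTOCOL_PROFILE_BRWS_POST
    else:
        raise Exception('Unsupported binding %r' % binding)
    if nid_policy == 'persistent':
        login.request.nameIdPolicy = lasso.LIB_NAMEID_POLICY_TYPE_FEDERATED
    elif nid_policy == 'transient':
        login.request.nameIdPolicy = lasso.LIB_NAMEID_POLICY_TYPE_ONE_TIME
    else:
        message = _(
            'ID-FFv1.2: default nameIdPolicy unsupported %r') % nid_policy
        logging.error(message)
        raise Exception(message)
    # No wire message to parse for an IdP-initiated request.
    login.processAuthnRequestMsg(None)
    return sso_after_process_request(request, login, consent_obtained=True,
                                     user=user, save=False)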
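def sso(request):
    """Endpoint for AuthnRequests asynchronously sent, i.e. POST or Redirect

    Parses the AuthnRequest, loads the issuing provider into the lasso
    Server on demand (the Server starts empty, so the first parse is
    expected to fail with ServerProviderNotFoundError) and then delegates
    to sso_after_process_request.

    :param request: the Django request carrying the AuthnRequest
    :return: an HttpResponseForbidden for an empty or unparsable request or
        an unknown provider, finish_sso's response for a bad signature,
        otherwise the response of sso_after_process_request
    """
    # 1. Process the request, separate POST and GET treatment
    message = get_idff12_request_message(request)
    if not message:
        return HttpResponseForbidden('Invalid SAML 1.1 AuthnRequest: "%s"' % message)
    server = create_idff12_server(request, reverse(metadata))
    login = lasso.Login(server)
    # Consent is only implied once a known provider has been loaded; the
    # original left this name unbound if the first parse succeeded.
    consent_obtained = False
    provider_id = None
    provider_loaded = False
    while True:
        try:
            logging.debug('ID-FFv1.2: processing sso request %r' % message)
            login.processAuthnRequestMsg(message)
            break
        except lasso.ProfileInvalidMsgError:
            # Keep the raw request in the log only: echoing it into the
            # error page would reflect attacker-controlled input into an
            # HTML response.
            logging.error(_('Invalid SAML 1.1 AuthnRequest: %r') % message)
            return HttpResponseForbidden(_('Invalid SAML 1.1 AuthnRequest'))
        except lasso.DsInvalidSignatureError:
            logging.error(
                _('Invalid signature on SAML 1.1 AuthnRequest: %r') % message)
            # This error is handled through SAML status codes, so return a
            # response
            return finish_sso(request, login)
        except lasso.ServerProviderNotFoundError:
            # This path is not exceptional, it is the normal first pass: no
            # provider was loaded in the Server object yet.
            if provider_loaded:
                # The provider was loaded and lasso still cannot find it;
                # the original retried forever on the same message.
                logging.error('ID-FFv1.2: provider %r still unknown after '
                              'loading, giving up' % provider_id)
                return HttpResponseForbidden(_('ID-FFv1.2: provider unknown'))
            provider_id = login.remoteProviderId
            # 2. Lookup the ProviderID
            logging.info('ID-FFv1.2: AuthnRequest from %r' % provider_id)
            provider_loaded = load_provider(request, provider_id,
                                            server=login.server)
            if not provider_loaded:
                # provider_id comes straight from the request; log it but
                # do not reflect it into the response body.
                logging.warning(
                    _('ID-FFv1.2: provider %r unknown') % provider_id)
                return HttpResponseForbidden(_('ID-FFv1.2: provider unknown'))
            # XXX: does consent be always automatic for known providers ? Maybe
            # add a configuration key on the provider.
            consent_obtained = True
    return sso_after_process_request(request, login,
                                     consent_obtained=consent_obtained)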