def _supported_authn_context_class(self, ac):
    """Return whether one of the requested context classes *ac* is satisfied.

    *ac* is a sequence of authentication context class references.  The
    request's ``Comparison`` attribute is deliberately ignored and
    "minimum" is assumed throughout.  Only the single context class
    ``self.authn_context_class`` is supported.
    """
    supported = self.authn_context_class

    def satisfied(ref):
        # ``compare_classes`` yields ``None`` when the two classes cannot be
        # compared; only a result at or below our own class counts.
        rank = compare_classes(ref, supported)
        return rank is not None and rank <= 0

    return any(satisfied(ref) for ref in ac)
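def authenticate(self, idp, ok, fail, authn_context_class=None,
                 passive=False, force=False, acs_index=None, REQUEST=None):
    """Authenticate via *idp*.

    Unless *force* is set, an existing authentication session whose
    context class already satisfies *authn_context_class* short-circuits
    the flow with a redirect to *ok*.  Otherwise a SAML ``AuthnRequest``
    is built and delivered to the IdP's ``SingleSignOnService`` using
    the HTTP-POST binding.

    Args:
        idp: identifier of the IdP (passed as ``eid`` of the ``Target``).
        ok: continuation after successful authentication; also the redirect
            target when an existing session already suffices.
        fail: continuation after failed authentication.
        authn_context_class: requested authentication context class;
            defaults to ``self.default_authn_context_class`` and is passed
            through ``normalize_class``.
        passive: value of ``IsPassive`` on the request.
        force: value of ``ForceAuthn``; also skips the session check.
        acs_index: if given, sets ``AttributeConsumingServiceIndex``.
        REQUEST: request to operate on; defaults to ``self.REQUEST``.

    Returns:
        The result of ``response.redirect(ok)`` or of ``self.deliver(...)``.
    """
    r = REQUEST or self.REQUEST
    R = r.response
    if authn_context_class is None:
        authn_context_class = self.default_authn_context_class
    if authn_context_class is not None:
        authn_context_class = normalize_class(authn_context_class)
    if not force:
        # see whether we have a valid authentication satisfying the requirements
        session = self.get_authentication_session(r)
        if session:
            # Without a requested class any existing session is acceptable.
            # ``compare_classes`` returns ``None`` for incomparable classes,
            # which must not count as satisfied (hence the explicit check).
            if authn_context_class is None:
                comparison = -1
            else:
                comparison = compare_classes(
                    authn_context_class, session["authn_context_class"])
            if comparison is not None and comparison <= 0:
                # NOTE(review): *ok* is caller supplied and used as a redirect
                # target without visible validation here.  If this method is
                # web-publishable (the ``REQUEST`` parameter suggests so),
                # confirm that *ok*/*fail* are constrained to trusted URLs.
                return R.redirect(ok)
    # must authenticate
    from dm.saml2.pyxb.protocol import AuthnRequest, RequestedAuthnContext, \
        NameIDPolicy
    from dm.saml2.pyxb.assertion import AuthnContextClassRef
    req = AuthnRequest(ForceAuthn=force, IsPassive=passive)
    if authn_context_class is not None:
        req.RequestedAuthnContext = RequestedAuthnContext(
            AuthnContextClassRef(authn_context_class))
    if acs_index is not None:
        req.AttributeConsumingServiceIndex = acs_index
    self.customize_authn_request(req)
    # The request id is stored together with the continuation targets;
    # presumably the relay state is used to correlate the IdP's response.
    relay_state = self.store((req.ID, ok, fail))
    nip = NameIDPolicy(AllowCreate=self.allow_create)
    nifs = INameidFormatSupport(self).supported
    # ``Format`` is only fixed when exactly one format is supported;
    # otherwise it is left unset.
    if len(nifs) == 1:
        nip.Format = nifs[0]
    req.NameIDPolicy = nip
    return self.deliver(
        Target(
            eid=idp,
            role="idpsso",
            endpoint="SingleSignOnService",
            sign_msg_attr="WantAuthnRequestsSigned",
            binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        ),
        None, req, relay_state)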
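def authenticate(self, idp, ok, fail, authn_context_class=None,
                 passive=False, force=False, acs_index=None, REQUEST=None):
    """Authenticate via *idp*.

    When *force* is false and the request already carries an
    authentication session whose context class satisfies
    *authn_context_class*, the response is redirected to *ok*.
    Otherwise a SAML ``AuthnRequest`` is built and delivered to the
    IdP's ``SingleSignOnService``.

    Args:
        idp: identifier of the IdP (passed as ``eid`` of the ``Target``).
        ok: continuation after successful authentication; also the redirect
            target when an existing session already suffices.
        fail: continuation after failed authentication.
        authn_context_class: requested authentication context class;
            defaults to ``self.default_authn_context_class`` and is passed
            through ``normalize_class``.
        passive: value of ``IsPassive`` on the request.
        force: value of ``ForceAuthn``; also skips the session check.
        acs_index: if given, sets ``AttributeConsumingServiceIndex``.
        REQUEST: request to operate on; defaults to ``self.REQUEST``.

    Returns:
        The result of ``response.redirect(ok)`` or of ``self.deliver(...)``.
    """
    r = REQUEST or self.REQUEST
    R = r.response
    if authn_context_class is None:
        authn_context_class = self.default_authn_context_class
    if authn_context_class is not None:
        authn_context_class = normalize_class(authn_context_class)
    if not force:
        # see whether we have a valid authentication satisfying the requirements
        session = self.get_authentication_session(r)
        if session:
            # A missing requested class accepts any existing session.
            # ``compare_classes`` may return ``None`` (incomparable classes);
            # that case is deliberately not treated as satisfied.
            if authn_context_class is None:
                comparison = -1
            else:
                comparison = compare_classes(
                    authn_context_class, session["authn_context_class"])
            if comparison is not None and comparison <= 0:
                # NOTE(review): *ok* is caller supplied and becomes a redirect
                # target with no validation visible in this method.  If the
                # method is reachable from the web (the ``REQUEST`` parameter
                # suggests so), confirm *ok*/*fail* are restricted to trusted
                # URLs.
                return R.redirect(ok)
    # must authenticate
    from dm.saml2.pyxb.protocol import AuthnRequest, RequestedAuthnContext, \
        NameIDPolicy
    from dm.saml2.pyxb.assertion import AuthnContextClassRef
    req = AuthnRequest(ForceAuthn=force, IsPassive=passive)
    if authn_context_class is not None:
        req.RequestedAuthnContext = RequestedAuthnContext(
            AuthnContextClassRef(authn_context_class)
        )
    if acs_index is not None:
        req.AttributeConsumingServiceIndex = acs_index
    self.customize_authn_request(req)
    # The request id is stored with the continuation targets; presumably
    # the returned relay state lets the IdP's response be correlated.
    relay_state = self.store((req.ID, ok, fail))
    nip = NameIDPolicy(AllowCreate=self.allow_create)
    nifs = INameidFormatSupport(self).supported
    # ``Format`` is fixed only when exactly one format is supported.
    if len(nifs) == 1:
        nip.Format = nifs[0]
    req.NameIDPolicy = nip
    return self.deliver(
        Target(eid=idp, role="idpsso",
               endpoint="SingleSignOnService",
               sign_msg_attr="WantAuthnRequestsSigned",
               ),
        None, req, relay_state
    )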