def __init__(self, settings, request=None):
    """
    Constructs the Logout Request object.

    Without ``request`` a new LogoutRequest document is rendered from the
    SP/IdP settings, carrying a freshly generated identifier as NameID
    value. With ``request`` the given base64 payload is decoded, inflated
    when it is raw-DEFLATE compressed, and stored verbatim.

    Arguments are:
        * (OneLogin_Saml2_Settings) settings. Setting data
        * (string) request. Optional base64-encoded LogoutRequest to load
          instead of building one.
    """
    self.__settings = settings
    self.__error = None

    if request is not None:
        raw = b64decode(request)
        # The payload may or may not be raw-DEFLATE compressed (wbits -15),
        # so a failed inflate is not an error: the decoded bytes are kept.
        try:
            document = decompress(raw, -15)
        except Exception:
            document = raw
        self.__logout_request = document
        return

    sp_data = self.__settings.get_sp_data()
    idp_data = self.__settings.get_idp_data()
    security = self.__settings.get_security_data()

    uid = OneLogin_Saml2_Utils.generate_unique_id()
    # NOTE: the NameID value is a random identifier, not the subject's NameID.
    name_id_value = OneLogin_Saml2_Utils.generate_unique_id()
    issue_instant = OneLogin_Saml2_Utils.parse_time_to_SAML(OneLogin_Saml2_Utils.now())

    # The NameID is encrypted with the IdP certificate only when configured.
    cert = idp_data['x509cert'] if security.get('nameIdEncrypted') else None

    name_id = OneLogin_Saml2_Utils.generate_name_id(
        name_id_value,
        sp_data['entityId'],
        sp_data['NameIDFormat'],
        cert,
    )

    # Values are interpolated without XML escaping; a setting containing
    # '&', '<' or '"' would produce ill-formed XML.
    template = (
        '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="%(id)s" Version="2.0" IssueInstant="%(issue_instant)s" '
        'Destination="%(single_logout_url)s"> '
        '<saml:Issuer>%(entity_id)s</saml:Issuer> '
        '%(name_id)s '
        '</samlp:LogoutRequest>'
    )
    self.__logout_request = template % {
        'id': uid,
        'issue_instant': issue_instant,
        'single_logout_url': idp_data['singleLogoutService']['url'],
        'entity_id': sp_data['entityId'],
        'name_id': name_id,
    }
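def __init__(self, settings, request=None):
    """
    Constructs the Logout Request object.

    Builds a new LogoutRequest from the settings when ``request`` is None;
    otherwise decodes the given base64 (optionally raw-DEFLATE compressed)
    LogoutRequest and stores it unchanged.

    Every value interpolated into the generated XML is escaped (``&``,
    ``<``, ``>`` and, inside attributes, ``"``), so an entityId or SLO URL
    containing ``&`` cannot break the document. The pre-rendered NameID
    element returned by generate_name_id is inserted verbatim.

    :param settings: Setting data
    :type settings: OneLogin_Saml2_Settings
    :param request: Optional. A base64-encoded LogoutRequest to load
                    instead of building one.
    :type request: string
    """
    from xml.sax.saxutils import escape

    self.__settings = settings
    self.__error = None

    if request is None:
        sp_data = self.__settings.get_sp_data()
        idp_data = self.__settings.get_idp_data()
        security = self.__settings.get_security_data()

        uid = OneLogin_Saml2_Utils.generate_unique_id()
        # NOTE: a random identifier is used as NameID value here, not the
        # subject's NameID.
        name_id_value = OneLogin_Saml2_Utils.generate_unique_id()
        issue_instant = OneLogin_Saml2_Utils.parse_time_to_SAML(OneLogin_Saml2_Utils.now())

        # Encrypt the NameID with the IdP certificate only when configured.
        cert = None
        if 'nameIdEncrypted' in security and security['nameIdEncrypted']:
            cert = idp_data['x509cert']

        name_id = OneLogin_Saml2_Utils.generate_name_id(
            name_id_value,
            sp_data['entityId'],
            sp_data['NameIDFormat'],
            cert)

        # Attribute values additionally need '"' escaped because the
        # template quotes them with double quotes.
        attr_entities = {'"': '&quot;'}
        logout_request = (
            '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
            'ID="%(id)s" Version="2.0" IssueInstant="%(issue_instant)s" '
            'Destination="%(single_logout_url)s"> '
            '<saml:Issuer>%(entity_id)s</saml:Issuer> '
            '%(name_id)s '
            '</samlp:LogoutRequest>'
        ) % {
            'id': escape(uid, attr_entities),
            'issue_instant': escape(issue_instant, attr_entities),
            'single_logout_url': escape(idp_data['singleLogoutService']['url'], attr_entities),
            'entity_id': escape(sp_data['entityId']),
            'name_id': name_id,  # already XML, produced by generate_name_id
        }
    else:
        decoded = b64decode(request)
        # The payload may or may not be raw-DEFLATE compressed (wbits -15);
        # when inflating fails the decoded bytes are used as they are.
        try:
            logout_request = decompress(decoded, -15)
        except Exception:
            logout_request = decoded
    self.__logout_request = logout_request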
def build(self, in_response_to):
    """
    Creates a Logout Response object.

    Renders a LogoutResponse with a Success status, addressed to the IdP's
    Single Logout Service URL and issued by this SP's entityId, and stores
    it in self.__logout_response.

    :param in_response_to: InResponseTo value for the Logout Response.
    :type in_response_to: string
    """
    sp_data = self.__settings.get_sp_data()
    idp_data = self.__settings.get_idp_data()

    response_id = OneLogin_Saml2_Utils.generate_unique_id()
    issue_instant = OneLogin_Saml2_Utils.parse_time_to_SAML(OneLogin_Saml2_Utils.now())

    # Values, including the caller-supplied in_response_to, are interpolated
    # without XML escaping.
    values = {
        'id': response_id,
        'issue_instant': issue_instant,
        'destination': idp_data['singleLogoutService']['url'],
        'in_response_to': in_response_to,
        'entity_id': sp_data['entityId'],
    }
    template = (
        '<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="%(id)s" Version="2.0" IssueInstant="%(issue_instant)s" '
        'Destination="%(destination)s" InResponseTo="%(in_response_to)s" > '
        '<saml:Issuer>%(entity_id)s</saml:Issuer> '
        '<samlp:Status> '
        '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /> '
        '</samlp:Status> '
        '</samlp:LogoutResponse>'
    )
    self.__logout_response = template % values
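def build(self, in_response_to):
    """
    Creates a Logout Response object.

    Renders a Success LogoutResponse addressed to the IdP Single Logout
    Service URL, issued by this SP, and stores it in self.__logout_response.
    Every interpolated value is XML-escaped: ``in_response_to`` is normally
    the ID of the LogoutRequest being answered, i.e. data received from the
    peer, and a value containing ``"``, ``<`` or ``&`` would otherwise
    corrupt the document or let markup through.

    :param in_response_to: InResponseTo value for the Logout Response.
    :type in_response_to: string
    """
    from xml.sax.saxutils import escape

    sp_data = self.__settings.get_sp_data()
    idp_data = self.__settings.get_idp_data()

    uid = OneLogin_Saml2_Utils.generate_unique_id()
    issue_instant = OneLogin_Saml2_Utils.parse_time_to_SAML(OneLogin_Saml2_Utils.now())

    # All substitutions land inside double-quoted attributes except the
    # Issuer text, so '"' must be escaped as well.
    attr_entities = {'"': "&quot;"}
    logout_response = (
        '<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="%(id)s" Version="2.0" IssueInstant="%(issue_instant)s" '
        'Destination="%(destination)s" InResponseTo="%(in_response_to)s" > '
        '<saml:Issuer>%(entity_id)s</saml:Issuer> '
        '<samlp:Status> '
        '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /> '
        '</samlp:Status> '
        '</samlp:LogoutResponse>'
    ) % {
        "id": escape(uid, attr_entities),
        "issue_instant": escape(issue_instant, attr_entities),
        "destination": escape(idp_data["singleLogoutService"]["url"], attr_entities),
        "in_response_to": escape(in_response_to, attr_entities),
        "entity_id": escape(sp_data["entityId"]),
    }
    self.__logout_response = logout_response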
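def __init__(self, settings):
    """
    Constructs the AuthnRequest object.

    Renders an HTTP-POST AuthnRequest from the SP/IdP settings and stores
    it in self.__authn_request; the generated request ID is kept in
    self.__id.

    Arguments are:
        * (OneLogin_Saml2_Settings) settings. Setting data
    """
    self.__settings = settings
    sp_data = self.__settings.get_sp_data()
    idp_data = self.__settings.get_idp_data()
    security = self.__settings.get_security_data()

    uid = OneLogin_Saml2_Utils.generate_unique_id()
    self.__id = uid
    issue_instant = OneLogin_Saml2_Utils.parse_time_to_SAML(OneLogin_Saml2_Utils.now())

    destination = idp_data['singleSignOnService']['url']

    # Ask the IdP for an encrypted NameID when the security settings require it.
    name_id_policy_format = sp_data['NameIDFormat']
    if 'wantNameIdEncrypted' in security and security['wantNameIdEncrypted']:
        name_id_policy_format = OneLogin_Saml2_Constants.NAMEID_ENCRYPTED

    # ProviderName is the organization displayname, preferring 'en-US' and
    # otherwise the first configured language.
    provider_name_str = ''
    organization_data = settings.get_organization()
    if isinstance(organization_data, dict) and organization_data:
        if 'en-US' in organization_data:
            lang = 'en-US'
        else:
            # dict.keys() is not subscriptable on Python 3 (keys()[0] raised
            # TypeError); iterating yields the same first key on 2 and 3.
            lang = next(iter(organization_data))
        org = organization_data[lang]
        if 'displayname' in org and org['displayname'] is not None:
            # Interpolated without XML attribute escaping.
            provider_name_str = 'ProviderName="%s"' % org['displayname']

    request = (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="%(id)s" Version="2.0" %(provider_name)s IssueInstant="%(issue_instant)s" '
        'Destination="%(destination)s" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        'AssertionConsumerServiceURL="%(assertion_url)s"> '
        '<saml:Issuer>%(entity_id)s</saml:Issuer> '
        '<samlp:NameIDPolicy Format="%(name_id_policy)s" AllowCreate="true" /> '
        '</samlp:AuthnRequest>'
    ) % {
        'id': uid,
        'provider_name': provider_name_str,
        'issue_instant': issue_instant,
        'destination': destination,
        'assertion_url': sp_data['assertionConsumerService']['url'],
        'entity_id': sp_data['entityId'],
        'name_id_policy': name_id_policy_format,
    }
    self.__authn_request = request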
def build(self, in_response_to):
    """
    Creates a Logout Response object.

    Renders OneLogin_Saml2_Templates.LOGOUT_RESPONSE with a fresh ID and
    IssueInstant, the IdP Single Logout Service URL as Destination, this
    SP's entityId as Issuer and a Success status, and stores the result in
    self.__logout_response.

    :param in_response_to: InResponseTo value for the Logout Response.
    :type in_response_to: string
    """
    settings = self.__settings
    sp_data = settings.get_sp_data()
    idp_data = settings.get_idp_data()

    response_id = OneLogin_Saml2_Utils.generate_unique_id()
    now = OneLogin_Saml2_Utils.now()
    issue_instant = OneLogin_Saml2_Utils.parse_time_to_SAML(now)

    # in_response_to is interpolated as given, without XML escaping.
    values = {
        'id': response_id,
        'issue_instant': issue_instant,
        'destination': idp_data['singleLogoutService']['url'],
        'in_response_to': in_response_to,
        'entity_id': sp_data['entityId'],
        'status': "urn:oasis:names:tc:SAML:2.0:status:Success",
    }
    self.__logout_response = OneLogin_Saml2_Templates.LOGOUT_RESPONSE % values
def __init__(self, settings, request=None, name_id=None, session_index=None, nq=None, name_id_format=None):
    """
    Constructs the Logout Request object.

    Either loads a base64-encoded (optionally raw-DEFLATE compressed)
    LogoutRequest given as ``request``, or renders a new one from the
    settings and the NameID arguments. ``self.id`` holds the request ID in
    both cases.

    NOTE(review): this variant sets Destination to the scheme and host of
    the configured SLO URL only (its path is dropped) and never sets an
    SPNameQualifier; both look like deployment-specific choices (the
    "SPID" comment below) -- confirm before reusing elsewhere.

    :param settings: Setting data
    :type settings: OneLogin_Saml2_Settings
    :param request: Optional. A LogoutRequest to be loaded instead build one.
    :type request: string
    :param name_id: The NameID that will be set in the LogoutRequest.
    :type name_id: string
    :param session_index: SessionIndex that identifies the session of the user.
    :type session_index: string
    :param nq: IDP Name Qualifier
    :type nq: string
    :param name_id_format: The NameID Format that will be set in the LogoutRequest.
    :type name_id_format: string
    """
    self.__settings = settings
    self.__error = None
    self.id = None

    if request is None:
        sp_data = self.__settings.get_sp_data()
        idp_data = self.__settings.get_idp_data()
        security = self.__settings.get_security_data()

        uid = OneLogin_Saml2_Utils.generate_unique_id()
        self.id = uid
        issue_instant = OneLogin_Saml2_Utils.parse_time_to_SAML(
            OneLogin_Saml2_Utils.now())

        # Encryption certificate for the NameID: prefer the dedicated
        # x509certMulti['encryption'] list, else the single x509cert.
        cert = None
        if 'nameIdEncrypted' in security and security['nameIdEncrypted']:
            exists_multix509enc = 'x509certMulti' in idp_data and \
                'encryption' in idp_data['x509certMulti'] and \
                idp_data['x509certMulti']['encryption']
            if exists_multix509enc:
                cert = idp_data['x509certMulti']['encryption'][0]
            else:
                cert = idp_data['x509cert']

        # With a subject NameID, fall back to the SP NameIDFormat unless it
        # is 'unspecified'; without one, the request names the IdP entity.
        if name_id is not None:
            if not name_id_format and sp_data[
                    'NameIDFormat'] != OneLogin_Saml2_Constants.NAMEID_UNSPECIFIED:
                name_id_format = sp_data['NameIDFormat']
        else:
            name_id_format = OneLogin_Saml2_Constants.NAMEID_ENTITY

        spNameQualifier = None
        if name_id_format == OneLogin_Saml2_Constants.NAMEID_ENTITY:
            # Entity-format NameIDs carry no NameQualifier.
            name_id = idp_data['entityId']
            nq = None
        elif nq is not None:
            # We only gonna include SPNameQualifier if NameQualifier is provided
            # SPID: no! spNameQualifier = sp_data['entityId']
            # NOTE(review): in this listing the line break between the
            # comment above and the assignment is not recoverable; it is
            # read here as commented-out code, leaving this branch empty.
            pass

        name_id_obj = OneLogin_Saml2_Utils.generate_name_id(
            name_id,
            spNameQualifier,
            name_id_format,
            cert,
            False,
            nq)

        if session_index:
            # Interpolated without XML escaping.
            session_index_str = '<samlp:SessionIndex>%s</samlp:SessionIndex>' % session_index
        else:
            session_index_str = ''

        # Destination is reduced to "<scheme>://<host>" of the SLO URL.
        destination_url_parts = urlparse(
            idp_data['singleLogoutService']['url'])
        destination = "%s://%s" % (destination_url_parts.scheme, destination_url_parts.netloc)

        # Settings values are interpolated without XML escaping.
        logout_request = """<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="%(id)s" Version="2.0" IssueInstant="%(issue_instant)s" Destination="%(single_logout_url)s"> <saml:Issuer NameQualifier="%(entity_id)s" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" >%(entity_id)s</saml:Issuer> %(name_id)s %(session_index)s </samlp:LogoutRequest>""" % \
            {
                'id': uid,
                'issue_instant': issue_instant,
                'single_logout_url': destination,
                'entity_id': sp_data['entityId'],
                'name_id': name_id_obj,
                'session_index': session_index_str,
            }
    else:
        decoded = b64decode(request)
        # We try to inflate; the payload may not be raw-DEFLATE compressed
        # (wbits -15), in which case the decoded bytes are used as they are.
        try:
            inflated = decompress(decoded, -15)
            logout_request = inflated
        except Exception:
            logout_request = decoded
        self.id = self.get_id(logout_request)
    self.__logout_request = logout_request
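def __init__(self, settings, force_authn=False, is_passive=False, set_nameid_policy=True):
    """
    Constructs the AuthnRequest object.

    Renders an HTTP-POST AuthnRequest from the SP/IdP settings and stores
    it in self.__authn_request; the generated request ID is kept in
    self.__id.

    :param settings: Setting data
    :type settings: OneLogin_Saml2_Settings
    :param force_authn: Optional argument. When true the AuthNRequest will set the ForceAuthn='true'.
    :type force_authn: bool
    :param is_passive: Optional argument. When true the AuthNRequest will set the Ispassive='true'.
    :type is_passive: bool
    :param set_nameid_policy: Optional argument. When true the AuthNRequest will set a nameIdPolicy element.
    :type set_nameid_policy: bool
    """
    self.__settings = settings
    sp_data = self.__settings.get_sp_data()
    idp_data = self.__settings.get_idp_data()
    security = self.__settings.get_security_data()

    uid = OneLogin_Saml2_Utils.generate_unique_id()
    self.__id = uid
    issue_instant = OneLogin_Saml2_Utils.parse_time_to_SAML(OneLogin_Saml2_Utils.now())

    destination = idp_data['singleSignOnService']['url']

    # ProviderName is the organization displayname, preferring 'en-US' and
    # otherwise the first configured language.
    provider_name_str = ''
    organization_data = settings.get_organization()
    if isinstance(organization_data, dict) and organization_data:
        if 'en-US' in organization_data:
            lang = 'en-US'
        else:
            # dict.keys() is not subscriptable on Python 3 (keys()[0] raised
            # TypeError); iterating yields the same first key on 2 and 3.
            lang = next(iter(organization_data))
        org = organization_data[lang]
        if 'displayname' in org and org['displayname'] is not None:
            # Interpolated without XML attribute escaping.
            provider_name_str = "\n" + ' ProviderName="%s"' % org['displayname']

    force_authn_str = ''
    if force_authn is True:
        force_authn_str = "\n" + ' ForceAuthn="true"'

    is_passive_str = ''
    if is_passive is True:
        is_passive_str = "\n" + ' IsPassive="true"'

    # NameIDPolicy asks for an encrypted NameID when the settings require it.
    nameid_policy_str = ''
    if set_nameid_policy:
        name_id_policy_format = sp_data['NameIDFormat']
        if 'wantNameIdEncrypted' in security and security['wantNameIdEncrypted']:
            name_id_policy_format = OneLogin_Saml2_Constants.NAMEID_ENCRYPTED
        nameid_policy_str = """ <samlp:NameIDPolicy Format="%s" AllowCreate="true" />""" % name_id_policy_format

    requested_authn_context_str = ''
    if 'requestedAuthnContext' in security and security['requestedAuthnContext'] is not False:
        authn_comparison = 'exact'
        if 'requestedAuthnContextComparison' in security:
            authn_comparison = security['requestedAuthnContextComparison']

        if security['requestedAuthnContext'] is True:
            # True selects the single PasswordProtectedTransport class.
            requested_authn_context_str = "\n" + """ <samlp:RequestedAuthnContext Comparison="%s"> <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef> </samlp:RequestedAuthnContext>""" % authn_comparison
        else:
            # Otherwise the setting is expected to be an iterable of
            # AuthnContextClassRef values (interpolated unescaped).
            requested_authn_context_str = "\n" + ' <samlp:RequestedAuthnContext Comparison="%s">' % authn_comparison
            for authn_context in security['requestedAuthnContext']:
                requested_authn_context_str += '<saml:AuthnContextClassRef>%s</saml:AuthnContextClassRef>' % authn_context
            requested_authn_context_str += ' </samlp:RequestedAuthnContext>'

    attr_consuming_service_str = ''
    if 'attributeConsumingService' in sp_data and sp_data['attributeConsumingService']:
        attr_consuming_service_str = 'AttributeConsumingServiceIndex="1"'

    request = (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="%(id)s" Version="2.0"%(provider_name)s%(force_authn_str)s%(is_passive_str)s '
        'IssueInstant="%(issue_instant)s" Destination="%(destination)s" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        'AssertionConsumerServiceURL="%(assertion_url)s" %(attr_consuming_service_str)s> '
        '<saml:Issuer>%(entity_id)s</saml:Issuer>%(nameid_policy_str)s%(requested_authn_context_str)s '
        '</samlp:AuthnRequest>'
    ) % {
        'id': uid,
        'provider_name': provider_name_str,
        'force_authn_str': force_authn_str,
        'is_passive_str': is_passive_str,
        'issue_instant': issue_instant,
        'destination': destination,
        'assertion_url': sp_data['assertionConsumerService']['url'],
        'entity_id': sp_data['entityId'],
        'nameid_policy_str': nameid_policy_str,
        'requested_authn_context_str': requested_authn_context_str,
        'attr_consuming_service_str': attr_consuming_service_str,
    }
    self.__authn_request = request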
def __init__(self, settings, force_authn=False, is_passive=False):
    """
    Constructs the AuthnRequest object.

    Renders OneLogin_Saml2_Templates.AUTHN_REQUEST from the SP/IdP settings
    and stores the document in self.__authn_request; the generated request
    ID is kept in self.__id.

    :param settings: Setting data
    :type settings: OneLogin_Saml2_Settings
    :param force_authn: Optional argument. When true the AuthNRequest will set the ForceAuthn='true'.
    :type force_authn: bool
    :param is_passive: Optional argument. When true the AuthNRequest will set the Ispassive='true'.
    :type is_passive: bool
    """
    self.__settings = settings
    sp_data = self.__settings.get_sp_data()
    idp_data = self.__settings.get_idp_data()
    security = self.__settings.get_security_data()

    uid = OneLogin_Saml2_Utils.generate_unique_id()
    self.__id = uid
    issue_instant = OneLogin_Saml2_Utils.parse_time_to_SAML(OneLogin_Saml2_Utils.now())

    destination = idp_data['singleSignOnService']['url']

    # Request an encrypted NameID when the security settings ask for it.
    sp_name_id_format = sp_data['NameIDFormat']
    if security['wantNameIdEncrypted']:
        name_id_policy_format = OneLogin_Saml2_Constants.NAMEID_ENCRYPTED
    else:
        name_id_policy_format = sp_name_id_format

    # ProviderName is the organization displayname, preferring 'en-US' and
    # otherwise the alphabetically first language. Interpolated unescaped.
    provider_name_str = ''
    organization_data = settings.get_organization()
    if isinstance(organization_data, dict) and organization_data:
        lang = 'en-US' if 'en-US' in organization_data else sorted(organization_data)[0]
        org_lang = organization_data[lang]
        if 'displayname' in org_lang and org_lang['displayname']:
            provider_name_str = 'ProviderName="%s"' % org_lang['displayname']

    force_authn_str = 'ForceAuthn="true"' if force_authn is True else ''
    is_passive_str = 'IsPassive="true"' if is_passive is True else ''

    # True selects the PasswordProtectedTransport class; any other non-False
    # value is iterated as a list of AuthnContextClassRef values.
    requested_authn_context_str = ''
    requested = security['requestedAuthnContext']
    if requested is not False:
        if requested is True:
            requested_authn_context_str = """ <samlp:RequestedAuthnContext Comparison="exact"> <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef> </samlp:RequestedAuthnContext>"""
        else:
            class_refs = ''.join(
                '<saml:AuthnContextClassRef>%s</saml:AuthnContextClassRef>' % ref
                for ref in requested
            )
            requested_authn_context_str = (
                ' <samlp:RequestedAuthnContext Comparison="exact">'
                + class_refs
                + ' </samlp:RequestedAuthnContext>'
            )

    self.__authn_request = OneLogin_Saml2_Templates.AUTHN_REQUEST % {
        'id': uid,
        'provider_name': provider_name_str,
        'force_authn_str': force_authn_str,
        'is_passive_str': is_passive_str,
        'issue_instant': issue_instant,
        'destination': destination,
        'assertion_url': sp_data['assertionConsumerService']['url'],
        'entity_id': sp_data['entityId'],
        'name_id_policy': name_id_policy_format,
        'requested_authn_context_str': requested_authn_context_str,
    }
def __init__(self, settings, request=None, name_id=None, session_index=None, nq=None):
    """
    Constructs the Logout Request object.

    Loads the given base64-encoded ``request`` when provided; otherwise
    renders OneLogin_Saml2_Templates.LOGOUT_REQUEST from the settings, the
    NameID (encrypted with the IdP certificate when ``nameIdEncrypted`` is
    set) and the optional SessionIndex. ``self.id`` holds the request ID in
    both cases.

    :param settings: Setting data
    :type settings: OneLogin_Saml2_Settings
    :param request: Optional. A LogoutRequest to be loaded instead build one.
    :type request: string
    :param name_id: The NameID that will be set in the LogoutRequest.
    :type name_id: string
    :param session_index: SessionIndex that identifies the session of the user.
    :type session_index: string
    :param nq: IDP Name Qualifier
    :type nq: string
    """
    self.__settings = settings
    self.__error = None
    self.id = None

    if request is not None:
        # ignore_zip=True presumably tolerates a payload that is not
        # DEFLATE-compressed (older versions fell back to the raw bytes)
        # -- confirm against decode_base64_and_inflate.
        logout_request = OneLogin_Saml2_Utils.decode_base64_and_inflate(request, ignore_zip=True)
        self.id = self.get_id(logout_request)
        self.__logout_request = logout_request
        return

    sp_data = self.__settings.get_sp_data()
    idp_data = self.__settings.get_idp_data()
    security = self.__settings.get_security_data()

    uid = OneLogin_Saml2_Utils.generate_unique_id()
    self.id = uid
    issue_instant = OneLogin_Saml2_Utils.parse_time_to_SAML(OneLogin_Saml2_Utils.now())

    cert = idp_data['x509cert'] if security['nameIdEncrypted'] else None

    if name_id is None:
        # Without a subject NameID the request carries the IdP entityId in
        # entity format, qualified by this SP's entityId.
        name_id = idp_data['entityId']
        name_id_format = OneLogin_Saml2_Constants.NAMEID_ENTITY
        sp_name_qualifier = sp_data['entityId']
    else:
        name_id_format = sp_data['NameIDFormat']
        sp_name_qualifier = None

    name_id_obj = OneLogin_Saml2_Utils.generate_name_id(
        name_id,
        sp_name_qualifier,
        name_id_format,
        cert,
        nq=nq,
    )

    # Interpolated without XML escaping.
    session_index_str = ''
    if session_index:
        session_index_str = '<samlp:SessionIndex>%s</samlp:SessionIndex>' % session_index

    self.__logout_request = OneLogin_Saml2_Templates.LOGOUT_REQUEST % {
        'id': uid,
        'issue_instant': issue_instant,
        'single_logout_url': idp_data['singleLogoutService']['url'],
        'entity_id': sp_data['entityId'],
        'name_id': name_id_obj,
        'session_index': session_index_str,
    }
def __init__(self, settings, request=None, name_id=None, session_index=None, nq=None, name_id_format=None, spnq=None):
    """
    Constructs the Logout Request object.

    Either loads a base64-encoded (optionally deflated) LogoutRequest given
    as ``request``, or renders OneLogin_Saml2_Templates.LOGOUT_REQUEST from
    the settings and the NameID details. ``self.id`` holds the request ID
    and ``self.__logout_request`` the document as a string in both cases.

    :param settings: Setting data
    :type settings: OneLogin_Saml2_Settings
    :param request: Optional. A LogoutRequest to be loaded instead build one.
    :type request: string
    :param name_id: The NameID that will be set in the LogoutRequest.
    :type name_id: string
    :param session_index: SessionIndex that identifies the session of the user.
    :type session_index: string
    :param nq: IDP Name Qualifier
    :type nq: string
    :param name_id_format: The NameID Format that will be set in the LogoutRequest.
    :type name_id_format: string
    :param spnq: SP Name Qualifier
    :type spnq: string
    """
    self.__settings = settings
    self.__error = None
    self.id = None

    if request is not None:
        # ignore_zip=True presumably tolerates an uncompressed payload
        # -- confirm against decode_base64_and_inflate.
        logout_request = OneLogin_Saml2_Utils.decode_base64_and_inflate(request, ignore_zip=True)
        self.id = self.get_id(logout_request)
        self.__logout_request = compat.to_string(logout_request)
        return

    sp_data = self.__settings.get_sp_data()
    idp_data = self.__settings.get_idp_data()
    security = self.__settings.get_security_data()

    uid = OneLogin_Saml2_Utils.generate_unique_id()
    self.id = uid
    issue_instant = OneLogin_Saml2_Utils.parse_time_to_SAML(OneLogin_Saml2_Utils.now())

    # Encryption certificate for the NameID: prefer the dedicated
    # x509certMulti['encryption'] list, else the single x509cert.
    cert = None
    if security['nameIdEncrypted']:
        encryption_certs = None
        if 'x509certMulti' in idp_data and 'encryption' in idp_data['x509certMulti']:
            encryption_certs = idp_data['x509certMulti']['encryption']
        if encryption_certs:
            cert = encryption_certs[0]
        else:
            cert = idp_data['x509cert']

    if name_id is None:
        # Without a subject NameID the request names the IdP entity itself.
        name_id = idp_data['entityId']
        name_id_format = OneLogin_Saml2_Constants.NAMEID_ENTITY
    elif not name_id_format and sp_data['NameIDFormat'] != OneLogin_Saml2_Constants.NAMEID_UNSPECIFIED:
        name_id_format = sp_data['NameIDFormat']

    # From saml-core-2.0-os 8.3.6, when the entity Format is used:
    # "The NameQualifier, SPNameQualifier, and SPProvidedID attributes
    # MUST be omitted."
    if name_id_format and name_id_format == OneLogin_Saml2_Constants.NAMEID_ENTITY:
        nq = None
        spnq = None

    # NameID Format UNSPECIFIED is omitted from the element.
    if name_id_format and name_id_format == OneLogin_Saml2_Constants.NAMEID_UNSPECIFIED:
        name_id_format = None

    name_id_obj = OneLogin_Saml2_Utils.generate_name_id(
        name_id,
        spnq,
        name_id_format,
        cert,
        False,
        nq,
    )

    # Interpolated without XML escaping.
    if session_index:
        session_index_str = '<samlp:SessionIndex>%s</samlp:SessionIndex>' % session_index
    else:
        session_index_str = ''

    logout_request = OneLogin_Saml2_Templates.LOGOUT_REQUEST % {
        'id': uid,
        'issue_instant': issue_instant,
        'single_logout_url': idp_data['singleLogoutService']['url'],
        'entity_id': sp_data['entityId'],
        'name_id': name_id_obj,
        'session_index': session_index_str,
    }
    self.__logout_request = compat.to_string(logout_request)
def __init__(self, settings, force_authn=False, is_passive=False, set_nameid_policy=True):
    """
    Constructs the AuthnRequest object.

    NOTE(review): this variant does not render the settings-driven request.
    Destination, AssertionConsumerServiceURL and Issuer are fixed literals
    below, the template hard-codes ForceAuthn="false" / IsPassive="false",
    and it embeds a constant <Signature> (DigestValue / SignatureValue)
    although the referenced ID and IssueInstant are regenerated on every
    call. The force_authn, is_passive and set_nameid_policy arguments and
    most of the values computed from the settings therefore have no effect
    on the produced document.

    :param settings: Setting data
    :type settings: OneLogin_Saml2_Settings
    :param force_authn: Optional argument. When true the AuthNRequest will set the ForceAuthn='true'.
    :type force_authn: bool
    :param is_passive: Optional argument. When true the AuthNRequest will set the Ispassive='true'.
    :type is_passive: bool
    :param set_nameid_policy: Optional argument. When true the AuthNRequest will set a nameIdPolicy element.
    :type set_nameid_policy: bool
    """
    self.__settings = settings
    sp_data = self.__settings.get_sp_data()
    idp_data = self.__settings.get_idp_data()
    security = self.__settings.get_security_data()

    uid = OneLogin_Saml2_Utils.generate_unique_id()
    self.__id = uid
    issue_instant = OneLogin_Saml2_Utils.parse_time_to_SAML(
        OneLogin_Saml2_Utils.now())

    # destination = idp_data['singleSignOnService']['url']
    # Hard-coded override of the configured SSO URL (see the commented-out
    # line above); the settings value is ignored.
    destination = 'https://fed.paci.gov.kw/idp/SSO.saml2'

    provider_name_str = ''
    organization_data = settings.get_organization()
    if isinstance(organization_data, dict) and organization_data:
        langs = organization_data.keys()
        if 'en-US' in langs:
            lang = 'en-US'
        else:
            # dict.keys() is not subscriptable on Python 3; this raises
            # TypeError there.
            lang = langs[0]
        if 'displayname' in organization_data[lang] and organization_data[
                lang]['displayname'] is not None:
            provider_name_str = "\n" + ' ProviderName="%s"' % organization_data[
                lang]['displayname']

    force_authn_str = ''
    if force_authn is True:
        force_authn_str = "\n" + ' ForceAuthn="true"'

    is_passive_str = ''
    if is_passive is True:
        is_passive_str = "\n" + ' IsPassive="true"'

    nameid_policy_str = ''
    if set_nameid_policy:
        name_id_policy_format = sp_data['NameIDFormat']
        if 'wantNameIdEncrypted' in security and security[
                'wantNameIdEncrypted']:
            name_id_policy_format = OneLogin_Saml2_Constants.NAMEID_ENCRYPTED
        nameid_policy_str = """ <samlp:NameIDPolicy Format="%s" AllowCreate="true" />""" % name_id_policy_format

    requested_authn_context_str = ''
    if 'requestedAuthnContext' in security.keys(
    ) and security['requestedAuthnContext'] is not False:
        authn_comparison = 'exact'
        if 'requestedAuthnContextComparison' in security.keys():
            authn_comparison = security['requestedAuthnContextComparison']

        if security['requestedAuthnContext'] is True:
            requested_authn_context_str = "\n" + """ <samlp:RequestedAuthnContext Comparison="%s"> <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef> </samlp:RequestedAuthnContext>""" % authn_comparison
        else:
            requested_authn_context_str = "\n" + ' <samlp:RequestedAuthnContext Comparison="%s">' % authn_comparison
            for authn_context in security['requestedAuthnContext']:
                requested_authn_context_str += '<saml:AuthnContextClassRef>%s</saml:AuthnContextClassRef>' % authn_context
            requested_authn_context_str += ' </samlp:RequestedAuthnContext>'

    attr_consuming_service_str = ''
    if 'attributeConsumingService' in sp_data and sp_data[
            'attributeConsumingService']:
        attr_consuming_service_str = 'AttributeConsumingServiceIndex="1"'

    # Static signature material. The Reference URI="#%(id)s" in the
    # template below points at an ID that is freshly generated above, and
    # IssueInstant changes on every call, so a constant DigestValue /
    # SignatureValue cannot match the document it is embedded in; a relying
    # party that validates the signature will reject it. A valid signature
    # has to be computed over the serialized request. The algorithms
    # named in the template (rsa-sha1, sha1 digest) are also deprecated.
    # The ACS URL and Issuer below replace the configured
    # sp_data['assertionConsumerService']['url'] and sp_data['entityId'].
    certificate = "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"
    signature_value = 'owbA6nJRn8TMQojq27rkqMBk+z2s8Fly1F68MEMd1InH6vFpVQqvwn7NrEP7YEJnTiHH3y8vrQvpHqBYuXoJjoZpjLdmV3jlprrzjDF+ZFUeqqfUO9h8JAVPTtxwrIEj0bfzH76pCU9h+Fu0kEekQ0UjKGHUEOZbd1+W7lmcc7U='
    assertion__consumer_service_url = 'https://api.mofa2.mykuwaitnet.net/saml?acs'
    digest_value = 'Eph2yJzbGPhlVQThAl1OHWF/bmM='
    saml_issuer = 'https://api.mofa2.mykuwaitnet.net/'

    # The keys provider_name, force_authn_str, is_passive_str, assertion_url,
    # entity_id, nameid_policy_str, requested_authn_context_str and
    # attr_consuming_service_str have no placeholder in this template, so
    # the values computed above are discarded.
    request = """<samlp:AuthnRequest ID="%(id)s" Version="2.0" IssueInstant="%(issue_instant)s" Destination="%(destination)s" ForceAuthn="false" IsPassive="false" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="%(assertion__consumer_service_url)s" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">%(saml_issuer)s</saml:Issuer><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /><Reference URI="#%(id)s"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><InclusiveNamespaces PrefixList="#default samlp saml ds xs xsi" xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" /></Transform></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /><DigestValue>%(digest_value)s</DigestValue></Reference></SignedInfo><SignatureValue>%(signature_value)s</SignatureValue><KeyInfo><X509Data><X509Certificate>%(certificate)s</X509Certificate></X509Data></KeyInfo></Signature><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true" /></samlp:AuthnRequest>""" % \
        {
            'id': uid,
            'provider_name': provider_name_str,
            'force_authn_str': force_authn_str,
            'is_passive_str': is_passive_str,
            'issue_instant': issue_instant,
            'destination': destination,
            'assertion_url': sp_data['assertionConsumerService']['url'],
            'entity_id': sp_data['entityId'],
            'nameid_policy_str': nameid_policy_str,
            'requested_authn_context_str': requested_authn_context_str,
            'attr_consuming_service_str': attr_consuming_service_str,
            'certificate': certificate,
            'signature_value': signature_value,
            'digest_value': digest_value,
            'assertion__consumer_service_url': assertion__consumer_service_url,
            'saml_issuer': saml_issuer
        }
    self.__authn_request = request
def __init__(self, settings, force_authn=False, is_passive=False, set_nameid_policy=True):
    """
    Constructs the AuthnRequest object.

    Renders AUTHN_REQUEST from the SP/IdP settings and stores the document
    in self.__authn_request; the request ID is kept in self.__id. Every
    value taken from the settings or arguments is XML-escaped before it is
    interpolated: quoteattr() for attribute values (it supplies the
    surrounding quotes) and escape() for element text.

    :param settings: Setting data
    :type settings: OneLogin_Saml2_Settings
    :param force_authn: Optional argument. When true the AuthNRequest will set the ForceAuthn='true'.
    :type force_authn: bool
    :param is_passive: Optional argument. When true the AuthNRequest will set the Ispassive='true'.
    :type is_passive: bool
    :param set_nameid_policy: Optional argument. When true the AuthNRequest will set a nameIdPolicy element.
    :type set_nameid_policy: bool
    """
    self.__settings = settings
    sp_data = self.__settings.get_sp_data()
    idp_data = self.__settings.get_idp_data()
    security = self.__settings.get_security_data()

    uid = OneLogin_Saml2_Utils.generate_unique_id()
    self.__id = uid
    issue_instant = OneLogin_Saml2_Utils.parse_time_to_SAML(OneLogin_Saml2_Utils.now())
    destination = idp_data['singleSignOnService']['url']

    # ProviderName is the organization displayname, preferring 'en-US' and
    # otherwise the alphabetically first language.
    provider_name_str = ''
    organization_data = settings.get_organization()
    if isinstance(organization_data, dict) and organization_data:
        lang = 'en-US' if 'en-US' in organization_data else sorted(organization_data)[0]
        org_lang = organization_data[lang]
        if 'displayname' in org_lang and org_lang['displayname']:
            provider_name_str = "\n" + ' ProviderName=%s' % quoteattr(org_lang['displayname'])

    force_authn_str = ("\n" + ' ForceAuthn="true"') if force_authn is True else ''
    is_passive_str = ("\n" + ' IsPassive="true"') if is_passive is True else ''

    # NameIDPolicy asks for an encrypted NameID when the settings require it.
    nameid_policy_str = ''
    if set_nameid_policy:
        name_id_policy_format = sp_data['NameIDFormat']
        if security['wantNameIdEncrypted']:
            name_id_policy_format = OneLogin_Saml2_Constants.NAMEID_ENCRYPTED
        nameid_policy_str = """ <samlp:NameIDPolicy Format=%s AllowCreate="true" />""" % quoteattr(name_id_policy_format)

    # True selects the PasswordProtectedTransport class; any other non-False
    # value is iterated as a list of AuthnContextClassRef values.
    requested_authn_context_str = ''
    requested = security['requestedAuthnContext']
    if requested is not False:
        authn_comparison = security.get('requestedAuthnContextComparison', 'exact')
        if requested is True:
            requested_authn_context_str = """ <samlp:RequestedAuthnContext Comparison=%s> <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef> </samlp:RequestedAuthnContext>""" % quoteattr(authn_comparison)
        else:
            class_refs = ''.join(
                '<saml:AuthnContextClassRef>%s</saml:AuthnContextClassRef>' % escape(ref)
                for ref in requested
            )
            requested_authn_context_str = (
                ' <samlp:RequestedAuthnContext Comparison=%s>' % quoteattr(authn_comparison)
                + class_refs
                + ' </samlp:RequestedAuthnContext>'
            )

    attr_consuming_service_str = ''
    if 'attributeConsumingService' in sp_data and sp_data['attributeConsumingService']:
        attr_consuming_service_str = "\n AttributeConsumingServiceIndex=\"1\""

    self.__authn_request = AUTHN_REQUEST % {
        'id': quoteattr(uid),
        'provider_name': provider_name_str,
        'force_authn_str': force_authn_str,
        'is_passive_str': is_passive_str,
        'issue_instant': quoteattr(issue_instant),
        'destination': quoteattr(destination),
        'assertion_url': quoteattr(sp_data['assertionConsumerService']['url']),
        'entity_id': escape(sp_data['entityId']),
        'nameid_policy_str': nameid_policy_str,
        'requested_authn_context_str': requested_authn_context_str,
        'attr_consuming_service_str': attr_consuming_service_str,
    }
def _generate_request_id(self):
    """
    Generate an unique request ID.

    Delegates to OneLogin_Saml2_Utils.generate_unique_id(); no instance
    state is consulted.

    :return: a new unique identifier
    """
    request_id = OneLogin_Saml2_Utils.generate_unique_id()
    return request_id
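def __init__(self, settings, force_authn=False, is_passive=False):
    """
    Constructs the AuthnRequest object.

    :param settings: Setting data
    :type settings: OneLogin_Saml2_Settings
    :param force_authn: Optional argument. When true the AuthNRequest will set the ForceAuthn='true'.
    :type force_authn: bool
    :param is_passive: Optional argument. When true the AuthNRequest will set the Ispassive='true'.
    :type is_passive: bool
    """
    # stdlib helpers, imported locally so this fix does not depend on the file header.
    from xml.sax.saxutils import escape, quoteattr

    self.__settings = settings
    sp_data = self.__settings.get_sp_data()
    idp_data = self.__settings.get_idp_data()
    security = self.__settings.get_security_data()

    uid = OneLogin_Saml2_Utils.generate_unique_id()
    self.__id = uid
    issue_instant = OneLogin_Saml2_Utils.parse_time_to_SAML(OneLogin_Saml2_Utils.now())
    destination = idp_data["singleSignOnService"]["url"]

    name_id_policy_format = sp_data["NameIDFormat"]
    if "wantNameIdEncrypted" in security and security["wantNameIdEncrypted"]:
        name_id_policy_format = OneLogin_Saml2_Constants.NAMEID_ENCRYPTED

    provider_name_str = ""
    organization_data = settings.get_organization()
    if isinstance(organization_data, dict) and organization_data:
        # Bug fix: `organization_data.keys()[0]` raises TypeError on Python 3
        # (dict views are not subscriptable). Prefer en-US, otherwise the
        # alphabetically first language so the choice is deterministic.
        if "en-US" in organization_data:
            lang = "en-US"
        else:
            lang = sorted(organization_data)[0]
        if "displayname" in organization_data[lang] and organization_data[lang]["displayname"] is not None:
            # quoteattr() supplies the quotes and escapes '"', '&', '<', so a
            # display name such as `Foo & "Bar"` cannot produce malformed XML.
            provider_name_str = "ProviderName=%s" % quoteattr(organization_data[lang]["displayname"])

    force_authn_str = ""
    if force_authn is True:
        force_authn_str = 'ForceAuthn="true"'

    is_passive_str = ""
    if is_passive is True:
        is_passive_str = 'IsPassive="true"'

    requested_authn_context_str = ""
    if "requestedAuthnContext" in security.keys() and security["requestedAuthnContext"] is not False:
        authn_comparison = "exact"
        if "requestedAuthnContextComparison" in security.keys():
            authn_comparison = security["requestedAuthnContextComparison"]
        if security["requestedAuthnContext"] is True:
            requested_authn_context_str = (
                """    <samlp:RequestedAuthnContext Comparison=%s>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>"""
                % quoteattr(authn_comparison)
            )
        else:
            requested_authn_context_str = "    <samlp:RequestedAuthnContext Comparison=%s>" % quoteattr(authn_comparison)
            for authn_context in security["requestedAuthnContext"]:
                # Element text: escape '&', '<', '>'.
                requested_authn_context_str += (
                    "<saml:AuthnContextClassRef>%s</saml:AuthnContextClassRef>" % escape(authn_context)
                )
            requested_authn_context_str += "    </samlp:RequestedAuthnContext>"

    attr_consuming_service_str = ""
    if "attributeConsumingService" in sp_data and sp_data["attributeConsumingService"]:
        # TODO: Do we have to account for the case when we have multiple attributeconsumers?
        # like will the index be > 1?
        attr_consuming_service_str = 'AttributeConsumingServiceIndex="1"'

    # Attribute values are passed through quoteattr() (which adds the quotes)
    # and element text through escape(); the template therefore carries no
    # literal quotes around the substituted attribute values.
    request = """<samlp:AuthnRequest
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID=%(id)s
  Version="2.0"
  %(provider_name)s
  %(force_authn_str)s
  %(is_passive_str)s
  IssueInstant=%(issue_instant)s
  Destination=%(destination)s
  ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
  AssertionConsumerServiceURL=%(assertion_url)s
  %(attr_consuming_service_str)s>
    <saml:Issuer>%(entity_id)s</saml:Issuer>
    <samlp:NameIDPolicy
        Format=%(name_id_policy)s
        AllowCreate="true" />
%(requested_authn_context_str)s
</samlp:AuthnRequest>""" % {
        "id": quoteattr(uid),
        "provider_name": provider_name_str,
        "force_authn_str": force_authn_str,
        "is_passive_str": is_passive_str,
        "issue_instant": quoteattr(issue_instant),
        "destination": quoteattr(destination),
        "assertion_url": quoteattr(sp_data["assertionConsumerService"]["url"]),
        "entity_id": escape(sp_data["entityId"]),
        "name_id_policy": quoteattr(name_id_policy_format),
        "requested_authn_context_str": requested_authn_context_str,
        "attr_consuming_service_str": attr_consuming_service_str,
    }
    self.__authn_request = request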
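def __init__(self, settings, force_authn=False, is_passive=False, set_nameid_policy=True):
    """
    Constructs the AuthnRequest object.

    :param settings: Setting data
    :type settings: OneLogin_Saml2_Settings
    :param force_authn: Optional argument. When true the AuthNRequest will set the ForceAuthn='true'.
    :type force_authn: bool
    :param is_passive: Optional argument. When true the AuthNRequest will set the Ispassive='true'.
    :type is_passive: bool
    :param set_nameid_policy: Optional argument. When true the AuthNRequest will set a nameIdPolicy element.
    :type set_nameid_policy: bool
    """
    # stdlib helpers, imported locally so this fix does not depend on the file header.
    from xml.sax.saxutils import escape, quoteattr

    self.__settings = settings
    sp_data = self.__settings.get_sp_data()
    idp_data = self.__settings.get_idp_data()
    security = self.__settings.get_security_data()

    uid = OneLogin_Saml2_Utils.generate_unique_id()
    self.__id = uid
    issue_instant = OneLogin_Saml2_Utils.parse_time_to_SAML(OneLogin_Saml2_Utils.now())

    # SECURITY / CORRECTNESS: the previous revision ignored the configured
    # SSO URL, ACS URL and entity ID in favour of hard-coded environment
    # URLs, and pasted a fixed X509 certificate, <DigestValue> and
    # <SignatureValue> into every request. A static signature can never
    # verify against a document whose ID and IssueInstant change on each
    # call, so it either fails at the IdP or shows the IdP is not checking
    # signatures at all. Environment-specific endpoints belong in settings
    # (idp.singleSignOnService.url, sp.assertionConsumerService.url,
    # sp.entityId), and a signature must be computed over the final XML by
    # the library's signing routine (presumably the authnRequestsSigned
    # path in OneLogin_Saml2_Auth / OneLogin_Saml2_Utils — confirm), never
    # embedded as constants.
    destination = idp_data['singleSignOnService']['url']

    provider_name_str = ''
    organization_data = settings.get_organization()
    if isinstance(organization_data, dict) and organization_data:
        # Bug fix: `organization_data.keys()[0]` raises TypeError on Python 3.
        if 'en-US' in organization_data:
            lang = 'en-US'
        else:
            lang = sorted(organization_data)[0]
        if 'displayname' in organization_data[lang] and organization_data[lang]['displayname'] is not None:
            # quoteattr() supplies the quotes and escapes '"', '&', '<'.
            provider_name_str = "\n" + '    ProviderName=%s' % quoteattr(organization_data[lang]['displayname'])

    force_authn_str = ''
    if force_authn is True:
        force_authn_str = "\n" + '    ForceAuthn="true"'

    is_passive_str = ''
    if is_passive is True:
        is_passive_str = "\n" + '    IsPassive="true"'

    nameid_policy_str = ''
    if set_nameid_policy:
        name_id_policy_format = sp_data['NameIDFormat']
        if 'wantNameIdEncrypted' in security and security['wantNameIdEncrypted']:
            name_id_policy_format = OneLogin_Saml2_Constants.NAMEID_ENCRYPTED
        nameid_policy_str = """
    <samlp:NameIDPolicy Format=%s AllowCreate="true" />""" % quoteattr(name_id_policy_format)

    requested_authn_context_str = ''
    if 'requestedAuthnContext' in security.keys() and security['requestedAuthnContext'] is not False:
        authn_comparison = 'exact'
        if 'requestedAuthnContextComparison' in security.keys():
            authn_comparison = security['requestedAuthnContextComparison']
        if security['requestedAuthnContext'] is True:
            requested_authn_context_str = "\n" + """    <samlp:RequestedAuthnContext Comparison=%s>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>""" % quoteattr(authn_comparison)
        else:
            requested_authn_context_str = "\n" + '    <samlp:RequestedAuthnContext Comparison=%s>' % quoteattr(authn_comparison)
            for authn_context in security['requestedAuthnContext']:
                # Element text: escape '&', '<', '>'.
                requested_authn_context_str += '<saml:AuthnContextClassRef>%s</saml:AuthnContextClassRef>' % escape(authn_context)
            requested_authn_context_str += '    </samlp:RequestedAuthnContext>'

    attr_consuming_service_str = ''
    if 'attributeConsumingService' in sp_data and sp_data['attributeConsumingService']:
        attr_consuming_service_str = "\n    AttributeConsumingServiceIndex=\"1\""

    # Attribute values go through quoteattr() (which adds the quotes) and
    # element text through escape(); the template carries no literal quotes
    # around the substituted attribute values.
    request = """<samlp:AuthnRequest
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID=%(id)s
  Version="2.0"%(provider_name)s%(force_authn_str)s%(is_passive_str)s
  IssueInstant=%(issue_instant)s
  Destination=%(destination)s
  ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
  AssertionConsumerServiceURL=%(assertion_url)s%(attr_consuming_service_str)s>
    <saml:Issuer>%(entity_id)s</saml:Issuer>%(nameid_policy_str)s%(requested_authn_context_str)s
</samlp:AuthnRequest>""" % {
        'id': quoteattr(uid),
        'provider_name': provider_name_str,
        'force_authn_str': force_authn_str,
        'is_passive_str': is_passive_str,
        'issue_instant': quoteattr(issue_instant),
        'destination': quoteattr(destination),
        'assertion_url': quoteattr(sp_data['assertionConsumerService']['url']),
        'entity_id': escape(sp_data['entityId']),
        'nameid_policy_str': nameid_policy_str,
        'requested_authn_context_str': requested_authn_context_str,
        'attr_consuming_service_str': attr_consuming_service_str,
    }
    self.__authn_request = request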
def _generate_request_id(self):
    """
    Return a fresh unique message ID.

    Delegates to OneLogin_Saml2_Utils.generate_unique_id(); exposed as a
    method so the ID source can be overridden in one place.
    """
    mint_id = OneLogin_Saml2_Utils.generate_unique_id
    return mint_id()
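def __init__(self, settings, request=None, name_id=None, session_index=None):
    """
    Constructs the Logout Request object.

    :param settings: Setting data
    :type settings: OneLogin_Saml2_Settings
    :param request: Optional. A LogoutRequest to be loaded instead build one.
    :type request: string
    :param name_id: The NameID that will be set in the LogoutRequest.
    :type name_id: string
    :param session_index: SessionIndex that identifies the session of the user.
    :type session_index: string
    """
    # stdlib helper, imported locally so this fix does not depend on the file header.
    from xml.sax.saxutils import escape

    self.__settings = settings
    self.__error = None
    self.id = None

    if request is None:
        sp_data = self.__settings.get_sp_data()
        idp_data = self.__settings.get_idp_data()
        security = self.__settings.get_security_data()

        uid = OneLogin_Saml2_Utils.generate_unique_id()
        self.id = uid
        issue_instant = OneLogin_Saml2_Utils.parse_time_to_SAML(OneLogin_Saml2_Utils.now())

        # Encrypt the NameID with the IdP certificate when configured.
        cert = None
        if security['nameIdEncrypted']:
            cert = idp_data['x509cert']

        if name_id is not None:
            name_id_format = sp_data['NameIDFormat']
            sp_name_qualifier = None
        else:
            # No subject given: use the IdP entity ID with the entity format.
            # NOTE(review): saml-core-2.0-os 8.3.6 says SPNameQualifier MUST be
            # omitted when the entity Format is used; it is kept here to
            # preserve the current wire format — confirm with the target IdP
            # before dropping it.
            name_id = idp_data['entityId']
            name_id_format = OneLogin_Saml2_Constants.NAMEID_ENTITY
            sp_name_qualifier = sp_data['entityId']

        name_id_obj = OneLogin_Saml2_Utils.generate_name_id(
            name_id,
            sp_name_qualifier,
            name_id_format,
            cert
        )

        # SECURITY: SessionIndex is an opaque value that is typically echoed
        # back from the IdP's assertion. Escape it so a hostile or malformed
        # value cannot inject markup into the LogoutRequest.
        if session_index:
            session_index_str = '<samlp:SessionIndex>%s</samlp:SessionIndex>' % escape('%s' % (session_index,))
        else:
            session_index_str = ''

        logout_request = OneLogin_Saml2_Templates.LOGOUT_REQUEST % {
            'id': uid,
            'issue_instant': issue_instant,
            'single_logout_url': idp_data['singleLogoutService']['url'],
            'entity_id': sp_data['entityId'],
            'name_id': name_id_obj,
            'session_index': session_index_str,
        }
    else:
        # Inbound (network-supplied) LogoutRequest: decode and, where needed,
        # inflate it, then take the message ID from the document itself.
        logout_request = OneLogin_Saml2_Utils.decode_base64_and_inflate(request, ignore_zip=True)
        self.id = self.get_id(logout_request)

    self.__logout_request = logout_request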
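def __init__(self, settings, force_authn=False, is_passive=False, set_nameid_policy=True, name_id_value_req=None):
    """
    Constructs the AuthnRequest object.

    :param settings: Setting data
    :type settings: OneLogin_Saml2_Settings
    :param force_authn: Optional argument. When true the AuthNRequest will set the ForceAuthn='true'.
    :type force_authn: bool
    :param is_passive: Optional argument. When true the AuthNRequest will set the Ispassive='true'.
    :type is_passive: bool
    :param set_nameid_policy: Optional argument. When true the AuthNRequest will set a nameIdPolicy element.
    :type set_nameid_policy: bool
    :param name_id_value_req: Optional argument. Indicates to the IdP the subject that should be authenticated
    :type name_id_value_req: string
    """
    # stdlib helpers, imported locally so this fix does not depend on the file header.
    from xml.sax.saxutils import escape, quoteattr

    self.__settings = settings
    sp_data = self.__settings.get_sp_data()
    idp_data = self.__settings.get_idp_data()
    security = self.__settings.get_security_data()

    uid = OneLogin_Saml2_Utils.generate_unique_id()
    self.__id = uid
    issue_instant = OneLogin_Saml2_Utils.parse_time_to_SAML(OneLogin_Saml2_Utils.now())
    destination = idp_data['singleSignOnService']['url']

    provider_name_str = ''
    organization_data = settings.get_organization()
    if isinstance(organization_data, dict) and organization_data:
        langs = organization_data
        if 'en-US' in langs:
            lang = 'en-US'
        else:
            lang = sorted(langs)[0]
        display_name = 'displayname' in organization_data[lang] and organization_data[lang]['displayname']
        if display_name:
            # quoteattr() supplies the quotes and escapes '"', '&', '<'.
            provider_name_str = "\n" + '    ProviderName=%s' % quoteattr(organization_data[lang]['displayname'])

    force_authn_str = ''
    if force_authn is True:
        force_authn_str = "\n" + '    ForceAuthn="true"'

    is_passive_str = ''
    if is_passive is True:
        is_passive_str = "\n" + '    IsPassive="true"'

    # SECURITY: name_id_value_req is a caller-supplied subject hint (in
    # practice often taken straight from a request parameter), so it is
    # escaped as element text and the Format attribute is quoted with
    # quoteattr() before either is placed in the XML.
    subject_str = ''
    if name_id_value_req:
        subject_str = """
    <saml:Subject>
        <saml:NameID Format=%s>%s</saml:NameID>
        <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"></saml:SubjectConfirmation>
    </saml:Subject>""" % (quoteattr(sp_data['NameIDFormat']), escape('%s' % (name_id_value_req,)))

    nameid_policy_str = ''
    if set_nameid_policy:
        name_id_policy_format = sp_data['NameIDFormat']
        if security['wantNameIdEncrypted']:
            name_id_policy_format = OneLogin_Saml2_Constants.NAMEID_ENCRYPTED
        nameid_policy_str = """
    <samlp:NameIDPolicy Format=%s AllowCreate="true" />""" % quoteattr(name_id_policy_format)

    requested_authn_context_str = ''
    if security['requestedAuthnContext'] is not False:
        authn_comparison = security['requestedAuthnContextComparison']
        if security['requestedAuthnContext'] is True:
            requested_authn_context_str = """    <samlp:RequestedAuthnContext Comparison=%s>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>""" % quoteattr(authn_comparison)
        else:
            requested_authn_context_str = '    <samlp:RequestedAuthnContext Comparison=%s>' % quoteattr(authn_comparison)
            for authn_context in security['requestedAuthnContext']:
                # Element text: escape '&', '<', '>'.
                requested_authn_context_str += '<saml:AuthnContextClassRef>%s</saml:AuthnContextClassRef>' % escape(authn_context)
            requested_authn_context_str += '    </samlp:RequestedAuthnContext>'

    attr_consuming_service_str = ''
    if 'attributeConsumingService' in sp_data and sp_data['attributeConsumingService']:
        attr_consuming_service_str = "\n    AttributeConsumingServiceIndex=\"1\""

    # The id/issue_instant/destination/assertion_url/entity_id values are
    # substituted into OneLogin_Saml2_Templates.AUTHN_REQUEST, which is
    # assumed to carry its own attribute quoting (as the original code
    # passed them raw) — confirm against the template before adding
    # quoteattr() here, or the values would be double-quoted.
    request = OneLogin_Saml2_Templates.AUTHN_REQUEST % {
        'id': uid,
        'provider_name': provider_name_str,
        'force_authn_str': force_authn_str,
        'is_passive_str': is_passive_str,
        'issue_instant': issue_instant,
        'destination': destination,
        'assertion_url': sp_data['assertionConsumerService']['url'],
        'entity_id': sp_data['entityId'],
        'subject_str': subject_str,
        'nameid_policy_str': nameid_policy_str,
        'requested_authn_context_str': requested_authn_context_str,
        'attr_consuming_service_str': attr_consuming_service_str,
    }
    self.__authn_request = request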
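def __init__(self, settings, force_authn=False, is_passive=False):
    """
    Constructs the AuthnRequest object.

    :param settings: Setting data
    :type settings: OneLogin_Saml2_Settings
    :param force_authn: Optional argument. When true the AuthNRequest will set the ForceAuthn='true'.
    :type force_authn: bool
    :param is_passive: Optional argument. When true the AuthNRequest will set the Ispassive='true'.
    :type is_passive: bool
    """
    # stdlib helpers, imported locally so this fix does not depend on the file header.
    from xml.sax.saxutils import escape, quoteattr

    self._settings = settings
    sp_data = self._settings.get_sp_data()
    idp_data = self._settings.get_idp_data()
    security = self._settings.get_security_data()

    uid = OneLogin_Saml2_Utils.generate_unique_id()
    self._id = uid
    issue_instant = OneLogin_Saml2_Utils.parse_time_to_SAML(OneLogin_Saml2_Utils.now())
    destination = idp_data['singleSignOnService']['url']

    name_id_policy_format = sp_data['NameIDFormat']
    if 'wantNameIdEncrypted' in security and security['wantNameIdEncrypted']:
        name_id_policy_format = OneLogin_Saml2_Constants.NAMEID_ENCRYPTED

    provider_name_str = ''
    organization_data = settings.get_organization()
    if isinstance(organization_data, dict) and organization_data:
        # Bug fix: `organization_data.keys()[0]` raises TypeError on Python 3
        # (dict views are not subscriptable). Prefer en-US, otherwise the
        # alphabetically first language so the choice is deterministic.
        if 'en-US' in organization_data:
            lang = 'en-US'
        else:
            lang = sorted(organization_data)[0]
        if 'displayname' in organization_data[lang] and organization_data[lang]['displayname'] is not None:
            # quoteattr() supplies the quotes and escapes '"', '&', '<'.
            provider_name_str = 'ProviderName=%s' % quoteattr(organization_data[lang]['displayname'])

    force_authn_str = ''
    if force_authn is True:
        force_authn_str = 'ForceAuthn="true"'

    is_passive_str = ''
    if is_passive is True:
        is_passive_str = 'IsPassive="true"'

    requested_authn_context_str = ''
    if 'requestedAuthnContext' in security.keys() and security['requestedAuthnContext'] is not False:
        authn_comparison = 'exact'
        if 'requestedAuthnContextComparison' in security.keys():
            authn_comparison = security['requestedAuthnContextComparison']
        if security['requestedAuthnContext'] is True:
            requested_authn_context_str = """    <samlp:RequestedAuthnContext Comparison=%s>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>""" % quoteattr(authn_comparison)
        else:
            requested_authn_context_str = '    <samlp:RequestedAuthnContext Comparison=%s>' % quoteattr(authn_comparison)
            for authn_context in security['requestedAuthnContext']:
                # Element text: escape '&', '<', '>'.
                requested_authn_context_str += '<saml:AuthnContextClassRef>%s</saml:AuthnContextClassRef>' % escape(authn_context)
            requested_authn_context_str += '    </samlp:RequestedAuthnContext>'

    # Attribute values go through quoteattr() (which adds the quotes) and
    # element text through escape(); the template carries no literal quotes
    # around the substituted attribute values.
    request = """<samlp:AuthnRequest
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID=%(id)s
  Version="2.0"
  %(provider_name)s
  %(force_authn_str)s
  %(is_passive_str)s
  IssueInstant=%(issue_instant)s
  Destination=%(destination)s
  ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
  AssertionConsumerServiceURL=%(assertion_url)s>
    <saml:Issuer>%(entity_id)s</saml:Issuer>
    <samlp:NameIDPolicy
        Format=%(name_id_policy)s
        AllowCreate="true" />
%(requested_authn_context_str)s
</samlp:AuthnRequest>""" % {
        'id': quoteattr(uid),
        'provider_name': provider_name_str,
        'force_authn_str': force_authn_str,
        'is_passive_str': is_passive_str,
        'issue_instant': quoteattr(issue_instant),
        'destination': quoteattr(destination),
        'assertion_url': quoteattr(sp_data['assertionConsumerService']['url']),
        'entity_id': escape(sp_data['entityId']),
        'name_id_policy': quoteattr(name_id_policy_format),
        'requested_authn_context_str': requested_authn_context_str,
    }
    self._authn_request = request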
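def __init__(self, settings, request=None, name_id=None, session_index=None, nq=None, name_id_format=None, spnq=None):
    """
    Constructs the Logout Request object.

    :param settings: Setting data
    :type settings: OneLogin_Saml2_Settings
    :param request: Optional. A LogoutRequest to be loaded instead build one.
    :type request: string
    :param name_id: The NameID that will be set in the LogoutRequest.
    :type name_id: string
    :param session_index: SessionIndex that identifies the session of the user.
    :type session_index: string
    :param nq: IDP Name Qualifier
    :type nq: string
    :param name_id_format: The NameID Format that will be set in the LogoutRequest.
    :type name_id_format: string
    :param spnq: SP Name Qualifier
    :type spnq: string
    """
    # stdlib helper, imported locally so this fix does not depend on the file header.
    from xml.sax.saxutils import escape

    self.__settings = settings
    self.__error = None
    self.id = None

    if request is None:
        sp_data = self.__settings.get_sp_data()
        idp_data = self.__settings.get_idp_data()
        security = self.__settings.get_security_data()

        uid = OneLogin_Saml2_Utils.generate_unique_id()
        self.id = uid
        issue_instant = OneLogin_Saml2_Utils.parse_time_to_SAML(OneLogin_Saml2_Utils.now())

        # Encrypt the NameID when configured, preferring a dedicated
        # encryption certificate from x509certMulti over the single x509cert.
        cert = None
        if 'nameIdEncrypted' in security and security['nameIdEncrypted']:
            exists_multix509enc = 'x509certMulti' in idp_data and \
                'encryption' in idp_data['x509certMulti'] and \
                idp_data['x509certMulti']['encryption']
            if exists_multix509enc:
                cert = idp_data['x509certMulti']['encryption'][0]
            else:
                cert = idp_data['x509cert']

        if name_id is not None:
            if not name_id_format and sp_data['NameIDFormat'] != OneLogin_Saml2_Constants.NAMEID_UNSPECIFIED:
                name_id_format = sp_data['NameIDFormat']
        else:
            # No subject given: use the IdP entity ID with the entity format.
            name_id = idp_data['entityId']
            name_id_format = OneLogin_Saml2_Constants.NAMEID_ENTITY

        # From saml-core-2.0-os 8.3.6, when the entity Format is used:
        # "The NameQualifier, SPNameQualifier, and SPProvidedID attributes
        # MUST be omitted."
        if name_id_format and name_id_format == OneLogin_Saml2_Constants.NAMEID_ENTITY:
            nq = None
            spnq = None

        # NameID Format UNSPECIFIED omitted
        if name_id_format and name_id_format == OneLogin_Saml2_Constants.NAMEID_UNSPECIFIED:
            name_id_format = None

        name_id_obj = OneLogin_Saml2_Utils.generate_name_id(
            name_id,
            spnq,
            name_id_format,
            cert,
            False,
            nq
        )

        # SECURITY: SessionIndex is an opaque value that is typically echoed
        # back from the IdP's assertion. Escape it so a hostile or malformed
        # value cannot inject markup into the LogoutRequest.
        if session_index:
            session_index_str = '<samlp:SessionIndex>%s</samlp:SessionIndex>' % escape('%s' % (session_index,))
        else:
            session_index_str = ''

        logout_request = """<samlp:LogoutRequest
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="%(id)s"
  Version="2.0"
  IssueInstant="%(issue_instant)s"
  Destination="%(single_logout_url)s">
    <saml:Issuer>%(entity_id)s</saml:Issuer>
    %(name_id)s
    %(session_index)s
</samlp:LogoutRequest>""" % {
            'id': uid,
            'issue_instant': issue_instant,
            'single_logout_url': self.__settings.get_idp_slo_url(),
            'entity_id': sp_data['entityId'],
            'name_id': name_id_obj,
            'session_index': session_index_str,
        }
    else:
        # Inbound (network-supplied) LogoutRequest. HTTP-Redirect carries a
        # raw-deflated document and HTTP-POST a plain one, so an inflate
        # failure is expected and the broad except is a deliberate fallback.
        # NOTE(review): decompress() is unbounded and `request` arrives over
        # the network, so a deflate bomb would be expanded in full; consider
        # zlib.decompressobj().decompress(decoded, max_length) with a cap.
        decoded = b64decode(request)
        try:
            logout_request = decompress(decoded, -15)
        except Exception:
            logout_request = decoded
        self.id = self.get_id(logout_request)

    self.__logout_request = logout_request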
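def __init__(self, settings, request=None, name_id=None, session_index=None):
    """
    Constructs the Logout Request object.

    :param settings: Setting data
    :type settings: OneLogin_Saml2_Settings
    :param request: Optional. A LogoutRequest to be loaded instead build one.
    :type request: string
    :param name_id: The NameID that will be set in the LogoutRequest.
    :type name_id: string
    :param session_index: SessionIndex that identifies the session of the user.
    :type session_index: string
    """
    # stdlib helper, imported locally so this fix does not depend on the file header.
    from xml.sax.saxutils import escape

    self.__settings = settings
    self.__error = None
    self.id = None

    if request is None:
        sp_data = self.__settings.get_sp_data()
        idp_data = self.__settings.get_idp_data()
        security = self.__settings.get_security_data()

        uid = OneLogin_Saml2_Utils.generate_unique_id()
        self.id = uid
        issue_instant = OneLogin_Saml2_Utils.parse_time_to_SAML(OneLogin_Saml2_Utils.now())

        # Encrypt the NameID with the IdP certificate when configured.
        cert = None
        if 'nameIdEncrypted' in security and security['nameIdEncrypted']:
            cert = idp_data['x509cert']

        if name_id is not None:
            nameIdFormat = sp_data['NameIDFormat']
            spNameQualifier = None
        else:
            # No subject given: use the IdP entity ID with the entity format.
            # NOTE(review): saml-core-2.0-os 8.3.6 says SPNameQualifier MUST be
            # omitted when the entity Format is used; it is kept here to
            # preserve the current wire format — confirm with the target IdP
            # before dropping it.
            name_id = idp_data['entityId']
            nameIdFormat = OneLogin_Saml2_Constants.NAMEID_ENTITY
            spNameQualifier = sp_data['entityId']

        name_id_obj = OneLogin_Saml2_Utils.generate_name_id(
            name_id,
            spNameQualifier,
            nameIdFormat,
            cert
        )

        # SECURITY: SessionIndex is an opaque value that is typically echoed
        # back from the IdP's assertion. Escape it so a hostile or malformed
        # value cannot inject markup into the LogoutRequest.
        if session_index:
            session_index_str = '<samlp:SessionIndex>%s</samlp:SessionIndex>' % escape('%s' % (session_index,))
        else:
            session_index_str = ''

        logout_request = """<samlp:LogoutRequest
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="%(id)s"
  Version="2.0"
  IssueInstant="%(issue_instant)s"
  Destination="%(single_logout_url)s">
    <saml:Issuer>%(entity_id)s</saml:Issuer>
    %(name_id)s
    %(session_index)s
</samlp:LogoutRequest>""" % {
            'id': uid,
            'issue_instant': issue_instant,
            'single_logout_url': idp_data['singleLogoutService']['url'],
            'entity_id': sp_data['entityId'],
            'name_id': name_id_obj,
            'session_index': session_index_str,
        }
    else:
        # Inbound (network-supplied) LogoutRequest. HTTP-Redirect carries a
        # raw-deflated document and HTTP-POST a plain one, so an inflate
        # failure is expected and the broad except is a deliberate fallback.
        # NOTE(review): decompress() is unbounded and `request` arrives over
        # the network, so a deflate bomb would be expanded in full; consider
        # zlib.decompressobj().decompress(decoded, max_length) with a cap.
        decoded = b64decode(request)
        try:
            logout_request = decompress(decoded, -15)
        except Exception:
            logout_request = decoded
        self.id = self.get_id(logout_request)

    self.__logout_request = logout_request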
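def __init__(self, settings):
    """
    Constructs the AuthnRequest object.

    Always requests an exact PasswordProtectedTransport authentication
    context and the HTTP-POST binding for the response.

    :param settings: Setting data
    :type settings: OneLogin_Saml2_Settings
    """
    # stdlib helpers, imported locally so this fix does not depend on the file header.
    from xml.sax.saxutils import escape, quoteattr

    self.__settings = settings
    sp_data = self.__settings.get_sp_data()
    idp_data = self.__settings.get_idp_data()
    security = self.__settings.get_security_data()

    uid = OneLogin_Saml2_Utils.generate_unique_id()
    issue_instant = OneLogin_Saml2_Utils.parse_time_to_SAML(OneLogin_Saml2_Utils.now())
    destination = idp_data['singleSignOnService']['url']

    name_id_policy_format = sp_data['NameIDFormat']
    if 'wantNameIdEncrypted' in security and security['wantNameIdEncrypted']:
        name_id_policy_format = OneLogin_Saml2_Constants.NAMEID_ENCRYPTED

    provider_name_str = ''
    organization_data = settings.get_organization()
    if isinstance(organization_data, dict) and organization_data:
        # Bug fix: `organization_data.keys()[0]` raises TypeError on Python 3
        # (dict views are not subscriptable). Prefer en-US, otherwise the
        # alphabetically first language so the choice is deterministic.
        if 'en-US' in organization_data:
            lang = 'en-US'
        else:
            lang = sorted(organization_data)[0]
        if 'displayname' in organization_data[lang] and organization_data[lang]['displayname'] is not None:
            # quoteattr() supplies the quotes and escapes '"', '&', '<'.
            provider_name_str = 'ProviderName=%s' % quoteattr(organization_data[lang]['displayname'])

    # Attribute values go through quoteattr() (which adds the quotes) and
    # element text through escape(); the template carries no literal quotes
    # around the substituted attribute values.
    request = """<samlp:AuthnRequest
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID=%(id)s
  Version="2.0"
  %(provider_name)s
  IssueInstant=%(issue_instant)s
  Destination=%(destination)s
  ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
  AssertionConsumerServiceURL=%(assertion_url)s>
    <saml:Issuer>%(entity_id)s</saml:Issuer>
    <samlp:NameIDPolicy
        Format=%(name_id_policy)s
        AllowCreate="true" />
    <samlp:RequestedAuthnContext Comparison="exact">
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>""" % {
        'id': quoteattr(uid),
        'provider_name': provider_name_str,
        'issue_instant': quoteattr(issue_instant),
        'destination': quoteattr(destination),
        'assertion_url': quoteattr(sp_data['assertionConsumerService']['url']),
        'entity_id': escape(sp_data['entityId']),
        'name_id_policy': quoteattr(name_id_policy_format),
    }
    self.__authn_request = request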
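def __init__(self, settings, request=None, name_id=None, session_index=None, nq=None):
    """
    Constructs the Logout Request object.

    :param settings: Setting data
    :type settings: OneLogin_Saml2_Settings
    :param request: Optional. A LogoutRequest to be loaded instead build one.
    :type request: string
    :param name_id: The NameID that will be set in the LogoutRequest.
    :type name_id: string
    :param session_index: SessionIndex that identifies the session of the user.
    :type session_index: string
    :param nq: IDP Name Qualifier
    :type nq: string
    """
    # stdlib helper, imported locally so this fix does not depend on the file header.
    from xml.sax.saxutils import escape

    self.__settings = settings
    self.__error = None
    self.id = None

    if request is None:
        sp_data = self.__settings.get_sp_data()
        idp_data = self.__settings.get_idp_data()
        security = self.__settings.get_security_data()

        uid = OneLogin_Saml2_Utils.generate_unique_id()
        self.id = uid
        issue_instant = OneLogin_Saml2_Utils.parse_time_to_SAML(OneLogin_Saml2_Utils.now())

        # Encrypt the NameID with the IdP certificate when configured.
        cert = None
        if 'nameIdEncrypted' in security and security['nameIdEncrypted']:
            cert = idp_data['x509cert']

        if name_id is not None:
            nameIdFormat = sp_data['NameIDFormat']
            spNameQualifier = None
        else:
            # No subject given: use the IdP entity ID with the entity format.
            # NOTE(review): saml-core-2.0-os 8.3.6 says SPNameQualifier MUST be
            # omitted when the entity Format is used; it is kept here to
            # preserve the current wire format — confirm with the target IdP
            # before dropping it.
            name_id = idp_data['entityId']
            nameIdFormat = OneLogin_Saml2_Constants.NAMEID_ENTITY
            spNameQualifier = sp_data['entityId']

        # NOTE(review): the `nq` parameter is accepted and documented but is
        # never passed on, so the IdP NameQualifier has no effect on the
        # generated NameID. Whether generate_name_id() in this tree accepts
        # an nq argument is not visible here — confirm before wiring it in.
        name_id_obj = OneLogin_Saml2_Utils.generate_name_id(
            name_id,
            spNameQualifier,
            nameIdFormat,
            cert
        )

        # SECURITY: SessionIndex is an opaque value that is typically echoed
        # back from the IdP's assertion. Escape it so a hostile or malformed
        # value cannot inject markup into the LogoutRequest.
        if session_index:
            session_index_str = '<samlp:SessionIndex>%s</samlp:SessionIndex>' % escape('%s' % (session_index,))
        else:
            session_index_str = ''

        logout_request = """<samlp:LogoutRequest
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="%(id)s"
  Version="2.0"
  IssueInstant="%(issue_instant)s"
  Destination="%(single_logout_url)s">
    <saml:Issuer>%(entity_id)s</saml:Issuer>
    %(name_id)s
    %(session_index)s
</samlp:LogoutRequest>""" % {
            'id': uid,
            'issue_instant': issue_instant,
            'single_logout_url': idp_data['singleLogoutService']['url'],
            'entity_id': sp_data['entityId'],
            'name_id': name_id_obj,
            'session_index': session_index_str,
        }
    else:
        # Inbound (network-supplied) LogoutRequest. HTTP-Redirect carries a
        # raw-deflated document and HTTP-POST a plain one, so an inflate
        # failure is expected and the broad except is a deliberate fallback.
        # NOTE(review): decompress() is unbounded and `request` arrives over
        # the network, so a deflate bomb would be expanded in full; consider
        # zlib.decompressobj().decompress(decoded, max_length) with a cap.
        decoded = b64decode(request)
        try:
            logout_request = decompress(decoded, -15)
        except Exception:
            logout_request = decoded
        self.id = self.get_id(logout_request)

    self.__logout_request = logout_request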
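def __init__(self, settings, force_authn=False, is_passive=False, set_nameid_policy=True):
    """
    Constructs the AuthnRequest object.

    Builds the AuthnRequest XML from the SP/IdP settings and, when the IdP's
    SSO binding is HTTP-POST and 'authnRequestsSigned' is enabled, embeds an
    enveloped XML signature made with the SP key and certificate.

    :param settings: Setting data
    :type settings: OneLogin_Saml2_Settings

    :param force_authn: Optional argument. When true the AuthnRequest will set the ForceAuthn='true'.
    :type force_authn: bool

    :param is_passive: Optional argument. When true the AuthnRequest will set the IsPassive='true'.
    :type is_passive: bool

    :param set_nameid_policy: Optional argument. When true the AuthnRequest will set a NameIDPolicy element.
    :type set_nameid_policy: bool

    :raises OneLogin_Saml2_Error: if the request must be signed but the SP
        private key or the SP certificate cannot be loaded.
    """
    self.__settings = settings

    sp_data = self.__settings.get_sp_data()
    idp_data = self.__settings.get_idp_data()
    security = self.__settings.get_security_data()

    uid = OneLogin_Saml2_Utils.generate_unique_id()
    self.__id = uid
    issue_instant = OneLogin_Saml2_Utils.parse_time_to_SAML(OneLogin_Saml2_Utils.now())

    destination = idp_data['singleSignOnService']['url']

    provider_name_str = ''
    organization_data = settings.get_organization()
    if isinstance(organization_data, dict) and organization_data:
        # list() so that the fallback index works on Python 3 key views too.
        langs = list(organization_data.keys())
        # Prefer en-US, otherwise the first configured language.
        lang = 'en-US' if 'en-US' in langs else langs[0]
        if organization_data[lang].get('displayname') is not None:
            # NOTE(review): displayname is interpolated into an XML attribute
            # unescaped; it comes from local settings and is treated as trusted.
            provider_name_str = "\n" + '    ProviderName="%s"' % organization_data[lang]['displayname']

    force_authn_str = ''
    if force_authn is True:
        force_authn_str = "\n" + '    ForceAuthn="true"'

    is_passive_str = ''
    if is_passive is True:
        is_passive_str = "\n" + '    IsPassive="true"'

    nameid_policy_str = ''
    if set_nameid_policy:
        name_id_policy_format = sp_data['NameIDFormat']
        # Ask the IdP for an encrypted NameID when the SP wants one.
        if security.get('wantNameIdEncrypted'):
            name_id_policy_format = OneLogin_Saml2_Constants.NAMEID_ENCRYPTED
        nameid_policy_str = """
    <samlp:NameIDPolicy
        Format="%s"
        AllowCreate="true" />""" % name_id_policy_format

    requested_authn_context_str = ''
    if 'requestedAuthnContext' in security and security['requestedAuthnContext'] is not False:
        authn_comparison = security.get('requestedAuthnContextComparison', 'exact')
        if security['requestedAuthnContext'] is True:
            # True means "the default context": PasswordProtectedTransport.
            requested_authn_context_str = "\n" + """    <samlp:RequestedAuthnContext Comparison="%s">
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>""" % authn_comparison
        else:
            # Otherwise it is a list of AuthnContextClassRef values from settings.
            class_refs = ''.join(
                '<saml:AuthnContextClassRef>%s</saml:AuthnContextClassRef>' % authn_context
                for authn_context in security['requestedAuthnContext']
            )
            requested_authn_context_str = (
                "\n" + '    <samlp:RequestedAuthnContext Comparison="%s">' % authn_comparison
                + class_refs
                + '    </samlp:RequestedAuthnContext>'
            )

    attr_consuming_service_str = ''
    if sp_data.get('attributeConsumingService'):
        attr_consuming_service_str = 'AttributeConsumingServiceIndex="1"'

    request = """<samlp:AuthnRequest
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="%(id)s"
  Version="2.0"%(provider_name)s%(force_authn_str)s%(is_passive_str)s
  IssueInstant="%(issue_instant)s"
  Destination="%(destination)s"
  ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
  AssertionConsumerServiceURL="%(assertion_url)s"
  %(attr_consuming_service_str)s>
    <saml:Issuer>%(entity_id)s</saml:Issuer>%(nameid_policy_str)s%(requested_authn_context_str)s
</samlp:AuthnRequest>""" % {
        'id': uid,
        'provider_name': provider_name_str,
        'force_authn_str': force_authn_str,
        'is_passive_str': is_passive_str,
        'issue_instant': issue_instant,
        'destination': destination,
        'assertion_url': sp_data['assertionConsumerService']['url'],
        'entity_id': sp_data['entityId'],
        'nameid_policy_str': nameid_policy_str,
        'requested_authn_context_str': requested_authn_context_str,
        'attr_consuming_service_str': attr_consuming_service_str
    }

    # from https://github.com/onelogin/python-saml/pull/78. credit to @tachang
    # Only the urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST binding gets the enveloped signature
    sso_binding = idp_data['singleSignOnService'].get('binding', None)
    if sso_binding == 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST' and \
            security['authnRequestsSigned'] is True:
        log.debug("Generating AuthnRequest using urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST binding")
        if 'signatureAlgorithm' in security:
            key = settings.get_sp_key()
            if not key:
                raise OneLogin_Saml2_Error("Attempt to sign the AuthnRequest but unable to load the SP private key")
            cert = settings.get_sp_cert()
            # Fix: the original re-tested `key` here, so a missing SP certificate
            # was never reported and reached add_sign_with_id as an empty value.
            if not cert:
                raise OneLogin_Saml2_Error("Attempt to sign the AuthnRequest but unable to load the SP cert")
            doc = parseString(request)
            security_algo = security['signatureAlgorithm']
            # NOTE(review): 'digestMethodAlgorithm' is read without a presence check,
            # so a settings file with signatureAlgorithm but no digest raises KeyError.
            digest_method_algo = security['digestMethodAlgorithm']
            self.__authn_request = OneLogin_Saml2_Utils.add_sign_with_id(
                doc, uid, key, cert,
                sign_algorithm=security_algo,
                digest_algorithm=digest_method_algo,
                debug=False
            )
            log.debug("Generated AuthnRequest: {}".format(self.__authn_request))
        else:
            # NOTE(review): authnRequestsSigned is enabled but no signatureAlgorithm
            # is configured, so the request goes out unsigned -- confirm that is
            # intended rather than a configuration error.
            self.__authn_request = request
            log.debug("Generated AuthnRequest: {}".format(self.__authn_request))
    else:
        # Any other binding (or signing disabled): the request is returned as-is;
        # signing for HTTP-Redirect is expected to happen at the query-string level.
        self.__authn_request = request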