Exemplo n.º 1
0
    def create_attribute_response(self, identity, in_response_to, destination,
                                  sp_entity_id, userid="", name_id=None,
                                  status=None, issuer=None,
                                  sign_assertion=False, sign_response=False,
                                  attributes=None):
        """ Create an attribute assertion response.
        
        :param identity: A dictionary with attributes and values that are
            expected to be the bases for the assertion in the response.
        :param in_response_to: The session identifier of the request
        :param destination: The URL which should receive the response
        :param sp_entity_id: The entity identifier of the SP
        :param userid: A identifier of the user
        :param name_id: The identifier of the subject
        :param status: The status of the response
        :param issuer: The issuer of the response
        :param sign_assertion: Whether the assertion should be signed or not
        :param sign_response: Whether the whole response should be signed
        :param attributes:
        :return: A response instance
        """
        if not name_id and userid:
            try:
                name_id = self.ident.construct_nameid(userid,
                                                      self.config.policy,
                                                      sp_entity_id)
                logger.warning("Unspecified NameID format")
            except Exception:
                pass

        to_sign = []
        args = {}
        if identity:
            _issuer = self._issuer(issuer)
            ast = Assertion(identity)
            policy = self.config.getattr("policy", "aa")
            if policy:
                ast.apply_policy(sp_entity_id, policy)
            else:
                policy = Policy()

            if attributes:
                restr = restriction_from_attribute_spec(attributes)
                ast = filter_attribute_value_assertions(ast)

            assertion = ast.construct(sp_entity_id, in_response_to,
                                      destination, name_id,
                                      self.config.attribute_converters,
                                      policy, issuer=_issuer)

            if sign_assertion:
                assertion.signature = pre_signature_part(assertion.id,
                                                         self.sec.my_cert, 1)
                # Just the assertion or the response and the assertion ?
                to_sign = [(class_name(assertion), assertion.id)]

            args["assertion"] = assertion

        return self._response(in_response_to, destination, status, issuer,
                              sign_response, to_sign, **args)
Exemplo n.º 2
0
def test_assertion_1(AVA):
    ava = Assertion(AVA[0])
    
    print ava
    print ava.__dict__

    policy = Policy({
        "default": {
            "attribute_restrictions": {
                "givenName": ["^R.*"],
            }
        }
    })

    ava = ava.apply_policy( "", policy )
    
    print ava
    assert _eq(ava.keys(), [])

    ava = Assertion(AVA[1].copy())
    ava = ava.apply_policy( "", policy )
    assert _eq(ava.keys(), ["givenName"])
    assert ava["givenName"] == ["Ryan"]

    ava = Assertion(AVA[3].copy())
    ava = ava.apply_policy( "", policy )
    assert _eq(ava.keys(), ["givenName"])
    assert ava["givenName"] == ["Roland"]
Exemplo n.º 3
0
    def setup_assertion(self, authn, sp_entity_id, in_response_to, consumer_url,
                        name_id, policy, _issuer, authn_statement, identity,
                        best_effort, sign_response, farg=None, **kwargs):
        """
        Construct and return the Assertion

        :param authn: Authentication information
        :param sp_entity_id:
        :param in_response_to: The ID of the request this is an answer to
        :param consumer_url: The recipient of the assertion
        :param name_id: The NameID of the subject
        :param policy: Assertion policies
        :param _issuer: Issuer of the statement
        :param authn_statement: An AuthnStatement instance
        :param identity: Identity information about the Subject
        :param best_effort: Even if not the SPs demands can be met send a
            response.
        :param sign_response: Sign the response, only applicable if
            ErrorResponse
        :param kwargs: Extra keyword arguments
        :return: An Assertion instance
        """

        ast = Assertion(identity)
        ast.acs = self.config.getattr("attribute_converters", "idp")
        if policy is None:
            policy = Policy()
        try:
            ast.apply_policy(sp_entity_id, policy, self.metadata)
        except MissingValue as exc:
            if not best_effort:
                return self.create_error_response(in_response_to, consumer_url,
                                                  exc, sign_response)

        farg = self.update_farg(in_response_to, consumer_url, farg)

        if authn:  # expected to be a dictionary
            # Would like to use dict comprehension but ...
            authn_args = dict(
                [(AUTHN_DICT_MAP[k], v) for k, v in authn.items() if
                 k in AUTHN_DICT_MAP])
            authn_args.update(kwargs)

            assertion = ast.construct(
                sp_entity_id, self.config.attribute_converters, policy,
                issuer=_issuer, farg=farg['assertion'], name_id=name_id,
                **authn_args)

        elif authn_statement:  # Got a complete AuthnStatement
            assertion = ast.construct(
                sp_entity_id, self.config.attribute_converters, policy,
                issuer=_issuer, authn_statem=authn_statement,
                farg=farg['assertion'], name_id=name_id, **kwargs)
        else:
            assertion = ast.construct(
                sp_entity_id, self.config.attribute_converters, policy,
                issuer=_issuer, farg=farg['assertion'], name_id=name_id,
                **kwargs)
        return assertion
Exemplo n.º 4
0
 def setup_assertion(self, authn, sp_entity_id, in_response_to, consumer_url, name_id, policy, _issuer,
                     authn_statement, identity, best_effort, sign_response, add_subject=True):
     ast = Assertion(identity)
     ast.acs = self.config.getattr("attribute_converters", "idp")
     if policy is None:
         policy = Policy()
     try:
         ast.apply_policy(sp_entity_id, policy, self.metadata)
     except MissingValue, exc:
         if not best_effort:
             return self.create_error_response(in_response_to, consumer_url,
                                               exc, sign_response)
Exemplo n.º 5
0
def test_assertion_2():
    AVA = {'mail': u'*****@*****.**',
           'eduPersonTargetedID': 'http://lingon.ladok.umu.se:8090/idp!http://lingon.ladok.umu.se:8088/sp!95e9ae91dbe62d35198fbbd5e1fb0976',
           'displayName': u'Roland Hedberg',
           'uid': 'http://roland.hedberg.myopenid.com/'}

    ava = Assertion(AVA)

    policy = Policy( {
        "default": {
            "lifetime": {"minutes": 240},
            "attribute_restrictions": None, # means all I have
            "name_form": NAME_FORMAT_URI
        },
    })

    ava = ava.apply_policy( "", policy )
    acs = ac_factory("attributemaps")
    attribute=from_local(acs, ava, policy.get_name_form(""))

    assert len(attribute) == 4
    names = [attr.name for attr in attribute]
    assert _eq(names, ['urn:oid:0.9.2342.19200300.100.1.3',
                       'urn:oid:1.3.6.1.4.1.5923.1.1.1.10',
                       'urn:oid:2.16.840.1.113730.3.1.241',
                       'urn:oid:0.9.2342.19200300.100.1.1'])
Exemplo n.º 6
0
    def setup_assertion(self, authn, sp_entity_id, in_response_to, consumer_url,
                        name_id, policy, _issuer,
                        authn_statement, identity, best_effort, sign_response,
                        add_subject=True):
        ast = Assertion(identity)
        ast.acs = self.config.getattr("attribute_converters", "idp")
        if policy is None:
            policy = Policy()
        try:
            ast.apply_policy(sp_entity_id, policy, self.metadata)
        except MissingValue as exc:
            if not best_effort:
                return self.create_error_response(in_response_to, consumer_url,
                                                  exc, sign_response)

        if authn:  # expected to be a dictionary
            # Would like to use dict comprehension but ...
            authn_args = dict([
                                  (AUTHN_DICT_MAP[k], v) for k, v in
                                  authn.items()
                                  if k in AUTHN_DICT_MAP])

            assertion = ast.construct(sp_entity_id, in_response_to,
                                      consumer_url, name_id,
                                      self.config.attribute_converters,
                                      policy, issuer=_issuer,
                                      add_subject=add_subject,
                                      **authn_args)
        elif authn_statement:  # Got a complete AuthnStatement
            assertion = ast.construct(sp_entity_id, in_response_to,
                                      consumer_url, name_id,
                                      self.config.attribute_converters,
                                      policy, issuer=_issuer,
                                      authn_statem=authn_statement,
                                      add_subject=add_subject)
        else:
            assertion = ast.construct(sp_entity_id, in_response_to,
                                      consumer_url, name_id,
                                      self.config.attribute_converters,
                                      policy, issuer=_issuer,
                                      add_subject=add_subject)
        return assertion
Exemplo n.º 7
0
    def _authn_response(self, in_response_to, consumer_url,
                        sp_entity_id, identity=None, name_id=None,
                        status=None, authn=None, issuer=None, policy=None,
                        sign_assertion=False, sign_response=False,
                        best_effort=False, encrypt_assertion=False,
                        encrypt_cert=None, authn_statement=None):
        """ Create a response. A layer of indirection.

        :param in_response_to: The session identifier of the request
        :param consumer_url: The URL which should receive the response
        :param sp_entity_id: The entity identifier of the SP
        :param identity: A dictionary with attributes and values that are
            expected to be the bases for the assertion in the response.
        :param name_id: The identifier of the subject
        :param status: The status of the response
        :param authn: A dictionary containing information about the
            authn context.
        :param issuer: The issuer of the response
        :param sign_assertion: Whether the assertion should be signed or not
        :param sign_response: Whether the response should be signed or not
        :param best_effort: Even if not the SPs demands can be met send a
            response.
        :return: A response instance
        """

        to_sign = []
        args = {}
        #if identity:
        _issuer = self._issuer(issuer)
        ast = Assertion(identity)
        ast.acs = self.config.getattr("attribute_converters", "idp")
        if policy is None:
            policy = Policy()
        try:
            ast.apply_policy(sp_entity_id, policy, self.metadata)
        except MissingValue, exc:
            if not best_effort:
                return self.create_error_response(in_response_to, consumer_url,
                                                  exc, sign_response)
Exemplo n.º 8
0
def test_assertion_2():
    AVA = {
        "mail": u"*****@*****.**",
        "eduPersonTargetedID": "http://lingon.ladok.umu"
        ".se:8090/idp!http://lingon.ladok.umu"
        ".se:8088/sp!95e9ae91dbe62d35198fbbd5e1fb0976",
        "displayName": u"Roland Hedberg",
        "uid": "http://roland.hedberg.myopenid.com/",
    }

    ava = Assertion(AVA)

    policy = Policy(
        {
            "default": {
                "lifetime": {"minutes": 240},
                "attribute_restrictions": None,  # means all I have
                "name_form": NAME_FORMAT_URI,
            }
        }
    )

    ava = ava.apply_policy("", policy)
    acs = ac_factory(full_path("attributemaps"))
    attribute = from_local(acs, ava, policy.get_name_form(""))

    assert len(attribute) == 4
    names = [attr.name for attr in attribute]
    assert _eq(
        names,
        [
            "urn:oid:0.9.2342.19200300.100.1.3",
            "urn:oid:1.3.6.1.4.1.5923.1.1.1.10",
            "urn:oid:2.16.840.1.113730.3.1.241",
            "urn:oid:0.9.2342.19200300.100.1.1",
        ],
    )
Exemplo n.º 9
0
    def _authn_response(self, in_response_to, consumer_url,
                        sp_entity_id, identity=None, name_id=None,
                        status=None, authn=None, issuer=None, policy=None,
                        sign_assertion=False, sign_response=False):
        """ Create a response. A layer of indirection.
        
        :param in_response_to: The session identifier of the request
        :param consumer_url: The URL which should receive the response
        :param sp_entity_id: The entity identifier of the SP
        :param identity: A dictionary with attributes and values that are
            expected to be the bases for the assertion in the response.
        :param name_id: The identifier of the subject
        :param status: The status of the response
        :param authn: A dictionary containing information about the
            authn context.
        :param issuer: The issuer of the response
        :param sign_assertion: Whether the assertion should be signed or not
        :param sign_response: Whether the response should be signed or not
        :return: A response instance
        """

        to_sign = []
        args = {}
        if identity:
            _issuer = self._issuer(issuer)
            ast = Assertion(identity)
            if policy is None:
                policy = Policy()
            try:
                ast.apply_policy(sp_entity_id, policy, self.metadata)
            except MissingValue, exc:
                return self.create_error_response(in_response_to, consumer_url,
                                                  exc, sign_response)

            if authn:  # expected to be a dictionary
                if "decl" in authn:
                    assertion = ast.construct(sp_entity_id, in_response_to,
                                              consumer_url, name_id,
                                              self.config.attribute_converters,
                                              policy, issuer=_issuer,
                                              authn_decl=authn["decl"],
                                              authn_auth=authn["authn_auth"])
                else:
                    assertion = ast.construct(sp_entity_id, in_response_to,
                                              consumer_url, name_id,
                                              self.config.attribute_converters,
                                              policy, issuer=_issuer,
                                              authn_class=authn["class_ref"],
                                              authn_auth=authn["authn_auth"])
            else:
                assertion = ast.construct(sp_entity_id, in_response_to,
                                          consumer_url, name_id,
                                          self.config.attribute_converters,
                                          policy, issuer=_issuer)

            if sign_assertion:
                assertion.signature = pre_signature_part(assertion.id,
                                                         self.sec.my_cert, 1)
                # Just the assertion or the response and the assertion ?
                to_sign = [(class_name(assertion), assertion.id)]

            # Store which assertion that has been sent to which SP about which
            # subject.

            # self.cache.set(assertion.subject.name_id.text,
            #                 sp_entity_id, {"ava": identity, "authn": authn},
            #                 assertion.conditions.not_on_or_after)

            args["assertion"] = assertion

            if self.support_AssertionIDRequest() or self.support_AuthnQuery():
                self.session_db.store_assertion(assertion, to_sign)
Exemplo n.º 10
0
    def _response(
        self,
        in_response_to,
        consumer_url=None,
        sp_entity_id=None,
        identity=None,
        name_id=None,
        status=None,
        sign=False,
        policy=Policy(),
        authn=None,
        authn_decl=None,
        issuer=None,
    ):
        """ Create a Response that adhers to the ??? profile.
        
        :param in_response_to: The session identifier of the request
        :param consumer_url: The URL which should receive the response
        :param sp_entity_id: The entity identifier of the SP
        :param identity: A dictionary with attributes and values that are
            expected to be the bases for the assertion in the response.
        :param name_id: The identifier of the subject
        :param status: The status of the response
        :param sign: Whether the assertion should be signed or not 
        :param policy: The attribute release policy for this instance
        :param authn: A 2-tuple denoting the authn class and the authn
            authority
        :param authn_decl:
        :param issuer: The issuer of the response
        :return: A Response instance
        """

        to_sign = []

        if not status:
            status = success_status_factory()

        _issuer = self.issuer(issuer)

        response = response_factory(issuer=_issuer, in_response_to=in_response_to, status=status)

        if consumer_url:
            response.destination = consumer_url

        if identity:
            ast = Assertion(identity)
            try:
                ast.apply_policy(sp_entity_id, policy, self.metadata)
            except MissingValue, exc:
                return self.error_response(in_response_to, consumer_url, sp_entity_id, exc, name_id)

            if authn:  # expected to be a 2-tuple class+authority
                (authn_class, authn_authn) = authn
                assertion = ast.construct(
                    sp_entity_id,
                    in_response_to,
                    consumer_url,
                    name_id,
                    self.conf.attribute_converters,
                    policy,
                    issuer=_issuer,
                    authn_class=authn_class,
                    authn_auth=authn_authn,
                )
            elif authn_decl:
                assertion = ast.construct(
                    sp_entity_id,
                    in_response_to,
                    consumer_url,
                    name_id,
                    self.conf.attribute_converters,
                    policy,
                    issuer=_issuer,
                    authn_decl=authn_decl,
                )
            else:
                assertion = ast.construct(
                    sp_entity_id,
                    in_response_to,
                    consumer_url,
                    name_id,
                    self.conf.attribute_converters,
                    policy,
                    issuer=_issuer,
                )

            if sign:
                assertion.signature = pre_signature_part(assertion.id, self.sec.my_cert, 1)
                # Just the assertion or the response and the assertion ?
                to_sign = [(class_name(assertion), assertion.id)]

            # Store which assertion that has been sent to which SP about which
            # subject.

            # self.cache.set(assertion.subject.name_id.text,
            #                 sp_entity_id, {"ava": identity, "authn": authn},
            #                 assertion.conditions.not_on_or_after)

            response.assertion = assertion
Exemplo n.º 11
0
    def _authn_response(self, in_response_to, consumer_url,
                        sp_entity_id, identity=None, name_id=None,
                        status=None, authn=None, issuer=None, policy=None,
                        sign_assertion=False, sign_response=False,
                        best_effort=False, encrypt_assertion=False, encrypt_cert=None):
        """ Create a response. A layer of indirection.
        
        :param in_response_to: The session identifier of the request
        :param consumer_url: The URL which should receive the response
        :param sp_entity_id: The entity identifier of the SP
        :param identity: A dictionary with attributes and values that are
            expected to be the bases for the assertion in the response.
        :param name_id: The identifier of the subject
        :param status: The status of the response
        :param authn: A dictionary containing information about the
            authn context.
        :param issuer: The issuer of the response
        :param sign_assertion: Whether the assertion should be signed or not
        :param sign_response: Whether the response should be signed or not
        :param best_effort: Even if not the SPs demands can be met send a
            response.
        :return: A response instance
        """

        to_sign = []
        args = {}
        #if identity:
        _issuer = self._issuer(issuer)
        ast = Assertion(identity)
        if policy is None:
            policy = Policy()
        try:
            ast.apply_policy(sp_entity_id, policy, self.metadata)
        except MissingValue as exc:
            if not best_effort:
                return self.create_error_response(in_response_to, consumer_url,
                                                  exc, sign_response)

        if authn:  # expected to be a dictionary
            # Would like to use dict comprehension but ...
            authn_args = dict([
                (AUTHN_DICT_MAP[k], v) for k, v in list(authn.items())
                if k in AUTHN_DICT_MAP])

            assertion = ast.construct(sp_entity_id, in_response_to,
                                      consumer_url, name_id,
                                      self.config.attribute_converters,
                                      policy, issuer=_issuer,
                                      **authn_args)
        else:
            assertion = ast.construct(sp_entity_id, in_response_to,
                                      consumer_url, name_id,
                                      self.config.attribute_converters,
                                      policy, issuer=_issuer)

        if sign_assertion:
            assertion.signature = pre_signature_part(assertion.id,
                                                     self.sec.my_cert, 1)
            # Just the assertion or the response and the assertion ?
            to_sign = [(class_name(assertion), assertion.id)]

        # Store which assertion that has been sent to which SP about which
        # subject.

        # self.cache.set(assertion.subject.name_id.text,
        #                 sp_entity_id, {"ava": identity, "authn": authn},
        #                 assertion.conditions.not_on_or_after)

        args["assertion"] = assertion

        if self.support_AssertionIDRequest() or self.support_AuthnQuery():
            self.session_db.store_assertion(assertion, to_sign)

        return self._response(in_response_to, consumer_url, status, issuer,
                              sign_response, to_sign, encrypt_assertion=encrypt_assertion,
                              encrypt_cert=encrypt_cert, **args)
Exemplo n.º 12
0
    def create_attribute_response(self,
                                  identity,
                                  in_response_to,
                                  destination,
                                  sp_entity_id,
                                  userid="",
                                  name_id=None,
                                  status=None,
                                  issuer=None,
                                  sign_assertion=False,
                                  sign_response=False,
                                  attributes=None,
                                  sign_alg=None,
                                  digest_alg=None,
                                  farg=None,
                                  **kwargs):
        """ Create an attribute assertion response.

        :param identity: A dictionary with attributes and values that are
            expected to be the bases for the assertion in the response.
        :param in_response_to: The session identifier of the request
        :param destination: The URL which should receive the response
        :param sp_entity_id: The entity identifier of the SP
        :param userid: A identifier of the user
        :param name_id: The identifier of the subject
        :param status: The status of the response
        :param issuer: The issuer of the response
        :param sign_assertion: Whether the assertion should be signed or not
        :param sign_response: Whether the whole response should be signed
        :param attributes:
        :param kwargs: To catch extra keyword arguments
        :return: A response instance
        """

        policy = self.config.getattr("policy", "aa")

        if not name_id and userid:
            try:
                name_id = self.ident.construct_nameid(userid, policy,
                                                      sp_entity_id)
                logger.warning("Unspecified NameID format")
            except Exception:
                pass

        to_sign = []

        if identity:
            farg = self.update_farg(in_response_to, sp_entity_id, farg=farg)

            _issuer = self._issuer(issuer)
            ast = Assertion(identity)
            if policy:
                ast.apply_policy(sp_entity_id, policy, self.metadata)
            else:
                policy = Policy()

            if attributes:
                restr = restriction_from_attribute_spec(attributes)
                ast = filter_attribute_value_assertions(ast)

            assertion = ast.construct(sp_entity_id,
                                      self.config.attribute_converters,
                                      policy,
                                      issuer=_issuer,
                                      name_id=name_id,
                                      farg=farg['assertion'])

            if sign_assertion:
                assertion.signature = pre_signature_part(assertion.id,
                                                         self.sec.my_cert,
                                                         1,
                                                         sign_alg=sign_alg,
                                                         digest_alg=digest_alg)
                # Just the assertion or the response and the assertion ?
                to_sign = [(class_name(assertion), assertion.id)]
                kwargs['sign_assertion'] = True

            kwargs["assertion"] = assertion

        if sp_entity_id:
            kwargs['sp_entity_id'] = sp_entity_id

        return self._response(in_response_to,
                              destination,
                              status,
                              issuer,
                              sign_response,
                              to_sign,
                              sign_alg=sign_alg,
                              digest_alg=digest_alg,
                              **kwargs)
Exemplo n.º 13
0
    def setup_assertion(self,
                        authn,
                        sp_entity_id,
                        in_response_to,
                        consumer_url,
                        name_id,
                        policy,
                        _issuer,
                        authn_statement,
                        identity,
                        best_effort,
                        sign_response,
                        farg=None,
                        session_not_on_or_after=None,
                        **kwargs):
        """
        Construct and return the Assertion

        :param authn: Authentication information
        :param sp_entity_id:
        :param in_response_to: The ID of the request this is an answer to
        :param consumer_url: The recipient of the assertion
        :param name_id: The NameID of the subject
        :param policy: Assertion policies
        :param _issuer: Issuer of the statement
        :param authn_statement: An AuthnStatement instance
        :param identity: Identity information about the Subject
        :param best_effort: Even if not the SPs demands can be met send a
            response.
        :param sign_response: Sign the response, only applicable if
            ErrorResponse
        :param kwargs: Extra keyword arguments
        :return: An Assertion instance
        """

        ast = Assertion(identity)
        ast.acs = self.config.getattr("attribute_converters", "idp")
        if policy is None:
            policy = Policy()
        try:
            ast.apply_policy(sp_entity_id, policy, self.metadata)
        except MissingValue as exc:
            if not best_effort:
                return self.create_error_response(in_response_to, consumer_url,
                                                  exc, sign_response)

        farg = self.update_farg(in_response_to, consumer_url, farg)

        if authn:  # expected to be a dictionary
            # Would like to use dict comprehension but ...
            authn_args = dict([(AUTHN_DICT_MAP[k], v)
                               for k, v in authn.items()
                               if k in AUTHN_DICT_MAP])
            authn_args.update(kwargs)

            assertion = ast.construct(
                sp_entity_id,
                self.config.attribute_converters,
                policy,
                issuer=_issuer,
                farg=farg['assertion'],
                name_id=name_id,
                session_not_on_or_after=session_not_on_or_after,
                **authn_args)

        elif authn_statement:  # Got a complete AuthnStatement
            assertion = ast.construct(sp_entity_id,
                                      self.config.attribute_converters,
                                      policy,
                                      issuer=_issuer,
                                      authn_statem=authn_statement,
                                      farg=farg['assertion'],
                                      name_id=name_id,
                                      **kwargs)
        else:
            assertion = ast.construct(
                sp_entity_id,
                self.config.attribute_converters,
                policy,
                issuer=_issuer,
                farg=farg['assertion'],
                name_id=name_id,
                session_not_on_or_after=session_not_on_or_after,
                **kwargs)
        return assertion
Exemplo n.º 14
0
    def _response(self, in_response_to, consumer_url=None, sp_entity_id=None, 
                    identity=None, name_id=None, status=None, sign=False,
                    policy=Policy(), authn=None, authn_decl=None, issuer=None):
        """ Create a Response that adhers to the ??? profile.
        
        :param in_response_to: The session identifier of the request
        :param consumer_url: The URL which should receive the response
        :param sp_entity_id: The entity identifier of the SP
        :param identity: A dictionary with attributes and values that are
            expected to be the bases for the assertion in the response.
        :param name_id: The identifier of the subject
        :param status: The status of the response
        :param sign: Whether the assertion should be signed or not 
        :param policy: The attribute release policy for this instance
        :param authn: A 2-tuple denoting the authn class and the authn
            authority
        :param authn_decl:
        :param issuer: The issuer of the response
        :return: A Response instance
        """
                
        to_sign = []

        if not status: 
            status = success_status_factory()

        _issuer = self.issuer(issuer)

        response = response_factory(
            issuer=_issuer,
            in_response_to = in_response_to,
            status = status,
            )

        if consumer_url:
            response.destination = consumer_url

        if identity:            
            ast = Assertion(identity)
            try:
                ast.apply_policy(sp_entity_id, policy, self.metadata)
            except MissingValue, exc:
                return self.error_response(in_response_to, consumer_url, 
                                               sp_entity_id, exc, name_id)

            if authn: # expected to be a 2-tuple class+authority
                (authn_class, authn_authn) = authn
                assertion = ast.construct(sp_entity_id, in_response_to, 
                                            consumer_url, name_id,
                                            self.conf.attribute_converters,
                                            policy, issuer=_issuer, 
                                            authn_class=authn_class, 
                                            authn_auth=authn_authn)
            elif authn_decl:
                assertion = ast.construct(sp_entity_id, in_response_to, 
                                            consumer_url, name_id,
                                            self.conf.attribute_converters,
                                            policy, issuer=_issuer, 
                                            authn_decl=authn_decl)
            else:
                assertion = ast.construct(sp_entity_id, in_response_to, 
                                            consumer_url, name_id,
                                            self.conf.attribute_converters,
                                            policy, issuer=_issuer)
            
            if sign:
                assertion.signature = pre_signature_part(assertion.id,
                                                        self.sec.my_cert, 1)
                # Just the assertion or the response and the assertion ?
                to_sign = [(class_name(assertion), assertion.id)]

            # Store which assertion that has been sent to which SP about which
            # subject.
            
            # self.cache.set(assertion.subject.name_id.text, 
            #                 sp_entity_id, {"ava": identity, "authn": authn}, 
            #                 assertion.conditions.not_on_or_after)
            
            response.assertion = assertion