def get_request_args(self, get_state=stateID): oauth_state = get_state(self.config["base_url"], rndstr().encode()) request_args = { "redirect_uri": self.redirect_url, "state": oauth_state, } return request_args
def get_request_args(self, get_state=stateID): oauth_state = get_state(self.config["base_url"], rndstr().encode()) request_args = { "client_id": self.config['client_config']['client_id'], "redirect_uri": self.redirect_url, "scope": ' '.join(self.config['scope']), "state": oauth_state, } return request_args
def authn_request(self, context, entity_id): """ Do an authorization request on idp with given entity id. This is the start of the authorization. :type context: satosa.context.Context :type entity_id: str :rtype: satosa.response.Response :param context: The current context :param entity_id: Target IDP entity id :return: response to the user agent """ # If IDP blacklisting is enabled and the selected IDP is blacklisted, # stop here if self.idp_blacklist_file: with open(self.idp_blacklist_file) as blacklist_file: blacklist_array = json.load(blacklist_file)['blacklist'] if entity_id in blacklist_array: satosa_logging(logger, logging.DEBUG, "IdP with EntityID {} is blacklisted".format(entity_id), context.state, exc_info=False) raise SATOSAAuthenticationError(context.state, "Selected IdP is blacklisted for this backend") kwargs = {} authn_context = self.construct_requested_authn_context(entity_id) if authn_context: kwargs['requested_authn_context'] = authn_context try: binding, destination = self.sp.pick_binding( "single_sign_on_service", None, "idpsso", entity_id=entity_id) satosa_logging(logger, logging.DEBUG, "binding: %s, destination: %s" % (binding, destination), context.state) acs_endp, response_binding = self.sp.config.getattr("endpoints", "sp")["assertion_consumer_service"][0] req_id, req = self.sp.create_authn_request( destination, binding=response_binding, **kwargs) relay_state = util.rndstr() ht_args = self.sp.apply_binding(binding, "%s" % req, destination, relay_state=relay_state) satosa_logging(logger, logging.DEBUG, "ht_args: %s" % ht_args, context.state) except Exception as exc: satosa_logging(logger, logging.DEBUG, "Failed to construct the AuthnRequest for state", context.state, exc_info=True) raise SATOSAAuthenticationError(context.state, "Failed to construct the AuthnRequest") from exc if self.sp.config.getattr('allow_unsolicited', 'sp') is False: if req_id in self.outstanding_queries: errmsg = "Request with duplicate id {}".format(req_id) satosa_logging(logger, logging.DEBUG, errmsg, context.state) raise SATOSAAuthenticationError(context.state, errmsg) self.outstanding_queries[req_id] = req context.state[self.name] = {"relay_state": relay_state} return make_saml_response(binding, ht_args)
def start_auth(self, context, internal_request, get_state=stateID): """ See super class method satosa.backends.base#start_auth :param get_state: Generates a state to be used in the authentication call. :type get_state: Callable[[str, bytes], str] :type context: satosa.context.Context :type internal_request: satosa.internal.InternalData :rtype satosa.response.Redirect """ oauth_state = get_state(self.config["base_url"], rndstr().encode()) state_data = dict(state=oauth_state) context.state[self.name] = state_data request_args = { "redirect_uri": self.redirect_url, "state": oauth_state } cis = self.consumer.construct_AuthorizationRequest( request_args=request_args) return Redirect(cis.request(self.consumer.authorization_endpoint))
def start_auth(self, context, internal_request, get_state=stateID): """ See super class method satosa.backends.base#start_auth :param get_state: Generates a state to be used in the authentication call. :type get_state: (str, bytes) -> str :type context: satosa.context.Context :type internal_request: satosa.internal_data.InternalRequest :rtype satosa.response.Redirect """ consumer = self.get_consumer() request_args = {"redirect_uri": self.redirect_url, "state": get_state(self.config["base_url"], rndstr().encode())} state_data = { "state": request_args["state"] } state = context.state state.add(self.config["state_id"], state_data) cis = consumer.construct_AuthorizationRequest(request_args=request_args) url, body, ht_args, cis = consumer.uri_and_body(AuthorizationRequest, cis, method="GET", request_args=request_args) return Redirect(url)
def start_auth(self, context, internal_request, get_state=stateID): """ :param get_state: Generates a state to be used in authentication call :type get_state: Callable[[str, bytes], str] :type context: satosa.context.Context :type internal_request: satosa.internal.InternalData :rtype satosa.response.Redirect """ oauth_state = get_state(self.config["base_url"], rndstr().encode()) context.state[self.name] = dict(state=oauth_state) request_args = dict( response_type='code', client_id=self.config['client_config']['client_id'], redirect_uri=self.redirect_url, state=oauth_state) scope = ' '.join(self.config['scope']) if scope: request_args['scope'] = scope cis = self.consumer.construct_AuthorizationRequest( request_args=request_args) return Redirect(cis.request(self.consumer.authorization_endpoint))
def start_auth(self, context, internal_request, get_state=stateID): """ See super class method satosa.backends.base#start_auth :param get_state: Generates a state to be used in the authentication call. :type get_state: (str, bytes) -> str :type context: satosa.context.Context :type internal_request: satosa.internal_data.InternalRequest :rtype satosa.response.Redirect """ consumer = self.get_consumer() request_args = { "redirect_uri": self.redirect_url, "state": get_state(self.config["base_url"], rndstr().encode()) } state_data = {"state": request_args["state"]} state = context.state state.add(self.config["state_id"], state_data) cis = consumer.construct_AuthorizationRequest( request_args=request_args) url, body, ht_args, cis = consumer.uri_and_body( AuthorizationRequest, cis, method="GET", request_args=request_args) return Redirect(url)
def authn_request(self, context, entity_id): """ Do an authorization request on idp with given entity id. This is the start of the authorization. :type context: satosa.context.Context :type entity_id: str :rtype: satosa.response.Response :param context: The current context :param entity_id: Target IDP entity id :return: response to the user agent """ # If IDP blacklisting is enabled and the selected IDP is blacklisted, # stop here if self.idp_blacklist_file: with open(self.idp_blacklist_file) as blacklist_file: blacklist_array = json.load(blacklist_file)['blacklist'] if entity_id in blacklist_array: msg = "IdP with EntityID {} is blacklisted".format(entity_id) logline = lu.LOG_FMT.format(id=lu.get_session_id(context.state), message=msg) logger.debug(logline, exc_info=False) raise SATOSAAuthenticationError(context.state, "Selected IdP is blacklisted for this backend") kwargs = {} target_accr = context.state.get(Context.KEY_TARGET_AUTHN_CONTEXT_CLASS_REF) authn_context = self.construct_requested_authn_context(entity_id, target_accr=target_accr) if authn_context: kwargs["requested_authn_context"] = authn_context if self.config.get(SAMLBackend.KEY_MIRROR_FORCE_AUTHN): kwargs["force_authn"] = get_force_authn( context, self.config, self.sp.config ) if self.config.get(SAMLBackend.KEY_SEND_REQUESTER_ID): requester = context.state.state_dict[STATE_KEY_BASE]['requester'] kwargs["scoping"] = Scoping(requester_id=[RequesterID(text=requester)]) try: acs_endp, response_binding = self.sp.config.getattr("endpoints", "sp")["assertion_consumer_service"][0] relay_state = util.rndstr() req_id, binding, http_info = self.sp.prepare_for_negotiated_authenticate( entityid=entity_id, response_binding=response_binding, relay_state=relay_state, **kwargs, ) except Exception as e: msg = "Failed to construct the AuthnRequest for state" logline = lu.LOG_FMT.format(id=lu.get_session_id(context.state), message=msg) logger.debug(logline, exc_info=True) raise SATOSAAuthenticationError(context.state, "Failed to construct the AuthnRequest") from e if self.sp.config.getattr('allow_unsolicited', 'sp') is False: if req_id in self.outstanding_queries: msg = "Request with duplicate id {}".format(req_id) logline = lu.LOG_FMT.format(id=lu.get_session_id(context.state), message=msg) logger.debug(logline) raise SATOSAAuthenticationError(context.state, msg) self.outstanding_queries[req_id] = req_id context.state[self.name] = {"relay_state": relay_state} return make_saml_response(binding, http_info)
def authn_request(self, context, entity_id): """ Do an authorization request on idp with given entity id. This is the start of the authorization. :type context: satosa.context.Context :type entity_id: str :rtype: satosa.response.Response :param context: The current context :param entity_id: Target IDP entity id :return: response to the user agent """ self.check_blacklist(context, entity_id) kwargs = {} # fetch additional kwargs kwargs.update(self.get_kwargs_sign_dig_algs()) authn_context = self.construct_requested_authn_context(entity_id) req_authn_context = authn_context or requested_authn_context( class_ref=self._authn_context) req_authn_context.comparison = self.config.get("spid_acr_comparison", "minimum") # force_auth = true only if SpidL >= 2 if "SpidL1" in authn_context.authn_context_class_ref[0].text: force_authn = "false" else: force_authn = "true" try: binding = saml2.BINDING_HTTP_POST destination = context.internal_data.get("target_entity_id", entity_id) # SPID CUSTOMIZATION # client = saml2.client.Saml2Client(conf) client = self.sp logger.debug(f"binding: {binding}, destination: {destination}") # acs_endp, response_binding = self.sp.config.getattr("endpoints", "sp")["assertion_consumer_service"][0] # req_id, req = self.sp.create_authn_request( # destination, binding=response_binding, **kwargs) logger.debug(f"Redirecting user to the IdP via {binding} binding.") # use the html provided by pysaml2 if no template was specified or it didn't exist # SPID want the fqdn of the IDP as entityID, not the SSO endpoint # 'http://idpspid.testunical.it:8088' # dovrebbe essere destination ma nel caso di spid-testenv2 è entityid... # binding, destination = self.sp.pick_binding("single_sign_on_service", None, "idpsso", entity_id=entity_id) location = client.sso_location(destination, binding) # location = client.sso_location(entity_id, binding) # not used anymore thanks to avviso 11 # location_fixed = destination # entity_id # ...hope to see the SSO endpoint soon in spid-testenv2 # returns 'http://idpspid.testunical.it:8088/sso' # fixed: https://github.com/italia/spid-testenv2/commit/6041b986ec87ab8515dd0d43fed3619ab4eebbe9 # verificare qui # acs_endp, response_binding = self.sp.config.getattr("endpoints", "sp")["assertion_consumer_service"][0] authn_req = saml2.samlp.AuthnRequest() authn_req.force_authn = force_authn authn_req.destination = location # spid-testenv2 preleva l'attribute consumer service dalla authnRequest # (anche se questo sta già nei metadati...) authn_req.attribute_consuming_service_index = "0" issuer = saml2.saml.Issuer() issuer.name_qualifier = client.config.entityid issuer.text = client.config.entityid issuer.format = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity" authn_req.issuer = issuer # message id authn_req.id = saml2.s_utils.sid() authn_req.version = saml2.VERSION # "2.0" authn_req.issue_instant = saml2.time_util.instant() name_id_policy = saml2.samlp.NameIDPolicy() # del(name_id_policy.allow_create) name_id_policy.format = NAMEID_FORMAT_TRANSIENT authn_req.name_id_policy = name_id_policy # TODO: use a parameter instead authn_req.requested_authn_context = req_authn_context authn_req.protocol_binding = binding assertion_consumer_service_url = client.config._sp_endpoints[ "assertion_consumer_service"][0][0] authn_req.assertion_consumer_service_url = ( assertion_consumer_service_url # 'http://sp-fqdn/saml2/acs/' ) authn_req_signed = client.sign( authn_req, sign_prepare=False, sign_alg=kwargs["sign_alg"], digest_alg=kwargs["digest_alg"], ) authn_req.id _req_str = authn_req_signed logger.debug(f"AuthRequest to {destination}: {_req_str}") relay_state = util.rndstr() ht_args = client.apply_binding( binding, _req_str, location, sign=True, sigalg=kwargs["sign_alg"], relay_state=relay_state, ) if self.sp.config.getattr("allow_unsolicited", "sp") is False: if authn_req.id in self.outstanding_queries: errmsg = "Request with duplicate id {}".format( authn_req.id) logger.debug(errmsg) raise SATOSAAuthenticationError(context.state, errmsg) self.outstanding_queries[authn_req.id] = authn_req_signed context.state[self.name] = {"relay_state": relay_state} # these will give the way to check compliances between the req and resp context.state["req_args"] = {"id": authn_req.id} logger.info(f"SAMLRequest: {ht_args}") return make_saml_response(binding, ht_args) except Exception as exc: logger.debug("Failed to construct the AuthnRequest for state") raise SATOSAAuthenticationError( context.state, "Failed to construct the AuthnRequest") from exc
def authn_request(self, context, entity_id): """ Do an authorization request on idp with given entity id. This is the start of the authorization. :type context: satosa.context.Context :type entity_id: str :rtype: satosa.response.Response :param context: The current context :param entity_id: Target IDP entity id :return: response to the user agent """ self.check_blacklist() kwargs = {} # fetch additional kwargs kwargs.update(self.get_kwargs_sign_dig_algs()) authn_context = self.construct_requested_authn_context(entity_id) requested_authn_context = authn_context or requested_authn_context( class_ref=self._authn_context) # force_auth = true only if SpidL >= 2 if 'SpidL1' in authn_context.authn_context_class_ref[0].text: force_authn = 'false' else: force_authn = 'true' try: binding = saml2.BINDING_HTTP_POST destination = context.request['entityID'] # SPID CUSTOMIZATION #client = saml2.client.Saml2Client(conf) client = self.sp satosa_logging( logger, logging.DEBUG, "binding: %s, destination: %s" % (binding, destination), context.state) # acs_endp, response_binding = self.sp.config.getattr("endpoints", "sp")["assertion_consumer_service"][0] # req_id, req = self.sp.create_authn_request( # destination, binding=response_binding, **kwargs) logger.debug('Redirecting user to the IdP via %s binding.', binding) # use the html provided by pysaml2 if no template was specified or it didn't exist # SPID want the fqdn of the IDP as entityID, not the SSO endpoint # 'http://idpspid.testunical.it:8088' # dovrebbe essere destination ma nel caso di spid-testenv2 è entityid... # binding, destination = self.sp.pick_binding("single_sign_on_service", None, "idpsso", entity_id=entity_id) # location = client.sso_location(destination, binding) location = client.sso_location(entity_id, binding) location_fixed = entity_id # ...hope to see the SSO endpoint soon in spid-testenv2 # returns 'http://idpspid.testunical.it:8088/sso' # fixed: https://github.com/italia/spid-testenv2/commit/6041b986ec87ab8515dd0d43fed3619ab4eebbe9 # verificare qui # acs_endp, response_binding = self.sp.config.getattr("endpoints", "sp")["assertion_consumer_service"][0] authn_req = saml2.samlp.AuthnRequest() authn_req.force_authn = force_authn authn_req.destination = location # spid-testenv2 preleva l'attribute consumer service dalla authnRequest (anche se questo sta già nei metadati...) authn_req.attribute_consuming_service_index = "0" # import pdb; pdb.set_trace() issuer = saml2.saml.Issuer() issuer.name_qualifier = client.config.entityid issuer.text = client.config.entityid issuer.format = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity" authn_req.issuer = issuer # message id authn_req.id = saml2.s_utils.sid() authn_req.version = saml2.VERSION # "2.0" authn_req.issue_instant = saml2.time_util.instant() name_id_policy = saml2.samlp.NameIDPolicy() # del(name_id_policy.allow_create) name_id_policy.format = NAMEID_FORMAT_TRANSIENT authn_req.name_id_policy = name_id_policy # TODO: use a parameter instead authn_req.requested_authn_context = requested_authn_context authn_req.protocol_binding = binding assertion_consumer_service_url = client.config._sp_endpoints[ 'assertion_consumer_service'][0][0] authn_req.assertion_consumer_service_url = assertion_consumer_service_url #'http://sp-fqdn/saml2/acs/' authn_req_signed = client.sign(authn_req, sign_prepare=False, sign_alg=kwargs['sign_alg'], digest_alg=kwargs['digest_alg']) session_id = authn_req.id _req_str = authn_req_signed logger.debug('AuthRequest to {}: {}'.format( destination, (_req_str))) relay_state = util.rndstr() ht_args = client.apply_binding(binding, _req_str, location, sign=True, sigalg=kwargs['sign_alg'], relay_state=relay_state) if self.sp.config.getattr('allow_unsolicited', 'sp') is False: if authn_req.id in self.outstanding_queries: errmsg = "Request with duplicate id {}".format(req_id) satosa_logging(logger, logging.DEBUG, errmsg, context.state) raise SATOSAAuthenticationError(context.state, errmsg) self.outstanding_queries[authn_req.id] = authn_req_signed context.state[self.name] = {"relay_state": relay_state} satosa_logging(logger, logging.DEBUG, "ht_args: %s" % ht_args, context.state) return make_saml_response(binding, ht_args) except Exception as exc: satosa_logging(logger, logging.DEBUG, "Failed to construct the AuthnRequest for state", context.state, exc_info=True) raise SATOSAAuthenticationError( context.state, "Failed to construct the AuthnRequest") from exc
def authn_request(self, context, entity_id, internal_req): """ Do an authorization request on idp with given entity id. This is the start of the authorization. :type context: satosa.context.Context :type entity_id: str :type internal_req: satosa.internal_data.InternalRequest :rtype: satosa.response.Response :param context: The curretn context :param entity_id: Target IDP entity id :param internal_req: The request :return: Response """ _cli = self.sp hash_type = UserIdHashType.persistent.name if "hash_type" in self.config: hash_type = self.config["hash_type"] req_args = {"name_id_policy": self.create_name_id_policy(hash_type)} state = context.state try: # Picks a binding to use for sending the Request to the IDP _binding, destination = _cli.pick_binding( "single_sign_on_service", self.bindings, "idpsso", entity_id=entity_id) satosa_logging(LOGGER, logging.DEBUG, "binding: %s, destination: %s" % (_binding, destination), state) # Binding here is the response binding that is which binding the # IDP should use to return the response. acs = _cli.config.getattr("endpoints", "sp")[ "assertion_consumer_service"] # just pick one endp, return_binding = acs[0] req_id, req = _cli.create_authn_request(destination, binding=return_binding, **req_args) relay_state = rndstr() ht_args = _cli.apply_binding(_binding, "%s" % req, destination, relay_state=relay_state) satosa_logging(LOGGER, logging.DEBUG, "ht_args: %s" % ht_args, state) except Exception as exc: satosa_logging(LOGGER, logging.DEBUG, "Failed to construct the AuthnRequest for state", state, exc_info=True) raise SATOSAAuthenticationError(state, "Failed to construct the AuthnRequest") from exc state.add(self.state_id, relay_state) if _binding == BINDING_HTTP_REDIRECT: for param, value in ht_args["headers"]: if param == "Location": resp = SeeOther(str(value)) break else: satosa_logging(LOGGER, logging.DEBUG, "Parameter error for state", state) raise SATOSAAuthenticationError(state, "Parameter error") else: resp = Response(ht_args["data"], headers=ht_args["headers"]) return resp
def authn_request(self, context, entity_id, requested_attributes=None): """ Do an authorization request on idp with given entity id. This is the start of the authorization. :type context: satosa.context.Context :type entity_id: str :type requested_attributes: list :rtype: satosa.response.Response :param context: The current context :param entity_id: Target IDP entity id :return: response to the user agent """ # If IDP blacklisting is enabled and the selected IDP is blacklisted, # stop here if self.idp_blacklist_file: with open(self.idp_blacklist_file) as blacklist_file: blacklist_array = json.load(blacklist_file)['blacklist'] if entity_id in blacklist_array: msg = "IdP with EntityID {} is blacklisted".format( entity_id) logline = lu.LOG_FMT.format(id=lu.get_session_id( context.state), message=msg) logger.debug(logline, exc_info=False) raise SATOSAAuthenticationError( context.state, "Selected IdP is blacklisted for this backend") try: binding, destination = self.sp.pick_binding( "single_sign_on_service", None, "idpsso", entity_id=entity_id) msg = "binding: {}, destination: {}".format(binding, destination) logline = lu.LOG_FMT.format(id=lu.get_session_id(context.state), message=msg) logger.debug(logline) kwargs = self._get_authn_request_args( context, entity_id, requested_attributes=requested_attributes) req_id, req = self.sp.create_authn_request(destination, **kwargs) relay_state = util.rndstr() ht_args = self.sp.apply_binding(binding, "%s" % req, destination, relay_state=relay_state) msg = "ht_args: {}".format(ht_args) logline = lu.LOG_FMT.format(id=lu.get_session_id(context.state), message=msg) logger.debug(logline) except Exception as exc: msg = "Failed to construct the AuthnRequest for state" logline = lu.LOG_FMT.format(id=lu.get_session_id(context.state), message=msg) logger.debug(logline, exc_info=True) raise SATOSAAuthenticationError( context.state, "Failed to construct the AuthnRequest") from exc if self.sp.config.getattr('allow_unsolicited', 'sp') is False: if req_id in self.outstanding_queries: msg = "Request with duplicate id {}".format(req_id) logline = lu.LOG_FMT.format(id=lu.get_session_id( context.state), message=msg) logger.debug(logline) raise SATOSAAuthenticationError(context.state, msg) self.outstanding_queries[req_id] = req context.state[self.name] = {"relay_state": relay_state} return make_saml_response(binding, ht_args)
def authn_request(self, context, entity_id): """ Do an authorization request on idp with given entity id. This is the start of the authorization. :type context: satosa.context.Context :type entity_id: str :rtype: satosa.response.Response :param context: The current context :param entity_id: Target IDP entity id :return: response to the user agent """ # If IDP blacklisting is enabled and the selected IDP is blacklisted, # stop here if self.idp_blacklist_file: with open(self.idp_blacklist_file) as blacklist_file: blacklist_array = json.load(blacklist_file)['blacklist'] if entity_id in blacklist_array: satosa_logging( logger, logging.DEBUG, "IdP with EntityID {} is blacklisted".format( entity_id), context.state, exc_info=False) raise SATOSAAuthenticationError( context.state, "Selected IdP is blacklisted for this backend") kwargs = {} authn_context = self.construct_requested_authn_context(entity_id) if authn_context: kwargs['requested_authn_context'] = authn_context try: binding, destination = self.sp.pick_binding( "single_sign_on_service", None, "idpsso", entity_id=entity_id) satosa_logging( logger, logging.DEBUG, "binding: %s, destination: %s" % (binding, destination), context.state) acs_endp, response_binding = self.sp.config.getattr( "endpoints", "sp")["assertion_consumer_service"][0] req_id, req = self.sp.create_authn_request( destination, binding=response_binding, **kwargs) relay_state = util.rndstr() ht_args = self.sp.apply_binding(binding, "%s" % req, destination, relay_state=relay_state) satosa_logging(logger, logging.DEBUG, "ht_args: %s" % ht_args, context.state) except Exception as exc: satosa_logging(logger, logging.DEBUG, "Failed to construct the AuthnRequest for state", context.state, exc_info=True) raise SATOSAAuthenticationError( context.state, "Failed to construct the AuthnRequest") from exc if self.sp.config.getattr('allow_unsolicited', 'sp') is False: if req_id in self.outstanding_queries: errmsg = "Request with duplicate id {}".format(req_id) satosa_logging(logger, logging.DEBUG, errmsg, context.state) raise SATOSAAuthenticationError(context.state, errmsg) self.outstanding_queries[req_id] = req context.state[self.name] = {"relay_state": relay_state} ### rZone Code Start ### requested_attributes = [] for claim_name in self.requested_claims: if claim_name in self.internal_attributes['attributes']: if 'saml' in self.internal_attributes['attributes'][ claim_name]: for saml_attr in self.internal_attributes['attributes'][ claim_name]['saml']: requested_attributes.append(saml_attr) db_uri = self.config.get("db_uri") if db_uri: consent_db = MongoWrapper(db_uri, "satosa", "consents") consent_info = {} consent_info['relay_state'] = relay_state consent_info['requester'] = self.internal_req.requester consent_info['requested_attributes'] = requested_attributes consent_db[relay_state] = consent_info ''' logger.info('======= proin:satosa:samlbackend =========') logger.info('proin:satosa:samlbackend:attribute ' + str(requested_attributes)) logger.info('proin:satosa:samlbackend:requester ' + self.internal_req.requester) logger.info('proin:satosa:samlbackend:requester_name ' + self.internal_req.requester_name[0]['text']) logger.info('proin:satosa:samlbackend:relay ' + relay_state) ''' ### rZone Code End ### return make_saml_response(binding, ht_args)
def authn_request(self, context, entity_id, internal_req): """ Do an authorization request on idp with given entity id. This is the start of the authorization. :type context: satosa.context.Context :type entity_id: str :type internal_req: satosa.internal_data.InternalRequest :rtype: satosa.response.Response :param context: The curretn context :param entity_id: Target IDP entity id :param internal_req: The request :return: Response """ _cli = self.sp hash_type = UserIdHashType.persistent.name if "hash_type" in self.config: hash_type = self.config["hash_type"] req_args = {"name_id_policy": self.create_name_id_policy(hash_type)} state = context.state try: # Picks a binding to use for sending the Request to the IDP _binding, destination = _cli.pick_binding("single_sign_on_service", self.bindings, "idpsso", entity_id=entity_id) satosa_logging( LOGGER, logging.DEBUG, "binding: %s, destination: %s" % (_binding, destination), state) # Binding here is the response binding that is which binding the # IDP should use to return the response. acs = _cli.config.getattr("endpoints", "sp")["assertion_consumer_service"] # just pick one endp, return_binding = acs[0] req_id, req = _cli.create_authn_request(destination, binding=return_binding, **req_args) relay_state = rndstr() ht_args = _cli.apply_binding(_binding, "%s" % req, destination, relay_state=relay_state) satosa_logging(LOGGER, logging.DEBUG, "ht_args: %s" % ht_args, state) except Exception as exc: satosa_logging(LOGGER, logging.DEBUG, "Failed to construct the AuthnRequest for state", state, exc_info=True) raise SATOSAAuthenticationError( state, "Failed to construct the AuthnRequest") from exc state.add(self.state_id, relay_state) if _binding == BINDING_HTTP_REDIRECT: for param, value in ht_args["headers"]: if param == "Location": resp = SeeOther(str(value)) break else: satosa_logging(LOGGER, logging.DEBUG, "Parameter error for state", state) raise SATOSAAuthenticationError(state, "Parameter error") else: resp = Response(ht_args["data"], headers=ht_args["headers"]) return resp