def _create_base_saml_assertion(self, context, auth):
issuer = CONF.saml.idp_entity_id
sp_id = auth['scope']['service_provider']['id']
service_provider = self.federation_api.get_sp(sp_id)
utils.assert_enabled_service_provider_object(service_provider)
sp_url = service_provider.get('sp_url')
token_id = auth['identity']['token']['id']
token_data = self.token_provider_api.validate_token(token_id)
token_ref = token_model.KeystoneToken(token_id, token_data)
if not token_ref.project_scoped:
action = _('Use a project scoped token when attempting to create '
'a SAML assertion')
raise exception.ForbiddenAction(action=action)
subject = token_ref.user_name
roles = token_ref.role_names
project = token_ref.project_name
# NOTE(rodrigods): the domain name is necessary in order to distinguish
# between projects and users with the same name in different domains.
project_domain_name = token_ref.project_domain_name
subject_domain_name = token_ref.user_domain_name
generator = keystone_idp.SAMLGenerator()
response = generator.samlize_token(issuer, sp_url, subject,
subject_domain_name, roles, project,
project_domain_name)
return (response, service_provider)
def create_saml_assertion(self, context, auth):
"""Exchange a scoped token for a SAML assertion.
:param auth: Dictionary that contains a token id and region id
:returns: SAML Assertion based on properties from the token
"""
issuer = CONF.saml.idp_entity_id
region_id = auth['scope']['region']['id']
region = self.catalog_api.get_region(region_id)
recipient = region['url']
token_id = auth['identity']['token']['id']
token_data = self.token_provider_api.validate_token(token_id)
token_ref = token_model.KeystoneToken(token_id, token_data)
subject = token_ref.user_name
roles = token_ref.role_names
if token_ref.project_scoped:
project = token_ref.project_name
else:
raise ValueError(
_('Use a project scoped token when attempting to'
'create a SAML assertion'))
generator = keystone_idp.SAMLGenerator()
response = generator.samlize_token(issuer, recipient, subject, roles,
project)
return wsgi.render_response(body=response.to_string(),
status=('200', 'OK'),
headers=[('Content-Type', 'text/xml')])
def create_saml_assertion(self, context, auth):
"""Exchange a scoped token for a SAML assertion.
:param auth: Dictionary that contains a token and service provider id
:returns: SAML Assertion based on properties from the token
"""
issuer = CONF.saml.idp_entity_id
sp_id = auth['scope']['service_provider']['id']
service_provider = self.federation_api.get_sp(sp_id)
utils.assert_enabled_service_provider_object(service_provider)
sp_url = service_provider.get('sp_url')
auth_url = service_provider.get('auth_url')
token_id = auth['identity']['token']['id']
token_data = self.token_provider_api.validate_token(token_id)
token_ref = token_model.KeystoneToken(token_id, token_data)
subject = token_ref.user_name
roles = token_ref.role_names
if not token_ref.project_scoped:
action = _('Use a project scoped token when attempting to create '
'a SAML assertion')
raise exception.ForbiddenAction(action=action)
project = token_ref.project_name
generator = keystone_idp.SAMLGenerator()
response = generator.samlize_token(issuer, sp_url, subject, roles,
project)
return wsgi.render_response(body=response.to_string(),
status=('200', 'OK'),
headers=[('Content-Type', 'text/xml'),
('X-sp-url',
six.binary_type(sp_url)),
('X-auth-url',
six.binary_type(auth_url))])
def _create_base_saml_assertion(self, context, auth):
issuer = CONF.saml.idp_entity_id
sp_id = auth['scope']['service_provider']['id']
service_provider = self.federation_api.get_sp(sp_id)
utils.assert_enabled_service_provider_object(service_provider)
sp_url = service_provider.get('sp_url')
token_id = auth['identity']['token']['id']
token_data = self.token_provider_api.validate_token(token_id)
token_ref = token_model.KeystoneToken(token_id, token_data)
subject = token_ref.user_name
roles = token_ref.role_names
if not token_ref.project_scoped:
action = _('Use a project scoped token when attempting to create '
'a SAML assertion')
raise exception.ForbiddenAction(action=action)
project = token_ref.project_name
generator = keystone_idp.SAMLGenerator()
response = generator.samlize_token(issuer, sp_url, subject, roles,
project)
return (response, service_provider)