def _create_base_saml_assertion(self, context, auth): issuer = CONF.saml.idp_entity_id sp_id = auth['scope']['service_provider']['id'] service_provider = self.federation_api.get_sp(sp_id) utils.assert_enabled_service_provider_object(service_provider) sp_url = service_provider.get('sp_url') token_id = auth['identity']['token']['id'] token_data = self.token_provider_api.validate_token(token_id) token_ref = token_model.KeystoneToken(token_id, token_data) if not token_ref.project_scoped: action = _('Use a project scoped token when attempting to create ' 'a SAML assertion') raise exception.ForbiddenAction(action=action) subject = token_ref.user_name roles = token_ref.role_names project = token_ref.project_name # NOTE(rodrigods): the domain name is necessary in order to distinguish # between projects and users with the same name in different domains. project_domain_name = token_ref.project_domain_name subject_domain_name = token_ref.user_domain_name generator = keystone_idp.SAMLGenerator() response = generator.samlize_token( issuer, sp_url, subject, subject_domain_name, roles, project, project_domain_name) return (response, service_provider)
def _create_base_saml_assertion(self, context, auth): issuer = CONF.saml.idp_entity_id sp_id = auth['scope']['service_provider']['id'] service_provider = self.federation_api.get_sp(sp_id) utils.assert_enabled_service_provider_object(service_provider) sp_url = service_provider['sp_url'] token_id = auth['identity']['token']['id'] token_data = self.token_provider_api.validate_token(token_id) token_ref = token_model.KeystoneToken(token_id, token_data) if not token_ref.project_scoped: action = _('Use a project scoped token when attempting to create ' 'a SAML assertion') raise exception.ForbiddenAction(action=action) subject = token_ref.user_name roles = token_ref.role_names project = token_ref.project_name # NOTE(rodrigods): the domain name is necessary in order to distinguish # between projects and users with the same name in different domains. project_domain_name = token_ref.project_domain_name subject_domain_name = token_ref.user_domain_name generator = keystone_idp.SAMLGenerator() response = generator.samlize_token(issuer, sp_url, subject, subject_domain_name, roles, project, project_domain_name) return (response, service_provider)
def create_base_saml_assertion(auth): issuer = CONF.saml.idp_entity_id sp_id = auth['scope']['service_provider']['id'] service_provider = PROVIDERS.federation_api.get_sp(sp_id) federation_utils.assert_enabled_service_provider_object(service_provider) sp_url = service_provider['sp_url'] token_id = auth['identity']['token']['id'] token = PROVIDERS.token_provider_api.validate_token(token_id) if not token.project_scoped: action = _('Use a project scoped token when attempting to create ' 'a SAML assertion') raise exception.ForbiddenAction(action=action) subject = token.user['name'] role_names = [] for role in token.roles: role_names.append(role['name']) project = token.project['name'] # NOTE(rodrigods): the domain name is necessary in order to distinguish # between projects and users with the same name in different domains. project_domain_name = token.project_domain['name'] subject_domain_name = token.user_domain['name'] generator = keystone_idp.SAMLGenerator() response = generator.samlize_token(issuer, sp_url, subject, subject_domain_name, role_names, project, project_domain_name) return response, service_provider
def create_base_saml_assertion(auth): issuer = CONF.saml.idp_entity_id sp_id = auth['scope']['service_provider']['id'] service_provider = PROVIDERS.federation_api.get_sp(sp_id) federation_utils.assert_enabled_service_provider_object(service_provider) sp_url = service_provider['sp_url'] token_id = auth['identity']['token']['id'] token = PROVIDERS.token_provider_api.validate_token(token_id) if not token.project_scoped: action = _('Use a project scoped token when attempting to create ' 'a SAML assertion') raise exception.ForbiddenAction(action=action) subject = token.user['name'] role_names = [] for role in token.roles: role_names.append(role['name']) project = token.project['name'] # NOTE(rodrigods): the domain name is necessary in order to distinguish # between projects and users with the same name in different domains. project_domain_name = token.project_domain['name'] subject_domain_name = token.user_domain['name'] generator = keystone_idp.SAMLGenerator() response = generator.samlize_token( issuer, sp_url, subject, subject_domain_name, role_names, project, project_domain_name) return response, service_provider
def create_base_saml_assertion(auth): issuer = CONF.saml.idp_entity_id sp_id = auth['scope']['service_provider']['id'] service_provider = PROVIDERS.federation_api.get_sp(sp_id) federation_utils.assert_enabled_service_provider_object(service_provider) sp_url = service_provider['sp_url'] token_id = auth['identity']['token']['id'] token = PROVIDERS.token_provider_api.validate_token(token_id) if not token.project_scoped: action = _('Use a project scoped token when attempting to create ' 'a SAML assertion') raise exception.ForbiddenAction(action=action) subject = token.user['name'] role_names = [] for role in token.roles: role_names.append(role['name']) project = token.project['name'] # NOTE(rodrigods): the domain name is necessary in order to distinguish # between projects and users with the same name in different domains. project_domain_name = token.project_domain['name'] subject_domain_name = token.user_domain['name'] def group_membership(): """Return a list of dictionaries serialized as strings. The expected return structure is:: ['JSON:{"name":"group1","domain":{"name":"Default"}}', 'JSON:{"name":"group2","domain":{"name":"Default"}}'] """ user_groups = [] groups = PROVIDERS.identity_api.list_groups_for_user(token.user_id) for group in groups: user_group = {} group_domain_name = PROVIDERS.resource_api.get_domain( group['domain_id'])['name'] user_group["name"] = group['name'] user_group["domain"] = {'name': group_domain_name} user_groups.append('JSON:' + jsonutils.dumps(user_group)) return user_groups groups = group_membership() generator = keystone_idp.SAMLGenerator() response = generator.samlize_token(issuer, sp_url, subject, subject_domain_name, role_names, project, project_domain_name, groups) return response, service_provider