-rw-r--r-- | ipsilon/providers/saml2/auth.py | 3 | ||||
-rwxr-xr-x | tests/helpers/http.py | 5 |
2 files changed, 5 insertions, 3 deletions
diff --git a/ipsilon/providers/saml2/auth.py b/ipsilon/providers/saml2/auth.py
index b2c9549..8b84bc2 100644
--- a/ipsilon/providers/saml2/auth.py
+++ b/ipsilon/providers/saml2/auth.py
@@ -197,7 +197,8 @@ class AuthenticateRequest(ProviderPageBase):
 elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT:
 nameid = '_' + uuid.uuid4().hex
 elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_KERBEROS:
- nameid = us.get_data('user', 'gssapi_principal_name')
+ userattrs = us.get_user_attrs()
+ nameid = userattrs.get('gssapi_principal_name')
 elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_EMAIL:
 nameid = us.get_user().email
 if not nameid:
diff --git a/tests/helpers/http.py b/tests/helpers/http.py
index 0da7ee2..97098c8 100755
--- a/tests/helpers/http.py
+++ b/tests/helpers/http.py
@@ -94,8 +94,9 @@ class HttpSessions(object):
 session = self.get_session(url)
 allow_redirects = False
 if krb:
- # In at least the test instance we don't get back a negotiate
- # blob to do mutual authentication against.
+ # python-requests-kerberos isn't too bright about doing mutual
+ # authentication and it tries to do it on any non-401 response
+ # which doesn't work in our case since we follow redirects.
 kerberos_auth = HTTPKerberosAuth(mutual_authentication=OPTIONAL)
 kwargs['auth'] = kerberos_auth
 allow_redirects = True |
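Review bot: In the Kerberos branch of `AuthenticateRequest`, the NameID is now read from the general user-attribute mapping, and the hunk does not show what is allowed to write `gssapi_principal_name` into it. If any attribute source other than the GSSAPI login step can set or override that key (not visible here), the IdP would assert a principal that was never authenticated through Kerberos, so the trust assumption deserves a comment such as `# gssapi_principal_name must only be set by the GSSAPI login plugin; it is asserted as the Kerberos NameID`. The `.get()` call also assumes `us.get_user_attrs()` never returns None; `userattrs = us.get_user_attrs() or {}` would let the existing `if not nameid:` check handle that case. The enclosing method starts and ends outside the hunk.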
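Review bot: The rewritten comment above `HTTPKerberosAuth(mutual_authentication=OPTIONAL)` explains why mutual authentication fails but not what is given up: with OPTIONAL, a response that carries no valid server token is still accepted, so the server side is not authenticated. I would add a line such as `# Test-only: the server is not verified here; do not reuse this setting outside the test suite.` so the configuration is not copied into non-test clients. The enclosing method begins and ends outside the hunk.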