-rwxr-xr-x | ipsilon/login/authkrb.py | 6 | ||||
-rwxr-xr-x | ipsilon/providers/saml2/auth.py | 5 |
2 files changed, 8 insertions, 3 deletions
diff --git a/ipsilon/login/authkrb.py b/ipsilon/login/authkrb.py
index b6ff99c..77b907b 100755
--- a/ipsilon/login/authkrb.py
+++ b/ipsilon/login/authkrb.py
@@ -18,6 +18,7 @@
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
 from ipsilon.login.common import LoginPageBase, LoginManagerBase
+from ipsilon.util.user import UserSession
 import cherrypy
@@ -33,9 +34,10 @@ class KrbAuth(LoginPageBase):
 def root(self, *args, **kwargs):
 # If we can get here, we must be authenticated and remote_user
- # was set. Check the session has a use set already or error.
+ # was set. Check the session has a user set already or error.
 if self.user and self.user.name:
- return self.lm.auth_successful(self.user.name)
+ userdata = { 'krb_principal_name': self.user.name }
+ return self.lm.auth_successful(self.user.name, userdata)
 else:
 return self.lm.auth_failed()
diff --git a/ipsilon/providers/saml2/auth.py b/ipsilon/providers/saml2/auth.py
index 9d796c5..955f01f 100755
--- a/ipsilon/providers/saml2/auth.py
+++ b/ipsilon/providers/saml2/auth.py
@@ -159,7 +159,8 @@ class AuthenticateRequest(ProviderPageBase):
 authtime_notbefore = authtime - skew
 authtime_notafter = authtime + skew
- user = UserSession().get_user()
+ us = UserSession()
+ user = us.get_user()
 # TODO: get authentication type fnd name format from session
 # need to save which login manager authenticated and map it to a
@@ -178,6 +179,8 @@ class AuthenticateRequest(ProviderPageBase):
 nameid = user.name ## TODO map to something else ?
 elif self.nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT:
 nameid = user.name ## TODO map to something else ?
+ elif self.nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_KERBEROS:
+ nameid = us.get_data('user', 'krb_principal_name')
 if nameid:
 login.assertion.subject.nameId.format = self.nameidfmt |
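Review bot: `UserSession` is imported at the top of authkrb.py, but none of the lines this commit adds to that file use it; the new code in `root()` only calls `self.lm.auth_successful`. Unless a use exists outside the visible hunks, drop `from ipsilon.util.user import UserSession` so the Kerberos login plugin does not carry an unused dependency on the session module.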
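Review bot: The value stored under `krb_principal_name` in `KrbAuth.root()` is `self.user.name`, the same string used as the login name, so it is a real principal only if the front end passes `name@REALM` through unchanged. If the web server strips or maps the realm (not visible here), the SAML provider would later assert a bare username as a Kerberos NameID. I would state the expectation next to the assignment, e.g. `# self.user.name must be the full principal (name@REALM); it is later asserted as the Kerberos NameID`, and write the literal in PEP 8 form, `userdata = {'krb_principal_name': self.user.name}`. The call also assumes `auth_successful` already accepts a second argument, which this commit does not show.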
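Review bot: The new Kerberos branch puts whatever `us.get_data('user', 'krb_principal_name')` returns into the assertion subject, and in this commit that key is written only by the Kerberos login page. For a session established through another login manager there is no principal, so the code depends on `get_data` returning a falsy value rather than raising, and on the path taken when `if nameid:` fails; both lie outside the hunk and should be confirmed. A comment such as `# only set by the Kerberos login manager; empty for other login methods` would document this. Checking that the value has the `name@REALM` shape before using it as a Kerberos-format NameID would keep a malformed session value out of the assertion. The enclosing method starts and ends outside the hunk.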