From dd6432197b3da4be32dd00c84bfe413ac04a802d Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Tue, 5 May 2015 12:37:31 -0400 Subject: Pull the GSSAPI principal out of the userattrs This was originally getting the principal from the user object itself which meant it was looking for it in the database. Look in the attributes instead which are stored in the user session. Signed-off-by: Rob Crittenden --- ipsilon/providers/saml2/auth.py | 3 ++- tests/helpers/http.py | 5 +++-- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/ipsilon/providers/saml2/auth.py b/ipsilon/providers/saml2/auth.py index b2c9549..8b84bc2 100644 --- a/ipsilon/providers/saml2/auth.py +++ b/ipsilon/providers/saml2/auth.py @@ -197,7 +197,8 @@ class AuthenticateRequest(ProviderPageBase): elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT: nameid = '_' + uuid.uuid4().hex elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_KERBEROS: - nameid = us.get_data('user', 'gssapi_principal_name') + userattrs = us.get_user_attrs() + nameid = userattrs.get('gssapi_principal_name') elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_EMAIL: nameid = us.get_user().email if not nameid: diff --git a/tests/helpers/http.py b/tests/helpers/http.py index 0da7ee2..97098c8 100755 --- a/tests/helpers/http.py +++ b/tests/helpers/http.py @@ -94,8 +94,9 @@ class HttpSessions(object): session = self.get_session(url) allow_redirects = False if krb: - # In at least the test instance we don't get back a negotiate - # blob to do mutual authentication against. + # python-requests-kerberos isn't too bright about doing mutual + # authentication and it tries to do it on any non-401 response + # which doesn't work in our case since we follow redirects. kerberos_auth = HTTPKerberosAuth(mutual_authentication=OPTIONAL) kwargs['auth'] = kerberos_auth allow_redirects = True -- cgit