From 81ad559af403d4d62f21209d34ba00833e007300 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Tue, 7 Apr 2015 15:34:43 -0400
Subject: Add per-SP attribute mapping and allowed attributes

The per-SP values are considered overrides and the global values are default.

https://fedorahosted.org/ipsilon/ticket/25

Signed-off-by: Rob Crittenden
Reviewed-by: Simo Sorce
---
 ipsilon/providers/saml2/auth.py | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

(limited to 'ipsilon/providers/saml2/auth.py')

diff --git a/ipsilon/providers/saml2/auth.py b/ipsilon/providers/saml2/auth.py
index d895f43..12af16b 100644
--- a/ipsilon/providers/saml2/auth.py
+++ b/ipsilon/providers/saml2/auth.py
@@ -213,9 +213,20 @@ class AuthenticateRequest(ProviderPageBase):
 raise AuthenticationError("Unavailable Name ID type",
 lasso.SAML2_STATUS_CODE_AUTHN_FAILED)
 
- # Check attribute policy and perform mapping and filtering
- policy = Policy(self.cfg.default_attribute_mapping,
- self.cfg.default_allowed_attributes)
+ # Check attribute policy and perform mapping and filtering.
+ # If the SP has its own mapping or filtering policy use that
+ # instead of the global policy.
+ if (provider.attribute_mappings is not None and
+ len(provider.attribute_mappings) > 0):
+ attribute_mappings = provider.attribute_mappings
+ else:
+ attribute_mappings = self.cfg.default_attribute_mapping
+ if (provider.allowed_attributes is not None and
+ len(provider.allowed_attributes) > 0):
+ allowed_attributes = provider.allowed_attributes
+ else:
+ allowed_attributes = self.cfg.default_allowed_attributes
+ policy = Policy(attribute_mappings, allowed_attributes)
 userattrs = us.get_user_attrs()
 mappedattrs, _ = policy.map_attributes(userattrs)
 attributes = policy.filter_attributes(mappedattrs)
-- 
cgit
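Review bot: The two new fallback conditions treat an empty per-SP list the same as an unset one, so an SP whose `allowed_attributes` is deliberately configured empty (release nothing) silently gets the broader global default instead of an empty filter; the `attribute_mappings` branch has the same conflation. If the provider object distinguishes unset (`None`) from an explicit empty list, falling back only on `if provider.allowed_attributes is not None:` would honour a deny-all SP configuration; if it cannot, the new comment should state that an empty SP list means "use the global policy" so the override semantics are explicit. As a point of style, `x is not None and len(x) > 0` is simply `if x:` in Python. The enclosing method continues outside the hunk on both sides.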