author | Rob Crittenden <rcritten@redhat.com> | 2015-03-19 15:15:26 -0400 |
committer | Simo Sorce <simo@redhat.com> | 2015-03-23 18:00:15 -0400 |
commit | 217cabe5a2b0950b9ac4090568aa8986d51f4fc5 (patch) | |
tree | e8dc27cb25ba009234f96a0b4689119f55ae6c46 /ipsilon/providers/saml2/auth.py | |
parent | 2ab0852570e3e18dfd7d959ae7c3bd62ea33dcca (diff) | |
Implement urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
This also makes persistent the default NameID format when generating
metadata.
https://fedorahosted.org/ipsilon/ticket/27
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Diffstat (limited to 'ipsilon/providers/saml2/auth.py')
-rw-r--r-- | ipsilon/providers/saml2/auth.py | 13 |
1 files changed, 11 insertions, 2 deletions
diff --git a/ipsilon/providers/saml2/auth.py b/ipsilon/providers/saml2/auth.py
index 71bfc9a..4bfbc1a 100644
--- a/ipsilon/providers/saml2/auth.py
+++ b/ipsilon/providers/saml2/auth.py
@@ -28,6 +28,7 @@ import cherrypy
 import datetime
 import lasso
 import uuid
+import hashlib
 class UnknownProvider(ProviderException):
@@ -183,8 +184,16 @@ class AuthenticateRequest(ProviderPageBase):
 nameid = None
 if nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT:
- # TODO map to something else ?
- nameid = provider.normalize_username(user.name)
+ idpsalt = self.cfg.idp_nameid_salt
+ if idpsalt is None:
+ raise AuthenticationError(
+ "idp nameid salt is not set in configuration"
+ )
+ value = hashlib.sha512()
+ value.update(idpsalt)
+ value.update(login.remoteProviderId)
+ value.update(user.name)
+ nameid = '_' + value.hexdigest()
 elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT:
 nameid = '_' + uuid.uuid4().hex
 elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_KERBEROS: |
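Review bot: The persistent NameID in the second hunk is a plain SHA-512 over `idpsalt`, `login.remoteProviderId` and `user.name` concatenated with no delimiter, so the salt only guards against guessing if it is long and secret, and the three inputs are not unambiguously separated; the `is None` check also lets an empty-string salt through, which removes that protection entirely. A keyed construction with explicit separators addresses both: `if not idpsalt:` for the guard, then `value = hmac.new(idpsalt, login.remoteProviderId + '\0' + user.name, hashlib.sha512)` and `nameid = '_' + value.hexdigest()` (adding `import hmac` next to the new `import hashlib` in the first hunk). The removed line fed `user.name` through `provider.normalize_username`, and the new code hashes the raw name, so presumably two logins that normalize to the same user could now receive different persistent identifiers — worth confirming against what normalize_username does, and worth a comment stating that the derivation must never change once deployed because relying parties store the value. The enclosing method begins and ends outside this hunk.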