authorSimo Sorce <simo@redhat.com>2014-03-02 18:32:06 -0500
committerSimo Sorce <simo@redhat.com>2014-03-02 19:11:34 -0500
commit2959e20b5607edab7313aa5ba4500c1f37358979 (patch)
treec83ce5aa7b2561dfc8eff3d7ae9fc927e1c66649 /ipsilon/providers/saml2
parent2cf4bcfe804aaa01e4587388e0870274c20ca428 (diff)
Add ability to strip domain/realm per provider
This makes it possible to return (hopefully) the same name whether the user authenticated via ESSO or form-based authentication. Crude for now; may be augmented with some regex configuration in the future.

Signed-off-by: Simo Sorce <simo@redhat.com>
Diffstat (limited to 'ipsilon/providers/saml2')
-rwxr-xr-xipsilon/providers/saml2/auth.py6
-rwxr-xr-xipsilon/providers/saml2/provider.py5
2 files changed, 9 insertions, 2 deletions
diff --git a/ipsilon/providers/saml2/auth.py b/ipsilon/providers/saml2/auth.py
index 64d9835..7f92d77 100755
--- a/ipsilon/providers/saml2/auth.py
+++ b/ipsilon/providers/saml2/auth.py
@@ -170,9 +170,11 @@ class AuthenticateRequest(ProviderPageBase):
nameid = None
if nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT:
- nameid = user.name ## TODO map to something else ?
+ ## TODO map to something else ?
+ nameid = provider.normalize_username(user.name)
elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT:
- nameid = user.name ## TODO map to something else ?
+ ## TODO map to something else ?
+ nameid = provider.normalize_username(user.name)
elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_KERBEROS:
nameid = us.get_data('user', 'krb_principal_name')
elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_EMAIL:
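Review bot: With stripping enabled, the persistent and transient branches now send the service provider a NameID that is only the local part of `user.name`, so two accounts that differ only in realm (a constructed pair such as `alice@A.EXAMPLE` and `alice@B.EXAMPLE`) would reach that SP under the same identifier. The hunk does not show whether the IdP only ever accepts a single realm; if it can accept more than one, that uniqueness assumption should be stated where the mapping is made, for example `## NOTE: realm stripping assumes local parts are unique across every realm this IdP accepts`. The Kerberos and e-mail branches still return the unnormalized values, which looks intentional but is worth a short comment too. The enclosing method starts and ends outside the hunk.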
diff --git a/ipsilon/providers/saml2/provider.py b/ipsilon/providers/saml2/provider.py
index c738ac2..acf2ee7 100755
--- a/ipsilon/providers/saml2/provider.py
+++ b/ipsilon/providers/saml2/provider.py
@@ -106,3 +106,8 @@ class ServiceProvider(object):
def _debug(self, fact):
if cherrypy.config.get('debug', False):
cherrypy.log(fact)
+
+ def normalize_username(self, username):
+ if 'strip domain' in self._properties:
+ return username.split('@', 1)[0]
+ return username
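Review bot: `'strip domain' in self._properties` tests only that the key is present, so a provider whose properties carry the key with a false value would presumably still have the realm stripped. If `_properties` is dict-like (not visible here), `if self._properties.get('strip domain'):` follows the configured value instead. `username.split('@', 1)[0]` also returns an empty string for a name that begins with `@`, which would become an empty NameID in the persistent and transient branches of auth.py; an explicit check that the stripped result is non-empty before returning it would catch that. The method has no docstring, and one sentence saying that everything from the first `@` onward is dropped, and that this is decided per provider, would help the next reader.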