Implement urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

This also makes persistent the default NameID format when generating metadata. https://fedorahosted.org/ipsilon/ticket/27 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
author: Rob Crittenden <rcritten@redhat.com> 2015-03-19 15:15:26 -0400
committer: Simo Sorce <simo@redhat.com> 2015-03-23 18:00:15 -0400
commit: 217cabe5a2b0950b9ac4090568aa8986d51f4fc5 (patch)
tree: e8dc27cb25ba009234f96a0b4689119f55ae6c46 /ipsilon/providers/saml2idp.py
parent: 2ab0852570e3e18dfd7d959ae7c3bd62ea33dcca (diff)
download: ipsilon-217cabe5a2b0950b9ac4090568aa8986d51f4fc5.tar.gz
ipsilon-217cabe5a2b0950b9ac4090568aa8986d51f4fc5.tar.xz
ipsilon-217cabe5a2b0950b9ac4090568aa8986d51f4fc5.zip
1 files changed, 13 insertions, 3 deletions
diff --git a/ipsilon/providers/saml2idp.py b/ipsilon/providers/saml2idp.py
index 96a7d11..5d8aa03 100644
--- a/ipsilon/providers/saml2idp.py
+++ b/ipsilon/providers/saml2idp.py
@@ -33,6 +33,7 @@ from datetime import timedelta
 import lasso
 import os
 import time
+import uuid
 
 
 class Redirect(AuthenticateRequest):
@@ -194,6 +195,10 @@ Provides SAML 2.0 authentication infrastructure. """
                 'idp key file',
                 'The IdP Certificate Key genearated at install time.',
                 'certificate.key'),
+            pconfig.String(
+                'idp nameid salt',
+                'The salt used for persistent Name IDs.',
+                None),
             pconfig.Condition(
                 'allow self registration',
                 'Allow authenticated users to register applications.',
@@ -253,6 +258,10 @@ Provides SAML 2.0 authentication infrastructure. """
                             self.get_config_value('idp key file'))
 
     @property
+    def idp_nameid_salt(self):
+        return self.get_config_value('idp nameid salt')
+
+    @property
     def default_allowed_nameids(self):
         return self.get_config_value('default allowed nameids')
 
@@ -324,10 +333,10 @@ class IdpMetadataGenerator(object):
         self.meta.add_service(metadata.SAML2_SERVICE_MAP['logout-redirect'],
                               '%s/saml2/SLO/Redirect' % url)
         self.meta.add_allowed_name_format(
-            lasso.SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT)
-        self.meta.add_allowed_name_format(
             lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT)
         self.meta.add_allowed_name_format(
+            lasso.SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT)
+        self.meta.add_allowed_name_format(
             lasso.SAML2_NAME_IDENTIFIER_FORMAT_EMAIL)
 
     def output(self, path=None):
@@ -379,7 +388,8 @@ class Installer(ProviderInstaller):
         config = {'idp storage path': path,
                   'idp metadata file': 'metadata.xml',
                   'idp certificate file': cert.cert,
-                  'idp key file': cert.key}
+                  'idp key file': cert.key,
+                  'idp nameid salt': uuid.uuid4().hex}
         po.save_plugin_config(config)
 
         # Update global config to add login plugin
author	Rob Crittenden <rcritten@redhat.com>	2015-03-19 15:15:26 -0400
committer	Simo Sorce <simo@redhat.com>	2015-03-23 18:00:15 -0400
commit	217cabe5a2b0950b9ac4090568aa8986d51f4fc5 (patch)
tree	e8dc27cb25ba009234f96a0b4689119f55ae6c46 /ipsilon/providers/saml2idp.py
parent	2ab0852570e3e18dfd7d959ae7c3bd62ea33dcca (diff)
download	ipsilon-217cabe5a2b0950b9ac4090568aa8986d51f4fc5.tar.gz ipsilon-217cabe5a2b0950b9ac4090568aa8986d51f4fc5.tar.xz ipsilon-217cabe5a2b0950b9ac4090568aa8986d51f4fc5.zip