summaryrefslogtreecommitdiffstats
path: root/ipsilon/providers/saml2/auth.py
diff options
context:
space:
mode:
Diffstat (limited to 'ipsilon/providers/saml2/auth.py')
-rw-r--r--ipsilon/providers/saml2/auth.py11
1 files changed, 9 insertions, 2 deletions
diff --git a/ipsilon/providers/saml2/auth.py b/ipsilon/providers/saml2/auth.py
index a65b52a..95751aa 100644
--- a/ipsilon/providers/saml2/auth.py
+++ b/ipsilon/providers/saml2/auth.py
@@ -21,6 +21,7 @@ from ipsilon.providers.saml2.provider import ServiceProvider
from ipsilon.providers.saml2.provider import InvalidProviderId
from ipsilon.providers.saml2.provider import NameIdNotAllowed
from ipsilon.providers.saml2.sessions import SAMLSessionsContainer
+from ipsilon.util.policy import Policy
from ipsilon.util.user import UserSession
from ipsilon.util.trans import Transaction
import cherrypy
@@ -201,7 +202,6 @@ class AuthenticateRequest(ProviderPageBase):
raise AuthenticationError("Unavailable Name ID type",
lasso.SAML2_STATUS_CODE_AUTHN_FAILED)
- # TODO: filter user attributes as policy requires from 'usersession'
if not login.assertion.attributeStatement:
attrstat = lasso.Saml2AttributeStatement()
login.assertion.attributeStatement = [attrstat]
@@ -210,7 +210,14 @@ class AuthenticateRequest(ProviderPageBase):
if not attrstat.attribute:
attrstat.attribute = ()
- attributes = us.get_user_attrs()
+ # Check attribute policy and perform mapping and filtering
+ policy = Policy(self.cfg.default_attribute_mapping,
+ self.cfg.default_allowed_attributes)
+ userattrs = us.get_user_attrs()
+ mappedattrs, _ = policy.map_attributes(userattrs)
+ attributes = policy.filter_attributes(mappedattrs)
+
+ self.debug("%s's attributes: %s" % (user.name, attributes))
for key in attributes:
values = attributes[key]
generated by cgit (git 2.34.1) at 2024-05-02 05:48:15 +0000