-rwxr-xr-xipsilon/install/ipsilon-server-install3
-rw-r--r--ipsilon/providers/saml2/auth.py13
-rw-r--r--ipsilon/providers/saml2idp.py16
3 files changed, 26 insertions, 6 deletions
diff --git a/ipsilon/install/ipsilon-server-install b/ipsilon/install/ipsilon-server-install
index 307f1e4..edcccb6 100755
--- a/ipsilon/install/ipsilon-server-install
+++ b/ipsilon/install/ipsilon-server-install
@@ -116,7 +116,8 @@ def install(plugins, args):
'transdb': args['database_url'] % {
'datadir': args['data_dir'], 'dbname': 'transactions'},
'secure': "False" if args['secure'] == "no" else "True",
- 'debugging': "True" if args['server_debugging'] else "False"}
+ 'debugging': "True" if args['server_debugging'] else "False",
+ }
# Testing database sessions
if 'session_type' in args:
confopts['sesstype'] = args['session_type']
diff --git a/ipsilon/providers/saml2/auth.py b/ipsilon/providers/saml2/auth.py
index 71bfc9a..4bfbc1a 100644
--- a/ipsilon/providers/saml2/auth.py
+++ b/ipsilon/providers/saml2/auth.py
@@ -28,6 +28,7 @@ import cherrypy
import datetime
import lasso
import uuid
+import hashlib
class UnknownProvider(ProviderException):
@@ -183,8 +184,16 @@ class AuthenticateRequest(ProviderPageBase):
nameid = None
if nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT:
- # TODO map to something else ?
- nameid = provider.normalize_username(user.name)
+ idpsalt = self.cfg.idp_nameid_salt
+ if idpsalt is None:
+ raise AuthenticationError(
+ "idp nameid salt is not set in configuration"
+ )
+ value = hashlib.sha512()
+ value.update(idpsalt)
+ value.update(login.remoteProviderId)
+ value.update(user.name)
+ nameid = '_' + value.hexdigest()
elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT:
nameid = '_' + uuid.uuid4().hex
elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_KERBEROS:
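Review bot: The three `update()` calls concatenate salt, provider id and username with no delimiter, so distinct (provider, user) pairs whose concatenation is the same string derive the same persistent NameID; feed a separator into the digest, e.g. `value.update(idpsalt)`, `value.update('\x00' + login.remoteProviderId)`, `value.update('\x00' + provider.normalize_username(user.name))`. The removed line normalized the username via `provider.normalize_username` while the new code hashes raw `user.name`, so two spellings of the same account would receive different persistent identifiers, which looks unintended. The `if idpsalt is None` guard also accepts an empty-string salt; `if not idpsalt:` rejects both. Since the salt is the only secret input, `hmac.new(idpsalt, msg, hashlib.sha512)` would state the keyed-derivation intent more directly than a prefixed plain hash. The enclosing AuthenticateRequest method starts and ends outside the hunk.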
diff --git a/ipsilon/providers/saml2idp.py b/ipsilon/providers/saml2idp.py
index 96a7d11..5d8aa03 100644
--- a/ipsilon/providers/saml2idp.py
+++ b/ipsilon/providers/saml2idp.py
@@ -33,6 +33,7 @@ from datetime import timedelta
import lasso
import os
import time
+import uuid
class Redirect(AuthenticateRequest):
@@ -194,6 +195,10 @@ Provides SAML 2.0 authentication infrastructure. """
'idp key file',
'The IdP Certificate Key genearated at install time.',
'certificate.key'),
+ pconfig.String(
+ 'idp nameid salt',
+ 'The salt used for persistent Name IDs.',
+ None),
pconfig.Condition(
'allow self registration',
'Allow authenticated users to register applications.',
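Review bot: The help text for the new 'idp nameid salt' option does not tell an administrator that the value is a secret whose stability matters: it is hashed into every persistent NameID in auth.py, so rotating it silently changes every identifier that relying parties have already linked to accounts. Suggest `'Secret salt used to derive persistent Name IDs; keep it stable, changing it breaks existing account links at service providers.'`. The option list this hunk edits begins and ends outside the hunk.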
@@ -253,6 +258,10 @@ Provides SAML 2.0 authentication infrastructure. """
self.get_config_value('idp key file'))
@property
+ def idp_nameid_salt(self):
+ return self.get_config_value('idp nameid salt')
+
+ @property
def default_allowed_nameids(self):
return self.get_config_value('default allowed nameids')
@@ -324,10 +333,10 @@ class IdpMetadataGenerator(object):
self.meta.add_service(metadata.SAML2_SERVICE_MAP['logout-redirect'],
'%s/saml2/SLO/Redirect' % url)
self.meta.add_allowed_name_format(
- lasso.SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT)
- self.meta.add_allowed_name_format(
lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT)
self.meta.add_allowed_name_format(
+ lasso.SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT)
+ self.meta.add_allowed_name_format(
lasso.SAML2_NAME_IDENTIFIER_FORMAT_EMAIL)
def output(self, path=None):
@@ -379,7 +388,8 @@ class Installer(ProviderInstaller):
config = {'idp storage path': path,
'idp metadata file': 'metadata.xml',
'idp certificate file': cert.cert,
- 'idp key file': cert.key}
+ 'idp key file': cert.key,
+ 'idp nameid salt': uuid.uuid4().hex}
po.save_plugin_config(config)
# Update global config to add login plugin
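Review bot: The salt is generated only on this fresh-install path, so a deployment upgraded from a version without 'idp nameid salt' will presumably carry a None value and every persistent-NameID request will fail with the AuthenticationError added in auth.py until an administrator sets one by hand. Either an upgrade step that populates the value when it is missing, or a release note stating that it must be set, seems needed. The installer method continues outside the hunk.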