From 05d09bc22cb1d233ca016c6bf1d97f28193d0469 Mon Sep 17 00:00:00 2001
From: rhoerbe
Date: Thu, 3 Jul 2014 17:42:53 +0200
Subject: [PATCH 1/4] added AT government SAML profile attributes

---
 src/saml2/attributemaps/saml_uri.py | 41 +++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)

diff --git a/src/saml2/attributemaps/saml_uri.py b/src/saml2/attributemaps/saml_uri.py
index 4aa8451..ebe8827 100644
--- a/src/saml2/attributemaps/saml_uri.py
+++ b/src/saml2/attributemaps/saml_uri.py
@@ -1,5 +1,8 @@
 EDUCOURSE_OID = 'urn:oid:1.3.6.1.4.1.5923.1.6.1.'
 EDUPERSON_OID = 'urn:oid:1.3.6.1.4.1.5923.1.1.1.'
+LDAPGVAT_OID = 'urn:oid:1.2.40.0.10.2.1.1.' # ldap.gv.at definitions as specified in http://www.ref.gv.at/AG-IZ-PVP2-Version-2-1-0-2.2754.0.html
+LDAPGVAT_UCL_DIR_PILOT = UCL_DIR_PILOT
+LDAPGVAT_X500ATTR_OID = X500ATTR_OID
 NETSCAPE_LDAP = 'urn:oid:2.16.840.1.113730.3.1.'
 NOREDUPERSON_OID = 'urn:oid:1.3.6.1.4.1.2428.90.1.'
 PKCS_9 = 'urn:oid:1.2.840.113549.1.9.1.'
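Review bot: `LDAPGVAT_UCL_DIR_PILOT = UCL_DIR_PILOT` and `LDAPGVAT_X500ATTR_OID = X500ATTR_OID` are executed at import time on module lines 4 and 5, and the constants in this file appear to be kept in alphabetical order (EDUCOURSE_OID, EDUPERSON_OID, NETSCAPE_LDAP, NOREDUPERSON_OID, PKCS_9 ...), so UCL_DIR_PILOT and X500ATTR_OID are presumably assigned further down; if so, importing this attribute map raises NameError and every entity configured with it fails at start-up. Either move the two aliases below the assignments they reference, or drop them altogether and use UCL_DIR_PILOT / X500ATTR_OID directly in MAP, since the aliases carry no information of their own (the OID prefixes are identical). The reference comment appended to the LDAPGVAT_OID line would read better on its own line above the assignment, e.g. `# ldap.gv.at definitions as specified in http://www.ref.gv.at/AG-IZ-PVP2-Version-2-1-0-2.2754.0.html`.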
@@ -26,6 +29,25 @@ MAP = {
     EDUPERSON_OID+'9': 'eduPersonScopedAffiliation',
     EDUPERSON_OID+'10': 'eduPersonTargetedID',
     EDUPERSON_OID+'11': 'eduPersonAssurance',
+    LDAPGVAT_OID+'1': 'PVP-GID',
+    LDAPGVAT_OID+'149': 'PVP-BPK',
+    LDAPGVAT_OID+'153': 'PVP-OU-OKZ',
+    LDAPGVAT_OID+'261.10': 'PVP-VERSION',
+    LDAPGVAT_OID+'261.20': 'PVP-PRINCIPAL-NAME',
+    LDAPGVAT_OID+'261.24': 'PVP-PARTICIPANT-OKZ',
+    LDAPGVAT_OID+'261.30': 'PVP-ROLES',
+    LDAPGVAT_OID+'261.40': 'PVP-INVOICE-RECPT-ID',
+    LDAPGVAT_OID+'261.50': 'PVP-COST-CENTER-ID',
+    LDAPGVAT_OID+'261.60': 'PVP-CHARGE-CODE',
+    LDAPGVAT_OID+'3': 'PVP-OU-GV-OU-ID',
+    LDAPGVAT_OID+'33': 'PVP-FUNCTION',
+    LDAPGVAT_OID+'55': 'PVP-BIRTHDATE',
+    LDAPGVAT_OID+'71': 'PVP-PARTICIPANT-ID',
+    LDAPGVAT_UCL_DIR_PILOT+'1': 'PVP-USERID',
+    LDAPGVAT_UCL_DIR_PILOT+'3': 'PVP-MAIL',
+    LDAPGVAT_X500ATTR_OID+'11': 'PVP-OU',
+    LDAPGVAT_X500ATTR_OID+'20': 'PVP-TEL',
+    LDAPGVAT_X500ATTR_OID+'42': 'PVP-GIVENNAME',
     NETSCAPE_LDAP+'1': 'carLicense',
     NETSCAPE_LDAP+'2': 'departmentNumber',
     NETSCAPE_LDAP+'3': 'employeeNumber',
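Review bot: The five entries keyed `LDAPGVAT_UCL_DIR_PILOT+'1'`, `+'3'`, `LDAPGVAT_X500ATTR_OID+'11'`, `+'20'` and `+'42'` reuse OIDs that this forward map presumably already binds to 'uid', 'mail', 'ou', 'telephoneNumber' and 'givenName' (the reverse half in the next hunk carries X500ATTR_OID entries, so the forward ones are very likely present), and a Python dict literal silently keeps only the last value for a duplicate key. Depending on which entry happens to come last, an incoming urn:oid:2.5.4.42 is surfaced either as 'givenName' or as 'PVP-GIVENNAME', and any SP code that checks the other name sees the attribute vanish — this map is what decides which identifiers a relying party believes it received, so the binding must not depend on literal ordering. Only one friendly name can be bound per OID in the fro direction: drop these five from the fro half (keeping them in the to half so 'PVP-OU' still resolves to X500ATTR_OID+'11'), or put the PVP-specific names in a separate map that callers select deliberately. The MAP literal begins outside the hunk.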
@@ -197,6 +219,25 @@ MAP = {
     'presentationAddress': X500ATTR_OID+'29',
     'protocolInformation': X500ATTR_OID+'48',
     'pseudonym': X500ATTR_OID+'65',
+    'PVP-USERID': LDAPGVAT_UCL_DIR_PILOT+'1',
+    'PVP-MAIL': LDAPGVAT_UCL_DIR_PILOT+'3',
+    'PVP-GID': LDAPGVAT_OID+'1',
+    'PVP-BPK': LDAPGVAT_OID+'149',
+    'PVP-OU-OKZ': LDAPGVAT_OID+'153',
+    'PVP-VERSION': LDAPGVAT_OID+'261.10',
+    'PVP-PRINCIPAL-NAME': LDAPGVAT_OID+'261.20',
+    'PVP-PARTICIPANT-OKZ': LDAPGVAT_OID+'261.24',
+    'PVP-ROLES': LDAPGVAT_OID+'261.30',
+    'PVP-INVOICE-RECPT-ID': LDAPGVAT_OID+'261.40',
+    'PVP-COST-CENTER-ID': LDAPGVAT_OID+'261.50',
+    'PVP-CHARGE-CODE': LDAPGVAT_OID+'261.60',
+    'PVP-OU-GV-OU-ID': LDAPGVAT_OID+'3',
+    'PVP-FUNCTION': LDAPGVAT_OID+'33',
+    'PVP-BIRTHDATE': LDAPGVAT_OID+'55',
+    'PVP-PARTICIPANT-ID': LDAPGVAT_OID+'71',
+    'PVP-OU': LDAPGVAT_X500ATTR_OID+'11',
+    'PVP-TEL': LDAPGVAT_X500ATTR_OID+'20',
+    'PVP-GIVENNAME': LDAPGVAT_X500ATTR_OID+'42',
     'registeredAddress': X500ATTR_OID+'26',
     'roleOccupant': X500ATTR_OID+'33',
     'schacCountryOfCitizenship': SCHAC+'5',

From 7110985d9f3ccde9af5d5d4a2d04b2b41f70002f Mon Sep 17 00:00:00 2001
From: rhoerbe
Date: Thu, 3 Jul 2014 17:43:28 +0200
Subject: [PATCH 2/4] added a bit ot text

---
 doc/examples/idp.rst | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/doc/examples/idp.rst b/doc/examples/idp.rst
index 849045c..fcb636a 100644
--- a/doc/examples/idp.rst
+++ b/doc/examples/idp.rst
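Review bot: The keys surrounding this insertion are sorted alphabetically by friendly name ('presentationAddress', 'protocolInformation', 'pseudonym', ... 'registeredAddress'), but the nineteen inserted keys are not — 'PVP-USERID' and 'PVP-MAIL' lead and the rest follow OID order — so the PVP block breaks the by-eye lookup the ordering otherwise gives. Sorting them ('PVP-BIRTHDATE', 'PVP-BPK', 'PVP-CHARGE-CODE', ...) would match the file's convention, and using the same order in both halves of MAP would make it easy to verify that every to entry has its fro counterpart and vice versa. The MAP literal ends outside the hunk.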
@@ -3,6 +3,18 @@
 An extremly simple example of a SAML2 identity provider.
 ========================================================
 
+There are 2 example IDPs in the project's example directory:
+* idp2 has a static definition of users:
+ * user attributes are defined in idp_user.py
+ * the password is defined in the PASSWD dict in idp.py
+* idp2_repoze is using repoze.who middleware to perform authentication and attribute retrieval
+
+Configuration
+-------------
+Entity configuration is described in "Configuration of pysaml2 entities"
+Server parameters like host and port and various command line parameters are
+defined in the main part of idp.py
+
 Setup:
 ******
 

From b4d9ece1e35888eb7642fde3aece0f7bc28f5550 Mon Sep 17 00:00:00 2001
From: rhoerbe
Date: Thu, 3 Jul 2014 17:44:51 +0200
Subject: [PATCH 3/4] changed message text for improved failure experience

---
 src/saml2/mdstore.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/saml2/mdstore.py b/src/saml2/mdstore.py
index 4d82e81..7ce337b 100644
--- a/src/saml2/mdstore.py
+++ b/src/saml2/mdstore.py
@@ -197,7 +197,7 @@ class MetaData(object):
         try:
             if not valid(self.entities_descr.valid_until):
                 raise ToOld(
-                    "Metadata not valid anymore, it's after %s" % (
+                    "Metadata not valid anymore, it's only valid until %s" % (
                         self.entities_descr.valid_until,))
         except AttributeError:
             pass

From 456045dd1f9a77f53f03e8854503d11a70e73262 Mon Sep 17 00:00:00 2001
From: rhoerbe
Date: Thu, 3 Jul 2014 17:47:46 +0200
Subject: [PATCH 4/4] changed message text for improved failure experience; removed unused get_eptid()

---
 example/idp2/idp.py | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

diff --git a/example/idp2/idp.py b/example/idp2/idp.py
index 4c50df3..255e6de 100755
--- a/example/idp2/idp.py
+++ b/example/idp2/idp.py
@@ -49,7 +49,7 @@ from idp_user import EXTRA
 from mako.lookup import TemplateLookup
 
 logger = logging.getLogger("saml2.idp")
-
+logger.setLevel(logging.WARNING)
 
 class Cache(object):
     def __init__(self):
@@ -73,11 +73,6 @@ def _expiration(timeout, tformat="%a, %d-%b-%Y %H:%M:%S GMT"):
     return time_util.in_a_while(minutes=timeout, format=tformat)
 
 
-def get_eptid(idp, req_info, session):
-    return idp.eptid.get(idp.config.entityid,
-                         req_info.sender(), session["permanent_id"],
-                         session["authn_auth"])
-
 
 # -----------------------------------------------------------------------------
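Review bot: `logger.setLevel(logging.WARNING)` at module scope pins the "saml2.idp" logger to WARNING regardless of what the logging configuration elsewhere in the file (presumably in the main block, outside this hunk) asks for, so INFO and DEBUG records from the IdP — the records an operator needs when troubleshooting authentication and attribute release — are discarded before any handler sees them, and the commit subject does not mention this behaviour change. Leaving the level to the handler or root configuration (`logging.basicConfig(level=...)` or a command-line option in the main block) keeps that choice with whoever runs the example. The same edit also reduces the two blank lines before `class Cache(object):` to one, which is PEP 8's E302; keep both blank lines. The second hunk, which deletes get_eptid, runs past the end of this excerpt.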