Diffstat (limited to 'keystone/federation/idp.py')
-rw-r--r-- | keystone/federation/idp.py | 26 |
1 files changed, 23 insertions, 3 deletions
diff --git a/keystone/federation/idp.py b/keystone/federation/idp.py
index e0c983e7b..fd464f5c2 100644
--- a/keystone/federation/idp.py
+++ b/keystone/federation/idp.py
@@ -48,7 +48,8 @@ class SAMLGenerator(object):
 self.assertion_id = uuid.uuid4().hex
 def samlize_token(self, issuer, recipient, user, user_domain_name, roles,
- project, project_domain_name, expires_in=None):
+ project, project_domain_name, groups,
+ expires_in=None):
 """Convert Keystone attributes to a SAML assertion.
 :param issuer: URL of the issuing party
@@ -65,6 +66,9 @@ class SAMLGenerator(object):
 :type project: string
 :param project_domain_name: Project Domain name
 :type project_domain_name: string
+ :param groups: List of strings of user groups and domain name, where
+ strings are serialized dictionaries.
+ :type groups: list
 :param expires_in: Sets how long the assertion is valid for, in seconds
 :type expires_in: int
@@ -76,7 +80,8 @@ class SAMLGenerator(object):
 saml_issuer = self._create_issuer(issuer)
 subject = self._create_subject(user, expiration_time, recipient)
 attribute_statement = self._create_attribute_statement(
- user, user_domain_name, roles, project, project_domain_name)
+ user, user_domain_name, roles, project, project_domain_name,
+ groups)
 authn_statement = self._create_authn_statement(issuer, expiration_time)
 signature = self._create_signature()
@@ -162,7 +167,8 @@ class SAMLGenerator(object):
 return subject
 def _create_attribute_statement(self, user, user_domain_name, roles,
- project, project_domain_name):
+ project, project_domain_name,
+ groups):
 """Create an object that represents a SAML AttributeStatement.
 <ns0:AttributeStatement>
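Review bot: `groups` is inserted as a required positional parameter ahead of `expires_in`, so any existing caller that passed `expires_in` positionally as the eighth argument now binds that integer to `groups` and silently emits a wrong assertion instead of failing with a TypeError; the same reordering is applied to `_create_attribute_statement` further down. Unless every caller is updated in this same commit, the safer signature keeps the old positional contract by appending an optional keyword, `project, project_domain_name, expires_in=None, groups=None):`, which the `if groups:` guard at the bottom of the file already handles for both None and an empty list. The body of samlize_token continues outside the hunk.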
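Review bot: The new `:param groups:` entry does not say what the serialized form is, leaving a caller to guess between a JSON string, a dict and a bare group name, while the example added to `_create_attribute_statement` shows values of the form `JSON:{"name": ..., "domain": {"name": ...}}`. Suggest `:param groups: List of group memberships, each a JSON-encoded dict of the form {"name": <group>, "domain": {"name": <domain>}}; the generator appears to emit them unchanged.` Whether the `JSON:` prefix is added by the caller or by a helper is not visible in this diff, so the docstring should state which side is responsible for it.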
@@ -188,6 +194,15 @@ class SAMLGenerator(object):
 <ns0:AttributeValue
 xsi:type="xs:string">Default</ns0:AttributeValue>
 </ns0:Attribute>
+ <ns0:Attribute Name="openstack_groups">
+ <ns0:AttributeValue
+ xsi:type="xs:string">JSON:{"name":"group1","domain":{"name":"Default"}}
+ </ns0:AttributeValue>
+ <ns0:AttributeValue
+ xsi:type="xs:string">JSON:{"name":"group2","domain":{"name":"Default"}}
+ </ns0:AttributeValue>
+ </ns0:Attribute>
+
 </ns0:AttributeStatement>
 :returns: XML <AttributeStatement> object
@@ -218,6 +233,11 @@ class SAMLGenerator(object):
 attribute_statement.attribute.append(project_attribute)
 attribute_statement.attribute.append(project_domain_attribute)
 attribute_statement.attribute.append(user_domain_attribute)
+
+ if groups:
+ groups_attribute = _build_attribute(
+ 'openstack_groups', groups)
+ attribute_statement.attribute.append(groups_attribute)
 return attribute_statement
 def _create_authn_statement(self, issuer, expiration_time):
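Review bot: The `if groups:` branch hands the list to `_build_attribute` untouched, while the docstring says each element must already be a serialized dictionary and the example shows a `JSON:` prefix, so the format contract is enforced nowhere in this file: a caller that passes plain dicts or bare group names still yields a signed assertion whose `openstack_groups` values the relying party cannot map as intended. Since these values land in a signed assertion that downstream mapping rules will trust, consider validating here, e.g. `if not all(isinstance(g, str) for g in groups): raise ValueError('groups must be serialized strings')`, or performing the serialization in this method so the prefix convention lives in one place. What `_build_attribute` does with non-string values is not visible in this diff. The rest of `_create_attribute_statement` is outside the hunk.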