Multiple AttributeStatement tags per Assertion

This was necessary to implement a real-world SSO integration,
which required handlinge multiple AttributeStatement elements
within a single assertion in a SAML response.

Orginally this change was implemented in a private fork
by Thomas Knott for pysaml 2.2.0, and has been ported
by Sheila Allen for use in pysaml 4.6.0 to hopefully
merge upstream.

There was a similar PR for the same need by pcrownov:
https://github.com/IdentityPython/pysaml2/pull/205/files

1 files changed, 6 insertions, 4 deletions

diff --git a/src/saml2/response.py b/src/saml2/response.py
index 6de8723b..cb3deac5 100644
--- a/src/saml2/response.py
+++ b/src/saml2/response.py
@@ -649,7 +649,7 @@ class AuthnResponse(StatusResponse):
                         self.allow_unknown_attributes)
 
     def get_identity(self):
-        """ The assertion can contain zero or one attributeStatements
+        """ The assertion can contain zero or more attributeStatements
 
         """
         ava = {}
@@ -662,9 +662,11 @@ class AuthnResponse(StatusResponse):
                             ava.update(self.read_attribute_statement(
                                 tmp_assertion.attribute_statement[0]))
             if _assertion.attribute_statement:
-                assert len(_assertion.attribute_statement) == 1
-                _attr_statem = _assertion.attribute_statement[0]
-                ava.update(self.read_attribute_statement(_attr_statem))
+                logger.debug("Assertion contains %s attribute statement(s)",
+                             (len(self.assertion.attribute_statement)))
+                for _attr_statem in _assertion.attribute_statement:
+                    logger.debug("Attribute Statement: %s" % (_attr_statem,))
+                    ava.update(self.read_attribute_statement(_attr_statem))
             if not ava:
                 logger.debug("Assertion contains no attribute statements")
         return ava