authorIvan Kanakarakis <ivan.kanak@gmail.com>2018-11-26 19:47:49 +0200
committerIvan Kanakarakis <ivan.kanak@gmail.com>2018-11-26 19:59:11 +0200
commit65226caa34874a44a5752494a7001d87a5a523de (patch)
tree9b416d5fbecd78600c544a740ab8cecdb02bd04d
parent4815d512fb6ada9678ac0c0e0cfb543f6171ff80 (diff)
Add assurance_certification configuration option
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
-rw-r--r--docs/howto/config.rst20
-rw-r--r--src/saml2/config.py10
-rw-r--r--src/saml2/metadata.py11
3 files changed, 36 insertions, 5 deletions
diff --git a/docs/howto/config.rst b/docs/howto/config.rst
index ee4e403f..274da303 100644
--- a/docs/howto/config.rst
+++ b/docs/howto/config.rst
@@ -55,6 +55,24 @@ Configuration directives
General directives
------------------
+assurance_certification
+^^^^^^^^^^^^^^^^^^^^^^^
+
+Format::
+
+ "assurance_specification": [
+ "https://refeds.org/sirtfi",
+ ]
+
+Generates an `Attribute` element with name-format
+`urn:oasis:names:tc:SAML:2.0:attrname-format:uri` and name
+`urn:oasis:names:tc:SAML:attribute:assurance-certification` that contains
+`AttributeValue` elements with the given values from the list.
+The element is added under the generated metadata `EntityDescriptor` as an
+`Extension` element under the `EntityAttributes` element.
+
+Read more about `representing assurance information at the specification <https://wiki.oasis-open.org/security/SAML2IDAssuranceProfile>`_.
+
attribute_map_dir
^^^^^^^^^^^^^^^^^
@@ -666,7 +684,7 @@ Where the endpoints for the services provided are.
This directive has as value a dictionary with one or more of the following keys:
* artifact_resolution_service (aa, idp and sp)
-* `assertion_consumer_service <https://wiki.shibboleth.net/confluence/display/CONCEPT/AssertionConsumerService>`_ (sp)
+* `assertion_consumer_service <https://wiki.shibboleth.net/confluence/display/CONCEPT/AssertionConsumerService>`_ (sp)
* assertion_id_request_service (aa, idp)
* attribute_service (aa)
* manage_name_id_service (aa, idp)
diff --git a/src/saml2/config.py b/src/saml2/config.py
index d210397c..4278935f 100644
--- a/src/saml2/config.py
+++ b/src/saml2/config.py
@@ -52,6 +52,7 @@ COMMON_ARGS = [
"disable_ssl_certificate_validation",
"preferred_binding",
"session_storage",
+ "assurance_certification",
"entity_category",
"xmlsec_path",
"extension_schemas",
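Review bot: The key registered here is `"assurance_certification"`, but the Format example added to docs/howto/config.rst in this same commit spells it `"assurance_specification"`, so anyone who copies the documented snippet sets a name that is not in COMMON_ARGS. How the loader treats unknown keys is not visible in this diff; if it ignores them, the entity's metadata would be published without the assurance claim and with no error to signal the mistake. The example line in the docs should read `"assurance_certification": [` to match the section heading and this list.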
@@ -221,7 +222,8 @@ class Config(object):
self.preferred_binding = PREFERRED_BINDING
self.domain = ""
self.name_qualifier = ""
- self.entity_category = ""
+ self.assurance_certification = []
+ self.entity_category = []
self.crypto_backend = 'xmlsec1'
self.id_attr_name = None
self.scope = ""
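Review bot: The `[]` default for `assurance_certification` implies a list of URIs, but nothing in the visible hunks enforces that, and the metadata.py hunk iterates the value directly with `for c in confd.assurance_certification`. A config that supplies a single URL as a bare string would pass the truthiness test there and produce one `AttributeValue` per character, which publishes a malformed assurance claim instead of failing. I would document the expectation at this assignment, e.g. `# list of certification URIs; a bare string is iterated per character in entity_descriptor()`, and reject or wrap a non-list value where the config is loaded. `Config.__init__` continues outside this hunk, and the loading code is not shown, so the exact place for the check needs confirming.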
@@ -568,11 +570,11 @@ def config_factory(_type, config):
"""
:type _type: str
- :param _type:
-
+ :param _type:
+
:type config: str or dict
:param config: Name of file with pysaml2 config or CONFIG dict
-
+
:return:
"""
if _type == "sp":
diff --git a/src/saml2/metadata.py b/src/saml2/metadata.py
index a5c35c9e..10f06d67 100644
--- a/src/saml2/metadata.py
+++ b/src/saml2/metadata.py
@@ -692,6 +692,17 @@ def entity_descriptor(confd):
if confd.contact_person is not None:
entd.contact_person = do_contact_persons_info(confd.contact_person)
+ if confd.assurance_certification:
+ if not entd.extensions:
+ entd.extensions = md.Extensions()
+ ava = [AttributeValue(text=c) for c in confd.assurance_certification]
+ attr = Attribute(
+ attribute_value=ava,
+ name="urn:oasis:names:tc:SAML:attribute:assurance-certification"
+ )
+ item = mdattr.EntityAttributes(attribute=attr)
+ entd.extensions.add_extension_element(item)
+
if confd.entity_category:
if not entd.extensions:
entd.extensions = md.Extensions()
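Review bot: The new block wraps the assurance-certification attribute in its own `mdattr.EntityAttributes` element, and the `entity_category` block that follows (its body is outside this hunk) appears to build a container of its own in the same way. With both options set, the descriptor would then carry two `EntityAttributes` elements under one `Extensions`, which, as I read the SAML Entity Attributes metadata extension, is not permitted. Consumers that validate metadata may reject it or read only the first container. Collecting the attributes from both options into one list and emitting a single `mdattr.EntityAttributes(attribute=attrs)` after both checks would avoid that. The `name` URI literal would also be easier to reuse and test as a module-level constant.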