authorRoland Hedberg <roland.hedberg@adm.umu.se>2013-12-05 08:48:25 +0100
committerRoland Hedberg <roland.hedberg@adm.umu.se>2013-12-05 08:48:25 +0100
commitc2701e9ba2c768d62dd54e171b51229a21135e83 (patch)
tree62e0952146bb4d9919549d1c6db8ea6187bac267
parent94b574c56a7c2fe5b03d7ca948823c4b8af9fb39 (diff)
If no identity information refrain from constructing an AttributeStatement.
-rw-r--r--src/saml2/__init__.py16
-rw-r--r--src/saml2/assertion.py5
-rw-r--r--src/saml2/client.py1
-rw-r--r--tests/test_20_assertion.py24
4 files changed, 44 insertions, 2 deletions
diff --git a/src/saml2/__init__.py b/src/saml2/__init__.py
index bf9af8fc..93c4521c 100644
--- a/src/saml2/__init__.py
+++ b/src/saml2/__init__.py
@@ -755,6 +755,22 @@ class SamlBase(ExtensionContainer):
def verify(self):
return valid_instance(self)
+ def empty(self):
+ for prop, _typ, _req in self.c_attributes.values():
+ if getattr(self, prop, None):
+ return False
+
+ for prop, klassdef in self.c_children.values():
+ if getattr(self, prop):
+ return False
+
+ for param in ["text", "extension_elements", "extension_attributes"]:
+ if getattr(self, param):
+ return False
+
+ return True
+
+
# ----------------------------------------------------------------------------
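Review bot: The new `empty()` reads `c_attributes` entries with `getattr(self, prop, None)` but reads the `c_children` entries and the three fixed fields with a bare `getattr(self, prop)`, so an instance lacking one of those attributes raises AttributeError instead of being reported as empty. Using the same default in all three loops, e.g. `if getattr(self, prop, None):`, keeps the method total. Every check is a truthiness test, so an attribute holding a falsy value also counts as unset; that is worth stating, since the method has no docstring and this commit uses it to decide whether an AttributeStatement is emitted. Suggested docstring: `"""Return True if no attribute, child element, text or extension is set (falsy values count as unset)."""`. The unused loop variable `klassdef` could be `_klassdef`, matching `_typ` and `_req`.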
diff --git a/src/saml2/assertion.py b/src/saml2/assertion.py
index 60535c55..318b7084 100644
--- a/src/saml2/assertion.py
+++ b/src/saml2/assertion.py
@@ -675,9 +675,9 @@ class Assertion(dict):
else:
_authn_statement = None
+
_ass = assertion_factory(
issuer=issuer,
- attribute_statement=[attr_statement],
conditions=conds,
subject=factory(
saml.Subject,
@@ -696,6 +696,9 @@ class Assertion(dict):
if _authn_statement:
_ass.authn_statement = [_authn_statement]
+ if not attr_statement.empty():
+ _ass.attribute_statement=[attr_statement],
+
return _ass
def apply_policy(self, sp_entity_id, policy, metadata=None):
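Review bot: The added assignment `_ass.attribute_statement=[attr_statement],` ends with a comma, so it stores a one-element tuple wrapping the list rather than the list itself. It looks like a leftover from the keyword argument this commit removes from the `assertion_factory(...)` call. Whenever identity attributes are present, the assertion then carries a tuple where a list of AttributeStatement elements is expected, which may serialize incorrectly or lose the attributes a service provider relies on for authorization decisions. The line should read `_ass.attribute_statement = [attr_statement]`. The enclosing method starts outside this hunk.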
diff --git a/src/saml2/client.py b/src/saml2/client.py
index 396f3d20..f5696dfe 100644
--- a/src/saml2/client.py
+++ b/src/saml2/client.py
@@ -433,6 +433,7 @@ class Saml2Client(Base):
'method': "POST
}
"""
+ logger.info("logout request: %s" % request)
_req = self._parse_request(request, LogoutRequest,
"single_logout_service", binding)
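Review bot: The added `logger.info("logout request: %s" % request)` writes the incoming logout request to the log at INFO level before `_parse_request` has validated it. A LogoutRequest normally carries the subject's NameID and session index, so this puts user identifiers into routine logs. Judging from the docstring fragment, `request` appears to be the message as received, so unvalidated remote content reaches the log sink and could forge log lines if it contains line breaks. Consider `logger.debug("logout request: %s", request)`, which also leaves the formatting to the logging module, or log after parsing and only the fields needed for auditing. The function body starts and ends outside the hunk.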
diff --git a/tests/test_20_assertion.py b/tests/test_20_assertion.py
index c9ce8ad3..460d4e5a 100644
--- a/tests/test_20_assertion.py
+++ b/tests/test_20_assertion.py
@@ -315,6 +315,7 @@ def test_assertion_2():
'urn:oid:2.16.840.1.113730.3.1.241',
'urn:oid:0.9.2342.19200300.100.1.1'])
+
# ----------------------------------------------------------------------------
@@ -751,5 +752,26 @@ def test_filter_ava_5():
assert ava == {}
+def test_assertion_with_zero_attributes():
+ ava = {}
+ ast = Assertion(ava)
+ policy = Policy({
+ "default": {
+ "lifetime": {"minutes": 240},
+ "attribute_restrictions": None, # means all I have
+ "name_form": NAME_FORMAT_URI
+ },
+ })
+ name_id = NameID(format=NAMEID_FORMAT_TRANSIENT, text="foobar")
+ issuer = Issuer(text="entityid", format=NAMEID_FORMAT_ENTITY)
+ msg = ast.construct("sp_entity_id", "in_response_to", "consumer_url",
+ name_id, [AttributeConverterNOOP(NAME_FORMAT_URI)],
+ policy, issuer=issuer, authn_decl=ACD ,
+ authn_auth="authn_authn")
+
+ print msg
+ assert msg.attribute_statement == []
+
+
if __name__ == "__main__":
- test_filter_ava_5() \ No newline at end of file
+ test_assertion_with_zero_attributes() \ No newline at end of file
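Review bot: `test_assertion_with_zero_attributes` pins only the empty case. Nothing here asserts that a populated `ava` passed through `ast.construct(...)` still yields `msg.attribute_statement` as a list holding one AttributeStatement, which is the other branch of the behaviour this commit changes. Add a companion check on a message built from a non-empty `ava`, such as `assert isinstance(msg.attribute_statement, list) and len(msg.attribute_statement) == 1`. The leftover `print msg` can be dropped. The `__main__` guard now runs only the new test.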