authorScott Koranda <skoranda@gmail.com>2018-08-16 13:20:34 -0500
committerScott Koranda <skoranda@gmail.com>2018-08-16 13:20:34 -0500
commitc30582068d100f6b416a4d8ca52a8f9e233bd6d0 (patch)
tree334fba79a3c226bf04846f02c30f18ada1585c96 /src/saml2/client_base.py
parenta17f233c7a845105913ee4c72c33eb6c60a6d5c6 (diff)
downloadpysaml2-c30582068d100f6b416a4d8ca52a8f9e233bd6d0.tar.gz
SP class should not assume SAML NameID in assertion
The basic pySAML2 service provider class upon which SPs are built should not require that a SAML authentication request response from an IdP contains a SAML NameID element since it is not required by the SAML 2.0 specification. This change enables the parse_authn_request_response method for the basic pySAML2 service provider class to successfully parse a SAML authentication request response that does not contain a SAML NameID element.
Diffstat (limited to 'src/saml2/client_base.py')
-rw-r--r--src/saml2/client_base.py83
1 files changed, 41 insertions, 42 deletions
diff --git a/src/saml2/client_base.py b/src/saml2/client_base.py
index f8704c20..d0a8e82c 100644
--- a/src/saml2/client_base.py
+++ b/src/saml2/client_base.py
@@ -676,50 +676,49 @@ class Base(Entity):
:return: An response.AuthnResponse or None
"""
- try:
- _ = self.config.entityid
- except KeyError:
+ if not getattr(self.config, 'entityid', None):
raise SAMLError("Missing entity_id specification")
- resp = None
- if xmlstr:
- kwargs = {
- "outstanding_queries": outstanding,
- "outstanding_certs": outstanding_certs,
- "allow_unsolicited": self.allow_unsolicited,
- "want_assertions_signed": self.want_assertions_signed,
- "want_response_signed": self.want_response_signed,
- "return_addrs": self.service_urls(binding=binding),
- "entity_id": self.config.entityid,
- "attribute_converters": self.config.attribute_converters,
- "allow_unknown_attributes":
- self.config.allow_unknown_attributes,
- 'conv_info': conv_info
- }
- try:
- resp = self._parse_response(xmlstr, AuthnResponse,
- "assertion_consumer_service",
- binding, **kwargs)
- except StatusError as err:
- logger.error("SAML status error: %s", err)
- raise
- except UnravelError:
- return None
- except Exception as err:
- logger.error("XML parse error: %s", err)
- raise
-
- if resp is None:
- return None
- elif isinstance(resp, AuthnResponse):
- if resp.assertion is not None and len(
- resp.response.encrypted_assertion) == 0:
- self.users.add_information_about_person(resp.session_info())
- logger.info("--- ADDED person info ----")
- pass
- else:
- logger.error("Response type not supported: %s",
- saml2.class_name(resp))
+ if not xmlstr:
+ return None
+
+ kwargs = {
+ "outstanding_queries": outstanding,
+ "outstanding_certs": outstanding_certs,
+ "allow_unsolicited": self.allow_unsolicited,
+ "want_assertions_signed": self.want_assertions_signed,
+ "want_response_signed": self.want_response_signed,
+ "return_addrs": self.service_urls(binding=binding),
+ "entity_id": self.config.entityid,
+ "attribute_converters": self.config.attribute_converters,
+ "allow_unknown_attributes":
+ self.config.allow_unknown_attributes,
+ 'conv_info': conv_info
+ }
+
+ try:
+ resp = self._parse_response(xmlstr, AuthnResponse,
+ "assertion_consumer_service",
+ binding, **kwargs)
+ except StatusError as err:
+ logger.error("SAML status error: %s", err)
+ raise
+ except UnravelError:
+ return None
+ except Exception as err:
+ logger.error("XML parse error: %s", err)
+ raise
+
+ if not isinstance(resp, AuthnResponse):
+ logger.error("Response type not supported: %s",
+ saml2.class_name(resp))
+ return None
+
+ if (resp.assertion and len(resp.response.encrypted_assertion) == 0 and
+ resp.assertion.subject.name_id):
+ self.users.add_information_about_person(resp.session_info())
+ logger.info("--- ADDED person info ----")
+
return resp
# ------------------------------------------------------------------------
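Review bot: The new guard at L104-L105 dereferences `resp.assertion.subject.name_id` without checking that the Subject itself is present, so an assertion carrying no Subject element would raise AttributeError out of the method after parsing has already succeeded, unless `_parse_response` guarantees a Subject (not visible in this hunk). That same branch is the only place session information reaches `self.users`, and when the NameID is absent the method now skips it without any log, so an operator seeing a later session lookup fail has nothing to go on; I'd pull the lookup into a guarded local and log the skip, as below. The change from returning `resp` to returning `None` for an unsupported response type (L99-L102) is a behaviour change the commit message does not mention and deserves a sentence there. The enclosing `parse_authn_request_response` method starts above this hunk.
```python
        # … unchanged: _parse_response call, error handling, unsupported-type check …
        subject = resp.assertion.subject if resp.assertion else None
        name_id = getattr(subject, "name_id", None)
        if name_id and len(resp.response.encrypted_assertion) == 0:
            self.users.add_information_about_person(resp.session_info())
            logger.info("--- ADDED person info ----")
        elif resp.assertion and not name_id:
            # NameID is optional in SAML 2.0; without it there is no subject to key on.
            logger.info("Assertion has no NameID; person info not stored")

        return resp
```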