set downstream nameID #207


Closed
wants to merge 1 commit into from

Conversation

pcaskey

@pcaskey pcaskey commented Mar 7, 2019

Set the downstream NameID to the value of a specific attribute
regardless of what was received from the upstream IdP.

All Submissions:

  • Have you checked to ensure there aren't other open Pull Requests for the same update/change?
  • Have you added an explanation of what problem you are trying to solve with this PR?
  • Have you added information on what your changes do and why you chose this as your solution?
  • Have you written new tests for your changes?
  • Does your submission pass tests?
  • This project follows PEP8 style guide. Have you run your code against the 'flake8' linter?

@c00kiemon5ter
Member

c00kiemon5ter commented Apr 2, 2019

Hello, this should be done through a plugin. Plugins/micro-services receive the internal representation of the attributes and other elements of the requests/responses. The NameID value is mapped from internal.InternalData.subject_id and the NameID Format from internal.InternalData.subject_type. Such a micro-service would look like (untested):

from saml2.saml import NAMEID_FORMAT_PERSISTENT

from satosa.micro_services.base import ResponseMicroService


class NameIDFromAttribute(ResponseMicroService):
    """
    example configuration:

      module: nameid_from_attribute.NameIDFromAttribute
      name: NameIDFromAttribute
      config:
        persistent_nameid_from_attribute: eptid
    """

    def __init__(self, config, internal_attributes, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.from_attribute = config["persistent_nameid_from_attribute"]

    def process(self, context, internal_data):
        # remember, attributes can have multiple values
        # - either concat: "".join(internal_data.attributes.get(self.from_attribute, []))
        # - or select the first one: internal_data.attributes.get(self.from_attribute, [None])[0]
        internal_data.subject_id = "".join(internal_data.attributes.get(self.from_attribute, []))
        internal_data.subject_type = NAMEID_FORMAT_PERSISTENT
        return super().process(context, internal_data)

Another option you have is to use the user_id_from_attrs option in internal_attributes.yaml. This effectively does the same as the plugin above, but I'm skeptical whether it will remain or will be removed and replaced by such a plugin.
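
The attribute-to-NameID selection described in the comment above, as an added stand-alone example that is not part of the PR or of SATOSA: `FakeInternalData`, `select_nameid_value`, `set_persistent_nameid` and `NameIDSelectionError` are constructed here so the logic runs without satosa or pysaml2 installed, and the format constant is the standard SAML 2.0 persistent NameID URN. It shows the "first", "concat" and a strict single-value policy, and it fails closed when the source attribute is missing or empty instead of emitting an empty persistent NameID that several users would share.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Same value that pysaml2 exposes as saml2.saml.NAMEID_FORMAT_PERSISTENT
NAMEID_FORMAT_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


@dataclass
class FakeInternalData:
    """Minimal stand-in for satosa.internal.InternalData (constructed for this example)."""
    attributes: Dict[str, List[str]] = field(default_factory=dict)
    subject_id: Optional[str] = None
    subject_type: Optional[str] = None


class NameIDSelectionError(ValueError):
    """Raised when no unambiguous NameID value can be derived from the attribute."""


def select_nameid_value(attributes, from_attribute, policy="single"):
    """Return the NameID value taken from `from_attribute`.

    policy="single": exactly one non-empty value is required (fail closed).
    policy="first":  take the first value (the comment's second option).
    policy="concat": join all values (the comment's first option).
    A missing or empty attribute always raises: an empty persistent NameID
    would make unrelated users indistinguishable at the downstream SP.
    """
    values = [v for v in attributes.get(from_attribute, []) if v]
    if not values:
        raise NameIDSelectionError(f"attribute {from_attribute!r} missing or empty")
    if policy == "single":
        if len(values) != 1:
            raise NameIDSelectionError(f"attribute {from_attribute!r} is multi-valued: {values}")
        return values[0]
    if policy == "first":
        return values[0]
    if policy == "concat":
        return "".join(values)
    raise ValueError(f"unknown policy {policy!r}")


def set_persistent_nameid(internal_data, from_attribute, policy="single"):
    """Mirror what the micro-service's process() does to the internal data."""
    internal_data.subject_id = select_nameid_value(internal_data.attributes, from_attribute, policy)
    internal_data.subject_type = NAMEID_FORMAT_PERSISTENT
    return internal_data


if __name__ == "__main__":
    # Constructed sample attributes, as they would arrive from the upstream IdP
    data = FakeInternalData(attributes={"eptid": ["abc123@idp.example"], "mail": ["user@example.org"]})
    print(set_persistent_nameid(data, "eptid").subject_id)
```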

@c00kiemon5ter
Member

The other problematic thing with what you have is that you use a configuration option that is not declared anywhere: it is searched for in the part of the configuration that belongs to pysaml2, but it is handled by satosa.
The same thing, with the configuration option, happens in the other PR #206.
