Adding AuthnContextClassRef support #34

Author: pitbulk

README.md

@@ -212,10 +212,12 @@ This is the settings.json file:
         // represent the requested subject.
         // Take a look on src/onelogin/saml2/constants.py to see the NameIdFormat that are supported.
         "NameIDFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified",
+        // Specifies the AuthnContextClassRef that will be sent in the login request 
+        'AuthnContextClassRef' => 'urn:oasis:names:tc:SAML:2.0:ac:classes:Password',
         // Usually x509cert and privateKey of the SP are provided by files placed at
         // the certs folder. But we can also provide them with the following parameters
         'x509cert' => '',
-        'privateKey' > ''
+        'privateKey' => ''
     },
 
     // Identity Provider Data that we want connected with our SP.

src/onelogin/saml2/authn_request.py

@@ -58,6 +58,8 @@ def __init__(self, settings):
             if 'displayname' in organization_data[lang] and organization_data[lang]['displayname'] is not None:
                 provider_name_str = 'ProviderName="%s"' % organization_data[lang]['displayname']
 
+        auth_context_class_ref = sp_data['AuthnContextClassRef']
+
         request = """<samlp:AuthnRequest
     xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
     xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
@@ -73,7 +75,7 @@ def __init__(self, settings):
         Format="%(name_id_policy)s"
         AllowCreate="true" />
     <samlp:RequestedAuthnContext Comparison="exact">
-        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
+        <saml:AuthnContextClassRef>%(auth_context_class_ref)s</saml:AuthnContextClassRef>
     </samlp:RequestedAuthnContext>
 </samlp:AuthnRequest>""" % \
             {
@@ -84,6 +86,7 @@ def __init__(self, settings):
                 'assertion_url': sp_data['assertionConsumerService']['url'],
                 'entity_id': sp_data['entityId'],
                 'name_id_policy': name_id_policy_format,
+                'auth_context_class_ref': auth_context_class_ref,
             }
 
         self.__authn_request = request

src/onelogin/saml2/settings.py

@@ -266,6 +266,10 @@ def __add_default_values(self):
         if 'nameIdEncrypted' not in self.__security:
             self.__security['nameIdEncrypted'] = False
 
+        # AuthnContextClassRef
+        if 'AuthnContextClassRef' not in self.__sp:
+            self.__sp['AuthnContextClassRef'] = OneLogin_Saml2_Constants.AC_PASSWORD
+
         # Sign provided
         if 'authnRequestsSigned' not in self.__security.keys():
             self.__security['authnRequestsSigned'] = False

tests/src/OneLogin/saml2_tests/authn_request_test.py

@@ -11,6 +11,7 @@
 from zlib import decompress
 
 from onelogin.saml2.authn_request import OneLogin_Saml2_Authn_Request
+from onelogin.saml2.constants import OneLogin_Saml2_Constants
 from onelogin.saml2.settings import OneLogin_Saml2_Settings
 from onelogin.saml2.utils import OneLogin_Saml2_Utils
 
@@ -61,6 +62,31 @@ def testCreateRequest(self):
         self.assertRegexpMatches(inflated, '^<samlp:AuthnRequest')
         self.assertNotIn('ProviderName="SP test"', inflated)
 
+    def testCreateRequestAuthContext(self):
+        """
+        Tests the OneLogin_Saml2_Authn_Request Constructor.
+        The creation of a deflated SAML Request with defined AuthContext
+        """
+        saml_settings = self.loadSettingsJSON()
+        settings = OneLogin_Saml2_Settings(saml_settings)
+        authn_request = OneLogin_Saml2_Authn_Request(settings)
+        authn_request_encoded = authn_request.get_request()
+        decoded = b64decode(authn_request_encoded)
+        inflated = decompress(decoded, -15)
+        self.assertRegexpMatches(inflated, '^<samlp:AuthnRequest')
+        self.assertIn(OneLogin_Saml2_Constants.AC_PASSWORD, inflated)
+        self.assertNotIn(OneLogin_Saml2_Constants.AC_X509, inflated)
+
+        saml_settings['sp']['AuthnContextClassRef'] = OneLogin_Saml2_Constants.AC_X509
+        settings = OneLogin_Saml2_Settings(saml_settings)
+        authn_request = OneLogin_Saml2_Authn_Request(settings)
+        authn_request_encoded = authn_request.get_request()
+        decoded = b64decode(authn_request_encoded)
+        inflated = decompress(decoded, -15)
+        self.assertRegexpMatches(inflated, '^<samlp:AuthnRequest')
+        self.assertNotIn(OneLogin_Saml2_Constants.AC_PASSWORD, inflated)
+        self.assertIn(OneLogin_Saml2_Constants.AC_X509, inflated)
+
     def testCreateDeflatedSAMLRequestURLParameter(self):
         """
         Tests the OneLogin_Saml2_Authn_Request Constructor.