Related to #34. Implemented the AuthNRequestContext in a different way

Author: pitbulk

README.md

@@ -212,8 +212,6 @@ This is the settings.json file:
         // represent the requested subject.
         // Take a look on src/onelogin/saml2/constants.py to see the NameIdFormat that are supported.
         "NameIDFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified",
-        // Specifies the AuthnContextClassRef that will be sent in the login request 
-        'AuthnContextClassRef' => 'urn:oasis:names:tc:SAML:2.0:ac:classes:Password',
         // Usually x509cert and privateKey of the SP are provided by files placed at
         // the certs folder. But we can also provide them with the following parameters
         'x509cert' => '',
@@ -300,7 +298,13 @@ In addition to the required settings data (idp, sp), there is extra information
 
         // Indicates a requirement for the NameID received by
         // this SP to be encrypted.
-        "wantNameIdEncrypted": false
+        "wantNameIdEncrypted": false,
+
+        // Authentication context.
+        // Set to false and no AuthContext will be sent in the AuthNRequest,
+        // Set true or don't present thi parameter and you will get an AuthContext 'exact' 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'
+        // Set an array with the possible auth context values: array ('urn:oasis:names:tc:SAML:2.0:ac:classes:Password', 'urn:oasis:names:tc:SAML:2.0:ac:classes:X509'),
+        'requestedAuthnContext' => true,
     },
 
     // Contact information template, it is recommended to suply a

src/onelogin/saml2/authn_request.py

@@ -58,7 +58,17 @@ def __init__(self, settings):
             if 'displayname' in organization_data[lang] and organization_data[lang]['displayname'] is not None:
                 provider_name_str = 'ProviderName="%s"' % organization_data[lang]['displayname']
 
-        auth_context_class_ref = sp_data['AuthnContextClassRef']
+        requested_authn_context_str = ''
+        if 'requestedAuthnContext' in security.keys() and security['requestedAuthnContext'] != False:
+            if security['requestedAuthnContext'] == True:
+                requested_authn_context_str = """    <samlp:RequestedAuthnContext Comparison="exact">
+        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
+    </samlp:RequestedAuthnContext>"""
+            else:
+                requested_authn_context_str = '     <samlp:RequestedAuthnContext Comparison="exact">'
+                for authn_context in security['requestedAuthnContext']:
+                    requested_authn_context_str += '<saml:AuthnContextClassRef>%s</saml:AuthnContextClassRef>' % authn_context
+                requested_authn_context_str += '    </samlp:RequestedAuthnContext>'
 
         request = """<samlp:AuthnRequest
     xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
@@ -74,9 +84,7 @@ def __init__(self, settings):
     <samlp:NameIDPolicy
         Format="%(name_id_policy)s"
         AllowCreate="true" />
-    <samlp:RequestedAuthnContext Comparison="exact">
-        <saml:AuthnContextClassRef>%(auth_context_class_ref)s</saml:AuthnContextClassRef>
-    </samlp:RequestedAuthnContext>
+%(requested_authn_context_str)s
 </samlp:AuthnRequest>""" % \
             {
                 'id': uid,
@@ -86,7 +94,7 @@ def __init__(self, settings):
                 'assertion_url': sp_data['assertionConsumerService']['url'],
                 'entity_id': sp_data['entityId'],
                 'name_id_policy': name_id_policy_format,
-                'auth_context_class_ref': auth_context_class_ref,
+                'requested_authn_context_str': requested_authn_context_str,
             }
 
         self.__authn_request = request

src/onelogin/saml2/constants.py

@@ -57,6 +57,7 @@ class OneLogin_Saml2_Constants(object):
     # Auth Context Class
     AC_UNSPECIFIED = 'urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified'
     AC_PASSWORD = 'urn:oasis:names:tc:SAML:2.0:ac:classes:Password'
+    AC_PASSWORD_PROTECTED = 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'
     AC_X509 = 'urn:oasis:names:tc:SAML:2.0:ac:classes:X509'
     AC_SMARTCARD = 'urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard'
     AC_KERBEROS = 'urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos'

src/onelogin/saml2/settings.py

@@ -266,10 +266,6 @@ def __add_default_values(self):
         if 'nameIdEncrypted' not in self.__security:
             self.__security['nameIdEncrypted'] = False
 
-        # AuthnContextClassRef
-        if 'AuthnContextClassRef' not in self.__sp:
-            self.__sp['AuthnContextClassRef'] = OneLogin_Saml2_Constants.AC_PASSWORD
-
         # Sign provided
         if 'authnRequestsSigned' not in self.__security.keys():
             self.__security['authnRequestsSigned'] = False
@@ -302,6 +298,9 @@ def __add_default_values(self):
         if 'privateKey' not in self.__sp:
             self.__sp['privateKey'] = ''
 
+        if 'requestedAuthnContext' not in self.__security.keys():
+            self.__security['requestedAuthnContext'] = True
+
     def check_settings(self, settings):
         """
         Checks the settings info.

tests/src/OneLogin/saml2_tests/authn_request_test.py

@@ -77,14 +77,44 @@ def testCreateRequestAuthContext(self):
         self.assertIn(OneLogin_Saml2_Constants.AC_PASSWORD, inflated)
         self.assertNotIn(OneLogin_Saml2_Constants.AC_X509, inflated)
 
-        saml_settings['sp']['AuthnContextClassRef'] = OneLogin_Saml2_Constants.AC_X509
+        saml_settings['security']['requestedAuthnContext'] = True
         settings = OneLogin_Saml2_Settings(saml_settings)
         authn_request = OneLogin_Saml2_Authn_Request(settings)
         authn_request_encoded = authn_request.get_request()
         decoded = b64decode(authn_request_encoded)
         inflated = decompress(decoded, -15)
         self.assertRegexpMatches(inflated, '^<samlp:AuthnRequest')
-        self.assertNotIn(OneLogin_Saml2_Constants.AC_PASSWORD, inflated)
+        self.assertIn(OneLogin_Saml2_Constants.AC_PASSWORD_PROTECTED, inflated)
+        self.assertNotIn(OneLogin_Saml2_Constants.AC_X509, inflated)
+
+        del saml_settings['security']['requestedAuthnContext']
+        settings = OneLogin_Saml2_Settings(saml_settings)
+        authn_request = OneLogin_Saml2_Authn_Request(settings)
+        authn_request_encoded = authn_request.get_request()
+        decoded = b64decode(authn_request_encoded)
+        inflated = decompress(decoded, -15)
+        self.assertRegexpMatches(inflated, '^<samlp:AuthnRequest')
+        self.assertIn(OneLogin_Saml2_Constants.AC_PASSWORD_PROTECTED, inflated)
+        self.assertNotIn(OneLogin_Saml2_Constants.AC_X509, inflated)
+
+        saml_settings['security']['requestedAuthnContext'] = False
+        settings = OneLogin_Saml2_Settings(saml_settings)
+        authn_request = OneLogin_Saml2_Authn_Request(settings)
+        authn_request_encoded = authn_request.get_request()
+        decoded = b64decode(authn_request_encoded)
+        inflated = decompress(decoded, -15)
+        self.assertRegexpMatches(inflated, '^<samlp:AuthnRequest')
+        self.assertNotIn(OneLogin_Saml2_Constants.AC_PASSWORD_PROTECTED, inflated)
+        self.assertNotIn(OneLogin_Saml2_Constants.AC_X509, inflated)
+
+        saml_settings['security']['requestedAuthnContext'] = (OneLogin_Saml2_Constants.AC_PASSWORD_PROTECTED, OneLogin_Saml2_Constants.AC_X509)
+        settings = OneLogin_Saml2_Settings(saml_settings)
+        authn_request = OneLogin_Saml2_Authn_Request(settings)
+        authn_request_encoded = authn_request.get_request()
+        decoded = b64decode(authn_request_encoded)
+        inflated = decompress(decoded, -15)
+        self.assertRegexpMatches(inflated, '^<samlp:AuthnRequest')
+        self.assertIn(OneLogin_Saml2_Constants.AC_PASSWORD_PROTECTED, inflated)
         self.assertIn(OneLogin_Saml2_Constants.AC_X509, inflated)
 
     def testCreateDeflatedSAMLRequestURLParameter(self):