Allows the RequestedAuthnContext Comparison attribute to be set via config

pitbulk · pitbulk · commit 590e5aeb6d37 · 2015-08-23T11:17:35.000+02:00
diff --git a/README.md b/README.md
@@ -321,6 +321,8 @@ In addition to the required settings data (idp, sp), there is extra information
         // Set true or don't present thi parameter and you will get an AuthContext 'exact' 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'
         // Set an array with the possible auth context values: array ('urn:oasis:names:tc:SAML:2.0:ac:classes:Password', 'urn:oasis:names:tc:SAML:2.0:ac:classes:X509'),
         'requestedAuthnContext': true,
+        // Allows the authn comparison parameter to be set, defaults to 'exact' if the setting is not present.
+        'requestedAuthnContextComparison': 'exact',
 
         // In some environment you will need to set how long the published metadata of the Service Provider gonna be valid.
         // is possible to not set the 2 following parameters (or set to null) and default values will be set (2 days, 1 week)
diff --git a/src/onelogin/saml2/authn_request.py b/src/onelogin/saml2/authn_request.py
@@ -74,12 +74,16 @@ def __init__(self, settings, force_authn=False, is_passive=False):
 
         requested_authn_context_str = ''
         if 'requestedAuthnContext' in security.keys() and security['requestedAuthnContext'] is not False:
+            authn_comparison = 'exact'
+            if 'requestedAuthnContextComparison' in security.keys():
+                authn_comparison = security['requestedAuthnContextComparison']
+
             if security['requestedAuthnContext'] is True:
-                requested_authn_context_str = """    <samlp:RequestedAuthnContext Comparison="exact">
+                requested_authn_context_str = """    <samlp:RequestedAuthnContext Comparison="%s">
         <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
-    </samlp:RequestedAuthnContext>"""
+    </samlp:RequestedAuthnContext>""" % authn_comparison
             else:
-                requested_authn_context_str = '     <samlp:RequestedAuthnContext Comparison="exact">'
+                requested_authn_context_str = '     <samlp:RequestedAuthnContext Comparison="%s">' % authn_comparison
                 for authn_context in security['requestedAuthnContext']:
                     requested_authn_context_str += '<saml:AuthnContextClassRef>%s</saml:AuthnContextClassRef>' % authn_context
                 requested_authn_context_str += '    </samlp:RequestedAuthnContext>'
diff --git a/tests/src/OneLogin/saml2_tests/authn_request_test.py b/tests/src/OneLogin/saml2_tests/authn_request_test.py
@@ -117,6 +117,39 @@ def testCreateRequestAuthContext(self):
         self.assertIn(OneLogin_Saml2_Constants.AC_PASSWORD_PROTECTED, inflated)
         self.assertIn(OneLogin_Saml2_Constants.AC_X509, inflated)
 
+    def testCreateRequestAuthContextComparision(self):
+        """
+        Tests the OneLogin_Saml2_Authn_Request Constructor.
+        The creation of a deflated SAML Request with defined AuthnContextComparison
+        """
+        saml_settings = self.loadSettingsJSON()
+        settings = OneLogin_Saml2_Settings(saml_settings)
+        authn_request = OneLogin_Saml2_Authn_Request(settings)
+        authn_request_encoded = authn_request.get_request()
+        decoded = b64decode(authn_request_encoded)
+        inflated = decompress(decoded, -15)
+        self.assertRegexpMatches(inflated, '^<samlp:AuthnRequest')
+        self.assertIn(OneLogin_Saml2_Constants.AC_PASSWORD, inflated)
+        self.assertNotIn(OneLogin_Saml2_Constants.AC_X509, inflated)
+
+        saml_settings['security']['requestedAuthnContext'] = True
+        settings = OneLogin_Saml2_Settings(saml_settings)
+        authn_request = OneLogin_Saml2_Authn_Request(settings)
+        authn_request_encoded = authn_request.get_request()
+        decoded = b64decode(authn_request_encoded)
+        inflated = decompress(decoded, -15)
+        self.assertRegexpMatches(inflated, '^<samlp:AuthnRequest')
+        self.assertIn('RequestedAuthnContext Comparison="exact"', inflated)
+
+        saml_settings['security']['requestedAuthnContextComparison'] = 'minimun'
+        settings = OneLogin_Saml2_Settings(saml_settings)
+        authn_request = OneLogin_Saml2_Authn_Request(settings)
+        authn_request_encoded = authn_request.get_request()
+        decoded = b64decode(authn_request_encoded)
+        inflated = decompress(decoded, -15)
+        self.assertRegexpMatches(inflated, '^<samlp:AuthnRequest')
+        self.assertIn('RequestedAuthnContext Comparison="minimun"', inflated)
+
     def testCreateRequestForceAuthN(self):
         """
         Tests the OneLogin_Saml2_Authn_Request Constructor.
