Support AttributeConsumingService

Author: pitbulk

README.md

@@ -214,6 +214,22 @@ This is the settings.json file:
             // only for this endpoint.
             "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
         },
+        // If you need to specify requested attributes, set a 
+        // attributeConsumingService. nameFormat, attributeValue and
+        // friendlyName can be ommited
+        "attributeConsumingService": {
+                "ServiceName": "SP test",
+                "serviceDescription": "Test Service",
+                "requestedAttributes": [
+                    {
+                        "name": "",
+                        "isRequired": false,
+                        "nameFormat": "",
+                        "friendlyName": "",
+                        "attributeValue": ""
+                    }
+                ]
+        },
         // Specifies the constraints on the name identifier to be used to
         // represent the requested subject.
         // Take a look on src/onelogin/saml2/constants.py to see the NameIdFormat that are supported.

src/onelogin/saml2/authn_request.py

@@ -88,6 +88,10 @@ def __init__(self, settings, force_authn=False, is_passive=False):
                     requested_authn_context_str += '<saml:AuthnContextClassRef>%s</saml:AuthnContextClassRef>' % authn_context
                 requested_authn_context_str += '    </samlp:RequestedAuthnContext>'
 
+        attr_consuming_service_str = ''
+        if 'attributeConsumingService' in sp_data and sp_data['attributeConsumingService']:
+            attr_consuming_service_str = "\n    AttributeConsumingServiceIndex=\"1\""
+
         request = OneLogin_Saml2_Templates.AUTHN_REQUEST % \
             {
                 'id': uid,
@@ -100,6 +104,7 @@ def __init__(self, settings, force_authn=False, is_passive=False):
                 'entity_id': sp_data['entityId'],
                 'name_id_policy': name_id_policy_format,
                 'requested_authn_context_str': requested_authn_context_str,
+                'attr_consuming_service_str': attr_consuming_service_str,
             }
 
         self.__authn_request = request

src/onelogin/saml2/metadata.py

@@ -57,7 +57,7 @@ def builder(sp, authnsign=False, wsign=False, valid_until=None, cache_duration=N
         :param contacts: Contacts info
         :type contacts: dict
 
-        :param organization: Organization ingo
+        :param organization: Organization info
         :type organization: dict
         """
         if valid_until is None:
@@ -85,8 +85,7 @@ def builder(sp, authnsign=False, wsign=False, valid_until=None, cache_duration=N
 
         sls = ''
         if 'singleLogoutService' in sp and 'url' in sp['singleLogoutService']:
-            sls = """        <md:SingleLogoutService Binding="%(binding)s"
-                                Location="%(location)s" />\n""" % \
+            sls = OneLogin_Saml2_Templates.MD_SLS % \
                 {
                     'binding': sp['singleLogoutService']['binding'],
                     'location': sp['singleLogoutService']['url'],
@@ -105,9 +104,7 @@ def builder(sp, authnsign=False, wsign=False, valid_until=None, cache_duration=N
                 organization_displaynames.append("""        <md:OrganizationDisplayName xml:lang="%s">%s</md:OrganizationDisplayName>""" % (lang, info['displayname']))
                 organization_urls.append("""        <md:OrganizationURL xml:lang="%s">%s</md:OrganizationURL>""" % (lang, info['url']))
             org_data = '\n'.join(organization_names) + '\n' + '\n'.join(organization_displaynames) + '\n' + '\n'.join(organization_urls)
-            str_organization = """    <md:Organization>
-            %(org)s
-                </md:Organization>""" % {'org': org_data}
+            str_organization = """    <md:Organization>\n%(org)s\n    </md:Organization>""" % {'org': org_data}
 
         str_contacts = ''
         if len(contacts) > 0:
@@ -122,6 +119,49 @@ def builder(sp, authnsign=False, wsign=False, valid_until=None, cache_duration=N
                 contacts_info.append(contact)
             str_contacts = '\n'.join(contacts_info)
 
+        str_attribute_consuming_service = ''
+
+        if 'attributeConsumingService' in sp and len(sp['attributeConsumingService']):
+            attr_cs_desc_str = ''
+            if "serviceDescription" in sp['attributeConsumingService']:
+                attr_cs_desc_str = """            <md:ServiceDescription xml:lang="en">%s</md:ServiceDescription>\n""" % sp['attributeConsumingService']['serviceDescription']
+
+            requested_attribute_data = []
+            for req_attribs in sp['attributeConsumingService']['requestedAttributes']:
+                req_attr_nameformat_str = req_attr_friendlyname_str = req_attr_isrequired_str = ''
+                req_attr_aux_str = ' \>'
+
+                if 'nameFormat' in req_attribs.keys() and req_attribs['nameFormat']:
+                    req_attr_nameformat_str = " NameFormat=\"%s\"" % req_attribs['nameFormat']
+                if 'friendlyName' in req_attribs.keys() and req_attribs['friendlyName']:
+                    req_attr_nameformat_str = " FriendlyName=\"%s\"" % req_attribs['friendlyName']
+                if 'isRequired' in req_attribs.keys() and req_attribs['isRequired']:
+                    req_attr_isrequired_str = " isRequired=\"%s\"" % req_attribs['isRequired']
+                if 'attributeValue' in req_attribs.keys() and req_attribs['attributeValue']:
+                    req_attr_aux_str = """ >
+            <saml:AttributeValue xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion>%(attributeValue)</saml:AttributeValue>
+</md:RequestedAttribute>""" % \
+                        {
+                            'attributeValue': req_attribs['attributeValue']
+                        }
+
+                requested_attribute = OneLogin_Saml2_Templates.MD_REQUESTED_ATTRIBUTE % \
+                    {
+                        'req_attr_name': req_attribs['name'],
+                        'req_attr_nameformat_str': req_attr_nameformat_str,
+                        'req_attr_friendlyname_str': req_attr_friendlyname_str,
+                        'req_attr_isrequired_str': req_attr_isrequired_str,
+                        'req_attr_aux_str': req_attr_aux_str
+                    }
+                requested_attribute_data.append(requested_attribute)
+
+            str_attribute_consuming_service = OneLogin_Saml2_Templates.MD_ATTR_CONSUMER_SERVICE % \
+                {
+                    'service_name': sp['attributeConsumingService']['serviceName'],
+                    'attr_cs_desc': attr_cs_desc_str,
+                    'requested_attribute_str': '\n'.join(requested_attribute_data)
+                }
+
         metadata = OneLogin_Saml2_Templates.MD_ENTITY_DESCRIPTOR % \
             {
                 'valid': ('validUntil="%s"' % valid_until_str) if valid_until_str else '',
@@ -135,6 +175,7 @@ def builder(sp, authnsign=False, wsign=False, valid_until=None, cache_duration=N
                 'sls': sls,
                 'organization': str_organization,
                 'contacts': str_contacts,
+                'attribute_consuming_service': str_attribute_consuming_service
             }
 
         return metadata

src/onelogin/saml2/settings.py

@@ -438,6 +438,31 @@ def check_sp_settings(self, settings):
                 elif not validate_url(sp['assertionConsumerService']['url']):
                     errors.append('sp_acs_url_invalid')
 
+                if 'attributeConsumingService' in sp and len(sp['attributeConsumingService']):
+                    attributeConsumingService = sp['attributeConsumingService']
+                    if 'serviceName' not in attributeConsumingService:
+                        errors.append('sp_attributeConsumingService_serviceName_not_found')
+                    elif not isinstance(attributeConsumingService['serviceName'], basestring):
+                        errors.append('sp_attributeConsumingService_serviceName_type_invalid')
+
+                    if 'requestedAttributes' not in attributeConsumingService:
+                        errors.append('sp_attributeConsumingService_requestedAttributes_not_found')
+                    elif not isinstance(attributeConsumingService['requestedAttributes'], list):
+                        errors.append('sp_attributeConsumingService_serviceName_type_invalid')
+                    else:
+                        for req_attrib in attributeConsumingService['requestedAttributes']:
+                            if 'name' not in req_attrib:
+                                errors.append('sp_attributeConsumingService_requestedAttributes_name_not_found')
+                            if 'name' in req_attrib and not req_attrib['name'].strip():
+                                errors.append('sp_attributeConsumingService_requestedAttributes_name_invalid')
+                            if 'attributeValue' in req_attrib and type(req_attrib['attributeValue']) != list:
+                                errors.append('sp_attributeConsumingService_requestedAttributes_attributeValue_type_invalid')
+                            if 'isRequired' in req_attrib and type(req_attrib['isRequired']) != bool:
+                                errors.append('sp_attributeConsumingService_requestedAttributes_isRequired_type_invalid')
+
+                    if "serviceDescription" in attributeConsumingService and not isinstance(attributeConsumingService['serviceDescription'], basestring):
+                        errors.append('sp_attributeConsumingService_serviceDescription_type_invalid')
+
                 if 'singleLogoutService' in sp and \
                     'url' in sp['singleLogoutService'] and \
                     len(sp['singleLogoutService']['url']) > 0 and \

src/onelogin/saml2/xml_templates.py

@@ -31,8 +31,9 @@ class OneLogin_Saml2_Templates(object):
     IssueInstant="%(issue_instant)s"
     Destination="%(destination)s"
     ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
-    AssertionConsumerServiceURL="%(assertion_url)s">
+    AssertionConsumerServiceURL="%(assertion_url)s"%(attr_consuming_service_str)s>
     <saml:Issuer>%(entity_id)s</saml:Issuer>
+
     <samlp:NameIDPolicy
         Format="%(name_id_policy)s"
         AllowCreate="true" />
@@ -73,6 +74,19 @@ class OneLogin_Saml2_Templates(object):
         <md:EmailAddress>%(email)s</md:EmailAddress>
     </md:ContactPerson>"""
 
+    MD_SLS = """\
+        <md:SingleLogoutService Binding="%(binding)s"
+                                Location="%(location)s" />\n"""
+
+    MD_REQUESTED_ATTRIBUTE = """\
+            <md:RequestedAttribute Name="%(req_attr_name)s"%(req_attr_nameformat_str)s%(req_attr_isrequired_str)s%(req_attr_aux_str)s"""
+
+    MD_ATTR_CONSUMER_SERVICE = """\
+        <md:AttributeConsumingService index="1">
+            <md:ServiceName xml:lang="en">%(service_name)s</md:ServiceName>
+%(attr_cs_desc)s%(requested_attribute_str)s
+        </md:AttributeConsumingService>\n"""
+
     MD_ENTITY_DESCRIPTOR = """\
 <?xml version="1.0"?>
 <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
@@ -84,7 +98,7 @@ class OneLogin_Saml2_Templates(object):
         <md:AssertionConsumerService Binding="%(binding)s"
                                      Location="%(location)s"
                                      index="1" />
-    </md:SPSSODescriptor>
+%(attribute_consuming_service)s    </md:SPSSODescriptor>
 %(organization)s
 %(contacts)s
 </md:EntityDescriptor>"""

tests/settings/settings4.json

@@ -0,0 +1,83 @@
+{
+    "strict": false,
+    "debug": false,
+    "custom_base_path": "../../../tests/data/customPath/",
+    "sp": {
+        "entityId": "http://pytoolkit.com:8000/metadata/",
+        "assertionConsumerService": {
+            "url": "http://pytoolkit.com:8000/?acs"
+        },
+        "attributeConsumingService": {
+            "isDefault": false,
+            "serviceName": "Test Service",
+            "serviceDescription": "Test Service",
+            "requestedAttributes": [ {
+                    "name": "urn:oid:2.5.4.42",
+                    "nameFormat": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
+                    "friendlyName": "givenName",
+                    "isRequired": false
+                },
+                {
+                    "name": "urn:oid:2.5.4.4",
+                    "nameFormat": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
+                    "friendlyName": "sn",
+                    "isRequired": false
+                },
+                {
+                    "name": "urn:oid:2.16.840.1.113730.3.1.241",
+                    "nameFormat": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
+                    "friendlyName": "displayName",
+                    "isRequired": false
+                },
+                {
+                    "name": "urn:oid:0.9.2342.19200300.100.1.3",
+                    "nameFormat": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
+                    "friendlyName": "mail",
+                    "isRequired": false
+                },
+                {
+                    "name": "urn:oid:0.9.2342.19200300.100.1.1",
+                    "nameFormat": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
+                    "friendlyName": "uid",
+                    "isRequired": false
+                }
+            ]
+        },
+        "singleLogoutService": {
+            "url": "http://pytoolkit.com:8000/?sls"
+        },
+        "NameIDFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified"
+    },
+    "idp": {
+        "entityId": "https://pitbulk.no-ip.org/simplesaml/saml2/idp/metadata.php",
+        "singleSignOnService": {
+            "url": "http://pitbulk.no-ip.org/SSOService.php"
+        },
+        "singleLogoutService": {
+            "url": "http://pitbulk.no-ip.org/SingleLogoutService.php"
+        },
+        "x509cert": "MIICbDCCAdWgAwIBAgIBADANBgkqhkiG9w0BAQ0FADBTMQswCQYDVQQGEwJ1czETMBEGA1UECAwKQ2FsaWZvcm5pYTEVMBMGA1UECgwMT25lbG9naW4gSW5jMRgwFgYDVQQDDA9pZHAuZXhhbXBsZS5jb20wHhcNMTQwOTIzMTIyNDA4WhcNNDIwMjA4MTIyNDA4WjBTMQswCQYDVQQGEwJ1czETMBEGA1UECAwKQ2FsaWZvcm5pYTEVMBMGA1UECgwMT25lbG9naW4gSW5jMRgwFgYDVQQDDA9pZHAuZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOWA+YHU7cvPOrBOfxCscsYTJB+kH3MaA9BFrSHFS+KcR6cw7oPSktIJxUgvDpQbtfNcOkE/tuOPBDoech7AXfvH6d7Bw7xtW8PPJ2mB5Hn/HGW2roYhxmfh3tR5SdwN6i4ERVF8eLkvwCHsNQyK2Ref0DAJvpBNZMHCpS24916/AgMBAAGjUDBOMB0GA1UdDgQWBBQ77/qVeiigfhYDITplCNtJKZTM8DAfBgNVHSMEGDAWgBQ77/qVeiigfhYDITplCNtJKZTM8DAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAJO2j/1uO80E5C2PM6Fk9mzerrbkxl7AZ/mvlbOn+sNZE+VZ1AntYuG8ekbJpJtG1YfRfc7EA9mEtqvv4dhv7zBy4nK49OR+KpIBjItWB5kYvrqMLKBa32sMbgqqUqeF1ENXKjpvLSuPdfGJZA3dNa/+Dyb8GGqWe707zLyc5F8m"
+    },
+    "security": {
+        "authnRequestsSigned": false,
+        "wantAssertionsSigned": false,
+        "signMetadata": false
+    },
+    "contactPerson": {
+        "technical": {
+            "givenName": "technical_name",
+            "emailAddress": "technical@example.com"
+        },
+        "support": {
+            "givenName": "support_name",
+            "emailAddress": "support@example.com"
+        }
+    },
+    "organization": {
+        "en-US": {
+            "name": "sp_test",
+            "displayname": "SP test",
+            "url": "http://sp.example.com"
+        }
+    }
+}

tests/src/OneLogin/saml2_tests/authn_request_test.py

@@ -22,8 +22,8 @@
 
 
 class OneLogin_Saml2_Authn_Request_Test(unittest.TestCase):
-    def loadSettingsJSON(self):
-        filename = join(dirname(__file__), '..', '..', '..', 'settings', 'settings1.json')
+    def loadSettingsJSON(self, filename='settings1.json'):
+        filename = join(dirname(__file__), '..', '..', '..', 'settings', filename)
         if exists(filename):
             stream = open(filename, 'r')
             settings = json.load(stream)
@@ -255,3 +255,24 @@ def testGetID(self):
         inflated = compat.to_string(OneLogin_Saml2_Utils.decode_base64_and_inflate(authn_request_encoded))
         document = OneLogin_Saml2_XML.to_etree(inflated)
         self.assertEqual(authn_request.get_id(), document.get('ID', None))
+
+    def testAttributeConsumingService(self):
+        """
+        Tests that the attributeConsumingServiceIndex is present as an attribute
+        """
+        saml_settings = self.loadSettingsJSON()
+        settings = OneLogin_Saml2_Settings(saml_settings)
+
+        authn_request = OneLogin_Saml2_Authn_Request(settings)
+        authn_request_encoded = authn_request.get_request()
+        inflated = compat.to_string(OneLogin_Saml2_Utils.decode_base64_and_inflate(authn_request_encoded))
+
+        self.assertNotIn('AttributeConsumingServiceIndex="1"', inflated)
+
+        saml_settings = self.loadSettingsJSON('settings4.json')
+        settings = OneLogin_Saml2_Settings(saml_settings)
+
+        authn_request = OneLogin_Saml2_Authn_Request(settings)
+        authn_request_encoded = authn_request.get_request()
+        inflated = compat.to_string(OneLogin_Saml2_Utils.decode_base64_and_inflate(authn_request_encoded))
+        self.assertRegexpMatches(inflated, 'AttributeConsumingServiceIndex="1"')

tests/src/OneLogin/saml2_tests/metadata_test.py

@@ -15,8 +15,8 @@
 
 
 class OneLogin_Saml2_Metadata_Test(unittest.TestCase):
-    def loadSettingsJSON(self):
-        filename = join(dirname(__file__), '..', '..', '..', 'settings', 'settings1.json')
+    def loadSettingsJSON(self, filename='settings1.json'):
+        filename = join(dirname(__file__), '..', '..', '..', 'settings', filename)
         if exists(filename):
             stream = open(filename, 'r')
             settings = json.load(stream)
@@ -139,6 +139,28 @@ def testBuilder(self):
         parsed_datetime = strftime(r'%Y-%m-%dT%H:%M:%SZ', datetime_value.timetuple())
         self.assertIn('validUntil="%s"' % parsed_datetime, metadata6)
 
+    def testBuilderAttributeConsumingService(self):
+        settings = OneLogin_Saml2_Settings(self.loadSettingsJSON('settings4.json'))
+        sp_data = settings.get_sp_data()
+        security = settings.get_security_data()
+        organization = settings.get_organization()
+        contacts = settings.get_contacts()
+
+        metadata = OneLogin_Saml2_Metadata.builder(
+            sp_data, security['authnRequestsSigned'],
+            security['wantAssertionsSigned'], None, None, contacts,
+            organization
+        )
+        self.assertIn("""        <md:AttributeConsumingService index="1">
+            <md:ServiceName xml:lang="en">Test Service</md:ServiceName>
+            <md:ServiceDescription xml:lang="en">Test Service</md:ServiceDescription>
+            <md:RequestedAttribute Name="urn:oid:2.5.4.42" FriendlyName="givenName" \>
+            <md:RequestedAttribute Name="urn:oid:2.5.4.4" FriendlyName="sn" \>
+            <md:RequestedAttribute Name="urn:oid:2.16.840.1.113730.3.1.241" FriendlyName="displayName" \>
+            <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail" \>
+            <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.1" FriendlyName="uid" \>
+        </md:AttributeConsumingService>""", metadata)
+
     def testSignMetadata(self):
         """
         Tests the signMetadata method of the OneLogin_Saml2_Metadata