Hello Scott and everyone,
On Tue, 21 May 2019 at 16:47, Scott Koranda <skoranda at gmail.com> wrote:
Hi,
I require the SATOSA SAMLFrontend to assert the following XML for
eduPersonTargetedID as part of an <AttributeStatement>
<Attribute FriendlyName="eduPersonTargetedID"
Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<AttributeValue>
<NameID
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
NameQualifier="https://proxy.my.org/idp/satosa"
SPNameQualifier="https://service.my.org/sp/shibboleth">
1088878806
</NameID>
</AttributeValue>
</Attribute>
Here the value 1088878806 for <NameID> is to be taken from a database (I will
be using an LDAP directory, but in general it is being pulled from some
storage), the NameQualifier is the entityID for the SATOSA proxy IdP frontend
(the SAMLFrontend instance), and the SPNameQualifier is the entityID for the SP
that sent the <AuthnRequest> to the SATOSA proxy IdP frontend.
Has anybody configured the existing SATOSA and pysaml2 code to assert such
XML? If so can you share some details of your configuration?
What does _assert_ mean in this context?
This is how you can parse such a node (which hints how to create one).
Notice below the added namespace
(xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" and 'saml2:'
before the tag names)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
In [1]: import saml2 as s2
In [2]: import saml2.saml as s
In [3]: data = """
...: <saml2:Attribute
...: xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
...: FriendlyName="eduPersonTargetedID"
...: Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
...: NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
...: <saml2:AttributeValue>
...: <saml2:NameID
...: Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
...: NameQualifier="https://proxy.my.org/idp/satosa"
...: SPNameQualifier="https://service.my.org/sp/shibboleth">
...: 1088878806
...: </saml2:NameID>
...: </saml2:AttributeValue>
...: </saml2:Attribute>
...: """
In [5]: s2.create_class_from_xml_string(s.Attribute, data)
Out[5]: <saml2.saml.Attribute at 0x106a56cc0>
In [6]: attr = s2.create_class_from_xml_string(s.Attribute, data)
In [7]: attr.to_string()
Out[7]: b'<ns0:Attribute
xmlns:ns0="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
FriendlyName="eduPersonTargetedID"
Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">\n
<ns0:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xsi:type="xs:string">\n <ns0:NameID
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
NameQualifier="https://proxy.my.org/idp/satosa"
SPNameQualifier="https://service.my.org/sp/shibboleth">\n
1088878806\n
</ns0:NameID></ns0:AttributeValue></ns0:Attribute>'
In [8]: attr.attribute_value
Out[8]: [<saml2.saml.AttributeValue at 0x106a76320>]
In [9]: attr_v = attr.attribute_value[0]
In [10]: attr_v.extension_elements
Out[10]: [<saml2.ExtensionElement at 0x106a76080>]
In [11]: nid = attr_v.extension_elements[0]
In [12]: nid
Out[12]: <saml2.ExtensionElement at 0x106a76080>
In [13]: nid.attributes
Out[13]:
{'Format': 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
'NameQualifier': 'https://proxy.my.org/idp/satosa',
'SPNameQualifier': 'https://service.my.org/sp/shibboleth'}
In [14]: nid.text.strip()
Out[14]: '1088878806'
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
To create such a node:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
In [1]: import saml2 as s2
In [2]: import saml2.saml as s
In [3]: nid = s.NameID(name_qualifier="https://proxy.my.org/idp/satosa",
sp_name_qualifier="https://service.my.org/sp/shibboleth",
format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
text="1088878806")
In [4]: attr_v = s.AttributeValue(extension_elements=[nid])
In [5]: attr = s.Attribute(attribute_value=attr_v,
name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10",
friendly_name="eduPersonTargetedID",
name_format="urn:oasis:names:tc:SAML:2.0:attrname-format:uri")
In [6]: attr.to_string()
Out[6]: b'<ns0:Attribute
xmlns:ns0="urn:oasis:names:tc:SAML:2.0:assertion"
FriendlyName="eduPersonTargetedID"
Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns0:AttributeValue><ns0:NameID
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
NameQualifier="https://proxy.my.org/idp/satosa"
SPNameQualifier="https://service.my.org/sp/shibboleth">1088878…
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
I hope this helps.
Cheers,
--
Ivan c00kiemon5ter Kanakarakis >:3
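Added example, not part of the thread and not pysaml2 code: the same eduPersonTargetedID Attribute built and then parsed back with the Python standard library's xml.etree.ElementTree in place of pysaml2, so it runs without that dependency. The entityIDs and the value 1088878806 are the constructed values from Scott's question. The consumer-side function also checks what a relying SP should verify before trusting a persistent NameID: that the Format is persistent, that NameQualifier is the expected proxy IdP entityID, and that SPNameQualifier is the SP's own entityID (a targeted ID qualified for a different SP must be rejected, since the value is scoped per SP).

```python
"""Build and validate an eduPersonTargetedID <saml2:Attribute> with a nested <saml2:NameID>.

Added example using xml.etree.ElementTree instead of pysaml2. The entityIDs and
the NameID value are constructed sample values taken from the thread.
"""
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
EPTID_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
URI_NAME_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
PERSISTENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed sample values (from the thread).
IDP_ENTITY_ID = "https://proxy.my.org/idp/satosa"
SP_ENTITY_ID = "https://service.my.org/sp/shibboleth"
TARGETED_ID = "1088878806"

# Make the serializer emit the "saml2" prefix rather than "ns0".
ET.register_namespace("saml2", SAML2_NS)

# The namespaced form of the attribute, as shown in the thread (constructed input).
SAMPLE_XML = """
<saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    FriendlyName="eduPersonTargetedID"
    Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
  <saml2:AttributeValue>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
        NameQualifier="https://proxy.my.org/idp/satosa"
        SPNameQualifier="https://service.my.org/sp/shibboleth">
      1088878806
    </saml2:NameID>
  </saml2:AttributeValue>
</saml2:Attribute>
"""


def q(tag):
    """Clark-notation qualified name for a SAML 2.0 assertion element."""
    return "{%s}%s" % (SAML2_NS, tag)


def build_eptid_attribute(value, idp_entity_id, sp_entity_id):
    """Producer side: build the Attribute element for eduPersonTargetedID."""
    attr = ET.Element(q("Attribute"), {
        "FriendlyName": "eduPersonTargetedID",
        "Name": EPTID_OID,
        "NameFormat": URI_NAME_FORMAT,
    })
    attr_value = ET.SubElement(attr, q("AttributeValue"))
    name_id = ET.SubElement(attr_value, q("NameID"), {
        "Format": PERSISTENT_FORMAT,
        "NameQualifier": idp_entity_id,   # entityID of the issuing proxy IdP
        "SPNameQualifier": sp_entity_id,  # entityID of the SP the value is scoped to
    })
    name_id.text = value
    return attr


def serialize(attr):
    """Serialize to a str with the saml2 prefix and namespace declaration."""
    return ET.tostring(attr, encoding="unicode")


def extract_eptid(xml_text, expected_idp, expected_sp):
    """Consumer side: parse the attribute and return the targeted ID.

    Raises ValueError when the structure or the qualifiers are not what this
    SP expects, so a value scoped to another SP or IdP is never accepted.
    """
    root = ET.fromstring(xml_text)
    if root.tag != q("Attribute") or root.get("Name") != EPTID_OID:
        raise ValueError("not an eduPersonTargetedID attribute")
    values = root.findall(q("AttributeValue"))
    if len(values) != 1:
        raise ValueError("expected exactly one AttributeValue")
    name_id = values[0].find(q("NameID"))
    if name_id is None:
        raise ValueError("AttributeValue does not carry a NameID")
    if name_id.get("Format") != PERSISTENT_FORMAT:
        raise ValueError("NameID Format is not persistent")
    if name_id.get("NameQualifier") != expected_idp:
        raise ValueError("NameQualifier does not match the expected IdP")
    if name_id.get("SPNameQualifier") != expected_sp:
        raise ValueError("SPNameQualifier does not match this SP")
    value = (name_id.text or "").strip()
    if not value:
        raise ValueError("empty NameID value")
    return value


if __name__ == "__main__":
    xml = serialize(build_eptid_attribute(TARGETED_ID, IDP_ENTITY_ID, SP_ENTITY_ID))
    print(xml)
    print(extract_eptid(xml, IDP_ENTITY_ID, SP_ENTITY_ID))
```

The value would of course come from the directory lookup Scott describes; here it is passed in as a plain string. Whitespace around the NameID text is stripped on the consumer side, matching the nid.text.strip() call in the session above.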