Merge lp:~roadmr/canonical-identity-provider/saml-extra-attribute-substitutions into lp:canonical-identity-provider/release
Status: Merged
Approved by: Daniel Manrique
Approved revision: no longer in the source branch.
Merge reported by: Otto Co-Pilot
Merged at revision: not available
Proposed branch: lp:~roadmr/canonical-identity-provider/saml-extra-attribute-substitutions
Merge into: lp:canonical-identity-provider/release
Diff against target: 50 lines (+34/-0), 2 files modified
  src/ubuntu_sso_saml/processors.py (+8/-0)
  src/ubuntu_sso_saml/tests/test_processors.py (+26/-0)
To merge this branch: bzr merge lp:~roadmr/canonical-identity-provider/saml-extra-attribute-substitutions
Related bugs:
Reviewer | Review Type | Date Requested | Status
---|---|---|---
Maximiliano Bertacchini | Approve | |
Review via email: mp+362265@code.launchpad.net
Commit message
Add two new substitutions to be used in SAML attribute values.
"displayname" is normally the user's Full Name in SSO.
"email" is the e-mail address.
These enable reporting richer SAML attributes to SPs who can then create nicer-looking
local identities.
Additionally, the existence of the e-mail attribute/
for full compliance with the SAML 8.3 "persistent" policy, though this would
require additional implementation work.
Description of the change
Add two new substitutions to be used in SAML attribute values.
These were requested by Canonical's support group because they need a presentable "full name" to create end-user-visible accounts (and their rationale is that e.g. showing "John Peterson" to a user is fine, but "lordofallthati
The new substitutions:
"displayname" is the user's Full Name in SSO.
"email" is the e-mail address.
These enable reporting richer SAML attributes to SPs who can then create nicer-looking
local identities.
Additionally, the existence of the e-mail attribute/
for full compliance with the SAML 8.3 "persistent" policy, though this would
require additional implementation work. With a separate substitution for e-mail, we could send a truly persistent identifier as the SAML subject's NameID, like the OpenID; and then, send the e-mail as a custom attribute.
Looks good to me. +1