Canonical SSO provider

Merge lp:~roadmr/canonical-identity-provider/saml-extra-attribute-substitutions into lp:canonical-identity-provider/release

saml-extra-attribute-substitutions
Merge into trunk

Proposed by Daniel Manrique on 2019-01-25

Status:	Merged
Approved by:	Daniel Manrique on 2019-01-28
Approved revision:	no longer in the source branch.
Merge reported by:	Otto Co-Pilot
Merged at revision:	not available
Proposed branch:	lp:~roadmr/canonical-identity-provider/saml-extra-attribute-substitutions
Merge into:	lp:canonical-identity-provider/release
Diff against target:	50 lines (+34/-0) 2 files modified src/ubuntu_sso_saml/processors.py (+8/-0) src/ubuntu_sso_saml/tests/test_processors.py (+26/-0)
To merge this branch:	bzr merge lp:~roadmr/canonical-identity-provider/saml-extra-attribute-substitutions
Related bugs:	Link a bug report

Reviewer	Review Type	Date Requested	Status
Maximiliano Bertacchini		2019-01-25	Approve on 2019-01-28
Review via email: mp+362265@code.launchpad.net

Commit message

Add two new substitutions to be used in SAML attribute values.

"displayname" is normally the users' Full Name in SSO.
"email" is the e-mail address.

These enable reporting richer SAML attributes to SPs who can then create nicer-looking
local identities.

Additionally, the existence of the e-mail attribute/substitution might allow
for full compliance with the SAML 8.3 "persistent" policy, though this would
require additional implementation work.

Description of the change

Add two new substitutions to be used in SAML attribute values.

These were requested by Canonical's support group because they need a presentable "full name" to create end-user-visible accounts (and their rationale is that e.g. showing "John Peterson" to a user is fine, but "lordofallthatisunholyandfun" might not be - and the latter is the best we can do currently, since we only support substitutions for "subject" (which is usually the e-mail) and "personname" (which is the username)).

The new substitutions:

"displayname" is the users' Full Name in SSO.
"email" is the e-mail address.

These enable reporting richer SAML attributes to SPs who can then create nicer-looking
local identities.

Additionally, the existence of the e-mail attribute/substitution might allow
for full compliance with the SAML 8.3 "persistent" policy, though this would
require additional implementation work. With a separate substitution for e-mail, we could send a truly persistent identifier as the SAML subject's NameID, like the OpenID; and then, send the e-mail as a custom attribute.

Revision history for this message

Maximiliano Bertacchini (maxiberta) wrote on 2019-01-28:

Looks good to me. +1

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Adrian John San migel

Alexsandr

Corey Russell SR

Damian

Daniel Manrique

Danny Tamez

Diane Montana

Frederico Miranda

Magdalena Shneider

Maximiliano Bertacchini

Rick McMeen

William Grant

abdulhameed omair

alhawiti

fralogos32

marek duda

martin

to status/vote changes:

Harpianto,ANDI

rocket_69

 === modified file 'src/ubuntu_sso_saml/processors.py'
 --- src/ubuntu_sso_saml/processors.py	2019-01-18 17:46:34 +0000
 +++ src/ubuntu_sso_saml/processors.py	2019-01-25 21:10:18 +0000
@@ -461,4 +461,12 @@
                  request = self._django_request
                  attributes[key] = request.build_absolute_uri(
                      request.user.get_absolute_url())
++            elif value == '{{displayname}}':
++                displayname = self._django_request.user.displayname
++                if displayname:
++                    attributes[key] = displayname
++            elif value == '{{email}}':
++                email = self._subject
++                if email:
++                    attributes[key] = email
          return attributes
 === modified file 'src/ubuntu_sso_saml/tests/test_processors.py'
 --- src/ubuntu_sso_saml/tests/test_processors.py	2019-01-18 17:46:34 +0000
 +++ src/ubuntu_sso_saml/tests/test_processors.py	2019-01-25 21:10:18 +0000
@@ -1799,3 +1799,29 @@
                      '{}</saml:AttributeValue></saml:Attribute>'.format(
                          openid_url))
          self.assertIn(expected, samlresponse)
++
++    def test_email_as_attribute(self):
++        self.setup_saml_sp(attributes=json.dumps({
++            'email-from-attrib': '{{email}}',
++        }))
++        email = self.setup_saml_emails()
++
++        samlresponse = self.do_saml_request()
++        expected = ('<saml:Attribute Name="email-from-attrib">'
++                    '<saml:AttributeValue>'
++                    '{}</saml:AttributeValue></saml:Attribute>'.format(
++                        email))
++        self.assertIn(expected, samlresponse)
++
++    def test_displayname_as_attribute(self):
++        self.setup_saml_sp(attributes=json.dumps({
++            'fullname': '{{displayname}}',
++        }))
++        displayname = self.account.displayname
++
++        samlresponse = self.do_saml_request()
++        expected = ('<saml:Attribute Name="fullname">'
++                    '<saml:AttributeValue>'
++                    '{}</saml:AttributeValue></saml:Attribute>'.format(
++                        displayname))
++        self.assertIn(expected, samlresponse)