Support SAML NameID emailAddress and unspecified in response

skoranda · c00kiemon5ter · commit 570e08a2b187 · 2018-09-26T17:10:52.000+03:00
Add logic that allows support for SAML NameID of types
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified
to be sent in the authentication response sent to SAML SPs.

This commit does not add any logic to help set the value for the
NameID but if it is set, say by a microservice, and if the metadata
for the SP specifies one of those types or one of those types is
specified by the SP in the authentication request, then this commit
allows the value to make it through and be set in the response.
diff --git a/src/satosa/frontends/saml2.py b/src/satosa/frontends/saml2.py
@@ -16,7 +16,9 @@
 from saml2.config import IdPConfig
 from saml2.extension.ui import NAMESPACE as UI_NAMESPACE
 from saml2.metadata import create_metadata_string
-from saml2.saml import NameID, NAMEID_FORMAT_TRANSIENT, NAMEID_FORMAT_PERSISTENT
+from saml2.saml import NameID, NAMEID_FORMAT_TRANSIENT, \
+    NAMEID_FORMAT_PERSISTENT, NAMEID_FORMAT_EMAILADDRESS, \
+    NAMEID_FORMAT_UNSPECIFIED
 from saml2.samlp import name_id_policy_from_string
 from saml2.server import Server
 
@@ -45,6 +47,10 @@ def saml_name_id_format_to_hash_type(name_format):
     """
     if name_format == NAMEID_FORMAT_PERSISTENT:
         return UserIdHashType.persistent
+    elif name_format == NAMEID_FORMAT_EMAILADDRESS:
+        return UserIdHashType.emailaddress
+    elif name_format == NAMEID_FORMAT_UNSPECIFIED:
+        return UserIdHashType.unspecified
 
     return UserIdHashType.transient
 
@@ -62,6 +68,11 @@ def hash_type_to_saml_name_id_format(hash_type):
         return NAMEID_FORMAT_TRANSIENT
     elif hash_type is UserIdHashType.persistent:
         return NAMEID_FORMAT_PERSISTENT
+    elif hash_type is UserIdHashType.emailaddress:
+        return NAMEID_FORMAT_EMAILADDRESS
+    elif hash_type is UserIdHashType.unspecified:
+        return NAMEID_FORMAT_UNSPECIFIED
+
     return NAMEID_FORMAT_PERSISTENT
 
 
diff --git a/src/satosa/internal_data.py b/src/satosa/internal_data.py
@@ -6,7 +6,6 @@
 import hashlib
 from enum import Enum
 
-
 class UserIdHashType(Enum):
     """
     All different user id hash types
@@ -15,6 +14,8 @@ class UserIdHashType(Enum):
     persistent = 2
     pairwise = 3
     public = 4
+    emailaddress = 5
+    unspecified = 6
 
     @classmethod
     def from_string(cls, str):
@@ -88,6 +89,9 @@ def hash_id(salt, user_id, requester, state):
             user_id = "{req}{id}".format(req=requester, id=user_id)
         elif hash_type == UserIdHashType.public:
             user_id = "{id}".format(id=user_id)
+        elif hash_type == UserIdHashType.emailaddress or \
+             hash_type == UserIdHashType.unspecified:
+            return user_id
         else:
             raise ValueError("Unknown hash type: '{}'".format(hash_type))
 
