Add support for configuring AuthnContextClassRef per backing provider to return from SAML frontend.

Author: Rebecka Gulliksson

doc/README.md

@@ -189,6 +189,30 @@ The **SamlFrontend** module acts like a regular IDP and hides the target identit
 The target is chosen by using a sso endpoint in the frontend IDP associated to a specific backend. 
 It is the backend modules job to pick an identity provider.
 
+##### Providing `AuthnContextClassRef`
+The SAML2 frontends can provide an authenication class reference in the `AuthnStatement` of the
+assertion in the authentication response. This can be used to describe the Level of Assurance,
+as described for example by [eIDAS](https://joinup.ec.europa.eu/sites/default/files/eidas_message_format_v1.0.pdf).
+
+The `AuthnContextClassRef`(ACR) can be specified per backing provider in a mapping under the 
+configuration parameter `acr_mapping`. The mapping must contain a default ACR under the key `""`
+(empty string), other ACR value specific per provider is specified with key-value pairs, where the
+key is the providers id (entity id for SAML IdP behind SAML2 backend, authorization endpoint URL for
+OAuth AS behind OAuth backend, and issuer for OpenID Connect OP behind OpenID Connect backend). 
+
+If no `acr_mapping` is provided in the configuration, the ACR from the backend plugin will
+be used instead. This means that when using a SAML2 backend, the ACR provided by the backing
+provider will preserved and passed on in the authentication response, and when using a OAuth or
+OpenID Connect backend, the ACR will be `urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified`.
+
+**Example**
+
+    config:
+        config: [...]
+        acr_mapping:
+            "": default-LoA
+            "https://accounts.google.com": LoA1
+
 #### Backend
 The SAML2 backend acts as an SAML Service Provider (SP), making authentication
 requests to SAML Identity Providers (IdP). The default configuration file can be

example/plugins/frontends/saml2_frontend.yaml.example

@@ -25,6 +25,11 @@ config:
         subject_data: ./idp.subject
         want_authn_requests_signed: false
     xmlsec_binary: /usr/bin/xmlsec1
+
+  acr_mapping:
+    "": default-LoA
+    "https://accounts.google.com": LoA1
+
   state_id: <name>
   base: <base_url>
   endpoints:

src/satosa/frontends/saml2.py

@@ -41,6 +41,7 @@ def __init__(self, auth_req_callback_func, internal_attributes, conf):
         self.endpoints = conf["endpoints"]
         self.base = conf["base"]
         self.state_id = conf["state_id"]
+        self.acr_mapping = conf.get("acr_mapping")
         self.response_bindings = None
         self.idp = None
 
@@ -325,7 +326,12 @@ def _handle_authn_response(self, context, internal_response, idp):
 
         resp_args = request_state["resp_args"]
         ava = self.converter.from_internal("saml", internal_response.get_attributes())
-        auth_info = {"class_ref": internal_response.auth_info.auth_class_ref}
+
+        auth_info = {}
+        if self.acr_mapping:
+            auth_info["class_ref"] = self.acr_mapping.get(internal_response.auth_info.issuer, self.acr_mapping[""])
+        else:
+            auth_info["class_ref"] = internal_response.auth_info.auth_class_ref
 
         name_id = NameID(text=internal_response.get_user_id(),
                          format=get_saml_name_id_format(internal_response.user_id_hash_type),

tests/satosa/frontends/test_saml2.py

@@ -9,7 +9,8 @@
 from saml2 import BINDING_HTTP_REDIRECT, BINDING_HTTP_POST
 from saml2.authn_context import PASSWORD
 from saml2.config import SPConfig
-from saml2.saml import NAMEID_FORMAT_PERSISTENT
+from saml2.saml import NAMEID_FORMAT_PERSISTENT, NAMEID_FORMAT_TRANSIENT
+from saml2.samlp import NameIDPolicy
 
 from satosa.context import Context
 from satosa.frontends.saml2 import SamlFrontend
@@ -158,3 +159,85 @@ def test_get_filter_attributes_with_sp_requested_attributes_without_friendlyname
         assert set(filtered_attributes) == set(
                 ["edupersontargetedid", "edupersonprincipalname", "edupersonaffiliation", "mail",
                  "displayname", "sn", "givenname"])
+
+    def test_acr_mapping_in_authn_response(self, idp_conf, sp_conf):
+        eidas_loa_low = "http://eidas.europa.eu/LoA/low"
+        loa = {"": eidas_loa_low}
+
+        base = self.construct_base_url_from_entity_id(idp_conf["entityid"])
+        conf = {"idp_config": idp_conf, "endpoints": ENDPOINTS, "base": base,
+                "state_id": "state_id", "acr_mapping": loa}
+
+        samlfrontend = SamlFrontend(None, INTERNAL_ATTRIBUTES, conf)
+        samlfrontend.register_endpoints(["foo"])
+
+        idp_metadata_str = create_metadata_from_config_dict(samlfrontend.config)
+        sp_conf["metadata"]["inline"].append(idp_metadata_str)
+        fakesp = FakeSP(None, config=SPConfig().load(sp_conf, metadata_construction=False))
+
+        auth_info = AuthenticationInformation(PASSWORD, "2015-09-30T12:21:37Z", "unittest_idp.xml")
+        internal_response = InternalResponse(auth_info=auth_info)
+        context = Context()
+        context.state = State()
+
+        resp_args = {
+            "name_id_policy": NameIDPolicy(format=NAMEID_FORMAT_TRANSIENT),
+            "in_response_to": None,
+            "destination": "",
+            "sp_entity_id": None,
+            "binding": BINDING_HTTP_REDIRECT
+
+        }
+        request_state = samlfrontend.save_state(context, resp_args, "")
+        context.state.add(conf["state_id"], request_state)
+
+        resp = samlfrontend.handle_authn_response(context, internal_response)
+        resp_dict = parse_qs(urlparse(resp.message).query)
+        resp = fakesp.parse_authn_request_response(resp_dict['SAMLResponse'][0],
+                                                   BINDING_HTTP_REDIRECT)
+
+        assert len(resp.assertion.authn_statement) == 1
+        authn_context_class_ref = resp.assertion.authn_statement[
+            0].authn_context.authn_context_class_ref
+        assert authn_context_class_ref.text == eidas_loa_low
+
+    def test_acr_mapping_per_idp_in_authn_response(self, idp_conf, sp_conf):
+        expected_loa = "LoA1"
+        loa = {"": "http://eidas.europa.eu/LoA/low", idp_conf["entityid"]: expected_loa}
+
+        base = self.construct_base_url_from_entity_id(idp_conf["entityid"])
+        conf = {"idp_config": idp_conf, "endpoints": ENDPOINTS, "base": base,
+                "state_id": "state_id", "acr_mapping": loa}
+
+        samlfrontend = SamlFrontend(None, INTERNAL_ATTRIBUTES, conf)
+        samlfrontend.register_endpoints(["foo"])
+
+        idp_metadata_str = create_metadata_from_config_dict(samlfrontend.config)
+        sp_conf["metadata"]["inline"].append(idp_metadata_str)
+        fakesp = FakeSP(None, config=SPConfig().load(sp_conf, metadata_construction=False))
+
+        auth_info = AuthenticationInformation(PASSWORD, "2015-09-30T12:21:37Z", idp_conf["entityid"])
+        internal_response = InternalResponse(auth_info=auth_info)
+        context = Context()
+        context.state = State()
+
+        resp_args = {
+            "name_id_policy": NameIDPolicy(format=NAMEID_FORMAT_TRANSIENT),
+            "in_response_to": None,
+            "destination": "",
+            "sp_entity_id": None,
+            "binding": BINDING_HTTP_REDIRECT
+
+        }
+        request_state = samlfrontend.save_state(context, resp_args, "")
+        context.state.add(conf["state_id"], request_state)
+
+        resp = samlfrontend.handle_authn_response(context, internal_response)
+        resp_dict = parse_qs(urlparse(resp.message).query)
+        resp = fakesp.parse_authn_request_response(resp_dict['SAMLResponse'][0],
+                                                   BINDING_HTTP_REDIRECT)
+
+        assert len(resp.assertion.authn_statement) == 1
+        authn_context_class_ref = resp.assertion.authn_statement[
+            0].authn_context.authn_context_class_ref
+        assert authn_context_class_ref.text == expected_loa