Multiple AttributeStatement tags per Assertion

teknott-dod · c00kiemon5ter · commit 59a01c96f798 · 2018-08-29T21:42:49.000+03:00
This was necessary to implement a real-world SSO integration, which required handlinge multiple AttributeStatement elements within a single assertion in a SAML response. Orginally this change was implemented in a private fork by Thomas Knott for pysaml 2.2.0, and has been ported by Sheila Allen for use in pysaml 4.6.0 to hopefully merge upstream. There was a similar PR for the same need by pcrownov: https://github.com/IdentityPython/pysaml2/pull/205/files
diff --git a/src/saml2/response.py b/src/saml2/response.py
@@ -649,7 +649,7 @@ def read_attribute_statement(self, attr_statem):
                         self.allow_unknown_attributes)
 
     def get_identity(self):
-        """ The assertion can contain zero or one attributeStatements
+        """ The assertion can contain zero or more attributeStatements
 
         """
         ava = {}
@@ -662,9 +662,11 @@ def get_identity(self):
                             ava.update(self.read_attribute_statement(
                                 tmp_assertion.attribute_statement[0]))
             if _assertion.attribute_statement:
-                assert len(_assertion.attribute_statement) == 1
-                _attr_statem = _assertion.attribute_statement[0]
-                ava.update(self.read_attribute_statement(_attr_statem))
+                logger.debug("Assertion contains %s attribute statement(s)",
+                             (len(self.assertion.attribute_statement)))
+                for _attr_statem in _assertion.attribute_statement:
+                    logger.debug("Attribute Statement: %s" % (_attr_statem,))
+                    ava.update(self.read_attribute_statement(_attr_statem))
             if not ava:
                 logger.debug("Assertion contains no attribute statements")
         return ava
