Merge pull request #434 from c00kiemon5ter/feature-hide-assertion-consumer-service

c00kiemon5ter · web-flow · commit 5d7f27eeb81f · 2017-07-26T05:08:18.000-07:00
Add configuration option to hide assertion consumer service on authn requests

This kind of functionality is required for the eIDAS SAML profile that dictates that

&gt; eIDAS-Connectors SHOULD NOT provide AssertionConsumerServiceURL.
diff --git a/src/saml2/client_base.py b/src/saml2/client_base.py
@@ -235,26 +235,30 @@ def create_authn_request(self, destination, vorg="", scoping=None,
 
         args = {}
 
-        try:
-            args["assertion_consumer_service_url"] = kwargs[
-                "assertion_consumer_service_urls"][0]
-            del kwargs["assertion_consumer_service_urls"]
-        except KeyError:
+        if self.config.getattr('hide_assertion_consumer_service', 'sp'):
+            args["assertion_consumer_service_url"] = None
+            binding = None
+        else:
             try:
                 args["assertion_consumer_service_url"] = kwargs[
-                    "assertion_consumer_service_url"]
-                del kwargs["assertion_consumer_service_url"]
+                    "assertion_consumer_service_urls"][0]
+                del kwargs["assertion_consumer_service_urls"]
             except KeyError:
                 try:
-                    args["assertion_consumer_service_index"] = str(
-                        kwargs["assertion_consumer_service_index"])
-                    del kwargs["assertion_consumer_service_index"]
+                    args["assertion_consumer_service_url"] = kwargs[
+                        "assertion_consumer_service_url"]
+                    del kwargs["assertion_consumer_service_url"]
                 except KeyError:
-                    if service_url_binding is None:
-                        service_urls = self.service_urls(binding)
-                    else:
-                        service_urls = self.service_urls(service_url_binding)
-                    args["assertion_consumer_service_url"] = service_urls[0]
+                    try:
+                        args["assertion_consumer_service_index"] = str(
+                            kwargs["assertion_consumer_service_index"])
+                        del kwargs["assertion_consumer_service_index"]
+                    except KeyError:
+                        if service_url_binding is None:
+                            service_urls = self.service_urls(binding)
+                        else:
+                            service_urls = self.service_urls(service_url_binding)
+                        args["assertion_consumer_service_url"] = service_urls[0]
 
         try:
             args["provider_name"] = kwargs["provider_name"]
diff --git a/src/saml2/config.py b/src/saml2/config.py
@@ -76,6 +76,7 @@
     "name_id_format_allow_create",
     "logout_requests_signed",
     "requested_attribute_name_format",
+    "hide_assertion_consumer_service",
     "force_authn",
 ]
 

Original file line number	Diff line number	Diff line change
`@@ -76,6 +76,7 @@`
`76`	`76`	`"name_id_format_allow_create",`
`77`	`77`	`"logout_requests_signed",`
`78`	`78`	`"requested_attribute_name_format",`
	`79`	`+ "hide_assertion_consumer_service",`
`79`	`80`	`"force_authn",`
`80`	`81`	`]`
`81`	`82`