Fixed name_format bug. Modified test to check for name_format specification.

Author: Roland Hedberg

src/saml2/assertion.py

@@ -405,7 +405,7 @@ def get_name_form(self, sp_entity_id):
         :retur: The format
         """
 
-        return self.get("name_format", sp_entity_id, NAME_FORMAT_URI)
+        return self.get("name_form", sp_entity_id, NAME_FORMAT_URI)
 
     def get_lifetime(self, sp_entity_id):
         """ The lifetime of the assertion

tests/idp_conf.py

@@ -1,7 +1,7 @@
 from saml2 import BINDING_SOAP
 from saml2 import BINDING_HTTP_REDIRECT
 from saml2 import BINDING_HTTP_POST
-from saml2.saml import NAMEID_FORMAT_PERSISTENT
+from saml2.saml import NAMEID_FORMAT_PERSISTENT, NAME_FORMAT_BASIC
 from saml2.saml import NAME_FORMAT_URI
 
 from pathutils import full_path
@@ -30,10 +30,11 @@
                 "urn:mace:example.com:saml:roland:sp": {
                     "lifetime": {"minutes": 5},
                     "nameid_format": NAMEID_FORMAT_PERSISTENT,
-                    # "attribute_restrictions":{
-                    #     "givenName": None,
-                    #     "surName": None,
-                    # }
+                },
+                "https://example.com/sp": {
+                    "lifetime": {"minutes": 5},
+                    "nameid_format": NAMEID_FORMAT_PERSISTENT,
+                    "name_form": NAME_FORMAT_BASIC
                 }
             },
             "subject_data": full_path("subject_data.db"),
@@ -48,6 +49,7 @@
     "metadata": [{
         "class": "saml2.mdstore.MetaDataFile",
         "metadata": [(full_path("metadata_sp_1.xml"), ),
+                     (full_path("metadata_sp_2.xml"), ),
                      (full_path("vo_metadata.xml"), )],
     }],
     "attribute_map_dir": full_path("attributemaps"),

tests/metadata_sp_2.xml

@@ -0,0 +1,114 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<ns0:EntitiesDescriptor xmlns:ns0="urn:oasis:names:tc:SAML:2.0:metadata"
+                        xmlns:ns1="http://www.w3.org/2000/09/xmldsig#">
+    <ns0:EntityDescriptor entityID="https://example.com/sp">
+        <ns0:SPSSODescriptor AuthnRequestsSigned="false"
+                             WantAssertionsSigned="true"
+                             protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+            <ns0:KeyDescriptor use="signing">
+                <ns1:KeyInfo>
+                    <ns1:X509Data>
+                        <ns1:X509Certificate>
+                            MIICsDCCAhmgAwIBAgIJAJrzqSSwmDY9MA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV
+                            BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBX
+                            aWRnaXRzIFB0eSBMdGQwHhcNMDkxMDA2MTk0OTQxWhcNMDkxMTA1MTk0OTQxWjBF
+                            MQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50
+                            ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
+                            gQDJg2cms7MqjniT8Fi/XkNHZNPbNVQyMUMXE9tXOdqwYCA1cc8vQdzkihscQMXy
+                            3iPw2cMggBu6gjMTOSOxECkuvX5ZCclKr8pXAJM5cY6gVOaVO2PdTZcvDBKGbiaN
+                            efiEw5hnoZomqZGp8wHNLAUkwtH9vjqqvxyS/vclc6k2ewIDAQABo4GnMIGkMB0G
+                            A1UdDgQWBBRePsKHKYJsiojE78ZWXccK9K4aJTB1BgNVHSMEbjBsgBRePsKHKYJs
+                            iojE78ZWXccK9K4aJaFJpEcwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUt
+                            U3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZIIJAJrzqSSw
+                            mDY9MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAJSrKOEzHO7TL5cy6
+                            h3qh+3+JAk8HbGBW+cbX6KBCAw/mzU8flK25vnWwXS3dv2FF3Aod0/S7AWNfKib5
+                            U/SA9nJaz/mWeF9S0farz9AQFc8/NSzAzaVq7YbM4F6f6N2FRl7GikdXRCed45j6
+                            mrPzGzk3ECbupFnqyREH3+ZPSdk=
+                        </ns1:X509Certificate>
+                    </ns1:X509Data>
+                </ns1:KeyInfo>
+            </ns0:KeyDescriptor>
+            <ns0:KeyDescriptor  use="encryption">
+                <ns1:KeyInfo>
+                    <ns1:X509Data>
+                        <ns1:X509Certificate>
+                            MIICHzCCAYgCAQEwDQYJKoZIhvcNAQELBQAwWDELMAkGA1UEBhMCenoxCzAJBgNV
+                            BAgMAnp6MQ0wCwYDVQQHDAR6enp6MQ4wDAYDVQQKDAVaenp6ejEOMAwGA1UECwwF
+                            Wnp6enoxDTALBgNVBAMMBHRlc3QwHhcNMTUwNjAyMDc0MzAxWhcNMjUwNTMwMDc0
+                            MzAxWjBYMQswCQYDVQQGEwJ6ejELMAkGA1UECAwCenoxDTALBgNVBAcMBHp6enox
+                            DjAMBgNVBAoMBVp6enp6MQ4wDAYDVQQLDAVaenp6ejENMAsGA1UEAwwEdGVzdDCB
+                            nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA41tJCTPuG2lirbztuGbBlzbzSipM
+                            EzM+zluWegUaoUjqtlgNHOTQqTJOqw/GdjkxRKJT6IxI3/HVcnfw7P4a4xSkL/ME
+                            IG3VyzedWEyLIHeofoQSTvr84ZdD0+Gk+zNCSqOQC7UuqpOLbMKK1tgZ8Mr7BkgI
+                            p8H3lreLf29Sd5MCAwEAATANBgkqhkiG9w0BAQsFAAOBgQB0EXxy5+hsB7Rid7Gy
+                            CZrAObpaC4nbyPPW/vccFKmEkYtlygEPgky7D9AGsVSaTc/YxPZcanY+vKoRIsiR
+                            6ZitIUU5b+NnHcdj6289tUQ0iHj5jgVyv8wYHvPntTnqH2S7he0talLER8ITYToh
+                            2wz3u7waz/GypMeA/suhoEfxew==
+                        </ns1:X509Certificate>
+                    </ns1:X509Data>
+                </ns1:KeyInfo>
+            </ns0:KeyDescriptor>
+            <ns0:KeyDescriptor  use="encryption">
+                <ns1:KeyInfo>
+                    <ns1:X509Data>
+                        <ns1:X509Certificate>
+                            MIICHzCCAYgCAQEwDQYJKoZIhvcNAQELBQAwWDELMAkGA1UEBhMCenoxCzAJBgNV
+                            BAgMAnp6MQ0wCwYDVQQHDAR6enp6MQ4wDAYDVQQKDAVaenp6ejEOMAwGA1UECwwF
+                            Wnp6enoxDTALBgNVBAMMBHRlc3QwHhcNMTUwNjAyMDc0MjI2WhcNMjUwNTMwMDc0
+                            MjI2WjBYMQswCQYDVQQGEwJ6ejELMAkGA1UECAwCenoxDTALBgNVBAcMBHp6enox
+                            DjAMBgNVBAoMBVp6enp6MQ4wDAYDVQQLDAVaenp6ejENMAsGA1UEAwwEdGVzdDCB
+                            nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAx3I/NFlP1wbHfRZckJn4z1HX5nnY
+                            QhQ3ekxEJmTTaj/1BvlZBmvgV40SBzH4nP1sT02xoQo7+vHItFAzaJlF2oBXsSxj
+                            aZMGu/gkVbaHP9cYKvskhOjOJ4XArrUnKMTb1jZ+XkkOuot1NLE7/dTILF8ahHU2
+                            omYNASLnxHN3bnkCAwEAATANBgkqhkiG9w0BAQsFAAOBgQCQam1Oz7iQcD9+OurB
+                            M5a+Hth53m5hbAFuguSvERPCuJ/CfP1+g7CIZN/GnsIsg9QW77NvdOyxjXxzoJJm
+                            okl1qz/qy3FY3mJ0gIUxDyPD9DL3c9/03MDv5YmWsoP+HNqK8QtNJ/JDEOhBr/Eo
+                            /MokRo4gtMNeLF/soveWNoNiUg==
+                        </ns1:X509Certificate>
+                    </ns1:X509Data>
+                </ns1:KeyInfo>
+            </ns0:KeyDescriptor>
+            <ns0:AssertionConsumerService
+                    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+                    Location="http://lingon.catalogix.se:8087/" index="1"/>
+            <ns0:AttributeConsumingService index="1">
+                <ns0:ServiceName xml:lang="en">
+                    urn:mace:example.com:saml:roland:sp
+                </ns0:ServiceName>
+                <ns0:ServiceDescription xml:lang="en">My own SP
+                </ns0:ServiceDescription>
+                <ns0:RequestedAttribute FriendlyName="surName"
+                                        Name="urn:oid:2.5.4.4"
+                                        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+                                        isRequired="true"/>
+                <ns0:RequestedAttribute FriendlyName="givenName"
+                                        Name="urn:oid:2.5.4.42"
+                                        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+                                        isRequired="true"/>
+                <ns0:RequestedAttribute FriendlyName="mail"
+                                        Name="urn:oid:0.9.2342.19200300.100.1.3"
+                                        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+                                        isRequired="true"/>
+                <ns0:RequestedAttribute FriendlyName="title"
+                                        Name="urn:oid:2.5.4.12"
+                                        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+                                        isRequired="false"/>
+            </ns0:AttributeConsumingService>
+        </ns0:SPSSODescriptor>
+        <ns0:Organization>
+            <ns0:OrganizationName xml:lang="se">AB Exempel
+            </ns0:OrganizationName>
+            <ns0:OrganizationDisplayName xml:lang="se">AB Exempel
+            </ns0:OrganizationDisplayName>
+            <ns0:OrganizationURL xml:lang="en">http://www.example.org
+            </ns0:OrganizationURL>
+        </ns0:Organization>
+        <ns0:ContactPerson contactType="technical">
+            <ns0:GivenName>Roland</ns0:GivenName>
+            <ns0:SurName>Hedberg</ns0:SurName>
+            <ns0:EmailAddress>[email protected]</ns0:EmailAddress>
+            <ns0:EmailAddress>[email protected]</ns0:EmailAddress>
+            <ns0:TelephoneNumber>+46 70 100 0000</ns0:TelephoneNumber>
+        </ns0:ContactPerson>
+    </ns0:EntityDescriptor>
+</ns0:EntitiesDescriptor>

tests/test_50_server.py

@@ -271,7 +271,7 @@ def test_parse_ok_request(self):
 
     def test_sso_response_with_identity(self):
         name_id = self.server.ident.transient_nameid(
-            "urn:mace:example.com:saml:roland:sp", "id12")
+            "https://example.com/sp", "id12")
         resp = self.server.create_authn_response(
             {
                 "eduPersonEntitlement": "Short stop",
@@ -282,7 +282,7 @@ def test_sso_response_with_identity(self):
             },
             "id12",  # in_response_to
             "http://localhost:8087/",  # destination
-            "urn:mace:example.com:saml:roland:sp",  # sp_entity_id
+            "https://example.com/sp",  # sp_entity_id
             name_id=name_id,
             authn=AUTHN
         )
@@ -310,8 +310,8 @@ def test_sso_response_with_identity(self):
             if attr.friendly_name == "givenName":
                 break
         assert len(attr.attribute_value) == 1
-        assert attr.name == "urn:oid:2.5.4.42"
-        assert attr.name_format == "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+        assert attr.name == "urn:mace:dir:attribute-def:givenName"
+        assert attr.name_format == "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
         value = attr.attribute_value[0]
         assert value.text.strip() == "Derek"
         assert value.get_type() == "xs:string"