user.auth.clients.saml2
=======================

.. py:module:: user.auth.clients.saml2


Classes
-------

.. autoapisummary::

   user.auth.clients.saml2.SAML2Attributes
   user.auth.clients.saml2.SAML2Client
   user.auth.clients.saml2.SAML2Connections
   user.auth.clients.saml2.Mangled
   user.auth.clients.saml2.IdentityCache


Functions
---------

.. autoapisummary::

   user.auth.clients.saml2.handle_logout_request
   user.auth.clients.saml2.finish_logout


Module Contents
---------------

.. py:function:: handle_logout_request(conn: saml2.client.Saml2Client, name_id: str | None, logout_req: Any, relay_state: str | None) -> tuple[bool, Any]


.. py:function:: finish_logout(request: onegov.core.request.CoreRequest, user: onegov.user.User, to: str, local: bool = True) -> webob.Response


.. py:class:: SAML2Attributes

   Holds the required SAML2 attributes.


   .. py:attribute:: source_id
      :type: str


   .. py:attribute:: username
      :type: str


   .. py:attribute:: first_name
      :type: str


   .. py:attribute:: last_name
      :type: str


   .. py:attribute:: groups
      :type: str


   .. py:method:: from_cfg(cfg: dict[str, Any]) -> Self
      :classmethod:


.. py:class:: SAML2Client


   .. py:attribute:: metadata
      :type: str

      Paths to the relevant IdP metadata XML files


   .. py:attribute:: button_text
      :type: str

      Text to show on the login button


   .. py:attribute:: treat_as_ldap
      :type: bool

      Whether or not users created by this provider should show up as being
      created by LDAP instead. Necessary when using LDAP to sync the users
      periodically and deactivate old accounts.


   .. py:attribute:: want_response_signed
      :type: bool

      Whether the response from the IdP should be signed


   .. py:attribute:: attributes
      :type: SAML2Attributes

      Mapping of attribute names


   .. py:attribute:: primary
      :type: bool

      Whether or not this is the primary login provider


   .. py:attribute:: slo_enabled
      :type: bool

      Whether or not to enable the SLO (single logout) service


   .. py:attribute:: _connections
      :type: dict[str, saml2.client.Saml2Client]


   .. py:method:: get_binding(request: onegov.core.request.CoreRequest) -> str
   .. py:method:: get_sessions(app: onegov.user.UserApp | onegov.core.framework.Framework) -> Mangled


   .. py:method:: get_redirects(app: onegov.user.UserApp | onegov.core.framework.Framework) -> Mangled


   .. py:method:: connection(provider: onegov.user.auth.provider.SAML2Provider, request: onegov.core.request.CoreRequest) -> saml2.client.Saml2Client

      Returns the SAML2 client instance


   .. py:method:: get_name_id(user: onegov.user.User | None) -> str | None


   .. py:method:: create_logout_request(provider: onegov.user.auth.provider.SAML2Provider, request: onegov.core.request.CoreRequest, user: onegov.user.User | None) -> tuple[str | None, Any | None]


   .. py:method:: handle_slo(provider: onegov.user.auth.provider.SAML2Provider, request: onegov.core.request.CoreRequest) -> webob.Response


.. py:class:: SAML2Connections


   .. py:attribute:: connections
      :type: dict[str, SAML2Client]


   .. py:method:: client(app: onegov.user.auth.provider.HasApplicationIdAndNamespace) -> SAML2Client | None


   .. py:method:: from_cfg(config: dict[str, Any]) -> Self
      :classmethod:


.. py:class:: Mangled(cache: onegov.core.cache.RedisCacheRegion, prefix: str = '')

   Dict-like interface that mangles the name_id that gets passed into the
   cache, so valid name_ids cannot be discovered through key listing.


   .. py:attribute:: _cache


   .. py:attribute:: _prefix
      :value: ''


   .. py:method:: mangle(name_id: str) -> str


   .. py:method:: get(name_id: str, default: None = None) -> Any | None
                  get(name_id: str, default: Any) -> Any


   .. py:method:: pop(name_id: str) -> Any
                  pop(name_id: str, default: None) -> Any | None
                  pop(name_id: str, default: Any) -> Any


   .. py:method:: __getitem__(name_id: str) -> Any


   .. py:method:: __setitem__(name_id: str, value: Any) -> None


   .. py:method:: __delitem__(name_id: str) -> None


   .. py:method:: __contains__(name_id: str) -> bool
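To illustrate why ``Mangled`` hashes the NameID before it reaches the cache, here is a self-contained stand-in for that class (added example, not the module's own code): the backing store is a plain dict instead of a ``RedisCacheRegion``, and the keyed SHA-256 in ``mangle`` is an assumption, since the page does not show which mangling the real method uses. The point it demonstrates is that anyone who can list cache keys (a ``KEYS *`` on Redis, a leaked dump) sees only opaque digests and cannot enumerate valid NameIDs or forge a key for a known one without the secret.

```python
import hmac
import hashlib
from typing import Any


class Mangled:
    """Dict-like wrapper that hashes the NameID before using it as a cache key.

    Stand-in for the page's Mangled: ``cache`` is a plain dict here, and the
    HMAC-SHA256 mangling is an assumption (the real algorithm is not shown).
    """

    _MISSING = object()

    def __init__(self, cache: dict[str, Any], secret: bytes, prefix: str = '') -> None:
        self._cache = cache
        self._secret = secret
        self._prefix = prefix

    def mangle(self, name_id: str) -> str:
        # Keyed hash: key listing reveals neither the NameID nor a value an
        # outsider could reproduce, and the prefix keeps namespaces separate.
        digest = hmac.new(self._secret, name_id.encode('utf-8'), hashlib.sha256).hexdigest()
        return f'{self._prefix}{digest}'

    def get(self, name_id: str, default: Any = None) -> Any:
        return self._cache.get(self.mangle(name_id), default)

    def pop(self, name_id: str, default: Any = _MISSING) -> Any:
        key = self.mangle(name_id)
        if default is self._MISSING:
            return self._cache.pop(key)          # raises KeyError like dict.pop
        return self._cache.pop(key, default)

    def __getitem__(self, name_id: str) -> Any:
        return self._cache[self.mangle(name_id)]

    def __setitem__(self, name_id: str, value: Any) -> None:
        self._cache[self.mangle(name_id)] = value

    def __delitem__(self, name_id: str) -> None:
        del self._cache[self.mangle(name_id)]

    def __contains__(self, name_id: str) -> bool:
        return self.mangle(name_id) in self._cache


def demo() -> tuple[list[str], Any, bool]:
    """Store a session under a constructed NameID; return what key listing exposes."""
    backing: dict[str, Any] = {}
    sessions = Mangled(backing, secret=b'constructed-demo-secret', prefix='saml2:sessions:')
    name_id = 'alice@example.org'  # constructed sample NameID
    sessions[name_id] = {'entity_id': 'https://idp.example.org', 'session_index': '42'}
    return list(backing), sessions.get(name_id), name_id in sessions
```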
.. py:class:: IdentityCache(app: onegov.core.framework.Framework)

   Bases: :py:obj:`saml2.cache.Cache`

   Extension to the dict/shelve-based default cache, using our Redis-based
   dogpile cache instead.


   .. py:attribute:: _db


   .. py:attribute:: _sync
      :value: False


   .. py:method:: set(name_id: str, entity_id: str, info: dict[str, Any], not_on_or_after: int = 0) -> None

      Stores session information in the cache. Assumes that the name_id is
      unique within the context of the Service Provider.

      :param name_id: The subject identifier, a NameID instance
      :param entity_id: The identifier of the entity_id/receiver of an assertion
      :param info: The session info; the assertion is part of this
      :param not_on_or_after: A time after which the assertion is not valid.