user.auth.clients.saml2

Classes

SAML2Attributes	Holds the required SAML2 Attributes
SAML2Client
SAML2Connections
Mangled	Dict like interface that mangles the name_id that gets passed into the
IdentityCache	Extension to the dict/shelve based default cache to use our

Functions

handle_logout_request(→ tuple[bool, Any])
finish_logout(→ webob.Response)

Module Contents

user.auth.clients.saml2.handle_logout_request(conn: saml2.client.Saml2Client, name_id: str | None, logout_req: Any, relay_state: str | None) → tuple[bool, Any]

user.auth.clients.saml2.finish_logout(request: onegov.core.request.CoreRequest, user: onegov.user.User, to: str, local: bool = True) → webob.Response

class user.auth.clients.saml2.SAML2Attributes

Holds the required SAML2 Attributes

source_id: str

username: str

first_name: str

last_name: str

groups: str

classmethod from_cfg(cfg: dict[str, Any]) → Self

class user.auth.clients.saml2.SAML2Client

metadata: str

Paths to the relevant idp metadata XML files

button_text: str

Text to show on login button

treat_as_ldap: bool

Whether or not users created by this provider should show up as being created by LDAP instead. Necessary when using LDAP to sync the users periodically and deactivate old accounts.

want_response_signed: bool

Whether the response from the IdP should be signed

attributes: SAML2Attributes

Mapping of attribute names

primary: bool

Whether or not this is the primary login provider

slo_enabled: bool

Whether or not to enable the SLO service

_connections: dict[str, saml2.client.Saml2Client]

get_binding(request: onegov.core.request.CoreRequest) → str

get_sessions(app: UserApp | Framework) → Mangled

get_redirects(app: UserApp | Framework) → Mangled

connection(provider: onegov.user.auth.provider.SAML2Provider, request: onegov.core.request.CoreRequest) → saml2.client.Saml2Client

Returns the SAML2 instance

get_name_id(user: User | None) → str | None

create_logout_request(provider: onegov.user.auth.provider.SAML2Provider, request: onegov.core.request.CoreRequest, user: User | None) → tuple[str | None, Any | None]

handle_slo(provider: onegov.user.auth.provider.SAML2Provider, request: onegov.core.request.CoreRequest) → webob.Response

class user.auth.clients.saml2.SAML2Connections

connections: dict[str, SAML2Client]

client(app: onegov.user.auth.provider.HasApplicationIdAndNamespace) → SAML2Client | None

classmethod from_cfg(config: dict[str, Any]) → Self

class user.auth.clients.saml2.Mangled(cache: onegov.core.cache.RedisCacheRegion, prefix: str = '')

Dict like interface that mangles the name_id that gets passed into the cache, so valid name_ids cannot be discovered through key listing

_cache

_prefix

mangle(name_id: str) → str

get(name_id: str, default: None = None) → Any | None

get(name_id: str, default: Any) → Any

pop(name_id: str) → Any

pop(name_id: str, default: None) → Any | None

pop(name_id: str, default: Any) → Any

__getitem__(name_id: str) → Any

__setitem__(name_id: str, value: Any) → None

__delitem__(name_id: str) → None

__contains__(name_id: str) → bool

class user.auth.clients.saml2.IdentityCache(app: onegov.core.framework.Framework)

Bases: saml2.cache.Cache

Extension to the dict/shelve based default cache to use our redis based dogpile cache instead

cache

_db

_sync = False

set(name_id: str, entity_id: str, info: dict[str, Any], not_on_or_after: int = 0) → None

Stores session information in the cache. Assumes that the name_id is unique within the context of the Service Provider.

Parameters:

• name_id – The subject identifier, a NameID instance

• entity_id – The identifier of the entity_id/receiver of an assertion

• info – The session info, the assertion is part of this

• not_on_or_after – A time after which the assertion is not valid.