user.auth.clients.saml2

Classes

SAML2Attributes

Holds the required SAML2 Attributes

SAML2Client

SAML2Connections

Mangled

Dict-like interface that mangles the name_id that gets passed into the cache, so valid name_ids cannot be discovered through key listing

IdentityCache

Extension to the dict/shelve based default cache to use our redis based dogpile cache instead

Functions

handle_logout_request(→ tuple[bool, Any])

finish_logout(→ webob.Response)

Module Contents

user.auth.clients.saml2.handle_logout_request(conn: saml2.client.Saml2Client, name_id: str | None, logout_req: Any, relay_state: str | None) -> tuple[bool, Any]
user.auth.clients.saml2.finish_logout(request: onegov.core.request.CoreRequest, user: onegov.user.User, to: str, local: bool = True) -> webob.Response
class user.auth.clients.saml2.SAML2Attributes

Holds the required SAML2 Attributes

source_id: str
username: str
first_name: str
last_name: str
groups: str
classmethod from_cfg(cfg: dict[str, Any]) -> Self
class user.auth.clients.saml2.SAML2Client
metadata: str

Paths to the relevant IdP metadata XML files

button_text: str

Text to show on login button

treat_as_ldap: bool

Whether or not users created by this provider should show up as being created by LDAP instead. Necessary when using LDAP to sync the users periodically and deactivate old accounts.

want_response_signed: bool

Whether the response from the IdP should be signed

attributes: SAML2Attributes

Mapping of attribute names

primary: bool

Whether or not this is the primary login provider

slo_enabled: bool

Whether or not to enable the SLO service

_connections: dict[str, saml2.client.Saml2Client]
get_binding(request: onegov.core.request.CoreRequest) -> str
get_sessions(app: onegov.user.UserApp | onegov.core.framework.Framework) -> Mangled
get_redirects(app: onegov.user.UserApp | onegov.core.framework.Framework) -> Mangled
connection(provider: onegov.user.auth.provider.SAML2Provider, request: onegov.core.request.CoreRequest) -> saml2.client.Saml2Client

Returns the Saml2Client instance for the given provider

get_name_id(user: onegov.user.User | None) -> str | None
create_logout_request(provider: onegov.user.auth.provider.SAML2Provider, request: onegov.core.request.CoreRequest, user: onegov.user.User | None) -> tuple[str | None, Any | None]
handle_slo(provider: onegov.user.auth.provider.SAML2Provider, request: onegov.core.request.CoreRequest) -> webob.Response
class user.auth.clients.saml2.SAML2Connections
connections: dict[str, SAML2Client]
client(app: onegov.user.auth.provider.HasApplicationIdAndNamespace) -> SAML2Client | None
classmethod from_cfg(config: dict[str, Any]) -> Self
class user.auth.clients.saml2.Mangled(cache: onegov.core.cache.RedisCacheRegion, prefix: str = '')

Dict-like interface that mangles the name_id that gets passed into the cache, so valid name_ids cannot be discovered through key listing

_cache
_prefix = ''
mangle(name_id: str) -> str
get(name_id: str, default: None = None) -> Any | None
get(name_id: str, default: Any) -> Any
pop(name_id: str) -> Any
pop(name_id: str, default: None) -> Any | None
pop(name_id: str, default: Any) -> Any
__getitem__(name_id: str) -> Any
__setitem__(name_id: str, value: Any) -> None
__delitem__(name_id: str) -> None
__contains__(name_id: str) -> bool
class user.auth.clients.saml2.IdentityCache(app: onegov.core.framework.Framework)
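One way to realise the key mangling described above, as an added example that is not the onegov implementation: a dict-like wrapper that stores values under a keyed HMAC-SHA256 digest of the name_id, so that a listing of the backend's keys reveals no NameID and a guessed NameID cannot be confirmed by hashing it offline. The plain dict backend, the secret and the sample NameID are assumptions constructed for the demo.

```python
import hashlib
import hmac
from typing import Any

_MISSING = object()


class MangledCache:
    """Dict-like wrapper storing values under a keyed digest of the name_id
    (example code, not the onegov implementation). The secret stops anyone
    who can list the backend's keys from confirming guessed name_ids."""

    def __init__(self, backend: dict[str, Any], secret: bytes, prefix: str = '') -> None:
        self._cache = backend      # stands in for the redis cache region (assumption)
        self._secret = secret
        self._prefix = prefix

    def mangle(self, name_id: str) -> str:
        # HMAC-SHA256 over the NameID; the raw NameID never reaches the backend.
        digest = hmac.new(self._secret, name_id.encode('utf-8'), hashlib.sha256).hexdigest()
        return f'{self._prefix}{digest}'

    def get(self, name_id: str, default: Any = None) -> Any:
        return self._cache.get(self.mangle(name_id), default)

    def pop(self, name_id: str, default: Any = _MISSING) -> Any:
        key = self.mangle(name_id)
        if default is _MISSING:
            return self._cache.pop(key)          # raises KeyError like dict.pop
        return self._cache.pop(key, default)

    def __getitem__(self, name_id: str) -> Any:
        return self._cache[self.mangle(name_id)]

    def __setitem__(self, name_id: str, value: Any) -> None:
        self._cache[self.mangle(name_id)] = value

    def __contains__(self, name_id: str) -> bool:
        return self.mangle(name_id) in self._cache


def demo() -> tuple[list[str], bool, str]:
    """Store one session under a constructed NameID, then check whether a
    key listing of the backend reveals it."""
    backend: dict[str, Any] = {}
    sessions = MangledCache(backend, b'constructed-demo-secret', 'saml2:sessions:')
    name_id = 'alice@example.org'                  # constructed sample NameID
    sessions[name_id] = {'session_index': 's1'}
    keys = list(backend)                           # what a key listing would show
    exposed = any(name_id in k for k in keys)
    return keys, exposed, sessions.pop(name_id)['session_index']
```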

Bases: saml2.cache.Cache

Extension to the dict/shelve based default cache to use our redis based dogpile cache instead

_db
_sync = False
set(name_id: str, entity_id: str, info: dict[str, Any], not_on_or_after: int = 0) -> None

Stores session information in the cache. Assumes that the name_id is unique within the context of the Service Provider.

Parameters:
  • name_id – The subject identifier, a NameID instance

  • entity_id – The identifier of the entity_id/receiver of an assertion

  • info – The session info, the assertion is part of this

  • not_on_or_after – A time after which the assertion is not valid.