Add support for exposing IdP supported attributes

- Adds support for exposing IdP supported attributes in IDPSSODescriptor as Attribute elements. Support is added in the config file under service->idp->provided_attributes. provided_attributes alread existed as a valid option for idp config but was not used. Supported attributes MUST be published as Attribute elements in the metadata of the eIDAS IdP as stated in eIDAS SAML Message Format v.1.2 spec document - Adds error validation rule in eIDASIdPConfig to ensure provided_attributes MUST be set - Adds test to verify the provided_attributes are exposed as Attribute elements under IDPSSODescriptor and for the error validation rule
IdentityPython · Feb 11, 2020 · ce24c34 · ce24c34
1 parent d544328
commit ce24c34
Show file tree

Hide file tree

Showing 4 changed files with 47 additions and 2 deletions.
diff --git a/src/saml2/config.py b/src/saml2/config.py
@@ -739,7 +739,10 @@ def warning_validators(self):
     def error_validators(self):
         idp_error_validators = {
             "want_authn_requests_signed MUST be set to True":
-            getattr(self, "_idp_want_authn_requests_signed", None) is True
+            getattr(self, "_idp_want_authn_requests_signed", None) is True,
+            "provided_attributes MUST be set to denote the supported attributes by "
+            "the IdP":
+            not_empty(getattr(self, "_idp_provided_attributes", None))
         }
         return {**super().error_validators, **idp_error_validators}
 

diff --git a/src/saml2/metadata.py b/src/saml2/metadata.py
@@ -594,6 +594,14 @@ def do_idpsso_descriptor(conf, cert=None, enc_cert=None):
         except KeyError:
             setattr(idpsso, key, DEFAULTS[key])
 
+    attributes = [
+        Attribute(name=attribute.get("name", None),
+                  name_format=attribute.get("name_format", None),
+                  friendly_name=attribute.get("friendly_name", None))
+        for attribute in conf.getattr("provided_attributes", "idp")
+    ]
+    idpsso.attribute = attributes
+
     return idpsso
 
 

diff --git a/tests/eidas/eidas_idp_conf.py b/tests/eidas/eidas_idp_conf.py
@@ -38,7 +38,22 @@
             "node_country": "GR",
             "application_identifier": "CEF:eIDAS-ref:2.0",
             "protocol_version": [1.1, 2.2],
-            "want_authn_requests_signed": True
+            "want_authn_requests_signed": True,
+            "provided_attributes": [
+                {
+                    "name": "http://eidas.europa.eu/attributes/naturalperson/PersonIdentifier",
+                    "friendly_name": "PersonIdentifier",
+                    "name_format": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+                },
+                {
+                    "name": "http://eidas.europa.eu/attributes/naturalperson/CurrentFamilyName",
+                    "friendly_name": "FamilyName",
+                },
+                {
+                    "name": "http://eidas.europa.eu/attributes/naturalperson/CurrentGivenName",
+                    "name_format": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+                }
+            ],
         },
     },
     "debug": 1,

diff --git a/tests/eidas/test_idp.py b/tests/eidas/test_idp.py
@@ -78,6 +78,20 @@ def test_protocol_version_in_metadata(self, config):
         assert {str(conf._idp_protocol_version)} \
                == set([x.text for x in protocol_version.attribute_value])
 
+    def test_supported_attributes(self, config):
+        entd = metadata.entity_descriptor(self.conf)
+        attributes_published = [
+            set(
+                filter(lambda x: x is not None,
+                       [attribute.name, attribute.name_format, attribute.friendly_name]
+                       )
+            )
+            for attribute in entd.idpsso_descriptor.attribute
+        ]
+        attributes_stated = [set(x.values()) for x
+                             in self.conf._idp_provided_attributes]
+        assert attributes_published == attributes_stated
+
 
 class TestIdPConfig:
     @staticmethod
@@ -250,3 +264,8 @@ def test_want_authn_requests_signed_false(self, config):
         config["service"]["idp"]["want_authn_requests_signed"] = False
 
         self.assert_validation_error(config)
+
+    def test_provided_attributes_unset(self, config):
+        del config["service"]["idp"]["provided_attributes"]
+
+        self.assert_validation_error(config)