implement real attribute matching instead of using subject.nameId.content for everything

model/auth_saml.py

@@ -29,6 +29,15 @@
         )
         return lasso.Login(server)
 
+    def _get_matching_attr_for_provider(
+            self, cr, uid, provider_id, context=None
+    ):
+        """internal helper to fetch the matching attribute for this SAML
+        provider. Returns a unicode object.
+        """
+        provider = self.browse(cr, uid, provider_id, context=context)
+        return provider.matching_attribute
+
     def _get_auth_request(self, cr, uid, id_, state, context=None):
         """build an authentication request and give it back to our client
         WARNING: this method cannot be used for multiple ids
@@ -55,6 +64,7 @@
         'sp_pkey': fields.text(
             'Private key of our service provider (this openerpserver)'
         ),
+        'matching_attribute': fields.text('Matching Attribute', required=True),
         'enabled': fields.boolean('Enabled'),
         'css_class': fields.char('CSS class'),
         'body': fields.char(
@@ -66,6 +76,7 @@
 
     _defaults = {
         'enabled': False,
+        'matching_attribute': "subject.nameId",
         'css_class': 'zocial saml',
         'body': 'Authentic',
     }

model/res_users.py

@@ -63,8 +63,9 @@
 
         p = self.pool.get('auth.saml.provider')
         login = p._get_lasso_for_provider(cr, uid, provider, context=context)
+        matching_attribute = p._get_matching_attr_for_provider(cr, uid, provider, context=context)
 
         try:
             login.processAuthnResponseMsg(token)
         except (lasso.DsError, lasso.ProfileCannotVerifySignatureError):
             raise Exception('Lasso Profile cannot verify signature')
@@ -66,10 +67,10 @@
 
         try:
             login.processAuthnResponseMsg(token)
         except (lasso.DsError, lasso.ProfileCannotVerifySignatureError):
             raise Exception('Lasso Profile cannot verify signature')
-        except lasso.Error, e:
+        except lasso.Error as e:
             raise Exception(repr(e))
 
         try:
             login.acceptSso()
@@ -72,7 +73,9 @@
             raise Exception(repr(e))
 
         try:
             login.acceptSso()
-        except lasso.Error:
-            raise Exception('Invalid assertion')
+        except lasso.Error as error:
+            raise Exception(
+                    'Invalid assertion : %s' % lasso.strError(error[0])
+            )
 
@@ -78,5 +81,3 @@
 
-        # TODO use a real token validation from LASSO
-        # TODO push into the validation result a real UPN
-        validation = {'user_id': login.assertion.subject.nameId.content}
+        attrs = {}
 
@@ -82,7 +83,40 @@
 
-        """
-        if p.data_endpoint:
-            data = self._auth_oauth_rpc(cr, uid, p.data_endpoint, access_token)
-            validation.update(data)
-        """
+        for att_statement in login.assertion.attributeStatement:
+            for attribute in att_statement.attribute:
+                name = None
+                lformat = lasso.SAML2_ATTRIBUTE_NAME_FORMAT_BASIC
+                nickname = None
+                try:
+                    name = attribute.name.decode('ascii')
+                except Exception as e:
+                    _logger.warning('sso_after_response: error decoding name of \
+                        attribute %s' % attribute.dump())
+                else:
+                    try:
+                        if attribute.nameFormat:
+                            lformat = attribute.nameFormat.decode('ascii')
+                        if attribute.friendlyName:
+                            nickname = attribute.friendlyName
+                    except Exception as e:
+                        message = 'sso_after_response: name or format of an \
+                            attribute failed to decode as ascii: %s due to %s'
+                        _logger.warning(message % (attribute.dump(), str(e)))
+                    try:
+                        if name:
+                            if lformat:
+                                if nickname:
+                                    key = (name, lformat, nickname)
+                                else:
+                                    key = (name, lformat)
+                            else:
+                                key = name
+                        attrs[key] = list()
+                        for value in attribute.attributeValue:
+                            content = [a.exportToXml() for a in value.any]
+                            content = ''.join(content)
+                            attrs[key].append(content.decode('utf8'))
+                    except Exception as e:
+                        message = 'sso_after_response: value of an \
+                            attribute failed to decode as ascii: %s due to %s'
+                        _logger.warning(message % (attribute.dump(), str(e)))
 
@@ -88,4 +122,22 @@
 
+        matching_value = None
+        for k in attrs:
+            if isinstance(k, tuple) and k[0] == matching_attribute:
+                matching_value = attrs[k][0]
+                break
+
+        if not matching_value and matching_attribute == "subject.nameId":
+            matching_value = login.assertion.subject.nameId.content
+
+        elif not matching_value and matching_attribute != "subject.nameId":
+            raise Exception(
+                    "Matching attribute %s not found in user attrs: %s" % (
+                        matching_attribute,
+                        attrs,
+                    )
+            )
+
+        validation = {'user_id': matching_value}
         return validation
 
     def _auth_saml_signin(

views/auth_saml.xml

@@ -25,6 +25,7 @@
                             <field name="name" />
                             <field name="enabled" />
                             <field name="body" />
+                            <field name="matching_attribute" />
                         </group>
                         <group>
                             <field name="idp_metadata" />