providers/saml: add support for WindowsDomainQualifiedName, add docs for NameID
This commit is contained in:
parent
605213821c
commit
f4bb22138c
|
@ -3,6 +3,7 @@ from hashlib import sha256
|
|||
from types import GeneratorType
|
||||
|
||||
import xmlsec
|
||||
from django.conf import settings
|
||||
from django.http import HttpRequest
|
||||
from lxml import etree # nosec
|
||||
from lxml.etree import Element, SubElement # nosec
|
||||
|
@ -23,6 +24,7 @@ from authentik.sources.saml.processors.constants import (
|
|||
SAML_NAME_ID_FORMAT_EMAIL,
|
||||
SAML_NAME_ID_FORMAT_PERSISTENT,
|
||||
SAML_NAME_ID_FORMAT_TRANSIENT,
|
||||
SAML_NAME_ID_FORMAT_WINDOWS,
|
||||
SAML_NAME_ID_FORMAT_X509,
|
||||
SIGN_ALGORITHM_TRANSFORM_MAP,
|
||||
)
|
||||
|
@ -141,20 +143,27 @@ class AssertionProcessor:
|
|||
"""Get NameID Element"""
|
||||
name_id = Element(f"{{{NS_SAML_ASSERTION}}}NameID")
|
||||
name_id.attrib["Format"] = self.auth_n_request.name_id_policy
|
||||
persistent = sha256(
|
||||
f"{self.http_request.user.id}-{settings.SECRET_KEY}".encode("ascii")
|
||||
).hexdigest()
|
||||
if name_id.attrib["Format"] == SAML_NAME_ID_FORMAT_EMAIL:
|
||||
name_id.text = self.http_request.user.email
|
||||
return name_id
|
||||
if name_id.attrib["Format"] == SAML_NAME_ID_FORMAT_PERSISTENT:
|
||||
name_id.text = self.http_request.user.username
|
||||
name_id.text = persistent
|
||||
return name_id
|
||||
if name_id.attrib["Format"] == SAML_NAME_ID_FORMAT_X509:
|
||||
# This attribute is statically set by the LDAP source
|
||||
name_id.text = self.http_request.user.attributes.get(
|
||||
"distinguishedName", ""
|
||||
"distinguishedName", persistent
|
||||
)
|
||||
return name_id
|
||||
if name_id.attrib["Format"] == SAML_NAME_ID_FORMAT_TRANSIENT:
|
||||
if name_id.attrib["Format"] == SAML_NAME_ID_FORMAT_WINDOWS:
|
||||
# This attribute is statically set by the LDAP source
|
||||
name_id.text = self.http_request.user.attributes.get("upn", persistent)
|
||||
return name_id
|
||||
if name_id.attrib["Format"] == SAML_NAME_ID_FORMAT_TRANSIENT:
|
||||
# Use the hash of the user's session, which changes every session
|
||||
session_key: str = self.http_request.user.session.session_key
|
||||
name_id.text = sha256(session_key.encode()).hexdigest()
|
||||
return name_id
|
||||
|
|
|
@ -11,3 +11,13 @@ Default fields are exposed through auto-generated Property Mappings, which are p
|
|||
| SSO (POST binding) | `/application/saml/<application slug>/sso/binding/post/` |
|
||||
| IdP-initiated login | `/application/saml/<application slug>/sso/binding/init/` |
|
||||
| Metadata Download | `/application/saml/<application slug>/metadata/` |
|
||||
|
||||
## Name ID
|
||||
|
||||
You can select a custom SAML Property Mapping after which the NameID field will be generated. If left default, the following checks are done:
|
||||
|
||||
- When the request asks for `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`, the NameID will be set to the user's email address.
|
||||
- When the request asks for `urn:oasis:names:tc:SAML:2.0:nameid-format:persistent`, the NameID will be set to the hashed user ID.
|
||||
- When the request asks for `urn:oasis:names:tc:SAML:2.0:nameid-format:X509SubjectName`, the NameID will be set to the user's `distinguishedName` attribute. This attribute is set by the LDAP source by default. If the attribute does not exist, it will fall back the persistent identifier.
|
||||
- When the request asks for `urn:oasis:names:tc:SAML:2.0:nameid-format:WindowsDomainQualifiedName`, the NameID will be set to the user's UPN. This is also set by the LDAP source, and also falls back to the persistent identifier.
|
||||
- When the request asks for `urn:oasis:names:tc:SAML:2.0:nameid-format:transient`, the NameID will be set based on the user's session ID.
|
||||
|
|
Reference in a new issue