added saml authentication

app/views.py

@@ -172,10 +172,15 @@ def github_login():
 def saml_login():
     if not app.config.get('SAML_ENABLED'):
         return abort(400)
-    return abort(400)
+    req = utils.prepare_flask_request(request)
+    auth = utils.init_saml_auth(req)
+    redirect_url=OneLogin_Saml2_Utils.get_self_url(req) + url_for('saml_authorized')
+    return redirect(auth.login(return_to=redirect_url))
 
-@app.route('/saml/metadata/')
+@app.route('/saml/metadata')
 def saml_metadata():
+    if not app.config.get('SAML_ENABLED'):
+        return abort(400)
     req = utils.prepare_flask_request(request)
     auth = utils.init_saml_auth(req)
     settings = auth.get_settings()
@@ -189,6 +194,45 @@ def saml_metadata():
         resp = make_response(errors.join(', '), 500)
     return resp
 
+@app.route('/saml/authorized', methods=['GET', 'POST'])
+def saml_authorized():
+    errors = []
+    if not app.config.get('SAML_ENABLED'):
+        return abort(400)
+    req = utils.prepare_flask_request(request)
+    auth = utils.init_saml_auth(req)
+    auth.process_response()
+    attributes = auth.get_attributes();
+    not_auth_warn = not auth.is_authenticated()
+    if len(errors) == 0:
+        session['samlUserdata'] = auth.get_attributes()
+        session['samlNameId'] = auth.get_nameid()
+        session['samlSessionIndex'] = auth.get_session_index()
+        self_url = OneLogin_Saml2_Utils.get_self_url(req)
+        self_url = self_url+req['script_name']
+        if 'RelayState' in request.form and self_url != request.form['RelayState']:
+            return redirect(auth.redirect_to(request.form['RelayState']))
+        user = User.query.filter_by(username=session['samlNameId'].lower()).first()
+        if not user:
+            # create user
+            user = User(username=session['samlNameId'],
+                        plain_text_password=gen_salt(7),
+                        email=session['samlNameId'])
+            user.create_local_user()
+        session['user_id'] = user.id
+        if session['samlUserdata'].has_key("email"):
+            user.email = session['samlUserdata']["email"][0].lower()
+        if session['samlUserdata'].has_key("givenname"):
+            user.firstname = session['samlUserdata']["givenname"][0]
+        if session['samlUserdata'].has_key("surname"):
+            user.lastname = session['samlUserdata']["surname"][0]
+        user.plain_text_password = gen_salt(7)
+        user.update_profile()
+        login_user(user, remember=False)
+        return redirect(url_for('index'))
+    else:
+        return error(401,"an error occourred processing SAML response")
+
 @app.route('/login', methods=['GET', 'POST'])
 @login_manager.unauthorized_handler
 def login():
@@ -288,6 +332,7 @@ def login():
 def logout():
     session.pop('user_id', None)
     session.pop('github_token', None)
+    session.clear()
     logout_user()
     return redirect(url_for('login'))
 

saml/advanced_settings.json

@@ -0,0 +1,29 @@
+{
+    "security": {
+        "nameIdEncrypted": false,
+        "authnRequestsSigned": false,
+        "logoutRequestSigned": false,
+        "logoutResponseSigned": false,
+        "signMetadata": false,
+        "wantMessagesSigned": true,
+        "wantAssertionsSigned": true,
+        "wantNameIdEncrypted": false
+    },
+    "contactPerson": {
+        "technical": {
+            "givenName": "ahd Service Operation Center",
+            "emailAddress": "servicedesk@ahd.de"
+        },
+        "support": {
+            "givenName" : "ahd Service Operation Center",
+            "emailAddress": "servicedesk@ahd.de"
+        }
+    },
+    "organization": {
+        "en-US": {
+            "name": "PowerDNS-Admin",
+            "displayname": "PowerDNS-Admin",
+            "url": "https://10.12.95.95"
+        }
+    }
+}

saml/settings.json

@@ -0,0 +1,30 @@
+{
+    "strict": true,
+    "debug": true,
+    "sp": {
+        "entityId": "http://10.12.95.95",
+        "assertionConsumerService": {
+            "url": "https://10.12.95.95/saml/authorized",
+            "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+        },
+        "singleLogoutService": {
+            "url": "https://10.12.95.95/saml/sls",
+            "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+        },
+        "NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
+        "x509cert": "",
+        "privateKey": ""
+    },
+    "idp": {
+        "entityId": "http://fs.ahd-vcloud.biz/adfs/services/trust",
+        "singleSignOnService": {
+            "url": "https://fs.ahd-vcloud.biz/adfs/ls/",
+            "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+        },
+        "singleLogoutService": {
+            "url": "https://fs.ahd-vcloud.biz/adfs/ls/",
+            "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+        },
+        "x509cert": "-----BEGIN CERTIFICATE-----MIIC3jCCAcagAwIBAgIQPD7o11EBtLZDvWevCYeIGjANBgkqhkiG9w0BAQsFADArMSkwJwYDVQQDEyBBREZTIFNpZ25pbmcgLSBmcy5haGQtdmNsb3VkLmJpejAeFw0xNzAyMjQwOTI5MTBaFw0xODAyMjQwOTI5MTBaMCsxKTAnBgNVBAMTIEFERlMgU2lnbmluZyAtIGZzLmFoZC12Y2xvdWQuYml6MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs8c+Yde1AQpBSikjKMXRY3FmvG64YT8MgJGPJ0CuTr0jyvsARvK51v0FiMsQh48uQ+KtXWNfBTrFee1CkpHQHw1UVRWQVToZzhiTgVBWc3XXzjfxThUe5IGfSQa11+s+/qxlfQZi2V1JhKUpXfYehbQIEJ5n0kzRzGfmZwZ8/A4gSOJGvFOLx0QTQ6scRUvgsDKJbmD3YWDweZwUGZkKSjKDbyNNNQKhwmpwFT2BLNadlscrgxjzDUQIaLnMQabE+DlQqYkxhM4LPvWcwL23dBIRRxIZlJ4oE/ZohtWtaHJewUTtWT3yfeDRD4d4Gxr5cgczwDhhlJtcrcmEmpHzkwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBU0ADCWI+W1uwXUPL7OXw90VHHQMxuMdClIK2Bwc0De0eaFFHvKWCk3mkdNf+SwxtPHnfAWDO7daxnY6HrqQbcO66gcMgDvgFkC3o5Ml9LBsFv/NmNCeB7+9xxkiYiCe68oitN5iR50JcwhZekpM9MtH8t36p6AWmnhfBt8LMxreuWobDRefx4aIIst8SPP13p4AOk5gTz07YbdMLYsUiTImBbLCcbqdFNMYPiZmUo7jEUnax05oh9vruFj3SltsR21S78ifUN/AmlpYvm+q3mW1q6ikltp6/HoVNMOCsEJqq7VL5jtdOmj2YpFf/twZF5pnbSqe3AZClBp4BufsKp-----END CERTIFICATE-----"
+    }
+}