Allow configuration of which attribute profile to use in SAML backend and frontend.

Author: Rebecka Gulliksson

doc/README.md

@@ -151,6 +151,7 @@ Common configuration parameters:
 | `key_file` | string | `pki/key.pem` | path to private key used for signing(backend)/decrypting(frontend) SAML2 assertions |
 | `cert_file` | string | `pki/cert.pem` | path to certificate for the public key associated with the private key in `key_file` |
 | `metadata["local"]` | string[] | `[metadata/entity.xml]` | list of paths to metadata for all service providers (frontend)/identity providers (backend) communicating with the proxy |
+| `attribute_profile` | string | `saml` | attribute profile to use for mapping attributes from/to response
 
 The metadata could be loaded in multiple ways in the table above it's loaded from a static 
 file by using the key "local". It's also possible to load read the metadata from a remote URL.

src/satosa/backends/saml2.py

@@ -70,6 +70,7 @@ def __init__(self, outgoing, internal_attributes, config):
         self.sp = Base(sp_config)
         self.idp_disco_query_param = "entityID"
         self.config = config
+        self.attribute_profile = config.get("attribute_profile", "saml")
         self.bindings = [BINDING_HTTP_REDIRECT, BINDING_HTTP_POST]
         self.discosrv = None
         self.converter = DataConverter(internal_attributes)
@@ -288,7 +289,7 @@ def _translate_response(self, response, state):
                     raise SATOSAAuthenticationError from error
             internal_resp.set_user_id(user_id)
 
-        internal_resp.add_attributes(self.converter.to_internal("saml", response.ava))
+        internal_resp.add_attributes(self.converter.to_internal(self.attribute_profile, response.ava))
 
         satosa_logging(LOGGER, logging.DEBUG,
                        "received attributes:\n%s" % json.dumps(response.ava, indent=4), state)

src/satosa/frontends/saml2.py

@@ -42,6 +42,7 @@ def __init__(self, auth_req_callback_func, internal_attributes, conf):
         self.base = conf["base"]
         self.state_id = conf["state_id"]
         self.acr_mapping = conf.get("acr_mapping")
+        self.attribute_profile = conf.get("attribute_profile", "saml")
         self.response_bindings = None
         self.idp = None
 
@@ -304,8 +305,9 @@ def get_filter_attributes(self, idp, idp_policy, sp_entity_id, state):
         for aconv in attrconvs:
             if aconv.name_format == name_format:
                 attribute_filter = list(
-                    idp_policy.restrict(aconv._to, sp_entity_id, idp.metadata).keys())
-        attribute_filter = self.converter.to_internal_filter("saml", attribute_filter, True)
+                        idp_policy.restrict(aconv._to, sp_entity_id, idp.metadata).keys())
+        attribute_filter = self.converter.to_internal_filter(self.attribute_profile,
+                                                             attribute_filter, True)
         satosa_logging(LOGGER, logging.DEBUG, "Filter: %s" % attribute_filter, state)
         return attribute_filter
 
@@ -325,7 +327,8 @@ def _handle_authn_response(self, context, internal_response, idp):
         request_state = self.load_state(context.state)
 
         resp_args = request_state["resp_args"]
-        ava = self.converter.from_internal("saml", internal_response.get_attributes())
+        ava = self.converter.from_internal(self.attribute_profile,
+                                           internal_response.get_attributes())
 
         auth_info = {}
         if self.acr_mapping: