Classes representing Service Provider instances

Author: Roland Hedberg
Version: 1.2

Module

Contains classes and functions that a SAML 2.0 Service Provider (SP) may use to carry out its tasks.

class saml2.client.Saml2Client(config=None, identity_cache=None, state_cache=None, virtual_organization='', config_file='')

The basic pySAML2 service provider class

do_attribute_query(entityid, subject_id, attribute=None, sp_name_qualifier=None, name_qualifier=None, nameid_format=None, real_id=None, consent=None, extensions=None, sign=False, binding='urn:oasis:names:tc:SAML:2.0:bindings:SOAP')

Sends an attribute query to an attribute authority; by default this is done over SOAP.

Parameters:
  • entityid – To whom the query should be sent
  • subject_id – The identifier of the subject
  • attribute – A dictionary of attributes and values that is asked for
  • sp_name_qualifier – The unique identifier of the service provider or affiliation of providers for whom the identifier was generated.
  • name_qualifier – The unique identifier of the identity provider that generated the identifier.
  • nameid_format – The format of the name ID
  • real_id – The identifier which is the key to this entity in the identity database
  • binding – Which binding to use
Returns:

The attributes returned if BINDING_SOAP was used. HTTP args if BINDING_HTTP_POST was used.

do_logout(name_id, entity_ids, reason, expire, sign=None, expected_binding=None)
Parameters:
  • name_id – Identifier of the Subject (a NameID instance)
  • entity_ids – List of entity ids for the IdPs that have provided information concerning the subject
  • reason – The reason for doing the logout
  • expire – Try to logout before this time.
  • sign – Whether to sign the request or not
  • expected_binding – Specify the expected binding so that only that binding is tried, instead of trying all of them
Returns:

global_logout(name_id, reason='', expire=None, sign=None)

More or less a layer of indirection :-/ Bootstrapping the whole thing by finding all the IdPs that should be notified.

Parameters:
  • name_id – The identifier of the subject that wants to be logged out.
  • reason – Why the subject wants to log out
  • expire – The latest the log out should happen. If this time has passed don’t bother.
  • sign – Whether the request should be signed or not. This also depends on what binding is used.
Returns:

Depends on which binding is used: if the HTTP redirect binding was used, an HTTP redirect; if the SOAP binding was used, just the result of that conversation.

handle_logout_request(request, name_id, binding, sign=False, relay_state='')

Deal with a LogoutRequest

Parameters:
  • request – The request as text string
  • name_id – The id of the current user
  • binding – Which binding the message came in over
  • sign – Whether the response will be signed or not
Returns:

Keyword arguments which can be used to send the response. What is returned follows different patterns for different bindings. If the binding is BINDING_SOAP, the return value looks like this:

{
    "data": <the SOAP enveloped response>,
    "url": "",
    "headers": [("content-type", "application/soap+xml")],
    "method": "POST"
}

handle_logout_response(response)

Handles a LogoutResponse.

Parameters: response – A response.Response instance
Returns: 4-tuple of (session_id of the last sent logout request, response message, response headers, and message)

is_logged_in(name_id)

Check if the user is in the cache.

Parameters: name_id – The identifier of the subject

local_logout(name_id)

Remove the user from the cache; this is equivalent to a local logout.

Parameters: name_id – The identifier of the subject

prepare_for_authenticate(entityid=None, relay_state='', binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect', vorg='', nameid_format='urn:oasis:names:tc:SAML:2.0:nameid-format:persistent', scoping=None, consent=None, extensions=None, sign=None, response_binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST', **kwargs)

Makes all necessary preparations for an authentication request.

Parameters:
  • entityid – The entity ID of the IdP to send the request to
  • relay_state – Where the user should be returned after successful log in.
  • binding – Which binding to use for sending the request
  • vorg – The entity_id of the virtual organization I’m a member of
  • scoping – Which IdPs this query is aimed at.
  • consent – Whether the principal has given her consent
  • extensions – Possible extensions
  • sign – Whether the request should be signed or not.
  • response_binding – Which binding to use for receiving the response
  • kwargs – Extra keyword arguments
Returns:

The session id and the AuthnRequest info.
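Both handle_logout_request() and prepare_for_authenticate() hand back an http_args dict like the SOAP one shown above, which the application must still turn into an actual HTTP response. The following helper is an added example, not part of pysaml2, that does that mapping and refuses to emit a redirect to a host that is not one of the IdP endpoints the SP trusts. It assumes (not stated on this page) that the HTTP-Redirect shape carries a ("Location", url) header and that the HTTP-POST shape carries an HTML form in "data".

```python
"""Added example (not pysaml2 code): map a Saml2Client http_args dict onto a
(status, headers, body) triple that a WSGI/ASGI view can emit.

Assumptions beyond the page: redirect-binding dicts carry a "Location"
header, POST-binding dicts carry an HTML form in "data".  The allow-list
check on the redirect target is this example's own defensive addition,
so a tampered or mis-parsed metadata endpoint cannot turn the SP into an
open redirector.
"""
from typing import Iterable, List, Tuple
from urllib.parse import urlparse

HttpResponse = Tuple[int, List[Tuple[str, str]], bytes]


def http_args_to_response(http_args: dict,
                          allowed_hosts: Iterable[str]) -> HttpResponse:
    """Return (status, headers, body); raise ValueError on malformed input
    or on a redirect that would leave the trusted IdP hosts."""
    headers = [(str(k), str(v)) for k, v in http_args.get("headers", [])]
    hdr = {k.lower(): v for k, v in headers}
    method = str(http_args.get("method", "GET")).upper()
    data = http_args.get("data") or b""          # [] / "" / None -> empty
    if isinstance(data, str):
        data = data.encode("utf-8")

    if "location" in hdr:                        # HTTP-Redirect binding
        target = urlparse(hdr["location"])
        if target.scheme != "https" or target.hostname not in set(allowed_hosts):
            raise ValueError("refusing redirect to %r" % hdr["location"])
        return int(http_args.get("status", 303)), headers, b""

    if method == "POST" and "application/soap+xml" in hdr.get("content-type", ""):
        if not data:                             # SOAP body is mandatory
            raise ValueError("SOAP response without an envelope")
        return int(http_args.get("status", 200)), headers, data

    if data:                                     # HTTP-POST binding: HTML form
        headers = headers or [("Content-Type", "text/html")]
        return int(http_args.get("status", 200)), headers, data

    raise ValueError("unrecognised http_args keys: %r" % sorted(http_args))
```

The allowed_hosts set should come from the IdP endpoints loaded from metadata, not from anything in the request.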
