keystoneclient.contrib.auth.v3 package

Submodules

keystoneclient.contrib.auth.v3.saml2 module

class keystoneclient.contrib.auth.v3.saml2.Saml2ScopedToken(auth_url, token, **kwargs)

Bases: keystoneclient.auth.identity.v3.Token

Class for scoping an unscoped SAML2 token.

class keystoneclient.contrib.auth.v3.saml2.Saml2ScopedTokenMethod(**kwargs)

Bases: keystoneclient.auth.identity.v3.TokenMethod

get_auth_data(session, auth, headers, **kwargs)

Build and return request body for token scoping step.

class keystoneclient.contrib.auth.v3.saml2.Saml2UnscopedToken(auth_url, identity_provider, identity_provider_url, username, password, **kwargs)

Bases: keystoneclient.auth.identity.v3.AuthConstructor

Implement authentication plugin for SAML2 protocol.

ECP stands for Enhanced Client or Proxy and is a SAML2 extension for federated authentication in which the transport layer consists of HTTP and XML SOAP messages.

For more information, see: https://wiki.shibboleth.net/confluence/display/SHIB2/ECP

The SAML2 ECP specification can be found at: https://www.oasis-open.org/committees/download.php/49979/saml-ecp-v2.0-wd09.pdf

Currently only the HTTPBasicAuth mechanism is available for IdP authentication.

ECP_IDP_CONSUMER_URL = '/S:Envelope/S:Header/ecp:Response/@AssertionConsumerServiceURL'
ECP_RELAY_STATE = '//ecp:RelayState'
ECP_SAML2_NAMESPACES = {'S': 'http://schemas.xmlsoap.org/soap/envelope/', 'paos': 'urn:liberty:paos:2003-08', 'ecp': 'urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp'}
ECP_SERVICE_PROVIDER_CONSUMER_URL = '/S:Envelope/S:Header/paos:Request/@responseConsumerURL'
ECP_SP_EMPTY_REQUEST_HEADERS = {'PAOS': 'ver="urn:liberty:paos:2003-08";"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"', 'Accept': 'text/html; application/vnd.paos+xml'}
ECP_SP_SAML2_REQUEST_HEADERS = {'Content-Type': 'application/vnd.paos+xml'}
HTTP_MOVED_TEMPORARILY = 302
PROTOCOL = 'saml2'
SAML2_HEADER_INDEX = 0
SOAP_FAULT = '\n <S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">\n <S:Body>\n <S:Fault>\n <faultcode>S:Server</faultcode>\n <faultstring>responseConsumerURL from SP and\n assertionConsumerServiceURL from IdP do not match\n </faultstring>\n </S:Fault>\n </S:Body>\n </S:Envelope>\n '
get_auth_ref(session, **kwargs)

Authenticate via SAML2 protocol and retrieve unscoped token.

This is a multi-step process in which a client performs federated authentication and receives an unscoped token.

Federated authentication uses the SAML2 Enhanced Client or Proxy extension. See Saml2UnscopedToken_get_unscoped_token() for more information on that step. Upon successful authentication and assertion mapping, an unscoped token is returned and stored within the plugin object for further use.

Parameters:
 session (keystoneclient.session.Session): a session object to send out HTTP requests.

Return access.AccessInfoV3:
 an object with scoped token’s id and unscoped token json included.
classmethod get_options()
token_url

Return full URL where authorization data is sent.
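The SOAP_FAULT constant of Saml2UnscopedToken describes a mismatch between the SP's responseConsumerURL and the IdP's AssertionConsumerServiceURL. The following added example (not keystoneclient's own code) shows that comparison with the standard-library ElementTree parser, reading the same header attributes that ECP_SERVICE_PROVIDER_CONSUMER_URL and ECP_IDP_CONSUMER_URL address. The function names, the exception class and the sample envelopes are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Same prefixes and URIs as ECP_SAML2_NAMESPACES on this page.
NS = {'S': 'http://schemas.xmlsoap.org/soap/envelope/',
      'paos': 'urn:liberty:paos:2003-08',
      'ecp': 'urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp'}

# Constructed sample envelopes, reduced to the headers the check reads.
SP_REQUEST = ('<S:Envelope xmlns:S="{S}" xmlns:paos="{paos}"><S:Header>'
              '<paos:Request responseConsumerURL="{url}"/>'
              '</S:Header><S:Body/></S:Envelope>')
IDP_RESPONSE = ('<S:Envelope xmlns:S="{S}" xmlns:ecp="{ecp}"><S:Header>'
                '<ecp:Response AssertionConsumerServiceURL="{url}"/>'
                '</S:Header><S:Body/></S:Envelope>')


class ConsumerURLMismatch(Exception):
    """Hypothetical error type: SP and IdP disagree on the consumer URL."""


def header_attr(envelope_xml, element, attribute):
    """Return an attribute of a SOAP header element, or None if absent."""
    if '<!DOCTYPE' in envelope_xml:
        # SOAP messages carry no DTD; refusing one keeps entity
        # definitions out of the parser.
        raise ValueError('DOCTYPE not allowed in a SOAP message')
    root = ET.fromstring(envelope_xml)
    if root.tag != '{%s}Envelope' % NS['S']:
        raise ValueError('document root is not S:Envelope')
    node = root.find('S:Header/' + element, NS)
    return None if node is None else node.get(attribute)


def check_consumer_urls(sp_request_xml, idp_response_xml):
    """Return the agreed consumer URL, or raise ConsumerURLMismatch."""
    sp_url = header_attr(sp_request_xml, 'paos:Request', 'responseConsumerURL')
    idp_url = header_attr(idp_response_xml, 'ecp:Response',
                          'AssertionConsumerServiceURL')
    # A missing value is treated like a mismatch: never fall back to the
    # URL supplied by only one party.
    if not sp_url or not idp_url or sp_url != idp_url:
        raise ConsumerURLMismatch('SP %r vs IdP %r' % (sp_url, idp_url))
    return sp_url


if __name__ == '__main__':
    url = 'https://sp.example.org/Shibboleth.sso/SAML2/ECP'  # constructed
    sp = SP_REQUEST.format(url=url, **NS)
    print(check_consumer_urls(sp, IDP_RESPONSE.format(url=url, **NS)))
```

When the check raises, the IdP's assertion is not forwarded to the SP; that is the condition the SOAP_FAULT text reports.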

class keystoneclient.contrib.auth.v3.saml2.Saml2UnscopedTokenAuthMethod(**kwargs)

Bases: keystoneclient.auth.identity.v3.AuthMethod

get_auth_data(session, auth, headers, **kwargs)

Module contents