diff --git a/README.md b/README.md
index 8d31d913..64e075af 100644
--- a/README.md
+++ b/README.md
@@ -284,6 +284,8 @@ This is the settings.json file:
 // represent the requested subject.
 // Take a look on src/onelogin/saml2/constants.py to see the NameIdFormat that are supported.
 "NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
+// List of IdPs (entityIds) allowed to authenticate the request (SAML2 Scoping)
+"scopingIdpList": ["https://"],
 // Usually x509cert and privateKey of the SP are provided by files placed at
 // the certs folder. But we can also provide them with the following parameters
 "x509cert": "",
diff --git a/src/onelogin/saml2/authn_request.py b/src/onelogin/saml2/authn_request.py
index 636a6888..f29f9287 100644
--- a/src/onelogin/saml2/authn_request.py
+++ b/src/onelogin/saml2/authn_request.py
@@ -100,6 +100,19 @@ def __init__(self, settings, force_authn=False, is_passive=False, set_nameid_pol if 'attributeConsumingService' in sp_data and sp_data['attributeConsumingService']: attr_consuming_service_str = 'AttributeConsumingServiceIndex="1"' + scoping_str = '' + if 'scopingIdpList' in sp_data: + scoping_idp_str = '' + for idp in sp_data['scopingIdpList']: + scoping_idp_str += ' ' % idp + + scoping_str = '''\ + + + %s + + ''' % scoping_idp_str + request = """ - %(entity_id)s%(nameid_policy_str)s%(requested_authn_context_str)s + %(entity_id)s%(nameid_policy_str)s%(requested_authn_context_str)s%(scoping_str)s """ % \ { 'id': uid,
@@ -123,7 +136,8 @@ def __init__(self, settings, force_authn=False, is_passive=False, set_nameid_pol 'entity_id': sp_data['entityId'], 'nameid_policy_str': nameid_policy_str, 'requested_authn_context_str': requested_authn_context_str, - 'attr_consuming_service_str': attr_consuming_service_str + 'attr_consuming_service_str': attr_consuming_service_str, + 'scoping_str': scoping_str } self.__authn_request = request
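Review bot: Each entry of `sp_data['scopingIdpList']` is substituted into the IDPEntry markup with a bare `%` on the `scoping_idp_str +=` line, so an entityId containing `"`, `&` or `<` yields a malformed or attribute-injected AuthnRequest instead of an error; substitute `escape(idp, {'"': '&quot;'})` from `xml.sax.saxutils` (or `quoteattr`) rather than the raw value. The guard `if 'scopingIdpList' in sp_data:` also emits an empty IDPList when the setting is present but empty, which the SAML schema does not allow; `if sp_data.get('scopingIdpList'):` keeps the element out in that case and matches the truthiness check used for `attributeConsumingService` just above. The element markup on the added lines is not legible in this rendering, so the exact tag text is inferred from the surrounding names. `__init__` begins before and continues past this hunk.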