From 2cb76814683b605c0cdc9681f04249519058236e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Malthe=20J=C3=B8rgensen?=
Date: Tue, 5 Jan 2016 12:57:24 +0100
Subject: [PATCH] [Add] Limited support for in SAML2

The -tag in SAML2 allows service providers (SPs) to specify which identity providers (IDPs) are allowed/expected to authenticate the login request. See: http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf, page 51
---
 README.md | 2 ++
 src/onelogin/saml2/authn_request.py | 18 ++++++++++++++++--
 2 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 8d31d913..64e075af 100644
--- a/README.md
+++ b/README.md
@@ -284,6 +284,8 @@ This is the settings.json file:
 // represent the requested subject.
 // Take a look on src/onelogin/saml2/constants.py to see the NameIdFormat that are supported.
 "NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
+ // List of IdPs (entityIds) allowed to authenticate the request (SAML2 Scoping)
+ "scopingIdpList": ["https://"],
 // Usually x509cert and privateKey of the SP are provided by files placed at
 // the certs folder. But we can also provide them with the following parameters
 "x509cert": "",
diff --git a/src/onelogin/saml2/authn_request.py b/src/onelogin/saml2/authn_request.py
index 636a6888..f29f9287 100644
--- a/src/onelogin/saml2/authn_request.py
+++ b/src/onelogin/saml2/authn_request.py
@@ -100,6 +100,19 @@ def __init__(self, settings, force_authn=False, is_passive=False, set_nameid_pol
 if 'attributeConsumingService' in sp_data and sp_data['attributeConsumingService']:
 attr_consuming_service_str = 'AttributeConsumingServiceIndex="1"'
+ scoping_str = ''
+ if 'scopingIdpList' in sp_data:
+ scoping_idp_str = ''
+ for idp in sp_data['scopingIdpList']:
+ scoping_idp_str += ' ' % idp
+
+ scoping_str = '''\
+
+
+ %s
+
+ ''' % scoping_idp_str
+
 request = """
- %(entity_id)s%(nameid_policy_str)s%(requested_authn_context_str)s
+ %(entity_id)s%(nameid_policy_str)s%(requested_authn_context_str)s%(scoping_str)s
 """ % \
 {
 'id': uid,
@@ -123,7 +136,8 @@ def __init__(self, settings, force_authn=False, is_passive=False, set_nameid_pol
 'entity_id': sp_data['entityId'],
 'nameid_policy_str': nameid_policy_str,
 'requested_authn_context_str': requested_authn_context_str,
- 'attr_consuming_service_str': attr_consuming_service_str
+ 'attr_consuming_service_str': attr_consuming_service_str,
+ 'scoping_str': scoping_str
 }
 self.__authn_request = request
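Review bot: Each entry of `sp_data['scopingIdpList']` is spliced into the AuthnRequest XML by the `scoping_idp_str += ... % idp` line with no escaping, so an entityId containing `"`, `&` or `<` yields a malformed request or lets a configured value inject its own markup into the signed document. Assuming the value lands in an attribute (the spec's ProviderID), substitute `xml.sax.saxutils.quoteattr(idp)` instead of wrapping the raw string in quotes; if it is element text, use `xml.sax.saxutils.escape(idp)`. The outer guard `if 'scopingIdpList' in sp_data:` also emits an empty IDPList when the setting is present but `[]`, which the schema does not allow (an IDPList needs at least one IDPEntry); `if sp_data.get('scopingIdpList'):` avoids that. I cannot see whether settings validation accepts the new key, so that presumably needs a matching change. `__init__` continues outside the hunk.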