51 |
51 |
from django.shortcuts import redirect, render
|
52 |
52 |
from django.urls import reverse
|
53 |
53 |
from django.utils.encoding import force_bytes, force_str, force_text
|
|
54 |
from django.utils.timezone import utc
|
54 |
55 |
from django.utils.translation import ugettext as _
|
55 |
56 |
from django.utils.translation import ugettext_noop as N_
|
56 |
57 |
from django.views.decorators.cache import never_cache
|
... | ... | |
411 |
412 |
"""
|
412 |
413 |
entity_id = get_entity_id(request)
|
413 |
414 |
now = datetime.datetime.utcnow()
|
|
415 |
timezone_now = now.replace(tzinfo=utc)
|
414 |
416 |
logger.debug('NameIDFormat is %s', nid_format)
|
415 |
417 |
# 1 minute ago
|
416 |
418 |
notBefore = now - datetime.timedelta(0, app_settings.SECONDS_TOLERANCE)
|
... | ... | |
453 |
455 |
)
|
454 |
456 |
assertion = login.assertion
|
455 |
457 |
assertion.conditions.notOnOrAfter = notOnOrAfter.isoformat() + 'Z'
|
456 |
|
# Set SessionNotOnOrAfter to expiry date of the current session, so we are sure no session on
|
457 |
|
# service providers can outlive the IdP session.
|
|
458 |
# Set SessionNotOnOrAfter to half of the expire duration of the current
|
|
459 |
# session, so we are sure no session on service providers can outlive the
|
|
460 |
# IdP session but people are asked to reauthenticate before the end of the
|
|
461 |
# IdP session to prolongate it.
|
458 |
462 |
expiry_date = request.session.get_expiry_date()
|
459 |
|
assertion.authnStatement[0].sessionNotOnOrAfter = datetime_to_xs_datetime(expiry_date)
|
|
463 |
session_not_on_or_after = timezone_now + (expiry_date - timezone_now) * 0.5
|
|
464 |
assertion.authnStatement[0].sessionNotOnOrAfter = datetime_to_xs_datetime(session_not_on_or_after)
|
460 |
465 |
logger.debug('assertion building in progress %s', force_text(assertion.dump()))
|
461 |
466 |
fill_assertion(request, login.request, assertion, login.remoteProviderId, nid_format)
|
462 |
467 |
# Save federation and new session
|