From 171a516a8b54eaf97103429973c5d149177f59ec Mon Sep 17 00:00:00 2001
From: Josue Kouka
Date: Fri, 21 Apr 2017 11:21:37 +0200
Subject: [PATCH 6/6] saml2: check if user is authorized through the client

---
 src/authentic2/idp/saml/saml2_endpoints.py | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/authentic2/idp/saml/saml2_endpoints.py b/src/authentic2/idp/saml/saml2_endpoints.py
index 5e797ca7..04222206 100644
--- a/src/authentic2/idp/saml/saml2_endpoints.py
+++ b/src/authentic2/idp/saml/saml2_endpoints.py
@@ -46,7 +46,7 @@ from django.contrib import messages
 from authentic2.compat import get_user_model
 import authentic2.views as a2_views
 from authentic2.saml.models import (LibertyArtifact,
-        LibertySession, LibertyFederation,
+        LibertySession, LibertyFederation,
         nameid2kwargs, saml2_urn_to_nidformat, nidformat_to_saml2_urn,
         save_key_values, get_and_delete_key_values, LibertyProvider,
         LibertyServiceProvider, SAMLAttribute, NAME_ID_FORMATS)
@@ -674,6 +674,12 @@ def sso_after_process_request(request, login, consent_obtained=False,
                 lasso.SAML2_STATUS_CODE_NO_PASSIVE)
         return finish_sso(request, login)
 
+    # check if user is authorized through this service
+    service = LibertyServiceProvider.objects.get(
+            liberty_provider__entity_id=login.remoteProviderId).liberty_provider
+    if not service.authorize(request):
+        return redirect_to_unauthorized(request, service)
+
     #Do not ask consent for federation if a transient nameID is provided
     transient = False
     if nid_format == 'transient':
@@ -1551,7 +1557,7 @@ def slo_return(request):
     logger.info('return from redirect')
     relay_state = request.REQUEST.get('RelayState')
     if not relay_state:
-        return error_redirect(request, N_('slo no relay state in response'),
+        return error_redirect(request, N_('slo no relay state in response'),
                 default_url=icon_url('ko'))
     logger.debug('relay_state %r', relay_state)
     try:
-- 
2.11.0
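Review bot: The new `LibertyServiceProvider.objects.get(liberty_provider__entity_id=login.remoteProviderId)` in the sso_after_process_request hunk is an unguarded `.get()`, so an entity id with no matching service-provider row raises `DoesNotExist` and surfaces as a server error instead of the file's usual `error_redirect(...)` path; if lasso has already validated `login.remoteProviderId` against loaded metadata this may be unreachable, but that is not visible here, and an explicit `except LibertyServiceProvider.DoesNotExist:` branch returning `error_redirect(request, N_('unknown service provider'), default_url=icon_url('ko'))` (message constructed, pick the project's wording) would make the failure mode deliberate and fail closed. The added call to `redirect_to_unauthorized` is not brought into scope by the import hunk at line 46, which only re-emits an existing line, so it presumably is already imported or defined elsewhere in the module; please confirm, since a NameError here would only show up when an unauthorized user hits the SSO endpoint. A brief comment above the check saying why it sits after the NO_PASSIVE handling and before the consent logic, e.g. `# authorization is decided per service provider before any federation/consent state is created`, would help the next reader. The other two hunks (the import list and slo_return's error_redirect) appear to differ only in whitespace and could be dropped from the commit. sso_after_process_request starts and ends outside the hunk.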