From ac49e97ea9178f5ca9f484e3d5df603dc0c9d910 Mon Sep 17 00:00:00 2001
From: Valentin Deniaud
Date: Tue, 16 Apr 2019 10:12:55 +0200
Subject: [PATCH 4/5] idp_saml: send authentication level in SAML assertion

C'est moyen moyen, mais est-ce que c'est le moins pire ?
---
 src/authentic2/idp/saml/app_settings.py | 1 +
 src/authentic2/idp/saml/saml2_endpoints.py | 20 ++++++++++++--------
 2 files changed, 13 insertions(+), 8 deletions(-)

diff --git a/src/authentic2/idp/saml/app_settings.py b/src/authentic2/idp/saml/app_settings.py
index 63a1c865..98e1821a 100644
--- a/src/authentic2/idp/saml/app_settings.py
+++ b/src/authentic2/idp/saml/app_settings.py
@@ -51,6 +51,7 @@ wRiVcNacaP+BivkrMjr4BlsUM6yH4MOBsNhLURiiCL+tLJV7U0DWlCse/doWij4U
 TKX6tp6oI+7MIJE6ySZ0cBqOiydAkBePZhu57j6ToBkTa0dbHjn1WA==
 -----END RSA PRIVATE KEY-----''',
 ADD_CERTIFICATE_TO_KEY_INFO=True,
+ AUTHN_CLASSREF_LEVELS='https://entrouvert.org/auth-level/',
 )
 
 def __init__(self, prefix):
diff --git a/src/authentic2/idp/saml/saml2_endpoints.py b/src/authentic2/idp/saml/saml2_endpoints.py
index c8f28270..8d947c1d 100644
--- a/src/authentic2/idp/saml/saml2_endpoints.py
+++ b/src/authentic2/idp/saml/saml2_endpoints.py
@@ -325,15 +325,19 @@ def build_assertion(request, login, nid_format='transient'):
 notOnOrAfter = now + datetime.timedelta(0, app_settings.SECONDS_TOLERANCE)
 ssl = 'HTTPS' in request.environ
 if app_settings.AUTHN_CONTEXT_FROM_SESSION:
- backend = request.session[BACKEND_SESSION_KEY]
- logger.debug('authentication from session with backend %s', backend)
- backend = load_backend(backend)
- if hasattr(backend, 'get_saml2_authn_context'):
- authn_context = backend.get_saml2_authn_context()
+ auth_level = request.session.get('auth_level', 1)
+ if auth_level > 1:
+ authn_context = app_settings.AUTHN_CLASSREF_LEVELS + str(auth_level)
 else:
- raise Exception('backend unsupported: ' + backend)
- if authn_context == lasso.SAML2_AUTHN_CONTEXT_PASSWORD and ssl:
- authn_context = lasso.SAML2_AUTHN_CONTEXT_PASSWORD_PROTECTED_TRANSPORT
+ backend = request.session[BACKEND_SESSION_KEY]
+ logger.debug('authentication from session with backend %s', backend)
+ backend = load_backend(backend)
+ if hasattr(backend, 'get_saml2_authn_context'):
+ authn_context = backend.get_saml2_authn_context()
+ else:
+ raise Exception('backend unsupported: ' + backend)
+ if authn_context == lasso.SAML2_AUTHN_CONTEXT_PASSWORD and ssl:
+ authn_context = lasso.SAML2_AUTHN_CONTEXT_PASSWORD_PROTECTED_TRANSPORT
 else:
 try:
 event = find_authentication_event(request, login.request.id)
-- 
2.20.1
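Review bot: `auth_level` is read from the session on the first added line and then used in `auth_level > 1` and `str(auth_level)` without any type check, so whatever object the session happens to hold is concatenated straight into the AuthnContextClassRef that the SP treats as a security claim (under Python 2 a str even compares greater than an int, so a stray string value would take the level branch). I'd pin the type, e.g. `if not isinstance(auth_level, int): auth_level = 1`, and put a comment on that line naming the code that writes `'auth_level'` into the session so the trust boundary is visible to the next reader. The level branch also skips the PASSWORD → PASSWORD_PROTECTED_TRANSPORT upgrade that the backend branch keeps; if that is intended, a one-line comment such as `# level class refs are not upgraded for TLS; only the backend-derived ones below are` would settle it. Further down, `'backend unsupported: ' + backend` is evaluated after `backend` has been rebound to the `load_backend()` result, so it raises a TypeError instead of the intended message — pre-existing, but it now lives on the new side; keeping the original name in a separate variable or using `repr(backend)` would fix it. build_assertion starts before and continues after the hunk.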