keystoneclient.contrib.auth.v3 package

Submodules

keystoneclient.contrib.auth.v3.saml2 module

class keystoneclient.contrib.auth.v3.saml2.ADFSUnscopedToken(auth_url, identity_provider, identity_provider_url, service_provider_endpoint, username, password, **kwargs)

Bases: keystoneclient.contrib.auth.v3.saml2._BaseSAMLPlugin

Authentication plugin for Microsoft ADFS2.0 IdPs.

Parameters:
  • auth_url (string) – URL of the Identity Service
  • identity_provider (string) – name of the Identity Provider the client will authenticate against. This parameter is used to build the dynamic URL from which an unscoped OpenStack token is obtained.
  • identity_provider_url (string) – An Identity Provider URL, where the SAML2 authentication request will be sent.
  • service_provider_endpoint (string) – Endpoint where an assertion is being sent, for instance: https://host.domain/Shibboleth.sso/ADFS
  • username (string) – User’s login
  • password (string) – User’s password
ADFS_ASSERTION_XPATH = '/s:Envelope/s:Body/t:RequestSecurityTokenResponseCollection/t:RequestSecurityTokenResponse'
ADFS_TOKEN_NAMESPACES = {'s': 'http://www.w3.org/2003/05/soap-envelope', 't': 'http://docs.oasis-open.org/ws-sx/ws-trust/200512'}
DEFAULT_ADFS_TOKEN_EXPIRATION = 120
HEADER_SOAP = {'Content-Type': 'application/soap+xml; charset=utf-8'}
HEADER_X_FORM = {'Content-Type': 'application/x-www-form-urlencoded'}
NAMESPACES = {'a': 'http://www.w3.org/2005/08/addressing', 's': 'http://www.w3.org/2003/05/soap-envelope', 'u': 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'}
get_auth_ref(session, **kwargs)
classmethod get_options()
class keystoneclient.contrib.auth.v3.saml2.Saml2ScopedToken(auth_url, token, **kwargs)

Bases: keystoneclient.auth.identity.v3.token.Token

Class for scoping unscoped saml2 token.

class keystoneclient.contrib.auth.v3.saml2.Saml2ScopedTokenMethod(**kwargs)

Bases: keystoneclient.auth.identity.v3.token.TokenMethod

get_auth_data(session, auth, headers, **kwargs)

Build and return request body for token scoping step.

class keystoneclient.contrib.auth.v3.saml2.Saml2UnscopedToken(auth_url, identity_provider, identity_provider_url, username, password, **kwargs)

Bases: keystoneclient.contrib.auth.v3.saml2._BaseSAMLPlugin

Implement authentication plugin for SAML2 protocol.

ECP stands for Enhanced Client or Proxy and is a SAML2 extension for federated authentication in which the transport layer consists of HTTP and XML SOAP messages.

See the SAML2 ECP specification for more information on ECP.

Currently only the HTTPBasicAuth mechanism is available for IdP authentication.

Parameters:
  • auth_url (string) – URL of the Identity Service
  • identity_provider (string) – name of the Identity Provider the client will authenticate against. This parameter is used to build the dynamic URL from which an unscoped OpenStack token is obtained.
  • identity_provider_url (string) – An Identity Provider URL, where the SAML2 authentication request will be sent.
  • username (string) – User’s login
  • password (string) – User’s password
ECP_IDP_CONSUMER_URL = '/S:Envelope/S:Header/ecp:Response/@AssertionConsumerServiceURL'
ECP_RELAY_STATE = '//ecp:RelayState'
ECP_SAML2_NAMESPACES = {'S': 'http://schemas.xmlsoap.org/soap/envelope/', 'paos': 'urn:liberty:paos:2003-08', 'ecp': 'urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp'}
ECP_SERVICE_PROVIDER_CONSUMER_URL = '/S:Envelope/S:Header/paos:Request/@responseConsumerURL'
ECP_SP_EMPTY_REQUEST_HEADERS = {'PAOS': 'ver="urn:liberty:paos:2003-08";"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"', 'Accept': 'text/html; application/vnd.paos+xml'}
ECP_SP_SAML2_REQUEST_HEADERS = {'Content-Type': 'application/vnd.paos+xml'}
SAML2_HEADER_INDEX = 0
SOAP_FAULT = '\n <S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">\n <S:Body>\n <S:Fault>\n <faultcode>S:Server</faultcode>\n <faultstring>responseConsumerURL from SP and\n assertionConsumerServiceURL from IdP do not match\n </faultstring>\n </S:Fault>\n </S:Body>\n </S:Envelope>\n '
get_auth_ref(session, **kwargs)

Authenticate via SAML2 protocol and retrieve unscoped token.

This is a multi-step process in which a client performs federated authentication and receives an unscoped token.

Federated authentication utilizing SAML2 Enhanced Client or Proxy extension. See Saml2UnscopedToken_get_unscoped_token() for more information on that step. Upon successful authentication and assertion mapping an unscoped token is returned and stored within the plugin object for further use.

Parameters:
  • session (keystoneclient.session.Session) – a session object to send out HTTP requests.

Returns: an object with scoped token’s id and unscoped token json included.
Return type: keystoneclient.access.AccessInfoV3
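The step in the ECP exchange above that matters most for security is the consumer-URL check behind SOAP_FAULT: the responseConsumerURL the Service Provider announced in its PAOS request must equal the AssertionConsumerServiceURL the Identity Provider names in its ecp:Response header, otherwise the client must post the fault to the SP and refuse to forward the assertion. The following is an added example, not code from python-keystoneclient; it reuses the page's namespace map, SAML2_HEADER_INDEX and SOAP_FAULT text, but the envelopes, hostnames and function names are constructed for illustration, and it uses the standard-library ElementTree (with element paths and attribute lookups) in place of the lxml XPath expressions shown on the page.

```python
import xml.etree.ElementTree as ET

# Namespace prefixes and header index as given for Saml2UnscopedToken.
NS = {
    'S': 'http://schemas.xmlsoap.org/soap/envelope/',
    'paos': 'urn:liberty:paos:2003-08',
    'ecp': 'urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp',
}
SAML2_HEADER_INDEX = 0
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)  # keep readable prefixes when serializing

# Fault body the client returns to the SP on a consumer-URL mismatch (text as on the page).
SOAP_FAULT = """<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
 <S:Body>
  <S:Fault>
   <faultcode>S:Server</faultcode>
   <faultstring>responseConsumerURL from SP and
   assertionConsumerServiceURL from IdP do not match
   </faultstring>
  </S:Fault>
 </S:Body>
</S:Envelope>
"""

# Constructed sample: the PAOS envelope an SP returns to the client's empty
# request. sp.example.test is a placeholder, not a real endpoint.
SP_ENVELOPE = b"""<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:paos="urn:liberty:paos:2003-08"
 xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp">
 <S:Header>
  <paos:Request responseConsumerURL="https://sp.example.test/Shibboleth.sso/SAML2/ECP"
   service="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"/>
  <ecp:RelayState>cookie:1234</ecp:RelayState>
 </S:Header>
 <S:Body><samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_req1"/></S:Body>
</S:Envelope>"""


def _idp_envelope(acs_url):
    # Constructed IdP reply; only the header attribute differs between the two cases below.
    return f"""<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp">
 <S:Header>
  <ecp:Response AssertionConsumerServiceURL="{acs_url}"/>
 </S:Header>
 <S:Body><samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_resp1"/></S:Body>
</S:Envelope>""".encode()


IDP_ENVELOPE_OK = _idp_envelope('https://sp.example.test/Shibboleth.sso/SAML2/ECP')
IDP_ENVELOPE_MISMATCH = _idp_envelope('https://sp.example.test/elsewhere')


def _header_attr(envelope, path, attr):
    """Read one attribute off a SOAP header element, failing loudly if it is absent."""
    element = ET.fromstring(envelope).find(path, NS)
    if element is None or element.get(attr) is None:
        raise ValueError(f'missing {path}/@{attr} in envelope')
    return element.get(attr)


def sp_consumer_url(sp_envelope):
    # Same element and attribute as ECP_SERVICE_PROVIDER_CONSUMER_URL.
    return _header_attr(sp_envelope, 'S:Header/paos:Request', 'responseConsumerURL')


def idp_consumer_url(idp_envelope):
    # Same element and attribute as ECP_IDP_CONSUMER_URL.
    return _header_attr(idp_envelope, 'S:Header/ecp:Response', 'AssertionConsumerServiceURL')


def consumer_urls_match(sp_envelope, idp_envelope):
    """The check that decides whether the assertion may be forwarded at all."""
    return sp_consumer_url(sp_envelope) == idp_consumer_url(idp_envelope)


def build_sp_message(sp_envelope, idp_envelope):
    """Decide what the client posts back to the SP's responseConsumerURL.

    Returns (url, body). On a mismatch the body is the SOAP fault and the
    assertion is never forwarded. On a match the IdP's ecp:Response header
    entry is swapped for the SP's RelayState (the header is child number
    SAML2_HEADER_INDEX of the envelope) and the body travels on unchanged.
    """
    sp_url = sp_consumer_url(sp_envelope)
    if sp_url != idp_consumer_url(idp_envelope):
        return sp_url, SOAP_FAULT.encode()
    relay_state = ET.fromstring(sp_envelope).find('.//ecp:RelayState', NS)
    if relay_state is None:
        raise ValueError('SP envelope carries no ecp:RelayState')
    idp_root = ET.fromstring(idp_envelope)
    idp_root[SAML2_HEADER_INDEX][0] = relay_state
    return sp_url, ET.tostring(idp_root)


if __name__ == '__main__':
    for label, idp in (('ok', IDP_ENVELOPE_OK), ('mismatch', IDP_ENVELOPE_MISMATCH)):
        url, body = build_sp_message(SP_ENVELOPE, idp)
        print(label, '->', url, 'fault' if body == SOAP_FAULT.encode() else 'assertion forwarded')
```

In the real plugin the mismatch path posts SOAP_FAULT to the SP and then raises, so the unscoped-token request is never made; this mirrors that by returning the fault body rather than the assertion. Any code that forwards an IdP response to a URL taken from that same response, without comparing it to what the SP asked for, would let a misbehaving IdP redirect the assertion, which is exactly what this comparison prevents.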
class keystoneclient.contrib.auth.v3.saml2.Saml2UnscopedTokenAuthMethod(**kwargs)

Bases: keystoneclient.auth.identity.v3.base.AuthMethod

get_auth_data(session, auth, headers, **kwargs)

Module contents