Add support for exposing IdP supported attributes

- Adds support for exposing IdP supported attributes in IDPSSODescriptor
  as Attribute elements. Support is added in the config file under
service->idp->provided_attributes. provided_attributes alread existed as
a valid option for idp config but was not used. Supported attributes
MUST be published as Attribute elements in the metadata of the eIDAS IdP
as stated in eIDAS SAML Message Format v.1.2 spec document
- Adds error validation rule in eIDASIdPConfig to ensure
  provided_attributes MUST be set
- Adds test to verify the provided_attributes are exposed as Attribute
  elements under IDPSSODescriptor and for the error validation rule

Author: ioparaskev

src/saml2/config.py

@@ -739,7 +739,10 @@ def warning_validators(self):
     def error_validators(self):
         idp_error_validators = {
             "want_authn_requests_signed MUST be set to True":
-            getattr(self, "_idp_want_authn_requests_signed", None) is True
+            getattr(self, "_idp_want_authn_requests_signed", None) is True,
+            "provided_attributes MUST be set to denote the supported attributes by "
+            "the IdP":
+            not_empty(getattr(self, "_idp_provided_attributes", None))
         }
         return {**super().error_validators, **idp_error_validators}
 

src/saml2/metadata.py

@@ -594,6 +594,14 @@ def do_idpsso_descriptor(conf, cert=None, enc_cert=None):
         except KeyError:
             setattr(idpsso, key, DEFAULTS[key])
 
+    attributes = [
+        Attribute(name=attribute.get("name", None),
+                  name_format=attribute.get("name_format", None),
+                  friendly_name=attribute.get("friendly_name", None))
+        for attribute in conf.getattr("provided_attributes", "idp")
+    ]
+    idpsso.attribute = attributes
+
     return idpsso
 
 

tests/eidas/eidas_idp_conf.py

@@ -38,7 +38,22 @@
             "node_country": "GR",
             "application_identifier": "CEF:eIDAS-ref:2.0",
             "protocol_version": [1.1, 2.2],
-            "want_authn_requests_signed": True
+            "want_authn_requests_signed": True,
+            "provided_attributes": [
+                {
+                    "name": "http://eidas.europa.eu/attributes/naturalperson/PersonIdentifier",
+                    "friendly_name": "PersonIdentifier",
+                    "name_format": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+                },
+                {
+                    "name": "http://eidas.europa.eu/attributes/naturalperson/CurrentFamilyName",
+                    "friendly_name": "FamilyName",
+                },
+                {
+                    "name": "http://eidas.europa.eu/attributes/naturalperson/CurrentGivenName",
+                    "name_format": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+                }
+            ],
         },
     },
     "debug": 1,

tests/eidas/test_idp.py

@@ -78,6 +78,20 @@ def test_protocol_version_in_metadata(self, config):
         assert {str(conf._idp_protocol_version)} \
                == set([x.text for x in protocol_version.attribute_value])
 
+    def test_supported_attributes(self, config):
+        entd = metadata.entity_descriptor(self.conf)
+        attributes_published = [
+            set(
+                filter(lambda x: x is not None,
+                       [attribute.name, attribute.name_format, attribute.friendly_name]
+                       )
+            )
+            for attribute in entd.idpsso_descriptor.attribute
+        ]
+        attributes_stated = [set(x.values()) for x
+                             in self.conf._idp_provided_attributes]
+        assert attributes_published == attributes_stated
+
 
 class TestIdPConfig:
     @staticmethod
@@ -250,3 +264,8 @@ def test_want_authn_requests_signed_false(self, config):
         config["service"]["idp"]["want_authn_requests_signed"] = False
 
         self.assert_validation_error(config)
+
+    def test_provided_attributes_unset(self, config):
+        del config["service"]["idp"]["provided_attributes"]
+
+        self.assert_validation_error(config)