From 9a47a219a9b0280ad0474c18b4edb687a334d1dd Mon Sep 17 00:00:00 2001
From: Alessandro
Date: Thu, 27 Feb 2025 16:52:14 +0100
Subject: [PATCH 1/4] removed unused sso_session parameter in response_authn()
---
 src/eduid/webapp/idp/assurance.py | 2 +-
 src/eduid/webapp/idp/login.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/eduid/webapp/idp/assurance.py b/src/eduid/webapp/idp/assurance.py
index 044abd08d..37fda1972 100644
--- a/src/eduid/webapp/idp/assurance.py
+++ b/src/eduid/webapp/idp/assurance.py
@@ -214,7 +214,7 @@ def credentials(self) -> list[UsedCredential]:
 return self._credentials
-def response_authn(authn: AuthnState, ticket: LoginContext, user: IdPUser, sso_session: SSOSession) -> AuthnInfo:
+def response_authn(authn: AuthnState, ticket: LoginContext, user: IdPUser) -> AuthnInfo:
 """
 Figure out what AuthnContext to assert in a SAML response, given the RequestedAuthnContext from the SAML request.
diff --git a/src/eduid/webapp/idp/login.py b/src/eduid/webapp/idp/login.py
index 5dfd96ed0..def64defc 100644
--- a/src/eduid/webapp/idp/login.py
+++ b/src/eduid/webapp/idp/login.py
@@ -197,7 +197,7 @@ def login_next_step(ticket: LoginContext, sso_session: SSOSession | None) -> Nex
 try:
 authn_state = AuthnState(user, sso_session, ticket)
- authn_info = assurance.response_authn(authn_state, ticket, user, sso_session)
+ authn_info = assurance.response_authn(authn_state, ticket, user)
 res = NextResult(message=IdPMsg.proceed, authn_info=authn_info, authn_state=authn_state)
 except MissingPasswordFactor:
 res = NextResult(message=IdPMsg.must_authenticate)
From e5e069f29c2c565069f6747b8ba01586a5e32054 Mon Sep 17 00:00:00 2001
From: Alessandro
Date: Thu, 27 Feb 2025 17:06:22 +0100
Subject: [PATCH 2/4] added DIGG_UNCERTIFIED_LOA2 to EduidAuthnContextClass
---
 src/eduid/common/models/saml2.py | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/eduid/common/models/saml2.py b/src/eduid/common/models/saml2.py
index 1ed1a2cfd..cefe3850e 100644
--- a/src/eduid/common/models/saml2.py
+++ b/src/eduid/common/models/saml2.py
@@ -6,6 +6,7 @@
 @unique
 class EduidAuthnContextClass(StrEnum):
 DIGG_LOA2 = "http://id.elegnamnden.se/loa/1.0/loa2"
+ DIGG_UNCERTIFIED_LOA2 = "http://id.swedenconnect.se/loa/1.0/uncertified-loa2"
 REFEDS_MFA = "https://refeds.org/profile/mfa"
 REFEDS_SFA = "https://refeds.org/profile/sfa"
 FIDO_U2F = "https://www.swamid.se/specs/id-fido-u2f-ce-transports"
From c14bf6000b195abf7f641cab69eca2560f0d6435 Mon Sep 17 00:00:00 2001
From: Alessandro
Date: Mon, 3 Mar 2025 14:43:21 +0100
Subject: [PATCH 3/4] add control on EduidAuthnContextClass.DIGG_LOA2 at the same level as ticket.reauthn_required in _gather_credentials()
---
 src/eduid/webapp/idp/assurance.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/eduid/webapp/idp/assurance.py b/src/eduid/webapp/idp/assurance.py
index 37fda1972..4a99cd22b 100644
--- a/src/eduid/webapp/idp/assurance.py
+++ b/src/eduid/webapp/idp/assurance.py
@@ -150,7 +150,8 @@ def _gather_credentials(self, sso_session: SSOSession, ticket: LoginContext, use
 _used_request = [x for x in _used_credentials.values() if x.source == UsedWhere.REQUEST]
 logger.debug(f"Number of credentials used with this very request: {len(_used_request)}")
- if ticket.reauthn_required:
+ req_authn_ctx = ticket.get_requested_authn_context()
+ if ticket.reauthn_required or req_authn_ctx is EduidAuthnContextClass.DIGG_LOA2:
 logger.debug("Request requires authentication, not even considering credentials from the SSO session")
 return list(_used_credentials.values())
From 7a33482ac718ce29f32912342fd2c468bb25aee3 Mon Sep 17 00:00:00 2001
From: Alessandro
Date: Mon, 3 Mar 2025 14:50:04 +0100
Subject: [PATCH 4/4] removed unused DIGG_UNCERTIFIED_LOA2 in EduidAuthnContextClass
---
 src/eduid/common/models/saml2.py | 1 -
 1 file changed, 1 deletion(-)
diff --git a/src/eduid/common/models/saml2.py b/src/eduid/common/models/saml2.py
index cefe3850e..1ed1a2cfd 100644
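Review bot: The identity test `req_authn_ctx is EduidAuthnContextClass.DIGG_LOA2` on the second added line of the _gather_credentials hunk only matches when `get_requested_authn_context()` returns the enum member itself; a plain-string return (StrEnum members compare equal under `==`, never under `is`) would silently miss, and since a miss here falls through to reusing SSO-session credentials for a LOA2 request, the comparison should be `==`. The return type is not visible in the hunk, so confirm it against LoginContext before deciding. The security intent also deserves a why-comment, since the debug message only explains the reauthn_required half: `# A DIGG LOA2 request must be satisfied by credentials presented in this very request,` / `# never by ones inherited from the SSO session, so treat it like reauthn_required`. Keeping the contexts that force fresh authentication in a small frozenset (e.g. `if ticket.reauthn_required or req_authn_ctx in _FRESH_AUTHN_CONTEXTS:`) would make reinstating the uncertified LOA2 member, added in PATCH 2/4 and dropped again in PATCH 4/4, a one-line change. _gather_credentials starts and ends outside the hunk.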
--- a/src/eduid/common/models/saml2.py
+++ b/src/eduid/common/models/saml2.py
@@ -6,7 +6,6 @@
 @unique
 class EduidAuthnContextClass(StrEnum):
 DIGG_LOA2 = "http://id.elegnamnden.se/loa/1.0/loa2"
- DIGG_UNCERTIFIED_LOA2 = "http://id.swedenconnect.se/loa/1.0/uncertified-loa2"
 REFEDS_MFA = "https://refeds.org/profile/mfa"
 REFEDS_SFA = "https://refeds.org/profile/sfa"
 FIDO_U2F = "https://www.swamid.se/specs/id-fido-u2f-ce-transports"