summaryrefslogtreecommitdiff
path: root/keystoneclient/contrib/auth/v3/saml2.py
diff options
context:
space:
mode:
Diffstat (limited to 'keystoneclient/contrib/auth/v3/saml2.py')
-rw-r--r--keystoneclient/contrib/auth/v3/saml2.py18
1 files changed, 10 insertions, 8 deletions
diff --git a/keystoneclient/contrib/auth/v3/saml2.py b/keystoneclient/contrib/auth/v3/saml2.py
index 929d99e..3a311d4 100644
--- a/keystoneclient/contrib/auth/v3/saml2.py
+++ b/keystoneclient/contrib/auth/v3/saml2.py
@@ -26,6 +26,8 @@ from keystoneclient.i18n import _
class _BaseSAMLPlugin(v3.AuthConstructor):
HTTP_MOVED_TEMPORARILY = 302
+ HTTP_SEE_OTHER = 303
+
PROTOCOL = 'saml2'
@staticmethod
@@ -192,9 +194,9 @@ class Saml2UnscopedToken(_BaseSAMLPlugin):
# Override to remove deprecation.
self._password = value
- def _handle_http_302_ecp_redirect(self, session, response, method,
- **kwargs):
- if response.status_code != self.HTTP_MOVED_TEMPORARILY:
+ def _handle_http_ecp_redirect(self, session, response, method, **kwargs):
+ if response.status_code not in (self.HTTP_MOVED_TEMPORARILY,
+ self.HTTP_SEE_OTHER):
return response
location = response.headers['location']
@@ -327,7 +329,7 @@ class Saml2UnscopedToken(_BaseSAMLPlugin):
managed URL, for instance: ``https://<host>:<port>/Shibboleth.sso/
SAML2/ECP``.
Upon success the there's a session created and access to the protected
- resource is granted. Many implementations of the SP return HTTP 302
+ resource is granted. Many implementations of the SP return HTTP 302/303
status code pointing to the protected URL (``https://<host>:<port>/v3/
OS-FEDERATION/identity_providers/{identity_provider}/protocols/
{protocol_id}/auth`` in this case). Saml2 plugin should point to that
@@ -344,11 +346,11 @@ class Saml2UnscopedToken(_BaseSAMLPlugin):
data=etree.tostring(self.saml2_idp_authn_response),
authenticated=False, redirect=False)
- # Don't follow HTTP specs - after the HTTP 302 response don't repeat
- # the call directed to the Location URL. In this case, this is an
- # indication that saml2 session is now active and protected resource
+ # Don't follow HTTP specs - after the HTTP 302/303 response don't
+ # repeat the call directed to the Location URL. In this case, this is
+ # an indication that saml2 session is now active and protected resource
# can be accessed.
- response = self._handle_http_302_ecp_redirect(
+ response = self._handle_http_ecp_redirect(
session, response, method='GET',
headers=self.ECP_SP_SAML2_REQUEST_HEADERS)