Merge "Allow setting EndpointReference in ADFSPassword"

keystoneauth1/extras/_saml2/_loading.py

@@ -52,8 +52,13 @@ class ADFSPassword(loading.BaseFederationLoader):
         options = super(ADFSPassword, self).get_options()
 
         options.extend([
+            loading.Opt('identity-provider-url',
+                        help=('An Identity Provider URL, where the SAML '
+                              'authentication request will be sent.')),
             loading.Opt('service-provider-endpoint',
                         help="Service Provider's Endpoint"),
+            loading.Opt('service-provider-entity-id',
+                        help="Service Provider's SAML Entity ID"),
             loading.Opt('username', help='Username'),
             loading.Opt('password', secret=True, help='Password')
         ])

keystoneauth1/extras/_saml2/v3/adfs.py

@@ -50,7 +50,7 @@ class Password(base.BaseSAMLPlugin):
 
     def __init__(self, auth_url, identity_provider, identity_provider_url,
                  service_provider_endpoint, username, password,
-                 protocol, **kwargs):
+                 protocol, service_provider_entity_id=None, **kwargs):
         """Constructor for ``ADFSPassword``.
 
         :param auth_url: URL of the Identity Service
@@ -69,6 +69,8 @@ class Password(base.BaseSAMLPlugin):
         :param service_provider_endpoint: Endpoint where an assertion is being
             sent, for instance: ``https://host.domain/Shibboleth.sso/ADFS``
         :type service_provider_endpoint: string
+        :param service_provider_entity_id: Service Provider SAML Entity ID
+        :type service_provider_entity_id: string
 
         :param username: User's login
         :type username: string
@@ -83,6 +85,7 @@ class Password(base.BaseSAMLPlugin):
             username=username, password=password, protocol=protocol, **kwargs)
 
         self.service_provider_endpoint = service_provider_endpoint
+        self.service_provider_entity_id = service_provider_entity_id
 
     def _cookies(self, session):
         """Check if cookie jar is not empty.
@@ -256,7 +259,8 @@ class Password(base.BaseSAMLPlugin):
         username.text = self.username
         password.text = self.password
         to.text = self.identity_provider_url
-        wsa_address.text = self.service_provider_endpoint
+        wsa_address.text = (self.service_provider_entity_id or
+                            self.service_provider_endpoint)
 
         self.prepared_request = root
 

keystoneauth1/tests/unit/extras/saml2/test_auth_adfs.py

@@ -70,6 +70,7 @@ class AuthenticateviaADFSTests(utils.TestCase):
             self.TEST_URL,
             'OS-FEDERATION/identity_providers/adfs/protocols/saml2/auth')
         self.SP_ENDPOINT = 'https://openstack4.local/Shibboleth.sso/ADFS'
+        self.SP_ENTITYID = 'https://openstack4.local'
 
         self.adfsplugin = saml2.V3ADFSPassword(
             self.TEST_URL, self.IDENTITY_PROVIDER,
@@ -120,6 +121,16 @@ class AuthenticateviaADFSTests(utils.TestCase):
             self.ADDRESS_XPATH, namespaces=self.NAMESPACES)[0]
         self.assertEqual(self.SP_ENDPOINT, address.text)
 
+    def test_prepare_adfs_request_custom_endpointreference(self):
+        self.adfsplugin = saml2.V3ADFSPassword(
+            self.TEST_URL, self.IDENTITY_PROVIDER,
+            self.IDENTITY_PROVIDER_URL, self.SP_ENDPOINT,
+            self.TEST_USER, self.TEST_TOKEN, self.PROTOCOL, self.SP_ENTITYID)
+        self.adfsplugin._prepare_adfs_request()
+        address = self.adfsplugin.prepared_request.xpath(
+            self.ADDRESS_XPATH, namespaces=self.NAMESPACES)[0]
+        self.assertEqual(self.SP_ENTITYID, address.text)
+
     def test_prepare_sp_request(self):
         assertion = etree.XML(self.ADFS_SECURITY_TOKEN_RESPONSE)
         assertion = assertion.xpath(

releasenotes/notes/bug-1689424-set-adfspassword-endpointreference-f186d84a54007b09.yaml

@@ -0,0 +1,13 @@
+---
+prelude: >
+    Allow setting EndpointReference in ADFSPassword
+features:
+  - >
+    Add the ability to specify the WS-Policy EndpointReference used in the
+    ADFSPassword plugin's RequestSecurityToken message via the
+    'service-provider-entity-id' option. Also added 'identity-provider-url'
+    option which was required, but missing from option list.
+fixes:
+  - >
+    [`bug 1689424 <https://bugs.launchpad.net/keystoneauth/+bug/1689424>`_]
+    Allow setting EndpointReference in ADFSPassword.