fix: 修复 saml2 登陆的问题

apps/authentication/backends/saml2/backends.py

@@ -17,8 +17,7 @@ logger = get_logger(__file__)
 
 
 class SAML2Backend(ModelBackend):
-    @staticmethod
-    def user_can_authenticate(user):
+    def user_can_authenticate(self, user):
         is_valid = getattr(user, 'is_valid', None)
         return is_valid or is_valid is None
 
@@ -42,9 +41,10 @@ class SAML2Backend(ModelBackend):
         log_prompt = "Process authenticate [SAML2AuthCodeBackend]: {}"
         logger.debug(log_prompt.format('Start'))
         if saml_user_data is None:
-            logger.debug(log_prompt.format('saml_user_data is missing'))
+            logger.error(log_prompt.format('saml_user_data is missing'))
             return None
 
+        logger.debug(log_prompt.format('saml data, {}'.format(saml_user_data)))
         username = saml_user_data.get('username')
         if not username:
             logger.debug(log_prompt.format('username is missing'))

apps/authentication/backends/saml2/views.py

@@ -1,5 +1,4 @@
-import json
-import os
+import copy
 
 from django.views import View
 from django.contrib import auth as auth
@@ -96,10 +95,18 @@ class PrepareRequestMixin:
     def get_advanced_settings():
         try:
             other_settings = dict(settings.SAML2_SP_ADVANCED_SETTINGS)
+            other_settings = copy.deepcopy(other_settings)
         except Exception as error:
             logger.error('Get other settings error: %s', error)
             other_settings = {}
 
+        security_default = {
+            'wantAttributeStatement': False,
+            'allowRepeatAttributeName': True
+        }
+        security = other_settings.get('security', {})
+        security_default.update(security)
+
         default = {
             "organization": {
                 "en": {
@@ -107,9 +114,10 @@ class PrepareRequestMixin:
                     "displayname": "JumpServer",
                     "url": "https://jumpserver.org/"
                 }
-            }
+            },
         }
         default.update(other_settings)
+        default['security'] = security_default
         return default
 
     def get_sp_settings(self):
@@ -156,9 +164,12 @@ class PrepareRequestMixin:
         user_attrs = {}
         real_key_index = len(settings.SITE_URL) + 1
         attrs = saml_instance.get_attributes()
+        valid_attrs = ['username', 'name', 'email', 'comment', 'phone']
 
         for attr, value in attrs.items():
             attr = attr[real_key_index:]
+            if attr not in valid_attrs:
+                continue
             user_attrs[attr] = self.value_to_str(value)
         return user_attrs
 

apps/jumpserver/conf.py

@@ -234,7 +234,18 @@ class Config(dict):
         'SAML2_LOGOUT_COMPLETELY': True,
         'AUTH_SAML2_ALWAYS_UPDATE_USER': True,
         'SAML2_RENAME_ATTRIBUTES': {'uid': 'username', 'email': 'email'},
-        'SAML2_SP_ADVANCED_SETTINGS': {"organization": {"en": {"name": "JumpServer", "displayname": "JumpServer", "url": "https://jumpserver.org/"}}},
+        'SAML2_SP_ADVANCED_SETTINGS': {
+            "organization": {
+                "en": {
+                    "name": "JumpServer",
+                    "displayname": "JumpServer",
+                    "url": "https://jumpserver.org/"
+                }
+            },
+            "strict": True,
+            "security": {
+            }
+        },
         'SAML2_IDP_METADATA_URL': '',
         'SAML2_IDP_METADATA_XML': '',
         'SAML2_SP_KEY_CONTENT': '',

apps/orgs/caches.py

@@ -72,7 +72,7 @@ class OrgResourceStatisticsCache(OrgRelatedCache):
         self.org = org
 
     def get_key_suffix(self):
-        return f'<org:{self.org.id}>'
+        return f'org_{self.org.id}'
 
     def get_current_org(self):
         return self.org