It would be great if the package supported AttributeStatements. They are crucial in our use cases (usually to include user information other than the username, such as groups/roles).

Ideally, there would be support for an AttributeStatement property in the Response object which contained a single object of an AttributeStatement class. It in turn would contain a list of Attribute classes, which would expose the properties "name" (a string) and "values" (a list). The SAML that it would export could look like the following:
<Assertion ...>
.....
<AttributeStatement>
<Attribute Name="username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<AttributeValue xsi:type="xsd:string">aroth</AttributeValue>
</Attribute>
<Attribute Name="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<AttributeValue xsi:type="xsd:string">Member</AttributeValue>
<AttributeValue xsi:type="xsd:string">Admin</AttributeValue>
<AttributeValue xsi:type="xsd:string">Contributor</AttributeValue>
</Attribute>
</AttributeStatement>
</Assertion>

Right now I manually construct this SAML section in XML using lxml.etree. I use your Response object to build everything else, but export the resulting SAML to string and import that to XML using lxml.etree. Finally, I inject the AttributeStatement XML into the Response XML's Assertion, and post that to the ACS. Not ideal, of course.

I would consider a pull request, but I'm not sure that I understand your code well enough to add this functionality on my own. If you were willing to field some questions, I could take a stab at it.

It seems that this package only works with Python 3.x. I get all sorts of syntax errors in trying to run this with Python 2.7.5.

Is this by design or just one of those things you never got around to? If not by design, I would consider a pull request (but I might need to ask you some questions). If by design, the reasoning would be appreciated.

Thanks!

Hello,

I'm trying to pass the Authnrequest, created according to test case example to a SimpleSAMLphp IdP, where i get:

Invalid SAML2 timestamp passed to parseSAML2Time: 2014-02-22T22:22:30

It seams that the format of the time, serialized by this module is not correct, it should be, according to SimpleSAMLphp:
2014-02-22T22:22:30Z (Z in the end)

SignatureMethod and DigestMethod algorithm is always set to http://www.w3.org/2000/09/xmldsig#rsa-sha1. It would be good if http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 was supported also (and whatever else xmlsec supports).

These elements:

<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>