Encounter a SAML assertion containing an empty Attribute tag with no nested AttributeValue.
example: <saml2:Attribute Name="employee_id"/>
I've encountered these empty tags in the wild using Google Workspaces as a SAML IDP.
```ts
it("A null value given with an object should be null", async () => {
  const xml =
    '<Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol" ID="response0">' +
    '<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">' +
    "<saml2:AttributeStatement>" +
    '<saml2:Attribute Name="attributeName" ' +
    'NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" />' +
    "</saml2:AttributeStatement>" +
    "</saml2:Assertion>" +
    "</Response>";

  const signingKey = fs.readFileSync(__dirname + "/static/key.pem");
  const signingCert = fs.readFileSync(__dirname + "/static/cert.pem", "utf-8");
  const signedXml = signXmlResponse(xml, { privateKey: signingKey });

  const base64xml = Buffer.from(signedXml).toString("base64");
  const container = { SAMLResponse: base64xml };
  const samlObj = new SAML({
    cert: signingCert,
    audience: false,
    issuer: "onesaml_login",
    wantAssertionsSigned: false,
  });

  const { profile } = await samlObj.validatePostResponseAsync(container);
  assertRequired(profile, "profile must exist");
  expect(profile.attributes?.attributeName).to.be.null;
});
```
Expected behavior
The current behavior of omitting the value entirely makes it difficult to determine if the attribute is configured at all by the IdP, or if the data associated with the user is incorrect. For example, {first_name: null} means that the user doesn't have a first name, while {} means that maybe the user doesn't have a first name, maybe the attribute isn't configured properly.
No Attribute Value
SAML Core line 1219 states:
Within an <AttributeStatement>, if the SAML attribute exists but has no values, then the <AttributeValue> element MUST be omitted.
I believe that the most idiomatic way to represent something that exists but has no values - e.g. <saml2:Attribute Name="employee_id"/> - would be as { "employee_id": null }.
Empty Attribute Value
SAML Core line 1246 states:
If a SAML attribute includes an empty value, such as the empty string, the corresponding <AttributeValue> element MUST be empty (generally this is serialized as <AttributeValue/>). This overrides the requirement in Section 1.3.1 that string values in SAML content contain at least one non-whitespace character.
I believe the test case An undefined value given with an object should still be undefined is incorrect - the empty attribute with type xs:string should be returned as an empty string literal (''), not as undefined.
I'm more than happy to update the code + testcases - I understand these would be breaking changes - so please let me know if there is a preferred way to structure the PRs / some future branch I should target.
Environment
Node.js version: 18
@node-saml/node-saml version: 4.0.2
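The mapping proposed in this issue, as an added JavaScript sketch that is not code from the issue or from node-saml. `extractAttributes`, `attributeState` and the sample XML are hypothetical and constructed for illustration; returning one value as a string and several as an array is an assumption of the example.

```javascript
// Added example; extractAttributes and attributeState are hypothetical helpers,
// not part of @node-saml/node-saml. The regex scanner only suits the constructed
// sample below: real code needs an XML parser, entity decoding, and must read
// attributes only from an assertion whose signature has been validated.
const SAMPLE = [ // constructed sample input
  '<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">',
  '<saml2:Attribute Name="employee_id"/>',
  '<saml2:Attribute Name="nickname"><saml2:AttributeValue/></saml2:Attribute>',
  '<saml2:Attribute Name="email"><saml2:AttributeValue>a@example.com</saml2:AttributeValue></saml2:Attribute>',
  '<saml2:Attribute Name="groups"><saml2:AttributeValue>dev</saml2:AttributeValue>' +
    '<saml2:AttributeValue>ops</saml2:AttributeValue></saml2:Attribute>',
  "</saml2:AttributeStatement>",
].join("");

// <p:Attribute .../> or <p:Attribute ...>body</p:Attribute>; the "\s" keeps
// AttributeStatement and AttributeValue elements from matching.
const ATTRIBUTE_RE = /<(\w+:)?Attribute\s([^>]*?)(?:\/>|>([\s\S]*?)<\/\1Attribute>)/g;
const VALUE_RE = /<(\w+:)?AttributeValue\b[^>]*?(?:\/>|>([\s\S]*?)<\/\1AttributeValue>)/g;

function extractAttributes(xml) {
  const attributes = Object.create(null); // no prototype: "__proto__" is just a key
  for (const [, , rawAttrs, body] of xml.matchAll(ATTRIBUTE_RE)) {
    const name = /\bName="([^"]*)"/.exec(rawAttrs)?.[1];
    if (name === undefined) continue; // Name is required; skip malformed elements
    const values = [...(body ?? "").matchAll(VALUE_RE)].map((m) => m[2] ?? "");
    if (values.length === 0) {
      attributes[name] = null; // attribute exists but has no values (Core line 1219)
    } else {
      // An empty <AttributeValue/> stays "" instead of undefined (Core line 1246).
      attributes[name] = values.length === 1 ? values[0] : values;
    }
  }
  return attributes;
}

// The states a relying party can tell apart once null and "" are preserved.
function attributeState(attributes, name) {
  if (!(name in attributes)) return "not-sent"; // IdP did not send the attribute
  if (attributes[name] === null) return "no-value"; // sent, but without any value
  return attributes[name] === "" ? "empty-string" : "has-value";
}
```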
Feel free to submit a PR with test cases and I'll have a closer look. Just from reading your description it does seem that undefined would be improper for xs:string.
We'll do a breaking-change release with the deprecation of Node 14, so we still have 2-3 months to get this right before releasing it.