attrValueMapper fails to parse complex AttributeValue tags #245

vpalmisano · 2017-10-30T15:11:46Z

attrValueMapper function parse correctly this AttributeStatement:

<saml2:Attribute FriendlyName="NAME" Name="urn:oid:x.x.x.x" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <saml2:AttributeValue>VALUE</saml2:AttributeValue> </saml2:Attribute>

but it fails with this kind of AttributeStatement:

<saml2:Attribute FriendlyName="NAME" Name="urn:oid:x.x.x.x" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <saml2:AttributeValue> <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="XXX" SPNameQualifier="XX">VALUE</saml2:NameID> </saml2:AttributeValue> </saml2:Attribute>

The text was updated successfully, but these errors were encountered:

huntdm07 · 2017-11-13T10:40:17Z

The PR I've submitted #249 should fix this with support for existing usage.

alexstuart · 2017-11-15T12:17:11Z

Hello, it's Alex from the UK federation support team here. Just to expand on what @huntdm07 says in #249.

The UK federation uses eduPersonTargetedID to uniquely identify subjects. In SAML 2 eduPersonTargetedID is called urn:oid:1.3.6.1.4.1.5923.1.1.1.10 and, as far as I know, it's the only attribute from the eduPerson schema which has a value that is a saml2:NameID. So I think your code should only be trying to extract parts of the attribute if its Name starts with urn:oid:1.3.6.1.4.1.5923.1.1.1. and its Name == urn:oid:1.3.6.1.4.1.5923.1.1.1.10.

Secondly, the UK federation advises storing eduPersonTargetedID by concatenating the following elements:

the entity name of the identity provider
a single ‘!’ character
the entity name of the service provider
a single ‘!’ character
the opaque string value

As an example, the attribute received as

<saml2:Attribute
           FriendlyName="eduPersonTargetedID"
           Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
           NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
          <saml2:AttributeValue>
                <saml2:NameID
                   Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
                   NameQualifier="https://test-idp.ukfederation.org.uk/idp/shibboleth"
                   SPNameQualifier="https://test.ukfederation.org.uk/entity">
                  xY1234567890ACdFGGhjmkklljA=
                </saml2:NameID>
          </saml2:AttributeValue>
</saml2:Attribute>

could be flattened to https://test-idp.ukfederation.org.uk/idp/shibboleth!https://test.ukfederation.org.uk/entity!xY1234567890ACdFGGhjmkklljA=

Sorry, I'd write a pull request myself but I don't speak Javascript or know the structure of passport-saml.

…-saml#245) This fixes an issue where the `attrValueMapper` would fail to properly map the value for complex `AttributeValue` tags. This handles the case where the `AttributeValue` contains a nested `NameID` tag. One such example is the `eduPersonTargetedID` that is used as an identifier in eduGAIN [1] which can return an Attribute of the form ```xml <saml2:Attribute FriendlyName="eduPersonTargetedID" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <saml2:AttributeValue> <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="https://idp.example-university.fr/idp/shibboleth" SPNameQualifier="https://www.service-provider.com/shibboleth">a6c2c4d4-08b9-4ca7-8ff9-43d83e6e1d35</saml2:NameID> </saml2:AttributeValue> </saml2:Attribute> ``` Note that in reality, the `AttributeValue` tags can be much more complex. The Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0 uses the following schema for the `Attribute` tag: ```xml <element name="Attribute" type="saml:AttributeType"/> <complexType name="AttributeType"> <sequence> <element ref="saml:AttributeValue" minOccurs="0" maxOccurs="unbounded"/> </sequence> <attribute name="Name" type="string" use="required"/> <attribute name="NameFormat" type="anyURI" use="optional"/> <attribute name="FriendlyName" type="string" use="optional"/> <anyAttribute namespace="##other" processContents="lax"/> </complexType> ``` and the following schema for the `AttributeValue`: ```xml <element name="AttributeValue" type="anyType" nillable="true"/> ``` which means it can take any type. As pointed in [3], it is customary to use `NameQualifier` and the `SPNameQualifier` in addition to the actual value to create a unique identifier for the platform. That is why the `AttributeValue` is mapped to an object containing the attribute of the `NameID` tag as well as the string value for `eduPersonTargetedID` that is stored in the `Value` property. [1]: https://wiki.geant.org/display/eduGAIN/Identifier+Attributes [2]: https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf [3]: node-saml#245 (comment)

…-saml#245) This fixes an issue where the `attrValueMapper` would fail to properly map the value for complex `AttributeValue` tags. This handles the case where the `AttributeValue` contains a nested `NameID` tag. One such example is the `eduPersonTargetedID` that is used as an identifier in [eduGAIN][1] which can return an Attribute of the form ```xml <saml2:Attribute FriendlyName="eduPersonTargetedID" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <saml2:AttributeValue> <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="https://idp.example-university.fr/idp/shibboleth" SPNameQualifier="https://www.service-provider.com/shibboleth">a6c2c4d4-08b9-4ca7-8ff9-43d83e6e1d35</saml2:NameID> </saml2:AttributeValue> </saml2:Attribute> ``` Note that in reality, the `AttributeValue` tags can be much more complex. [The Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0][2] uses the following schema for the `Attribute` tag: ```xml <element name="Attribute" type="saml:AttributeType"/> <complexType name="AttributeType"> <sequence> <element ref="saml:AttributeValue" minOccurs="0" maxOccurs="unbounded"/> </sequence> <attribute name="Name" type="string" use="required"/> <attribute name="NameFormat" type="anyURI" use="optional"/> <attribute name="FriendlyName" type="string" use="optional"/> <anyAttribute namespace="##other" processContents="lax"/> </complexType> ``` and the following schema for the `AttributeValue`: ```xml <element name="AttributeValue" type="anyType" nillable="true"/> ``` which means it can take any type. As pointed in [3], it is customary to use `NameQualifier` and the `SPNameQualifier` in addition to the actual value to create a unique identifier for the platform. That is why the `AttributeValue` is mapped to an object containing the attribute of the `NameID` tag as well as the string value for `eduPersonTargetedID` that is stored in the `Value` property. [1]: https://wiki.geant.org/display/eduGAIN/Identifier+Attributes [2]: https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf [3]: node-saml#245 (comment)

…-saml#245) This fixes an issue where the `attrValueMapper` would fail to properly map the value for complex `AttributeValue` tags. This handles the case where the `AttributeValue` contains a nested `NameID` tag. One such example is the `eduPersonTargetedID` that is used as an identifier in [eduGAIN][1] which can return an Attribute of the form ```xml <saml2:Attribute FriendlyName="eduPersonTargetedID" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <saml2:AttributeValue> <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="https://idp.example-university.fr/idp/shibboleth" SPNameQualifier="https://www.service-provider.com/shibboleth">a6c2c4d4-08b9-4ca7-8ff9-43d83e6e1d35</saml2:NameID> </saml2:AttributeValue> </saml2:Attribute> ``` Note that in reality, the `AttributeValue` tags can be much more complex. [The Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0][2] uses the following schema for the `Attribute` tag: ```xml <element name="Attribute" type="saml:AttributeType"/> <complexType name="AttributeType"> <sequence> <element ref="saml:AttributeValue" minOccurs="0" maxOccurs="unbounded"/> </sequence> <attribute name="Name" type="string" use="required"/> <attribute name="NameFormat" type="anyURI" use="optional"/> <attribute name="FriendlyName" type="string" use="optional"/> <anyAttribute namespace="##other" processContents="lax"/> </complexType> ``` and the following schema for the `AttributeValue`: ```xml <element name="AttributeValue" type="anyType" nillable="true"/> ``` which means it can take any type. As pointed in [3], it is customary to use `NameQualifier` and the `SPNameQualifier` in addition to the actual value to create a unique identifier for the platform. That is why the `AttributeValue` is mapped to an object containing the attribute of the `NameID` tag as well as the string value for `eduPersonTargetedID` that is stored in the `Value` property. [1]: https://wiki.geant.org/display/eduGAIN/Identifier+Attributes [2]: https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf [3]: node-saml#245 (comment) # Conflicts: # test/tests.js

…-saml#245) This fixes an issue where the `attrValueMapper` would fail to properly map the value for complex `AttributeValue` tags. This handles the case where the `AttributeValue` contains a nested `NameID` tag. One such example is the `eduPersonTargetedID` that is used as an identifier in [eduGAIN][1] which can return an Attribute of the form ```xml <saml2:Attribute FriendlyName="eduPersonTargetedID" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <saml2:AttributeValue> <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="https://idp.example-university.fr/idp/shibboleth" SPNameQualifier="https://www.service-provider.com/shibboleth">a6c2c4d4-08b9-4ca7-8ff9-43d83e6e1d35</saml2:NameID> </saml2:AttributeValue> </saml2:Attribute> ``` Note that in reality, the `AttributeValue` tags can be much more complex. [The Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0][2] uses the following schema for the `Attribute` tag: ```xml <element name="Attribute" type="saml:AttributeType"/> <complexType name="AttributeType"> <sequence> <element ref="saml:AttributeValue" minOccurs="0" maxOccurs="unbounded"/> </sequence> <attribute name="Name" type="string" use="required"/> <attribute name="NameFormat" type="anyURI" use="optional"/> <attribute name="FriendlyName" type="string" use="optional"/> <anyAttribute namespace="##other" processContents="lax"/> </complexType> ``` and the following schema for the `AttributeValue`: ```xml <element name="AttributeValue" type="anyType" nillable="true"/> ``` which means it can take any type. As pointed in [3], it is customary to use `NameQualifier` and the `SPNameQualifier` in addition to the actual value to create a unique identifier for the platform. That is why the `AttributeValue` is mapped to an object containing the attribute of the `NameID` tag as well as the string value for `eduPersonTargetedID` that is stored in the `Value` property. [1]: https://wiki.geant.org/display/eduGAIN/Identifier+Attributes [2]: https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf [3]: node-saml#245 (comment)

…-saml#245) This fixes an issue where the `attrValueMapper` would fail to properly map the value for complex `AttributeValue` tags. This handles the case where the `AttributeValue` contains a nested `NameID` tag. One such example is the `eduPersonTargetedID` that is used as an identifier in [eduGAIN][1] which can return an Attribute of the form ```xml <saml2:Attribute FriendlyName="eduPersonTargetedID" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <saml2:AttributeValue> <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="https://idp.example-university.fr/idp/shibboleth" SPNameQualifier="https://www.service-provider.com/shibboleth">a6c2c4d4-08b9-4ca7-8ff9-43d83e6e1d35</saml2:NameID> </saml2:AttributeValue> </saml2:Attribute> ``` Note that in reality, the `AttributeValue` tags can be much more complex. [The Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0][2] uses the following schema for the `Attribute` tag: ```xml <element name="Attribute" type="saml:AttributeType"/> <complexType name="AttributeType"> <sequence> <element ref="saml:AttributeValue" minOccurs="0" maxOccurs="unbounded"/> </sequence> <attribute name="Name" type="string" use="required"/> <attribute name="NameFormat" type="anyURI" use="optional"/> <attribute name="FriendlyName" type="string" use="optional"/> <anyAttribute namespace="##other" processContents="lax"/> </complexType> ``` and the following schema for the `AttributeValue`: ```xml <element name="AttributeValue" type="anyType" nillable="true"/> ``` which means it can take any type. As pointed in [3], it is customary to use `NameQualifier` and the `SPNameQualifier` in addition to the actual value to create a unique identifier for the platform. That is why the `AttributeValue` is mapped to an object containing the attribute of the `NameID` tag as well as the string value for `eduPersonTargetedID` that is stored in the `Value` property. [1]: https://wiki.geant.org/display/eduGAIN/Identifier+Attributes [2]: https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf [3]: node-saml#245 (comment) # Conflicts: # test/tests.js

…-saml#245) This fixes an issue where the `attrValueMapper` would fail to properly map the value for complex `AttributeValue` tags. This handles the case where the `AttributeValue` contains a nested `NameID` tag. One such example is the `eduPersonTargetedID` that is used as an identifier in [eduGAIN][1] which can return an Attribute of the form ```xml <saml2:Attribute FriendlyName="eduPersonTargetedID" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <saml2:AttributeValue> <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="https://idp.example-university.fr/idp/shibboleth" SPNameQualifier="https://www.service-provider.com/shibboleth">a6c2c4d4-08b9-4ca7-8ff9-43d83e6e1d35</saml2:NameID> </saml2:AttributeValue> </saml2:Attribute> ``` Note that in reality, the `AttributeValue` tags can be much more complex. [The Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0][2] uses the following schema for the `Attribute` tag: ```xml <element name="Attribute" type="saml:AttributeType"/> <complexType name="AttributeType"> <sequence> <element ref="saml:AttributeValue" minOccurs="0" maxOccurs="unbounded"/> </sequence> <attribute name="Name" type="string" use="required"/> <attribute name="NameFormat" type="anyURI" use="optional"/> <attribute name="FriendlyName" type="string" use="optional"/> <anyAttribute namespace="##other" processContents="lax"/> </complexType> ``` and the following schema for the `AttributeValue`: ```xml <element name="AttributeValue" type="anyType" nillable="true"/> ``` which means it can take any type. As pointed in [3], it is customary to use `NameQualifier` and the `SPNameQualifier` in addition to the actual value to create a unique identifier for the platform. That is why the `AttributeValue` is mapped to an object containing the attribute of the `NameID` tag as well as the string value for `eduPersonTargetedID` that is stored in the `Value` property. [1]: https://wiki.geant.org/display/eduGAIN/Identifier+Attributes [2]: https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf [3]: node-saml#245 (comment)

mans0954 · 2020-08-26T11:10:30Z

saml-core-2.0-os Section 2.7.3.1.1 says

The <AttributeValue> element supplies the value of a specified SAML attribute. It is of the
xs:anyType type, which allows any well-formed XML to appear as the content of the element.

It doesn't, as far as I can see, specify any particular interpretation of XML appearing in an AttributeValue, even if that XML is a valid SAML fragment.

I note that the latest eduPerson schema says:

NOTE: eduPersonTargetedID is DEPRECATED and will be marked as obsolete in a 
future version of this specification. Its equivalent definition in SAML 2.0 has 
been replaced by a new specification for standard Subject Identifier attributes 
[https://docs.oasis-open.org/security/saml-subject-id-attr/v1.0/saml-subject-id-attr-v1.0.html],
one of which ("urn:oasis:names:tc:SAML:attribute:pairwise-id") is a direct 
replacement for this identifier with a simpler syntax and safer comparison 
rules. Existing use of this attribute in SAML 1.1 or SAML 2.0 should be phased 
out in favor of the new Subject Identifier attributes.

mans0954 · 2020-08-26T16:06:58Z

Just to further muddy the waters, I've suggested a third PR for solving this #447. Since the SAML specification allows any well formed XML to form the content of an AttributeValue, it seems to me that the correct response is to return that XML (or rather an object parsed from it) as the value of the attribute.

Much as I'm a fan of eduPerson, as I understand it passport-saml is targeting the SAML specification rather than eduPerson so we should avoid including eduPerson specific code in passport-saml, particularly when eduPersonTargetedID is deprecated, and the transform to a string suggested by @alexstuart is UKAMF specific (if I have understood correctly) rather than part of eduPerson.

I would be in favour of adding support for https://docs.oasis-open.org/security/saml-subject-id-attr/v1.0/saml-subject-id-attr-v1.0.html in future since that is an OASIS SAML specification.

dfdeagle47 · 2020-12-15T23:33:14Z

Much as I'm a fan of eduPerson, as I understand it passport-saml is targeting the SAML specification rather than eduPerson so we should avoid including eduPerson specific code in passport-saml, particularly when eduPersonTargetedID is deprecated, and the transform to a string suggested by @alexstuart is UKAMF specific (if I have understood correctly) rather than part of eduPerson.

Much appreciated. Perfectly agree it's much better to have a scalable solution which doesn't rely on eduPerson-related attributes (though I didn't have time to propose a cleaner solution).

(Didn't know eduPersonTargetedID was deprecated, thanks for pointing it out, though how wonder how many years it will take for universities to update their configuration ^^)

vpalmisano mentioned this issue Oct 30, 2017

Fixing NameID value mapping #246

Closed

huntdm07 mentioned this issue Nov 13, 2017

Add support nested NameID in attribute value #249

Closed

markstos added the peer-review-welcome label Jan 3, 2018

dfdeagle47 mentioned this issue Mar 9, 2020

fix: attrValueMapper fails to parse complex AttributeValue tags (#245) #427

Closed

dfdeagle47 mentioned this issue May 28, 2020

fix: attrValueMapper fails to parse complex AttributeValue tags (#245) wooclap/passport-saml#1

Merged

mans0954 mentioned this issue Aug 26, 2020

Return object for XML-valued AttributeValues #447

Merged

markstos closed this as completed in #447 Sep 3, 2020

snyk-bot mentioned this issue Oct 13, 2022

[Snyk] Security upgrade xml-crypto from 2.1.3 to 3.0.0 sign-in-canada/passport-saml#19

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

attrValueMapper fails to parse complex AttributeValue tags #245

attrValueMapper fails to parse complex AttributeValue tags #245

vpalmisano commented Oct 30, 2017

huntdm07 commented Nov 13, 2017

alexstuart commented Nov 15, 2017

mans0954 commented Aug 26, 2020 •

edited

Loading

mans0954 commented Aug 26, 2020

dfdeagle47 commented Dec 15, 2020

attrValueMapper fails to parse complex AttributeValue tags #245

attrValueMapper fails to parse complex AttributeValue tags #245

Comments

vpalmisano commented Oct 30, 2017

huntdm07 commented Nov 13, 2017

alexstuart commented Nov 15, 2017

mans0954 commented Aug 26, 2020 • edited Loading

mans0954 commented Aug 26, 2020

dfdeagle47 commented Dec 15, 2020

mans0954 commented Aug 26, 2020 •

edited

Loading