attrValueMapper fails to parse complex AttributeValue tags #245
Comments
The PR I've submitted #249 should fix this with support for existing usage.
Hello, it's Alex from the UK federation support team here. Just to expand on what @huntdm07 says in #249. The UK federation uses eduPersonTargetedID to uniquely identify subjects. In SAML 2 eduPersonTargetedID is called Secondly, the UK federation advises storing eduPersonTargetedID by concatenating the following elements:
As an example, the attribute received as
could be flattened to Sorry, I'd write a pull request myself but I don't speak JavaScript or know the structure of passport-saml.
…-saml#245)

This fixes an issue where the `attrValueMapper` would fail to properly map the value for complex `AttributeValue` tags. This handles the case where the `AttributeValue` contains a nested `NameID` tag.

One such example is the `eduPersonTargetedID` that is used as an identifier in [eduGAIN][1] which can return an Attribute of the form

```xml
<saml2:Attribute FriendlyName="eduPersonTargetedID" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
  <saml2:AttributeValue>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="https://idp.example-university.fr/idp/shibboleth" SPNameQualifier="https://www.service-provider.com/shibboleth">a6c2c4d4-08b9-4ca7-8ff9-43d83e6e1d35</saml2:NameID>
  </saml2:AttributeValue>
</saml2:Attribute>
```

Note that in reality, the `AttributeValue` tags can be much more complex. [The Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0][2] uses the following schema for the `Attribute` tag:

```xml
<element name="Attribute" type="saml:AttributeType"/>
<complexType name="AttributeType">
  <sequence>
    <element ref="saml:AttributeValue" minOccurs="0" maxOccurs="unbounded"/>
  </sequence>
  <attribute name="Name" type="string" use="required"/>
  <attribute name="NameFormat" type="anyURI" use="optional"/>
  <attribute name="FriendlyName" type="string" use="optional"/>
  <anyAttribute namespace="##other" processContents="lax"/>
</complexType>
```

and the following schema for the `AttributeValue`:

```xml
<element name="AttributeValue" type="anyType" nillable="true"/>
```

which means it can take any type. As pointed out in [3], it is customary to use `NameQualifier` and `SPNameQualifier` in addition to the actual value to create a unique identifier for the platform.

That is why the `AttributeValue` is mapped to an object containing the attributes of the `NameID` tag as well as the string value for `eduPersonTargetedID` that is stored in the `Value` property.

[1]: https://wiki.geant.org/display/eduGAIN/Identifier+Attributes
[2]: https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
[3]: node-saml#245 (comment)
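The mapping the commit message describes (a nested `NameID` turned into an object carrying its XML attributes plus a `Value` property) and the flattening the UK federation comment asks for, as an added example that is not node-saml or passport-saml code. It assumes the input objects have the shape xml2js produces with `explicitCharkey: true` and namespace prefixes stripped (text in `_`, XML attributes in `$`, child elements as arrays); the sample objects are constructed inline from the XML shown in this thread. The `NameQualifier!SPNameQualifier!value` string form is the one Shibboleth's NameID attribute decoder emits; that it matches what the UK federation comment recommends is an assumption here, since the comment's list of elements did not survive on this page. The `expected` entity IDs passed to `flattenTargetedId` are hypothetical configuration values.

```javascript
// Added example, not code from node-saml/passport-saml.
// Assumption: objects mirror xml2js output with explicitCharkey: true and
// tag prefixes stripped: text content in "_", XML attributes in "$",
// child elements as arrays. Samples below are constructed for this example.

// <saml2:AttributeValue>VALUE</saml2:AttributeValue>
const simpleAttribute = {
  $: { FriendlyName: "NAME", Name: "urn:oid:x.x.x.x" },
  AttributeValue: [{ _: "VALUE" }],
};

// <saml2:AttributeValue><saml2:NameID ...>uuid</saml2:NameID></saml2:AttributeValue>
const targetedIdAttribute = {
  $: { FriendlyName: "eduPersonTargetedID", Name: "urn:oid:1.3.6.1.4.1.5923.1.1.1.10" },
  AttributeValue: [{
    NameID: [{
      _: "a6c2c4d4-08b9-4ca7-8ff9-43d83e6e1d35",
      $: {
        Format: "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
        NameQualifier: "https://idp.example-university.fr/idp/shibboleth",
        SPNameQualifier: "https://www.service-provider.com/shibboleth",
      },
    }],
  }],
};

// Map one AttributeValue. A text node becomes a string; a nested NameID
// becomes an object with the NameID's XML attributes plus the text in
// "Value"; anything else is returned as parsed so no data is silently lost.
function mapAttributeValue(value) {
  if (typeof value === "string") return value;
  if (value && Array.isArray(value.NameID) && value.NameID.length === 1) {
    const nameId = value.NameID[0];
    return { ...(nameId.$ || {}), Value: nameId._ };
  }
  if (value && typeof value._ === "string") return value._;
  return value;
}

// Map an Attribute element to { name, values[] } (an Attribute may carry
// zero or more AttributeValue children per the schema quoted above).
function mapAttribute(attribute) {
  const values = (attribute.AttributeValue || []).map(mapAttributeValue);
  return { name: attribute.$.Name, values };
}

const PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent";

// Flatten a mapped eduPersonTargetedID to "NameQualifier!SPNameQualifier!value"
// (the Shibboleth decoder's format; assumed to be what the federation wants).
// The bare value is only unique within its qualifier pair, so refuse a NameID
// scoped to a different IdP or SP, and refuse any component containing the
// separator, which would make two distinct tuples flatten to the same string.
// `expected` holds hypothetical SP configuration: the asserting IdP's entityID
// and this SP's own entityID.
function flattenTargetedId(mapped, expected) {
  if (!mapped || typeof mapped !== "object" || typeof mapped.Value !== "string") {
    throw new Error("eduPersonTargetedID must carry a NameID");
  }
  if (mapped.Format !== PERSISTENT) {
    throw new Error("eduPersonTargetedID must use the persistent NameID format");
  }
  if (mapped.NameQualifier !== expected.idpEntityId) {
    throw new Error("NameQualifier does not match the asserting IdP");
  }
  if (mapped.SPNameQualifier !== expected.spEntityId) {
    throw new Error("SPNameQualifier does not match this SP");
  }
  const parts = [mapped.NameQualifier, mapped.SPNameQualifier, mapped.Value];
  if (parts.some((p) => p.includes("!"))) {
    throw new Error("'!' separator present in a NameID component");
  }
  return parts.join("!");
}

// Stand-alone run over the constructed samples.
const expectedParties = {
  idpEntityId: "https://idp.example-university.fr/idp/shibboleth",
  spEntityId: "https://www.service-provider.com/shibboleth",
};
console.log(mapAttribute(simpleAttribute).values[0]);
console.log(flattenTargetedId(mapAttribute(targetedIdAttribute).values[0], expectedParties));
```

The qualifier check is the part a practitioner should not skip: once the SP uses the flattened string as a login key, accepting a NameID whose qualifiers name some other IdP or SP pair lets an assertion from one party be mapped onto an identifier that belongs to another.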
saml-core-2.0-os Section 2.7.3.1.1 says
It doesn't, as far as I can see, specify any particular interpretation of XML appearing in an AttributeValue, even if that XML is a valid SAML fragment. I note that the latest eduPerson schema says:
Just to further muddy the waters, I've suggested a third PR for solving this #447. Since the SAML specification allows any well formed XML to form the content of an AttributeValue, it seems to me that the correct response is to return that XML (or rather an object parsed from it) as the value of the attribute. Much as I'm a fan of I would be in favour of adding support for https://docs.oasis-open.org/security/saml-subject-id-attr/v1.0/saml-subject-id-attr-v1.0.html in future since that is an OASIS SAML specification.
Much appreciated. Perfectly agree it's much better to have a scalable solution which doesn't rely on (Didn't know
The attrValueMapper function parses this AttributeStatement correctly:

```xml
<saml2:Attribute FriendlyName="NAME" Name="urn:oid:x.x.x.x" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
  <saml2:AttributeValue>VALUE</saml2:AttributeValue>
</saml2:Attribute>
```

but it fails with this kind of AttributeStatement:

```xml
<saml2:Attribute FriendlyName="NAME" Name="urn:oid:x.x.x.x" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
  <saml2:AttributeValue>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="XXX" SPNameQualifier="XX">VALUE</saml2:NameID>
  </saml2:AttributeValue>
</saml2:Attribute>
```