
fix: attrValueMapper fails to parse complex AttributeValue tags (#245) #1

Merged: 1 commit into master on May 28, 2020


dfdeagle47

Context

This fixes an issue where the attrValueMapper would fail to properly map the value for complex AttributeValue tags. This handles the case where the AttributeValue contains a nested NameID tag.

One such example is the eduPersonTargetedID that is used as an identifier in eduGAIN which can return an Attribute of the form

```xml
<saml2:Attribute FriendlyName="eduPersonTargetedID" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
  <saml2:AttributeValue>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="https://idp.example-university.fr/idp/shibboleth" SPNameQualifier="https://www.service-provider.com/shibboleth">a6c2c4d4-08b9-4ca7-8ff9-43d83e6e1d35</saml2:NameID>
  </saml2:AttributeValue>
</saml2:Attribute>
```

Limitations

Note that in reality, the AttributeValue tags can be much more complex. The Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0 uses the following schema for the Attribute tag:

```xml
<element name="Attribute" type="saml:AttributeType"/>
<complexType name="AttributeType">
  <sequence>
    <element ref="saml:AttributeValue" minOccurs="0" maxOccurs="unbounded"/>
  </sequence>
  <attribute name="Name" type="string" use="required"/>
  <attribute name="NameFormat" type="anyURI" use="optional"/>
  <attribute name="FriendlyName" type="string" use="optional"/>
  <anyAttribute namespace="##other" processContents="lax"/>
</complexType>
```

and the following schema for the AttributeValue:

```xml
<element name="AttributeValue" type="anyType" nillable="true"/>
```

which means it can take any type.

As pointed out in this issue, it is customary to use NameQualifier and the SPNameQualifier in addition to the actual value to create a unique identifier for the platform. That is why the AttributeValue is mapped to an object containing the attributes of the NameID tag as well as the string value for eduPersonTargetedID that is stored in the Value property.

Additional information regarding the fix

  • The attrValueMapper is extracted to the SAML prototype to make it easier to test and it is renamed to attributeValueMapper to make it more explicit.
  • Tests have been added to check that it correctly handles the use case where the AttributeValue contains a nested NameID tag.
  • Previously, the attrValueMapper would return undefined for this use case. Now, it returns an object where Value is the nested string value and the tag attributes are properties of that object.

Related PRs and issues

This should close the following PRs (although the mapping is different):

This should close the following issue:

…-saml#245)

This fixes an issue where the `attrValueMapper` would fail to properly
map the value for complex `AttributeValue` tags. This handles the case
where the `AttributeValue` contains a nested `NameID` tag.

One such example is the `eduPersonTargetedID` that is used as an
identifier in [eduGAIN][1] which can return an Attribute of the form

```xml
<saml2:Attribute FriendlyName="eduPersonTargetedID" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
  <saml2:AttributeValue>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="https://idp.example-university.fr/idp/shibboleth" SPNameQualifier="https://www.service-provider.com/shibboleth">a6c2c4d4-08b9-4ca7-8ff9-43d83e6e1d35</saml2:NameID>
  </saml2:AttributeValue>
</saml2:Attribute>
```

Note that in reality, the `AttributeValue` tags can be much more complex.
[The Assertions and Protocols for the OASIS Security Assertion Markup
Language (SAML) V2.0][2] uses the following schema for the `Attribute`
tag:

```xml
<element name="Attribute" type="saml:AttributeType"/>
<complexType name="AttributeType">
  <sequence>
    <element ref="saml:AttributeValue" minOccurs="0" maxOccurs="unbounded"/>
  </sequence>
  <attribute name="Name" type="string" use="required"/>
  <attribute name="NameFormat" type="anyURI" use="optional"/>
  <attribute name="FriendlyName" type="string" use="optional"/>
  <anyAttribute namespace="##other" processContents="lax"/>
</complexType>
```

and the following schema for the `AttributeValue`:

```xml
<element name="AttributeValue" type="anyType" nillable="true"/>
```

which means it can take any type.

As pointed out in [3], it is customary to use `NameQualifier` and the
`SPNameQualifier` in addition to the actual value to create a unique
identifier for the platform. That is why the `AttributeValue` is mapped
to an object containing the attribute of the `NameID` tag as well as
the string value for `eduPersonTargetedID` that is stored in the `Value`
property.

[1]: https://wiki.geant.org/display/eduGAIN/Identifier+Attributes
[2]: https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
[3]: node-saml#245 (comment)
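The mapping described in the PR and in the commit message above, as an added illustration that is not node-saml code: a nested `NameID` becomes an object carrying the tag's attributes plus the text under `Value`, a plain text `AttributeValue` stays a string, and the three parts the description calls customary are combined into one scoped identifier. The sample attribute is constructed to match the one in the PR, and the `!` separator is an assumption made for this example.

```python
"""Added example (not node-saml code): map a SAML2 AttributeValue that wraps a
NameID into the object shape the PR describes, then derive the scoped id."""
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed sample, same shape as the eduPersonTargetedID attribute in the PR.
SAMPLE_ATTRIBUTE = """<saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    FriendlyName="eduPersonTargetedID" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
  <saml2:AttributeValue>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
        NameQualifier="https://idp.example-university.fr/idp/shibboleth"
        SPNameQualifier="https://www.service-provider.com/shibboleth">a6c2c4d4-08b9-4ca7-8ff9-43d83e6e1d35</saml2:NameID>
  </saml2:AttributeValue>
</saml2:Attribute>"""


def map_attribute_value(value_el):
    """Plain text stays a string; a nested NameID becomes a dict of its
    attributes (Format, NameQualifier, SPNameQualifier) plus 'Value'."""
    name_id = value_el.find("saml2:NameID", NS)
    if name_id is None:
        return (value_el.text or "").strip()
    mapped = dict(name_id.attrib)
    mapped["Value"] = (name_id.text or "").strip()
    return mapped


def parse_attribute(xml_text):
    """Return the mapped value of every AttributeValue child, in document order."""
    root = ET.fromstring(xml_text)
    return [map_attribute_value(v) for v in root.findall("saml2:AttributeValue", NS)]


def scoped_identifier(mapped):
    """A persistent NameID is only unique within its qualifier pair, so the
    bare Value alone can collide across identity providers; require all three.
    Joining with '!' is this example's own convention."""
    if not isinstance(mapped, dict) or mapped.get("Format") != PERSISTENT:
        raise ValueError("expected a persistent NameID mapping")
    for key in ("NameQualifier", "SPNameQualifier", "Value"):
        if not mapped.get(key):
            raise ValueError(f"NameID is missing {key}")
    return "!".join((mapped["NameQualifier"], mapped["SPNameQualifier"], mapped["Value"]))
```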
dfdeagle47 merged commit d19e02e into master on May 28, 2020