I would like to break it into two separate patches and submit them to the master branch.
Could you comment on these proposed changes?
1. Add support for getRequestedDefinitions to MetadataRequestedAttributesAttributeReleasePolicy.
2. Change of getAttributesForSamlRegisteredService in MetadataRequestedAttributesAttributeReleasePolicy.
Instead of selecting attributes for release using the RequestedAttribute Name or FriendlyName provided in the SP metadata:
- try to search for a SamlIdPAttributeDefinition in the AttributeDefinitionStore using the URN provided in the Name attribute of the RequestedAttribute,
- if such a SamlIdPAttributeDefinition exists, then use the key provided in this attribute definition to search for and release the user attribute,
- if the above fails, then try to search for the user attribute using the RequestedAttribute FriendlyName.
Sample RequestedAttribute definition in SP metadata looks like this:
<md:RequestedAttribute FriendlyName="schacPersonalUniqueCode" Name="urn:oid:1.3.6.1.4.1.25178.1.2.14" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
Without this change it is necessary to define the attribute twice to handle resolution by both URN and friendly name, e.g.:
  "schacPersonalUniqueCode" : {
    "@class" : "org.apereo.cas.support.saml.web.idp.profile.builders.attr.SamlIdPAttributeDefinition",
    "key" : "schacPersonalUniqueCode",
    "name" : "schacPersonalUniqueCode",
    "urn" : "urn:oid:1.3.6.1.4.1.25178.1.2.14",
    "friendlyName" : "schacPersonalUniqueCode"
  },
  "urn:oid:1.3.6.1.4.1.25178.1.2.14" : {
    "@class" : "org.apereo.cas.support.saml.web.idp.profile.builders.attr.SamlIdPAttributeDefinition",
    "key" : "urn:oid:1.3.6.1.4.1.25178.1.2.14",
    "name" : "schacPersonalUniqueCode",
    "urn" : "urn:oid:1.3.6.1.4.1.25178.1.2.14",
    "friendlyName" : "schacPersonalUniqueCode",
    "attribute" : "schacPersonalUniqueCode"
  },
Besides, selecting attributes using the URN provided in the attribute definition is more robust than using friendly names, because friendly names are used inconsistently in SP metadata.
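The following is an added, stand-alone illustration of the lookup order proposed above (URN from the RequestedAttribute Name, then the definition's key, then FriendlyName as a fallback). It is not CAS code and does not use the CAS API: the definition store is a plain dict shaped like the JSON in the post, the SP metadata fragment and the principal attributes are constructed, and the function names are hypothetical. The second RequestedAttribute deliberately carries a FriendlyName ("email") that does not match the IdP's definition, to show why resolving by URN first matters; the last one has neither a definition nor a FriendlyName and is therefore not released.

```python
"""Added example, not CAS code: resolve SP RequestedAttribute entries to user
attributes by URN first, falling back to FriendlyName."""
import json
import xml.etree.ElementTree as ET

MD_NS = "{urn:oasis:names:tc:SAML:2.0:metadata}"

# Constructed attribute definition store, shaped like the JSON in the post
# (the "mail" entry is an added sample, and "@class" is omitted for brevity).
ATTRIBUTE_DEFINITIONS = json.loads("""
{
  "schacPersonalUniqueCode": {
    "key": "schacPersonalUniqueCode",
    "name": "schacPersonalUniqueCode",
    "urn": "urn:oid:1.3.6.1.4.1.25178.1.2.14",
    "friendlyName": "schacPersonalUniqueCode"
  },
  "mail": {
    "key": "mail",
    "name": "mail",
    "urn": "urn:oid:0.9.2342.19200300.100.1.3",
    "friendlyName": "mail"
  }
}
""")

# Constructed SP metadata fragment. The first RequestedAttribute is the one
# from the post; the others exercise the FriendlyName mismatch and fallback.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeConsumingService index="1">
      <md:RequestedAttribute FriendlyName="schacPersonalUniqueCode" Name="urn:oid:1.3.6.1.4.1.25178.1.2.14" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
      <md:RequestedAttribute FriendlyName="email" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
      <md:RequestedAttribute FriendlyName="givenName" Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
      <md:RequestedAttribute Name="urn:oid:2.5.4.4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed principal attributes, as the IdP would have resolved them for the user.
PRINCIPAL_ATTRIBUTES = {
    "schacPersonalUniqueCode": ["urn:schac:personalUniqueCode:int:esi:example.org:1234"],
    "mail": ["alice@example.org"],
    "givenName": ["Alice"],
    "sn": ["Example"],
}


def parse_requested_attributes(metadata_xml):
    """Return (Name, FriendlyName or None) for every md:RequestedAttribute."""
    root = ET.fromstring(metadata_xml)
    return [(el.get("Name"), el.get("FriendlyName"))
            for el in root.iter(MD_NS + "RequestedAttribute")]


def find_definition_by_urn(definitions, urn):
    """Find the attribute definition whose 'urn' field equals the requested Name."""
    for definition in definitions.values():
        if definition.get("urn") == urn:
            return definition
    return None


def resolve_requested_attribute(name, friendly_name, definitions, principal_attributes):
    """Return (released_name, values, how) or None, following the proposed order:
    URN -> definition key -> principal attribute; else FriendlyName -> principal attribute."""
    definition = find_definition_by_urn(definitions, name)
    if definition is not None:
        key = definition.get("key")
        if key in principal_attributes:
            return key, principal_attributes[key], "urn"
    if friendly_name and friendly_name in principal_attributes:
        return friendly_name, principal_attributes[friendly_name], "friendlyName"
    return None


def release_attributes(metadata_xml, definitions, principal_attributes):
    """Build the attribute set to release for the SP described by metadata_xml."""
    released = {}
    for name, friendly_name in parse_requested_attributes(metadata_xml):
        resolved = resolve_requested_attribute(name, friendly_name, definitions, principal_attributes)
        if resolved is not None:
            released_name, values, _how = resolved
            released[released_name] = values
    return released


if __name__ == "__main__":
    for attr, values in release_attributes(SP_METADATA, ATTRIBUTE_DEFINITIONS, PRINCIPAL_ATTRIBUTES).items():
        print(attr, values)
```

Running it releases schacPersonalUniqueCode and mail via their URNs (mail despite the SP calling it "email"), givenName via the FriendlyName fallback, and nothing for urn:oid:2.5.4.4, which has no definition and no FriendlyName to fall back on.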