Improvements in handling attribute definitions and requested attributes in MetadataRequestedAttributesAttributeReleasePolicy


Marcin Roman

Apr 16, 2021, 1:14:18 PM
to CAS Developer
Hi, I created pull request https://github.com/apereo/cas/pull/5124
I would like to break it into 2 separate patches and submit it to the master branch.
Could you comment on these proposed changes?

1. Add support for getRequestedDefinitions to MetadataRequestedAttributesAttributeReleasePolicy.
This change is a continuation of https://github.com/apereo/cas/pull/5051, which creates attributes when requested based on attribute definitions.

2. Change of getAttributesForSamlRegisteredService in MetadataRequestedAttributesAttributeReleasePolicy.

Instead of selecting attributes for release using the RequestedAttribute Name or FriendlyName provided in the SP metadata:
- try to search for a SamlIdPAttributeDefinition in the AttributeDefinitionStore using the urn provided in the Name attribute of the RequestedAttribute,
- if such a SamlIdPAttributeDefinition exists, then use the key provided in this attribute definition to search for and release the user attribute,
- if the above fails, then try to search for the user attribute using the RequestedAttribute FriendlyName.

A sample RequestedAttribute definition in SP metadata looks like this:
    <md:RequestedAttribute FriendlyName="schacPersonalUniqueCode" Name="urn:oid:1.3.6.1.4.1.25178.1.2.14" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>

Without this change it is necessary to define the attribute twice to handle resolution by both urn and friendly name, e.g.:
    "schacPersonalUniqueCode" : {
      "@class" : "org.apereo.cas.support.saml.web.idp.profile.builders.attr.SamlIdPAttributeDefinition",
      "key" : "schacPersonalUniqueCode",
      "name" : "schacPersonalUniqueCode",
      "urn" : "urn:oid:1.3.6.1.4.1.25178.1.2.14",
      "friendlyName" : "schacPersonalUniqueCode"
    },
    "urn:oid:1.3.6.1.4.1.25178.1.2.14" : {
      "@class" : "org.apereo.cas.support.saml.web.idp.profile.builders.attr.SamlIdPAttributeDefinition",
      "key" : "urn:oid:1.3.6.1.4.1.25178.1.2.14",
      "name" : "schacPersonalUniqueCode",
      "urn" : "urn:oid:1.3.6.1.4.1.25178.1.2.14",
      "friendlyName" : "schacPersonalUniqueCode",
      "attribute" : "schacPersonalUniqueCode"
    },

Besides, selecting attributes using the urn provided in the attribute definition is more robust than using friendly names, because friendly names are used inconsistently in SP metadata.

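The lookup order proposed in point 2, modelled as a stand-alone added example. This is not CAS code and uses none of its APIs: the definition store is a plain dict loaded from the single-definition JSON the post wants to keep, the principal attributes and the SP metadata fragment are constructed for the example, and resolve_requested(), resolve_legacy() and the other names are assumptions. resolve_legacy() is one reading of the pre-change behaviour (Name or FriendlyName used directly as a lookup key), included only to show why the urn-based match no longer needs the second, urn-keyed definition when the SP's FriendlyName does not match the IdP's.

```python
"""Model of the proposed RequestedAttribute resolution order.

Added example, not CAS code. It models the order described in the post
(urn -> SamlIdPAttributeDefinition -> definition key -> user attribute,
falling back to the FriendlyName) with plain dicts and xml.etree; every
function name and all sample data below are assumptions for this example.
"""
import json
import xml.etree.ElementTree as ET

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed definition store: only the friendly-name-keyed definition from
# the post, carrying the urn. No second, urn-keyed copy is present.
DEFINITIONS = json.loads("""{
  "schacPersonalUniqueCode": {
    "@class": "org.apereo.cas.support.saml.web.idp.profile.builders.attr.SamlIdPAttributeDefinition",
    "key": "schacPersonalUniqueCode",
    "name": "schacPersonalUniqueCode",
    "urn": "urn:oid:1.3.6.1.4.1.25178.1.2.14",
    "friendlyName": "schacPersonalUniqueCode"
  }
}""")

# Constructed principal attributes, as resolved by the IdP for one user.
USER_ATTRIBUTES = {
    "schacPersonalUniqueCode": ["urn:schac:personalUniqueCode:int:studentID:example.org:12345"],
    "mail": ["alice@example.org"],
}

# Constructed SP metadata. The first RequestedAttribute uses a FriendlyName
# that differs from the IdP's (the inconsistency the post mentions), the
# second has no definition at all, the third is required but unavailable.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeConsumingService index="1">
      <md:ServiceName xml:lang="en">Example SP</md:ServiceName>
      <md:RequestedAttribute FriendlyName="personalUniqueCode" Name="urn:oid:1.3.6.1.4.1.25178.1.2.14" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
      <md:RequestedAttribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
      <md:RequestedAttribute FriendlyName="displayName" Name="urn:oid:2.16.840.1.113730.3.1.241" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def parse_requested_attributes(metadata_xml):
    """Return Name, FriendlyName and isRequired of each RequestedAttribute."""
    root = ET.fromstring(metadata_xml)
    path = ".//md:AttributeConsumingService/md:RequestedAttribute"
    return [
        {
            "name": el.get("Name"),
            "friendly_name": el.get("FriendlyName"),
            "is_required": el.get("isRequired", "false").lower() == "true",
        }
        for el in root.iterfind(path, MD_NS)
    ]


def definition_for_urn(definitions, urn):
    """Find the definition whose urn field matches, whatever its map key is."""
    for definition in definitions.values():
        if definition.get("urn") == urn:
            return definition
    return None


def resolve_requested(requested, definitions, user_attributes):
    """Proposed order: urn -> definition key -> user attribute; else FriendlyName.

    Returns (released, missing_required); released is keyed by the SAML Name.
    """
    released, missing_required = {}, []
    for ra in requested:
        lookup_key = None
        definition = definition_for_urn(definitions, ra["name"])
        if definition is not None and definition["key"] in user_attributes:
            lookup_key = definition["key"]
        elif ra["friendly_name"] in user_attributes:
            lookup_key = ra["friendly_name"]
        if lookup_key is None:
            if ra["is_required"]:
                missing_required.append(ra["name"])
            continue
        released[ra["name"]] = {"friendlyName": ra["friendly_name"],
                                "values": user_attributes[lookup_key]}
    return released, missing_required


def resolve_legacy(requested, definitions, user_attributes):
    """Assumed pre-change behaviour: Name or FriendlyName used as the key directly."""
    released = {}
    for ra in requested:
        for candidate in (ra["name"], ra["friendly_name"]):
            definition = definitions.get(candidate)
            key = definition["key"] if definition else candidate
            if key in user_attributes:
                released[ra["name"]] = {"friendlyName": ra["friendly_name"],
                                        "values": user_attributes[key]}
                break
    return released


if __name__ == "__main__":
    requested = parse_requested_attributes(SP_METADATA)
    print("proposed:", resolve_requested(requested, DEFINITIONS, USER_ATTRIBUTES))
    print("legacy:  ", resolve_legacy(requested, DEFINITIONS, USER_ATTRIBUTES))
```

With the single definition, the proposed order releases schacPersonalUniqueCode for the urn even though the SP spelled the FriendlyName differently, falls back to the FriendlyName for mail, and reports displayName as a missing required attribute; the legacy lookup releases only mail and would need the duplicate, urn-keyed definition from the post to release the first attribute.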