automatic attribute.required handling


Emmanuel Dreyfus

May 24, 2018, 5:01:29 AM
to simple...@googlegroups.com
Hello

I see that the metadata parser gets the attribute.required setting, but it
does not seem to be used: I found no way to have the requested attributes
from metadata automatically included in SAML assertions.

Reading the source, I see attribute.required sets an isRequired flag,
but I fail to see where it is used. Is it a missing feature, or just
a configuration flag I missed?

--
Emmanuel Dreyfus
ma...@netbsd.org

Jaime Perez Crespo

May 24, 2018, 5:15:18 AM
to SimpleSAMLphp
Hi Emmanuel,
A vanilla install of SimpleSAMLphp without the AttributeLimit authproc filter will release all attributes available. When AttributeLimit is used, only those attributes specified in the metadata (either remote SP metadata, or local IdP metadata) will be released. Whether the attributes have the “isRequired” flag set in the SAML metadata is irrelevant.

The “attributes.required” configuration option is mostly intended for SimpleSAMLphp SPs to express their attribute requirements (setting the isRequired flag for a given set of attributes). A SimpleSAMLphp will just ignore it. The metadata parser processes it and translates it for completeness, but there’s no such configuration option in remote SP metadata:

https://simplesamlphp.org/docs/stable/simplesamlphp-reference-sp-remote


Jaime Pérez
Uninett / Feide

jaime...@uninett.no
jaime...@protonmail.com
9A08 EA20 E062 70B4 616B 43E3 562A FE3A 6293 62C2

"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost
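As an added example (not code from this thread or from SimpleSAMLphp itself) of the distinction Jaime draws: the AttributeLimit authproc filter on the IdP decides what is released, driven by the `attributes` list in the remote SP metadata, while `attributes.required` only shapes the SP's own generated metadata. Entity IDs, URLs and the file locations named in the comments are assumptions.

```php
<?php
// Added example. File names below are the assumed standard SimpleSAMLphp
// layout; entity IDs and hostnames are constructed placeholders.

// --- Hosted IdP metadata entry (assumed: metadata/saml20-idp-hosted.php) ---
// Without an 'authproc' entry for core:AttributeLimit, every attribute the
// authsource returns is released to every SP. Adding the filter with
// 'default' => true limits the release to the 'attributes' array found in
// the matching remote SP metadata (falling back to this IdP's own list).
$metadata['__DYNAMIC:1__'] = [
    'host'        => '__DEFAULT__',
    'auth'        => 'example-userpass',
    'privatekey'  => 'idp.pem',
    'certificate' => 'idp.crt',
    'authproc'    => [
        50 => [
            'class'   => 'core:AttributeLimit',
            'default' => true,
        ],
    ],
];

// --- Remote SP metadata (assumed: metadata/saml20-sp-remote.php) ---
// Only these two attributes are released to this SP. There is no
// 'attributes.required' key on the remote side: whether the SP marked an
// attribute isRequired="true" in its metadata does not change the release.
$metadata['https://sp.example.org/saml'] = [
    'AssertionConsumerService' => 'https://sp.example.org/saml/acs',
    'attributes'               => ['eduPersonPrincipalName', 'mail'],
];

// --- SP side (assumed: config/authsources.php) ---
// 'attributes.required' affects only the metadata this SP publishes: the
// listed attributes get isRequired="true" on their RequestedAttribute
// elements. An IdP running the configuration above ignores that flag.
$config['default-sp'] = [
    'saml:SP',
    'entityID'            => 'https://sp.example.org/saml',
    'attributes'          => ['eduPersonPrincipalName', 'mail', 'displayName'],
    'attributes.required' => ['eduPersonPrincipalName'],
];
```

With this setup the SP's metadata still requests `displayName`, but the IdP releases only the two attributes in its remote SP entry, which is the behaviour Jaime describes.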

Peter Schober

May 24, 2018, 6:26:23 AM
to simple...@googlegroups.com
* Emmanuel Dreyfus <ma...@netbsd.org> [2018-05-24 11:01]:
> I see that the metadata parser gets the attribute.required setting, but it
> does not seem to be used: I found no way to have the requested attributes
> from metadata automatically included in SAML assertions.
>
> Reading the source, I see attribute.required sets an isRequired flag,
> but I fail to see where it is used. Is it a missing feature, or just
> a configuration flag I missed?

The problem with isRequired="true" in SAML 2.0 Metadata is that it's
per RequestedAttribute element, and as such it cannot express commonly
needed things like: I require at least one of either foo or bar.
(In larger deployments IDPs and SPs will not all support all
attributes in use consistently, so being able to handle that potential
mismatch is essential -- but this cannot be done with standard SAML
2.0 metadata. In the academic world people have been using SAML
Entity Attributes instead, to signal attribute requirements, same with
the new OASIS SAML SubjectID Attributes Profile.)

I'm not arguing that SSP shouldn't be able to differentiate between
requested and requested+required attributes, but since this is much
less useful in practice than one would like it to be, it's an
understandable omission.
-peter