Multiple Audience-entries


Tim van Dijen

May 24, 2019, 12:47:08 PM5/24/19
to OpenConext Community
Hi all,

Earlier today I was struggling to release multiple `<saml:Audience>` statements to an SP through Attribute Manipulation.
It appeared to be impossible, even by editing the $response variable.

A dive into the code revealed that this specific setting is marked as 'singular' in `library/EngineBlock/Corto/XmlToArray.php`.
I could simply comment out the setting to make it plural. And it worked: I could release additional audiences.

My question here is: why was this setting marked as singular in the code, while it is plural by SAML specs?
What would be the implications if I comment this out? It worked for me in this specific case, but can I expect issues with this at some point?
Could this be supported by default?

- Tim

Michiel Kodde

May 28, 2019, 3:05:28 AM5/28/19
to openc...@googlegroups.com
Hi Tim,

You should be fine commenting out the audience property in the singular whitelist. I was not involved in building the XmlToArray feature, but looking at it from a development perspective, I guess we assumed every value to be singular, and moved them to the (now unused?) _multipleValues static field if they turned out to be non-singular.

To be sure, I will ask Thijs to verify this.

Michiel

--
OpenConext - Open For Collaboration
---
You received this message because you are subscribed to the Google Groups "OpenConext Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to openconext+...@googlegroups.com.
To post to this group, send email to openc...@googlegroups.com.
Visit this group at https://groups.google.com/group/openconext.
To view this discussion on the web visit https://groups.google.com/d/msgid/openconext/b113c910-8aa8-4d93-84b8-b58a615f52d6%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Michiel Kodde

May 28, 2019, 5:31:40 AM5/28/19
to openc...@googlegroups.com
Hello Tim,

We just discussed this during the daily stand up. We see no big problem in you applying your proposed change. We would have to test and verify this rigorously of course.

Our users do not have a use case for this feature, so if you could assist in testing and providing some additional context on how/why the plural property is used, that would be greatly appreciated!

Cheers, Michiel

Tim van Dijen

May 28, 2019, 6:05:51 AM5/28/19
to OpenConext Community
Hi Michiel!

Thanks for getting back!
My use case is an SP-proxy based on WSO2, which simply refuses to forward any assertions to an SP not listed as Audience.
Therefore I have to send both the SP-proxy's and the actual SP's entityIDs in the Audience.

Now as for testing, I think I can come up with unit tests to verify xml2array/array2xml behaviour, would that suffice? I'm not that experienced in writing unit tests...

- Tim


Michiel Kodde

May 29, 2019, 7:23:32 AM5/29/19
to openc...@googlegroups.com
Hi Tim,

Thanks for shedding some more light on your use case.

A unit test is a great starting point, and will probably provide us with enough test coverage. Adding a Behat scenario would be even nicer, but I guess it will quickly become quite complex.

In addition to automated tests, we would also need to test this change functionally in our test environments. Maybe we will come back to you for an assist on that!

Michiel


Tim van Dijen

May 29, 2019, 8:36:39 AM5/29/19
to OpenConext Community
Thanks Michiel, I'll await your response.
For completeness, here is the AM I used (after commenting the singular property):

$response['saml:Assertion']['saml:Conditions']['saml:AudienceRestriction']['saml:Audience'][] = ['__v' => 'https://dummy.example.org/sample/entityid'];
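
As an added illustration (not code from this thread or from EngineBlock), the sketch below shows why the singular marking matters: a conversion that maps each child name to one value keeps only the last `<saml:Audience>`, so the SP-proxy's entityID is lost, while the spec-conformant plural handling lets an SP check that its own entityID is among the audiences. The assertion and all entityID URLs are constructed for the example.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
AUDIENCE = f"{{{SAML_NS}}}Audience"
RESTRICTION_PATH = f"{{{SAML_NS}}}Conditions/{{{SAML_NS}}}AudienceRestriction"

# Constructed sample assertion: two Audience entries, for the SP-proxy and
# for the downstream SP (both entityIDs are made up for this example).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}">
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://sp-proxy.example.org/entityid</saml:Audience>
      <saml:Audience>https://sp.example.org/entityid</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def audiences_singular(xml_text):
    """Mirror the 'singular' treatment: one value per child name, so a
    second <saml:Audience> silently overwrites the first one."""
    root = ET.fromstring(xml_text.strip())
    restriction = {}
    for child in root.find(RESTRICTION_PATH):
        restriction[child.tag] = child.text.strip()
    return [restriction[AUDIENCE]]


def audiences_plural(xml_text):
    """Spec-conformant treatment: <saml:Audience> is repeatable, so every
    occurrence is collected into a list in document order."""
    root = ET.fromstring(xml_text.strip())
    restriction = {}
    for child in root.find(RESTRICTION_PATH):
        restriction.setdefault(child.tag, []).append(child.text.strip())
    return restriction.get(AUDIENCE, [])


def sp_accepts(xml_text, own_entity_id):
    """An SP or SP-proxy must find its own entityID among the audiences;
    otherwise the assertion was not issued for it and must be rejected."""
    return own_entity_id in audiences_plural(xml_text)
```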
