querying SAML2 attribute payload with pac4j-saml and spring-security-pac4j


Nomit Babraa
Nov 17, 2016, 11:42:42 AM
to pac4j-users
Hi

I've followed your docs and examples and have managed to get pac4j-saml and spring-security-pac4j working to create a SAML2 Client within a Spring Boot application that is successfully authenticating me against our local Shibboleth IdP.

When I call org.springframework.security.core.Authentication.getName() I can see that pac4j has populated this object like so:


-Optional[#SAML2Profile# | id: 78979454544t4trtrggege | attributes: {urn:oid:0.9.2342.19200300.100.1.3=[a-use...@ourdomain.org], urn:oid:1.3.6.1.4.1.5923.1.1.1.6.1=[a-username], notOnOrAfter=2016-11-17T16:07:39.761Z, urn:oid:2.5.4.42=[Fred], urn:oid:1.3.6.1.4.1.5923.1.1.1.10=[879iuieuiieiuiu=], urn:oid:2.5.4.4=[Bloggs], urn:oid:1.3.6.1.4.1.5923.1.1.1.9=[member@ourdomain.org], sessionindex=efefef994r94r948, notBefore=2016-11-17T16:02:39.761Z} | roles: [] | permissions: [] | isRemembered: false |]

The oids listed are all the specified attribute names in the attribute payload from our Shibboleth IdP that the IdP has been configured to release to my test application.

Each attribute element in the XML payload also has a "FriendlyName" attribute, but I guess pac4j doesn't know about them? Maybe this could be an enhancement?

I was wondering what support pac4j provides for mapping the saml2 xml attribute data into an object for my spring boot app to easily query attributes from, even maybe use in Spring Security annotations like @Preauthorize?

The org.pac4j.core.profile.CommonProfile has methods like getUsername(), but that returns null with SAML AuthN.

If there is no out of the box support I'd appreciate some advice re how to do this.

Cheers for any help or advice.

Nomit

Jérôme LELEU
Nov 17, 2016, 12:41:52 PM
to Nomit Babraa, pac4j-users
Hi,

You raise a good point: the SAML2Profile is a generic one which does not know anything about the oids. It inherits from the CommonProfile and, like other profiles, shares the same getters (like getUsername).

Are these oids specific to Shibboleth or to SAML? In any case, we can improve their handling by pac4j.

At least, in pac4j v2.0 (ETA May 2017), changing the returned profile will be easier.

The pac4j profile is available in the Spring Security context and roles are granted from the pac4j ones: https://github.com/pac4j/spring-security-pac4j/blob/master/src/main/java/org/pac4j/springframework/security/util/SpringSecurityHelper.java#L41

So you can compute the appropriate roles in an AuthorizationGenerator (http://www.pac4j.org/1.9.x/docs/clients.html#compute-roles-and-permissions) attached to your SAML2Client and they will be available for your @PreAuthorize checks.

Thanks.
Best regards,
Jérôme

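One way to turn the eduPersonScopedAffiliation values from the profile dump above into pac4j roles for @PreAuthorize, as an added example that is not pac4j's own code. It assumes the pac4j 1.9.x AuthorizationGenerator interface (a single void generate(profile) method) and the OID shown in the thread; only affiliations scoped to the domain you configure are trusted, so a value asserted for another scope grants nothing.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Locale;

import org.pac4j.core.authorization.generator.AuthorizationGenerator;
import org.pac4j.saml.profile.SAML2Profile;

/**
 * Maps eduPersonScopedAffiliation values such as "member@ourdomain.org" to pac4j roles
 * ("ROLE_MEMBER"), which spring-security-pac4j then exposes as granted authorities.
 * Assumes the pac4j 1.9.x AuthorizationGenerator interface: void generate(profile).
 */
public class AffiliationAuthorizationGenerator implements AuthorizationGenerator<SAML2Profile> {

    // OID under which pac4j stores eduPersonScopedAffiliation (see the profile dump in the thread)
    private static final String SCOPED_AFFILIATION_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.9";

    private final String expectedScope;

    public AffiliationAuthorizationGenerator(final String expectedScope) {
        this.expectedScope = expectedScope.toLowerCase(Locale.ROOT);
    }

    @Override
    public void generate(final SAML2Profile profile) {
        // pac4j stores multi-valued SAML attributes as a List (see the "class java.util.ArrayList" log lines)
        final List<?> affiliations = profile.getAttribute(SCOPED_AFFILIATION_OID, List.class);
        for (final String role : rolesFor(affiliations)) {
            profile.addRole(role);
        }
    }

    /** Pure mapping: "member@ourdomain.org" -> "ROLE_MEMBER"; other scopes and malformed values yield nothing. */
    List<String> rolesFor(final List<?> affiliations) {
        if (affiliations == null) {
            return Collections.emptyList();
        }
        final List<String> roles = new ArrayList<>();
        for (final Object value : affiliations) {
            final String affiliation = String.valueOf(value);
            final int at = affiliation.indexOf('@');
            if (at <= 0 || at == affiliation.length() - 1) {
                continue; // not of the form affiliation@scope
            }
            final String scope = affiliation.substring(at + 1).toLowerCase(Locale.ROOT);
            if (!expectedScope.equals(scope)) {
                continue; // affiliation asserted for a different scope: do not trust it
            }
            roles.add("ROLE_" + affiliation.substring(0, at).toUpperCase(Locale.ROOT));
        }
        return roles;
    }
}
```

Attach it to the client with saml2Client.addAuthorizationGenerator(new AffiliationAuthorizationGenerator("ourdomain.org")) (method name as in pac4j 1.9.x, an assumption here), after which @PreAuthorize("hasRole('ROLE_MEMBER')") sees the role.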

Nomit Babraa
Nov 18, 2016, 4:12:47 AM
to Jérôme LELEU, pac4j-users
Hi
Thanks for your reply - much appreciated.
Please see below
Cheers
Nomit

On 17 November 2016 at 17:41, Jérôme LELEU <lel...@gmail.com> wrote:
> Hi,
>
> You raise a good point: the SAML2Profile is a generic one which does not
> know anything about the oids. It inherits from the CommonProfile and like
> other profiles share the same getters (like getUsername).
>
> Are these oids specific to Shibboleth or to SAML? In any case, we can
> improve their handling by pac4j.

Shibboleth, I think in this case.

>
> At least, in pac4j v2.0 (ETA May 2017), changing the returned profile will
> be easier.
>
> The pac4j profile is available in the Spring Security context and roles are
> granted from the pac4j ones:
> https://github.com/pac4j/spring-security-pac4j/blob/master/src/main/java/org/pac4j/springframework/security/util/SpringSecurityHelper.java#L41
>
> So you can compute the appropriate roles in an AuthorizationGenerator
> (http://www.pac4j.org/1.9.x/docs/clients.html#compute-roles-and-permissions)
> attached to your SAML2Client and they will be available for your
> @PreAuthorize checks.

Sounds perfect for building authorities :)

But how would I go about using something like

@PreAuthorize("#contact.name == authentication.name")
i.e. get access to authentication.name?

Thanks




--
Nomit Babraa
Corporate Information and Computing Services
10-12 Brunswick Street
Sheffield
S10 2FN
Tel: 0114 222 1162

Jérôme LELEU
Nov 19, 2016, 2:42:52 AM
to Nomit Babraa, pac4j-users
Hi,

authentication.name matches SecurityContextHolder.getContext().getAuthentication().getName(), which, in the case of pac4j, returns a default value (the optional profile). This is not very useful.


Can you try with the 2.1.2-SNAPSHOT version?

Thanks.
Best regards,
Jérôme


Nomit Babraa
Nov 21, 2016, 7:39:10 AM
to Jérôme LELEU, pac4j-users
Hi
Tried with spring-security-pac4j-2.1.2-SNAPSHOT but am still getting the output

>> >> -Optional[#SAML2Profile# | id: 78979454544t4trtrggege | attributes:
>> >> {urn:oid:0.9.2342.19200300.100.1.3=[a-use...@ourdomain.org],
>> >> urn:oid:1.3.6.1.4.1.5923.1.1.1.6.1=[a-username],
>> >> notOnOrAfter=2016-11-17T16:07:39.761Z, urn:oid:2.5.4.42=[Fred],
>> >> urn:oid:1.3.6.1.4.1.5923.1.1.1.10=[879iuieuiieiuiu=],
>> >> urn:oid:2.5.4.4=[Bloggs],
>> >> urn:oid:1.3.6.1.4.1.5923.1.1.1.9=[mem...@ourdomain.org],
>> >> sessionindex=efefef994r94r948, notBefore=2016-11-17T16:02:39.761Z} |
>> >> roles:
>> >> [] | permissions: [] | isRemembered: false |]

I'm not sure what I should see as a default ...as pac4j doesn't know
how to map urn:oid:1.3.6.1.4.1.5923.1.1.1.6.1=[a-username] to the
SecurityContextHolder.getContext().getAuthentication().getName().

I was more wondering how I would set the extracted value from a pac4j profile attribute of

commonProfile.getAttribute("urn:oid:1.3.6.1.4.1.5923.1.1.1.6.1", ArrayList.class)

into the authentication.name object.

Cheers

Nomit

Jérôme LELEU
Nov 21, 2016, 9:52:31 AM
to Nomit Babraa, pac4j-users
Hi,

Currently, that's not straightforward as you cannot change the returned profile without overriding the client.

But that's the idea: you should override the retrieveUserProfile method in a new SAML client to change the identifier by this specific attribute.

Thanks.
Best regards,
Jérôme

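A custom client along the lines Jérôme describes, as an added example that is not pac4j's own code: it assumes the pac4j 1.9.x API, in which SAML2Client.retrieveUserProfile(SAML2Credentials, WebContext) builds the SAML2Profile and can be overridden, and takes the identifier from the eduPersonPrincipalNameUnscoped attribute under the OID quoted in the thread, so that authentication.name carries a stable username.

```java
import java.util.List;

import org.pac4j.core.context.WebContext;
import org.pac4j.core.exception.TechnicalException;
import org.pac4j.saml.client.SAML2Client;
import org.pac4j.saml.client.SAML2ClientConfiguration;
import org.pac4j.saml.credentials.SAML2Credentials;
import org.pac4j.saml.profile.SAML2Profile;

/**
 * SAML2Client whose profile id is the eduPersonPrincipalNameUnscoped attribute
 * (stored by pac4j under urn:oid:1.3.6.1.4.1.5923.1.1.1.6.1) instead of the NameID,
 * so SpEL checks such as "#contact.name == authentication.name" compare against a username.
 * Assumes the pac4j 1.9.x hook retrieveUserProfile(SAML2Credentials, WebContext).
 */
public class EppnSaml2Client extends SAML2Client {

    static final String EPPN_UNSCOPED_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6.1";

    public EppnSaml2Client(final SAML2ClientConfiguration configuration) {
        super(configuration);
    }

    @Override
    protected SAML2Profile retrieveUserProfile(final SAML2Credentials credentials, final WebContext context) {
        // Let pac4j validate the response and build the profile with all released attributes first
        final SAML2Profile profile = super.retrieveUserProfile(credentials, context);
        if (profile != null) {
            profile.setId(singleValue(profile.getAttribute(EPPN_UNSCOPED_OID, List.class)));
        }
        return profile;
    }

    /**
     * Requires exactly one non-blank value: a missing or multi-valued identifier aborts the
     * login rather than silently picking one, since authorization keys on this id.
     */
    static String singleValue(final List<?> values) {
        if (values == null || values.size() != 1) {
            throw new TechnicalException("expected exactly one value for " + EPPN_UNSCOPED_OID
                    + " but got " + (values == null ? 0 : values.size()));
        }
        final String value = String.valueOf(values.get(0)).trim();
        if (value.isEmpty()) {
            throw new TechnicalException("empty value for " + EPPN_UNSCOPED_OID);
        }
        return value;
    }
}
```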

Nomit Babraa
Nov 22, 2016, 4:32:19 AM
to Jérôme LELEU, pac4j-users
okay - many thanks for all your help
You've given me loads to go on.
cheers


Jérôme LELEU
Nov 22, 2016, 5:28:01 AM
to Nomit Babraa, pac4j-users
You're welcome.

BTW, I'm releasing spring-security-pac4j v2.1.2 to have meaningful values for authentication.name and authentication.principal.

Best regards,
Jérôme


Jérôme LELEU
Feb 15, 2017, 4:15:16 AM
to Nomit Babraa, pac4j-users
Hi,

You're right: it's not the first time I noticed this, we should certainly use the friendly name instead of the oid one. I opened an issue to fix that in pac4j v2: https://github.com/pac4j/pac4j/issues/827

@misagh: was there any reason to use the oid names?

Thanks.
Best regards,
Jérôme


2017-02-14 18:26 GMT+01:00 Nomit Babraa <h.ba...@sheffield.ac.uk>:
It looks like the SAMLClient is logging attribute friendly names but SamlProfile is logging the oid values...

Can I get the value of eduPersonPrincipalNameUnscoped using the key "eduPersonPrincipalNameUnscoped" from either the client or the profile?

Cheers

Nomit

Jérôme LELEU
Feb 15, 2017, 4:19:48 AM
to Nomit Babraa, pac4j-users
Hi,

Indeed, it's misleading, the oid name is used to store the attribute while the friendly name is displayed in the logs. Currently, there is no better solution than to get the value by the oid name or override the retrieveUserProfile method in the SAML2Client to change the behaviour.

Thanks.
Best regards,
Jérôme


2017-02-14 18:19 GMT+01:00 Nomit Babraa <h.ba...@sheffield.ac.uk>:
Hello

A quick question on the back of this please

I can see in the logs after a saml login....


2017-02-14 16:49:08.772 DEBUG query-string: 37297 --- [http-nio-8080-exec-4] org.pac4j.saml.client.SAML2Client        : Processing profile attribute org.opensaml.saml.saml2.core.impl.AttributeImpl@1a00ef3b
2017-02-14 16:49:08.773 DEBUG query-string: 37297 --- [http-nio-8080-exec-4] org.pac4j.saml.client.SAML2Client        : Adding attribute value Muse for attribute sn
2017-02-14 16:49:08.773 DEBUG query-string: 37297 --- [http-nio-8080-exec-4] org.pac4j.saml.profile.SAML2Profile      : no conversion => key: urn:oid:2.5.4.4 / value: [Muse] / class java.util.ArrayList
2017-02-14 16:49:08.774 DEBUG query-string: 37297 --- [http-nio-8080-exec-4] org.pac4j.saml.client.SAML2Client        : Processing profile attribute org.opensaml.saml.saml2.core.impl.AttributeImpl@154ad752
2017-02-14 16:49:08.775 DEBUG query-string: 37297 --- [http-nio-8080-exec-4] org.pac4j.saml.client.SAML2Client        : Adding attribute value stu...@sheffield.ac.uk for attribute eduPersonScopedAffiliation
2017-02-14 16:49:08.776 DEBUG query-string: 37297 --- [http-nio-8080-exec-4] org.pac4j.saml.client.SAML2Client        : Adding attribute value mem...@sheffield.ac.uk for attribute eduPersonScopedAffiliation
2017-02-14 16:49:08.776 DEBUG query-string: 37297 --- [http-nio-8080-exec-4] org.pac4j.saml.profile.SAML2Profile      : no conversion => key: urn:oid:1.3.6.1.4.1.5923.1.1.1.9 / value: [stu...@sheffield.ac.uk, mem...@sheffield.ac.uk] / class java.util.ArrayList
2017-02-14 16:49:08.776 DEBUG query-string: 37297 --- [http-nio-8080-exec-4] org.pac4j.saml.client.SAML2Client        : Processing profile attribute org.opensaml.saml.saml2.core.impl.AttributeImpl@3232c384
2017-02-14 16:49:08.777 DEBUG query-string: 37297 --- [http-nio-8080-exec-4] org.pac4j.saml.client.SAML2Client        : Adding attribute value Freddo for attribute givenName
2017-02-14 16:49:08.777 DEBUG query-string: 37297 --- [http-nio-8080-exec-4] org.pac4j.saml.profile.SAML2Profile      : no conversion => key: urn:oid:2.5.4.42 / value: [Freddo] / class java.util.ArrayList
2017-02-14 16:49:08.777 DEBUG query-string: 37297 --- [http-nio-8080-exec-4] org.pac4j.saml.client.SAML2Client        : Processing profile attribute org.opensaml.saml.saml2.core.impl.AttributeImpl@786e70db
2017-02-14 16:49:08.777 DEBUG query-string: 37297 --- [http-nio-8080-exec-4] org.pac4j.saml.client.SAML2Client        : Adding attribute value 1fclRh5L0f2R0dzwvZMdVNpVTdQ= for attribute eduPersonTargetedID
2017-02-14 16:49:08.777 DEBUG query-string: 37297 --- [http-nio-8080-exec-4] org.pac4j.saml.profile.SAML2Profile      : no conversion => key: urn:oid:1.3.6.1.4.1.5923.1.1.1.10 / value: [1fclRh5L0f2R0dzwvZMdVNpVTdQ=] / class java.util.ArrayList
2017-02-14 16:49:08.777 DEBUG query-string: 37297 --- [http-nio-8080-exec-4] org.pac4j.saml.client.SAML2Client        : Processing profile attribute org.opensaml.saml.saml2.core.impl.AttributeImpl@658a21da
2017-02-14 16:49:08.777 DEBUG query-string: 37297 --- [http-nio-8080-exec-4] org.pac4j.saml.client.SAML2Client        : Adding attribute value mda05fmtyr for attribute eduPersonPrincipalNameUnscoped
2017-02-14 16:49:08.777 DEBUG query-string: 37297 --- [http-nio-8080-exec-4] org.pac4j.saml.profile.SAML2Profile      : no conversion => key: urn:oid:1.3.6.1.4.1.5923.1.1.1.6.1 / value: [mda05fmtyr] / class java.util.ArrayList
2017-02-14 16:49:08.778 DEBUG query-string: 37297 --- [http-nio-8080-exec-4] org.pac4j.saml.client.SAML2Client        : Processing profile attribute org.opensaml.saml.saml2.core.impl.AttributeImpl@26399a7e
2017-02-14 16:49:08.779 DEBUG query-string: 37297 --- [http-nio-8080-exec-4] org.pac4j.saml.client.SAML2Client        : Adding attribute value mda05...@sheffield.ac.uk for attribute mail
2017-02-14 16:49:08.779 DEBUG query-string: 37297 --- [http-nio-8080-exec-4] org.pac4j.saml.profile.SAML2Profile      : no conversion => key: urn:oid:0.9.2342.19200300.100.1.3 / value: [mda05...@sheffield.ac.uk] / class java.util.ArrayList
2017-02-14 16:49:08.864 DEBUG query-string: 37297 --- [http-nio-8080-exec-4] org.pac4j.saml.profile.SAML2Profile      : no conversion => key: notBefore / value: 2017-02-14T16:49:08.038Z / class org.joda.time.DateTime
2017-02-14 16:49:08.865 DEBUG query-string: 37297 --- [http-nio-8080-exec-4] org.pac4j.saml.profile.SAML2Profile      : no conversion => key: notOnOrAfter / value: 2017-02-14T16:54:08.038Z / class org.joda.time.DateTime
2017-02-14 16:49:08.866 DEBUG query-string: 37297 --- [http-nio-8080-exec-4] o.p.c.e.J2ERenewSessionCallbackLogic     : profile: #SAML2Profile# | id: _75c89eba44436ed82bb9846bd70cedf7 | attributes: {urn:oid:0.9.2342.19200300.100.1.3=[mda05fmtyr@sheffield.ac.uk], urn:oid:1.3.6.1.4.1.5923.1.1.1.6.1=[mda05fmtyr], notOnOrAfter=2017-02-14T16:54:08.038Z, urn:oid:2.5.4.42=[Freddo], urn:oid:1.3.6.1.4.1.5923.1.1.1.10=[1fclRh5L0f2R0dzwvZMdVNpVTdQ=], urn:oid:2.5.4.4=[Muse], urn:oid:1.3.6.1.4.1.5923.1.1.1.9=[stu...@sheffield.ac.uk, mem...@sheffield.ac.uk], sessionindex=a034a5ed79e0641b6c10b63969435b596652504a8e1b72a7bb8fb46138fb486b, notBefore=2017-02-14T16:49:08.038Z} | roles: [] | permissions: [] | isRemembered: false |


What code would I call to get the value from the log line:

"Adding attribute value mda05fmtyr for attribute eduPersonPrincipalNameUnscoped"

I tried

// auth is the current org.springframework.security.core.Authentication
if (auth != null && auth instanceof Pac4jAuthentication) {
    Pac4jAuthentication token = (Pac4jAuthentication) auth;
    CommonProfile profile = token.getProfile();
    SAML2Profile saml2Profile = (SAML2Profile) profile;

    // looks the attribute up by its friendly name
    LOG.info("SEC4 " + saml2Profile.getAttribute("eduPersonPrincipalNameUnscoped"));
}

but that returns null

Cheers

Nomit


Misagh
Feb 15, 2017, 6:47:28 AM
to pac4j-users
SAML attributes are identified by their names, not by their friendlyName. If the IdP is sending attributes whose names belong to an oid/url namespace, then those are what you "should" use. This is likely an issue that should be solved by the IdP, and not you. 

Being practical, the behavior can be relaxed but that would be a brittle change. 

--
- Misagh

Jérôme LELEU
Feb 15, 2017, 10:34:12 AM
to Misagh, pac4j-users
Hi,

Just to be sure of my understanding: if I want friendly names, the IdP should use the "Basic Attribute Profile".

That said, as we want to target simplicity with pac4j, I guess it would not do any harm to add the friendly names (when they exist) in addition to the oid/url ones.

@misagh: I don't think adding friendly names will raise any security concern, will it?

Thanks.
Best regards,
Jérôme

Misagh
Feb 15, 2017, 1:35:54 PM
to pac4j-users
You always use that profile [the idp will] to send along attributes. It may decide to send you friendlyNames, it may not. That would be part of the contract you set up with the IdP. What is definitive is that the SP should mostly rely on the attribute name as that's the binding contract. The friendlyName is mostly for readability [and possibly display purposes]. Now, some IdPs may decide to send you "givenName" in the attribute name too. It's not always an oid-something. Again, that's part of the contract you have with the IdP.

It's not a security thing; mostly keeping things consistent and less brittle. While in practice it rarely happens, an IdP may decide to change the friendlyName of an attribute and that "technically" does not constitute breach of contract, but it will break the SP if it's relying on friendlyNames. It can also be badly configured to send duplicate friendlyNames. 

As I said, in practice, that rarely may happen [I've only seen it once].

For pac4j, we probably should execute on the following logic:

1. Default to attribute names everywhere. 
2. Allow an option to say: use friendlyNames.
3. Warn if a friendlyName is not found, or is a duplicate. Fall back onto attribute name, or bomb. 
--
- Misagh
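The three-step logic above, carried out on a constructed attribute list modelled on the log in this thread, as an added example that is not pac4j's code: attributes are always keyed by Name, FriendlyName keys are opt-in, and a missing, duplicated or Name-colliding FriendlyName is reported and falls back to the Name (the SamlAttribute holder and the "urn:example:legacyMail" attribute are constructed for the demo).

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

/** Constructed stand-in for one SAML <Attribute>: its Name, optional FriendlyName and values. */
final class SamlAttribute {
    final String name;          // e.g. "urn:oid:2.5.4.4": the binding contract with the IdP
    final String friendlyName;  // e.g. "sn"; may be absent, or duplicated by a misconfigured IdP
    final List<String> values;

    SamlAttribute(final String name, final String friendlyName, final String... values) {
        this.name = name;
        this.friendlyName = friendlyName;
        this.values = Arrays.asList(values);
    }
}

/** Keys attributes by Name always; by FriendlyName only when enabled and unambiguous. */
final class AttributeKeyer {
    private final boolean useFriendlyNames;
    private final List<String> warnings = new ArrayList<>();

    AttributeKeyer(final boolean useFriendlyNames) {
        this.useFriendlyNames = useFriendlyNames;
    }

    List<String> warnings() {
        return Collections.unmodifiableList(warnings);
    }

    Map<String, List<String>> key(final List<SamlAttribute> attributes) {
        final Map<String, List<String>> byKey = new HashMap<>();
        final Set<String> names = new HashSet<>();
        for (final SamlAttribute a : attributes) {
            byKey.put(a.name, a.values);               // step 1: Name is always the key
            names.add(a.name);
        }
        if (!useFriendlyNames) {
            return byKey;                              // step 2: friendly names are opt-in
        }
        final Map<String, Integer> friendlyCount = new HashMap<>();
        for (final SamlAttribute a : attributes) {
            if (a.friendlyName != null && !a.friendlyName.isEmpty()) {
                friendlyCount.merge(a.friendlyName, 1, Integer::sum);
            }
        }
        for (final SamlAttribute a : attributes) {     // step 3: warn and fall back to Name
            if (a.friendlyName == null || a.friendlyName.isEmpty()) {
                warnings.add("no FriendlyName for " + a.name + "; reachable by Name only");
            } else if (friendlyCount.get(a.friendlyName) > 1) {
                warnings.add("duplicate FriendlyName " + a.friendlyName + " on " + a.name + "; ignored");
            } else if (names.contains(a.friendlyName)) {
                // a FriendlyName equal to another attribute's Name would let one attribute shadow another
                warnings.add("FriendlyName " + a.friendlyName + " collides with an attribute Name; ignored");
            } else {
                byKey.put(a.friendlyName, a.values);
            }
        }
        return byKey;
    }

    public static void main(final String[] args) {
        // Constructed sample: clean friendly names, one missing, and "mail" sent twice
        final List<SamlAttribute> sample = Arrays.asList(
                new SamlAttribute("urn:oid:2.5.4.4", "sn", "Muse"),
                new SamlAttribute("urn:oid:1.3.6.1.4.1.5923.1.1.1.6.1", "eduPersonPrincipalNameUnscoped", "mda05fmtyr"),
                new SamlAttribute("urn:oid:2.5.4.42", null, "Freddo"),
                new SamlAttribute("urn:oid:0.9.2342.19200300.100.1.3", "mail", "a-username@ourdomain.org"),
                new SamlAttribute("urn:example:legacyMail", "mail", "old@ourdomain.org"));
        final AttributeKeyer keyer = new AttributeKeyer(true);
        final Map<String, List<String>> keyed = keyer.key(sample);
        System.out.println("by friendly name: " + keyed.get("eduPersonPrincipalNameUnscoped"));
        System.out.println("duplicate 'mail' usable as key? " + keyed.containsKey("mail"));
        System.out.println("by Name still works: " + keyed.get("urn:oid:0.9.2342.19200300.100.1.3"));
        keyer.warnings().forEach(w -> System.out.println("WARN " + w));
    }
}
```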

Jérôme LELEU
Feb 16, 2017, 9:14:05 AM
to Misagh, pac4j-users
Hi,

Thanks for the explanations.

As there is no security concern, my feeling is that we should do something very simple: release attributes with the name and also with the friendly name when it exists and document that properly.

Best regards,
Jérôme
