Attributes without Value?

Jeffrey Krug

Oct 28, 2015, 12:00:05 PM
to SimpleSAMLphp
Sometimes the attribute value for one of the attributes asserted by my Simple SAML IDP has no value in the user store (DB). When this happens the SAML Assertion includes the saml:Attribute but the saml:AttributeValue is empty, for example:

<saml:Attribute Name="sample" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
   <saml:AttributeValue xsi:type="xs:string"/>
</saml:Attribute>

Some partners are having trouble with this; they would rather the attribute be filtered out (do not transmit, instead of transmit without value). I also think it makes sense to not transmit the attribute if it has no value. Is there such a filter that I can apply to get that result? A second, albeit less desirable, option would be a filter to detect no value and then include a 'safe default value', but I also was not entirely sure if there was a clear way to do that. I can write my own filter if needed I guess, but I thought I might be overlooking something obvious.

(I feel like I asked this exact question ~4 months ago, but I failed to find it in the google groups archive...  So hopefully I am not duplicating an inquiry.)

Thanks,
Jeff
  

Peter Schober

Oct 28, 2015, 12:30:04 PM
to SimpleSAMLphp
* Jeffrey Krug <gtk...@gmail.com> [2015-10-28 17:00]:
> Sometimes the attribute value for one of the attributes asserted by my
> Simple SAML IDP has no value in the user store (DB). When this happens the
> SAML Assertion includes the saml:Attribute but the saml:AttributeValue is
> empty, for example:
>
> <saml:Attribute Name="sample" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
>    <saml:AttributeValue xsi:type="xs:string"/>
> </saml:Attribute>

Please create a bug report on that. Such attributes should never make
it to SPs, IMO.

> (I feel like I asked this exact question ~4 months ago, but I failed
> to find it in the google groups archive... So hopefully I am not
> duplicating an inquiry.)

I checked my personal folder of SimpleSAMLphp user list emails,
nothing on that matter, AFAICT.
-peter

Jeffrey Krug

Oct 28, 2015, 1:01:51 PM
to simple...@googlegroups.com
I added a bug. I double checked and the other attribute issue I had was similar but was related to ensuring all possible internal attribute values can be mapped to a transmitted attribute value as opposed to a case where there is no attribute value. I submitted a patch for that issue to support what I needed.



Jeffrey Krug

Oct 28, 2015, 1:06:35 PM
to simple...@googlegroups.com
It looks like in the interim I may be able to tweak my SQL select to disallow NULL values, but not sending the attribute would be better than coming up with a default.

Dick Visser

Nov 9, 2015, 11:03:31 AM
to simplesamlphp
On 28 October 2015 at 17:00, Jeffrey Krug <gtk...@gmail.com> wrote:
> Sometimes the attribute value for one of the attributes asserted by my
> Simple SAML IDP has no value in the user store (DB). When this happens the
> SAML Assertion includes the saml:Attribute but the saml:AttributeValue is
> empty, for example:
>
> <saml:Attribute Name="sample"
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
> <saml:AttributeValue xsi:type="xs:string"/>
> </saml:Attribute>
>
> Some partners are having trouble with this, they would rather the attribute
> be filtered out (do not transmit, instead of transmit without value). I
> also think it makes sense to not transmit the attribute if it has no value.
> Is there such a filter that I can apply to get that result?


You can apply this authproc filter:


90 => array(
    'class' => 'core:PHP',
    // Drops every attribute whose first value is empty().
    'code' => '
        foreach ($attributes as $attrname => $attrval) {
            if (empty($attrval[0])) {
                SimpleSAML_Logger::debug("Removing empty attribute \'$attrname\'");
                unset($attributes[$attrname]);
            }
        }
    ',
),





--
-Dick
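
A stricter variant of the filter logic above, as an added example that is not part of the thread or of SimpleSAMLphp: it removes only null and empty-string values (PHP's empty() also treats the string "0" as empty) and drops an attribute only when no values remain, so multi-valued attributes keep their good values. The function name dropEmptyAttributes and the sample data are constructed for illustration; the input is assumed to be the name => list-of-values array the filter iterates over.

```php
<?php
// Added example; dropEmptyAttributes() is a hypothetical helper, not a SimpleSAMLphp API.

/**
 * Remove null and empty-string values from an attribute array shaped like
 * ['name' => ['value1', 'value2'], ...] and drop attributes left with no values.
 */
function dropEmptyAttributes(array $attributes): array
{
    $result = [];
    foreach ($attributes as $name => $values) {
        // Tolerate a scalar or null where a list of values is expected.
        $values = is_array($values) ? $values : [$values];

        // Strict comparison: "0", 0 and "false" are real values and are kept.
        $kept = array_values(array_filter($values, static function ($v): bool {
            return $v !== null && $v !== '';
        }));

        // Only emit the attribute if at least one value survived, so no
        // <saml:Attribute> with an empty <saml:AttributeValue/> is produced.
        if ($kept !== []) {
            $result[$name] = $kept;
        }
    }
    return $result;
}

// Constructed sample input covering the cases discussed in the thread.
$attributes = [
    'uid'        => ['jdoe'],
    'sample'     => [''],                      // empty string from the user store
    'department' => [null],                    // NULL column from the SQL select
    'loginCount' => ['0'],                     // empty() would wrongly drop this
    'mail'       => ['', 'jdoe@example.org'],  // first value empty, second valid
    'groups'     => [],                        // no values at all
];

print_r(dropEmptyAttributes($attributes));
```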