Hi again,
Many thanks to Ivan for his help on Slack.
It turns out that this is working by design. The services that I've been
testing against define multiple <md:RequestedAttribute /> but *not* the 3
that are being stripped out (despite having similar names...).
pysaml2 is following the principle of minimisation and only releasing
required attributes. I am following up with the services in question to see
whether they should add the attributes in their metadata.
Cheers,
Hannah
On Thu, 17 Sep 2020 at 09:21, Hannah Short <hannah.short08 at gmail.com> wrote:
Hello,
(Apologies, cross posting from Slack)
I’m having a strange error with my Satosa frontend that seems to be
stripping out attributes incorrectly from the SAML response before it is
sent, based on required attributes from SP metadata.
It receives the correct values from an upstream IdP:
returning attributes {"eduPersonUniqueId": ["... at cern.ch"],
"displayName": ["Hannah Short"], "givenName": ["Hannah"],
"mail": ["hannah.short at cern.ch"], "cn": ["Hannah Short"], "sn": ["Short"],
"eduPersonScopedAffiliation": ["member at cern.ch"], "eduPersonAffiliation": ["member"],
"eduPersonPrincipalName": ["hshort at cern.ch"],
"eduPersonAssurance": ["https://refeds.org/assurance/ID/unique", "https://refeds.org/assurance/ATP/ePA-1m", "https://refeds.org/assurance/IAP/low"],
"schacHomeOrganization": ["cern.ch"], "schacHomeOrganizationType": ["urn:schac:homeOrganizationType:ch:others"],
"swissEduPersonHomeOrganization": ["cern.ch"], "swissEduPersonHomeOrganizationType": ["others"],
"swissEduPersonUniqueID": ["... at cern.ch"], "eduPersonTargetedID": ["..."]}
However, it then checks the “required” attributes from the target SP and
decides to strip out the swiss* ones (despite them being required in the
SP’s metadata and I can also see that they are required in the debug
statement).
My swiss* attributes are defined in an attribute map, and I’m running
satosa 6.0.0.
I’m really stuck here; I just rolled out this IdP and will have to roll
back if I can’t fix this quickly :( Can I ignore “required” attributes as a
workaround? When none are required, the token gets sent as expected.
Thanks in advance for any help,
Hannah