Identity Gateway / OPENIG-1521

SamlFederationHandler: using the name of the attribute set in the incoming assertion does not work


Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects versions: 3.1.1, 4.0.0, 4.5.0, 5.0.0
    • Environment: OS: OSX 10.11.6; container: Tomcat 8.5.6; jdk: 1.8.0_73

    Description

      With the following route :

      {
          "handler": {
              "config": {
                  "bindings": [
                      {
                          "handler": {
                              "config": {
                                  "sessionIndexMapping": "SessionIndex_sp_multi_valued_attributes",
                                  "subjectMapping": "SubjectName_sp_multi_valued_attributes",
                                  "authnContext": "AuthnContext_sp_multi_valued_attributes",
                                  "assertionMapping": {
                                      "sp_multi_valued_attributes_password": "mail",
                                      "sp_multi_valued_attributes_postal_address": "postal_address",
                                      "sp_multi_valued_attributes_userName": "uid"
                                  },
                                  "logoutURI": "/api/after_logout",
                                  "redirectURI": "/api/home"
                              },
                              "type": "SamlFederationHandler",
                              "name": "saml_handler_sp_multi_valued_attributes"
                          },
                          "condition": "${matches(request.uri.path,'^/api/saml')}"
                      },
                      {
                          "handler": {
                              "config": {
                                  "status": 200,
                                  "reason": "Found",
                                  "entity": "Successful LOGOUT from : sp_multi_valued_attributes"
                              },
                              "type": "StaticResponseHandler"
                          },
                          "condition": "${request.uri.path == '/api/after_logout'}"
                      },
                      {
                          "handler": {
                              "config": {
                                  "status": 302,
                                  "headers": {
                                      "Location": [
                                          "http://openam.example.com:8083/api/saml/SPInitiatedSLO"
                                      ]
                                  },
                                  "reason": "Found"
                              },
                              "type": "StaticResponseHandler"
                          },
                          "condition": "${request.uri.path == '/api/logout'}"
                      },
                      {
                          "handler": {
                              "config": {
                                  "status": 302,
                                  "headers": {
                                      "Location": [
                                          "http://openam.example.com:8083/api/saml/SPInitiatedSSO"
                                      ]
                                  },
                                  "reason": "Found"
                              },
                              "type": "StaticResponseHandler"
                          },
                          "condition": "${empty session.sp_multi_valued_attributes_userName}"
                      },
                      {
                          "handler": {
                              "config": {
                                  "status": 200,
                                  "headers": {
                                      "Content-Type": [
                                          "application/json"
                                      ]
                                  },
                                  "reason": "Found",
                                  "entity": "{\"SAML Attribute[0]\": \"${session.sp_multi_valued_attributes_postal_address[0]}\", \"SAML Attribute[1]\": \"${session.sp_multi_valued_attributes_postal_address[1]}\"}"
                              },
                              "type": "StaticResponseHandler"
                          }
                      }
                  ]
              },
              "type": "DispatchHandler"
          },
          "condition": "${matches(request.uri.host, 'openam.example.com')}"
      }
      

      and sp-extended.xml (full file attached):

              <Attribute name="attributeMap">
                  <Value>userName=uid</Value>
                  <Value>mail=mail</Value>
                  <Value>password=mail</Value>
                  <Value>employeenumber=employeenumber</Value>
                  <Value>postal_address=postalAddress</Value>
              </Attribute>
      

      I expect the values of the SAML attribute to be returned in the entity.

      I unexpectedly got empty values.

      Workaround:
      However, I noticed that using the DataStore attribute in the `assertionMapping` makes it work:

      
                                  "assertionMapping": {
                                      "sp_multi_valued_attributes_password": "mail",
                                      "sp_multi_valued_attributes_postal_address": "postalAddress",
                                      "sp_multi_valued_attributes_userName": "uid"
                                  },
      
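      The interaction between the SP's attributeMap and the route's assertionMapping, modelled as an added Python example (this is not OpenIG's SamlFederationHandler code nor anything the reporter posted). It parses the attributeMap fragment above, re-keys a constructed sample assertion under the local (datastore) names, and then resolves both assertionMapping variants from the ticket against either the raw SAML names (what the reporter expected) or the mapped local names (what the ticket observes). Assumptions: each attributeMap value reads `<SAML attribute name>=<local attribute name>`, which is how the workaround (`postal_address` -> `postalAddress`) reads; the sample assertion attributes and their values are constructed; the `lookup="local"` branch reproduces the reported behaviour and is not a statement of the handler's documented semantics.

```python
"""Model of how assertionMapping values resolve against an incoming SAML
assertion before and after the SP's attributeMap (sp-extended.xml) is applied.
Added illustration of the behaviour reported in OPENIG-1521, not the
SamlFederationHandler's own code.  Assumption: an attributeMap value reads
<SAML attribute name>=<local (datastore) attribute name>."""
import xml.etree.ElementTree as ET
from typing import Dict, List

# attributeMap fragment as pasted in the ticket (no namespace declarations).
ATTRIBUTE_MAP_XML = """<Attribute name="attributeMap">
    <Value>userName=uid</Value>
    <Value>mail=mail</Value>
    <Value>password=mail</Value>
    <Value>employeenumber=employeenumber</Value>
    <Value>postal_address=postalAddress</Value>
</Attribute>"""

# Constructed sample assertion: attribute names as sent by the IdP, each
# multi-valued (postal_address carries two values, as the route's entity expects).
ASSERTION_ATTRIBUTES: Dict[str, List[str]] = {
    "userName": ["jdoe"],
    "mail": ["jdoe@example.com"],
    "postal_address": ["1 Main Street", "Springfield"],
}

# assertionMapping from the failing route: postal_address is the SAML name.
FAILING_MAPPING = {
    "sp_multi_valued_attributes_password": "mail",
    "sp_multi_valued_attributes_postal_address": "postal_address",
    "sp_multi_valued_attributes_userName": "uid",
}
# assertionMapping from the workaround: postalAddress is the local name.
WORKAROUND_MAPPING = {
    "sp_multi_valued_attributes_password": "mail",
    "sp_multi_valued_attributes_postal_address": "postalAddress",
    "sp_multi_valued_attributes_userName": "uid",
}


def parse_attribute_map(xml_fragment: str) -> Dict[str, str]:
    """Turn the <Value>saml=local</Value> entries into {saml_name: local_name}."""
    mapping: Dict[str, str] = {}
    for value in ET.fromstring(xml_fragment).iter("Value"):
        saml_name, local_name = (value.text or "").split("=", 1)
        mapping[saml_name.strip()] = local_name.strip()
    return mapping


def apply_attribute_map(assertion_attrs: Dict[str, List[str]],
                        attribute_map: Dict[str, str]) -> Dict[str, List[str]]:
    """Re-key assertion attributes under their local names.  Unmapped attributes
    keep their SAML name; two SAML attributes mapped to one local name
    (password=mail, mail=mail) have their values concatenated."""
    local: Dict[str, List[str]] = {}
    for saml_name, values in assertion_attrs.items():
        local.setdefault(attribute_map.get(saml_name, saml_name), []).extend(values)
    return local


def resolve_session(assertion_mapping: Dict[str, str],
                    assertion_attrs: Dict[str, List[str]],
                    attribute_map: Dict[str, str],
                    lookup: str = "local") -> Dict[str, List[str]]:
    """Session entries an assertionMapping yields.
    lookup="saml":  match values against the raw assertion names (expected by the reporter).
    lookup="local": match values against the attributeMap'd names (observed in the ticket)."""
    source = assertion_attrs if lookup == "saml" else apply_attribute_map(assertion_attrs, attribute_map)
    return {key: list(source.get(attr, [])) for key, attr in assertion_mapping.items()}


def empty_session_keys(session: Dict[str, List[str]]) -> List[str]:
    """Session keys that would render as empty strings in the route's entity."""
    return sorted(key for key, values in session.items() if not values)


if __name__ == "__main__":
    attribute_map = parse_attribute_map(ATTRIBUTE_MAP_XML)
    for label, mapping in (("ticket route", FAILING_MAPPING), ("workaround", WORKAROUND_MAPPING)):
        session = resolve_session(mapping, ASSERTION_ATTRIBUTES, attribute_map)
        print(f"{label}: empty keys = {empty_session_keys(session)}")
```

      Run against the ticket's data, the model flags only `sp_multi_valued_attributes_postal_address` as empty for the original route and nothing for the workaround. Note that the original route already uses the local names `uid` and `mail` (not the SAML names `userName` and `password`), and those keys worked, which is consistent with the observed behaviour: `postal_address` was the only value keyed on the SAML name, and it is the one that came back empty. Feeding your own attributeMap and route into `resolve_session` is a quick way to spot such mismatches before deploying.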

      People

        Assignee: Unassigned
        Reporter: Jean-Charles Deville (jcdevil)
        Votes: 0
        Watchers: 1