[Question or BUG] Attributes name_format is always URI if they are unspecified from idp, even if specified in sp conf options
Even if I configure an SP as follows
'requested_attribute_name_format': saml2.saml.NAME_FORMAT_BASIC,
'name_format': saml2.saml.NAME_FORMAT_BASIC,
the AuthnResponse.assertions[0].attribute_statement[N].attribute[N] name_format will be urn:oasis:names:tc:SAML:2.0:attrname-format:uri by default.
I also saw this: https://github.com/IdentityPython/pysaml2/blob/master/src/saml2/config.py#L245
It seems that requested_attribute_name_format is used only for metadata production, I got it, but what is name_format for? If the IdP response has an unspecified attribute identifier format, as follows
<saml:AttributeStatement>
  <saml:Attribute Name="spidCode">
    <saml:AttributeValue xsi:type="xs:string">9ebc256045-9a08-3196-66e1-ce9522c4a04c</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="name">
    <saml:AttributeValue xsi:type="xs:string">Morell</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="familyName">
    <saml:AttributeValue xsi:type="xs:string">Guy</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="fiscalNumber">
    <saml:AttributeValue xsi:type="xs:string">TINIT-THATHEX</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="email">
    <saml:AttributeValue xsi:type="xs:string">user@provider.it</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
in this case the SP will try to match these with a URI format (urn:oasis:names:tc:SAML:2.0:attrname-format:uri) and not with the 'name_format' specified in the conf ('urn:oasis:names:tc:SAML:2.0:attrname-format:basic').
Are there any additional implementation considerations about this issue, or should we think of it as a bug?
- Created 4 years ago
- Comments: 5 (4 by maintainers)
Hello everyone,
there is no name_format. What there is though is name_form. This is probably what you are looking for.
https://github.com/IdentityPython/pysaml2/blob/61f51b0/example/idp2/idp_conf.py.example#L104
https://github.com/IdentityPython/SATOSA/blob/0ddf568/example/plugins/frontends/saml2_frontend.yaml.example#L49

What the spec says is that if one does not define a value for the NameFormat attribute of the Attribute element, then consumers should assume that the value is urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified.

When we set a configuration option we are doing the opposite; we are the producers and we are setting the value that we want. Having NAME_FORMAT_URI as the default is a convention of the library; it has nothing to do with a violation of the spec. NAME_FORMAT_URI is widely used, and that is why it is the default value of the NameFormat attribute for the Attribute elements when those are produced.

The bug is that even when we consume an Attribute element with no NameFormat attribute, the assumed NameFormat is NAME_FORMAT_URI. This is wrong and we should change it (this will be a breaking change.)

Here are the two test cases. They articulate the wanted behaviour. I think this is what we should aim for. Do you agree? If you disagree, would you think that even for producing the Attribute element we should default to unspecified?

fixed by #704
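The consumer-side rule discussed above (a missing NameFormat means "unspecified", not URI) and its effect on the attribute matching the question describes, as an added illustration that is not pysaml2's own code; the parser, the match_attributes() function and its strict flag are this example's own constructions, and the sample statement is adapted from the one quoted in the issue with namespace declarations added so it parses stand-alone:

```python
# Added example (not pysaml2 code): resolve each Attribute's effective
# NameFormat per the spec default and show how matching against the SP's
# configured format differs when a missing NameFormat is assumed to be URI.
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
NAME_FORMAT_URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
NAME_FORMAT_BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
NAME_FORMAT_UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"

# Constructed sample: one Attribute without NameFormat, one with basic.
SAMPLE = """<saml:AttributeStatement
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <saml:Attribute Name="spidCode">
    <saml:AttributeValue xsi:type="xs:string">9ebc256045-9a08-3196-66e1-ce9522c4a04c</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xsi:type="xs:string">user@provider.it</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""


def parse_attributes(xml_text):
    """Return [(name, effective_name_format, [values])] for each Attribute."""
    root = ET.fromstring(xml_text)
    out = []
    for attr in root.findall("saml:Attribute", NS):
        # Spec consumer default: absent NameFormat means "unspecified".
        fmt = attr.get("NameFormat", NAME_FORMAT_UNSPECIFIED)
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        out.append((attr.get("Name"), fmt, values))
    return out


def match_attributes(attrs, sp_name_format, strict=False):
    """Keep attributes whose format is the SP's configured one (name_form).

    An "unspecified" attribute is treated here as compatible with any configured
    format. strict=True mimics the pre-fix behaviour from the issue: a missing
    NameFormat is assumed to be URI, so such attributes only match an SP
    configured for URI.
    """
    matched = {}
    for name, fmt, values in attrs:
        if strict and fmt == NAME_FORMAT_UNSPECIFIED:
            fmt = NAME_FORMAT_URI
        if fmt in (sp_name_format, NAME_FORMAT_UNSPECIFIED):
            matched[name] = values
    return matched
```

With the SP configured for the basic format, strict matching drops spidCode because it carries no NameFormat, while the spec-conformant path keeps both attributes.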