Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Attributes cannot be accessed through their FriendlyNames #218

Closed
pc-coholic opened this issue Oct 23, 2020 · 1 comment
Closed

Attributes cannot be accessed through their FriendlyNames #218

pc-coholic opened this issue Oct 23, 2020 · 1 comment

Comments

@pc-coholic
Copy link

Hello!

Please feel free to close this as invalid if I'm misunderstanding how things are supposed to work...

I'm requesting a number of attributes from the IdP - the requestAttributes-section of the SP-configuration is set up with the urn:-names and friendlyNames as follows:

'requestedAttributes': [{
    "name": "urn:mace:dir:attribute-def:displayName",
    "isRequired": True,
    "nameFormat": "urn:mace:shibboleth:1.0:attributeNamespace:uri",
    "friendlyName": "displayName",
    "attributeValue": []
}, {
    "name": "urn:oid:2.16.840.1.113730.3.1.241",
    "isRequired": True,
    "nameFormat": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
    "friendlyName": "displayName",
    "attributeValue": []
}],

This yields - as expected - a response something like this:

    <saml2:AttributeStatement>
      <saml2:Attribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">foo@bar.tld</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>

I was a little bit surprised that calling auth.get_attributes() would return the attributes with the urn:-name/notation even though a friendlyName was setup in the SP-config and even returned by the IdP.

I was wondering if this is the expected result or if I might have some other misconfiguration going on.

It is easy enough to iterate through the returned attributes and compare them to the SP-config and pull the friendlyNames... But I think that instead of doing this after the fact, it might be easier/quicker to just pull the friendlyName in /onelogin/saml2/response.py:get_attributes().

I'd be open to create a PR to implement this. However I would need some guide as to how this should exactly be handled: Using the friendlyName instead of the name in get_attributes() might break existing implementations - so I'm thinking of perhaps just having both present in the resulting dict?
@pitbulk
Copy link
Contributor

pitbulk commented Jan 9, 2021

php-saml has the getAttributesWithFriendlyName method
SAML-Toolkits/php-saml@173a156

I will implement similar here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@pitbulk @pc-coholic