Duplicate entity attributes being added by EntityAttribute metadata filter

Wessel, Keith kwessel at illinois.edu
Tue Oct 29 13:27:57 EDT 2019


Hi, all,

Trying to figure out if this is a bug or a misconfiguration on my part. I have a configuration like the following. It's intended to add an entity attribute to every SP retrieved from the InCommon MDQ server and add an additional entity attribute to a select set of SPs from that same source.

    <MetadataFilter xsi:type="EntityAttributes">
        <saml:Attribute Name="urn:mace:incommon:uiuc.edu:source">
            <saml:AttributeValue>urn:mace:incommon:uiuc.edu:source:incommon-mdq</saml:AttributeValue>
        </saml:Attribute>
        <ConditionRef>shibboleth.Conditions.TRUE</ConditionRef>

        <saml:Attribute Name="urn:mace:incommon:uiuc.edu:consent">
            <saml:AttributeValue>urn:mace:incommon:uiuc.edu:consent:no-consent-needed</saml:AttributeValue>
        </saml:Attribute>
        <Entity>https://sp1.example.org/shibboleth</Entity>
        <Entity>https://p2.example.org/shibboleth</Entity>
    </MetadataFilter>

Examining the metadata produced by mdquery.sh shows, for most entities retrieved from the MDQ service, the first entity attribute being added. However, for any explicitly named for the second attribute, I see the first attribute twice: once before the second attribute and once after. So, it looks like this:

        <mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
            <saml:Attribute Name="http://macedir.org/entity-category"
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
                <saml:AttributeValue>http://id.incommon.org/category/registered-by-incommon</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="urn:mace:incommon:uiuc.edu:source" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
                <saml:AttributeValue>urn:mace:incommon:uiuc.edu:source:incommon-mdq</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="urn:mace:incommon:uiuc.edu:consent" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
                <saml:AttributeValue>urn:mace:incommon:uiuc.edu:consent:no-consent-needed</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="urn:mace:incommon:uiuc.edu:source" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
                <saml:AttributeValue>urn:mace:incommon:uiuc.edu:source:incommon-mdq</saml:AttributeValue>
            </saml:Attribute>
        </mdattr:EntityAttributes>

Of course, having the second attribute there twice doesn't do any damage other than making for a slightly larger cache of fetched metadata from MDQ. My rules that use that rule work fine regardless of whether the attribute is there once or twice. But I can't figure out why it's there twice.

Happy to file as a bug if nobody can suggest a misconfiguration that would be causing this.

Thanks,
Keith
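A small check of the kind described above, written as an added example rather than anything from Keith's post or from the Shibboleth project: it parses metadata as produced by mdquery.sh, reports every entity whose mdattr:EntityAttributes extension carries the same attribute Name and value set more than once, and can strip the later copies so the deduplicated output can be compared against a fix. The embedded metadata is constructed for the example: the first entity reproduces the duplicated output shown in the post, and the second entityID (sp3) is invented to show the clean case.

```python
"""Detect and remove duplicated entity attributes in SAML metadata (added example)."""
import xml.etree.ElementTree as ET
from collections import Counter

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
MD = "{" + NS["md"] + "}"

# Constructed sample: sp1 mirrors the duplicated output from the post, sp3 is a
# made-up entity that only received the single "source" attribute.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:EntityDescriptor entityID="https://sp1.example.org/shibboleth">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category"
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
          <saml:AttributeValue>http://id.incommon.org/category/registered-by-incommon</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute Name="urn:mace:incommon:uiuc.edu:source">
          <saml:AttributeValue>urn:mace:incommon:uiuc.edu:source:incommon-mdq</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute Name="urn:mace:incommon:uiuc.edu:consent">
          <saml:AttributeValue>urn:mace:incommon:uiuc.edu:consent:no-consent-needed</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute Name="urn:mace:incommon:uiuc.edu:source">
          <saml:AttributeValue>urn:mace:incommon:uiuc.edu:source:incommon-mdq</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp3.example.org/shibboleth">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="urn:mace:incommon:uiuc.edu:source">
          <saml:AttributeValue>urn:mace:incommon:uiuc.edu:source:incommon-mdq</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def _attribute_key(attr):
    """Identity of an entity attribute: its Name plus the sorted tuple of its values."""
    values = tuple(sorted((v.text or "").strip()
                          for v in attr.findall("saml:AttributeValue", NS)))
    return (attr.get("Name"), values)


def find_duplicate_entity_attributes(metadata_xml):
    """Return {entityID: [(Name, values, count), ...]} for every entity whose
    EntityAttributes extension repeats the same (Name, values) pair."""
    root = ET.fromstring(metadata_xml)
    report = {}
    # root.iter() also yields the root itself, so a lone EntityDescriptor works too.
    for entity in root.iter(MD + "EntityDescriptor"):
        attrs = entity.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS)
        counts = Counter(_attribute_key(a) for a in attrs)
        dups = [(name, values, n) for (name, values), n in counts.items() if n > 1]
        if dups:
            report[entity.get("entityID")] = dups
    return report


def dedupe_entity_attributes(metadata_xml):
    """Return (cleaned_xml, removed_count), keeping only the first occurrence of
    each (Name, values) pair inside every EntityAttributes extension."""
    for prefix, uri in NS.items():
        ET.register_namespace(prefix, uri)  # keep md:/mdattr:/saml: prefixes on output
    root = ET.fromstring(metadata_xml)
    removed = 0
    for entity in root.iter(MD + "EntityDescriptor"):
        for container in entity.findall("md:Extensions/mdattr:EntityAttributes", NS):
            seen = set()
            for attr in list(container.findall("saml:Attribute", NS)):
                key = _attribute_key(attr)
                if key in seen:
                    container.remove(attr)
                    removed += 1
                else:
                    seen.add(key)
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    for entity_id, dups in find_duplicate_entity_attributes(SAMPLE_METADATA).items():
        for name, values, n in dups:
            print(f"{entity_id}: {name} {values} appears {n} times")
    cleaned, n_removed = dedupe_entity_attributes(SAMPLE_METADATA)
    print(f"removed {n_removed} duplicate attribute element(s)")
```

To run it against real output, replace SAMPLE_METADATA with the text that mdquery.sh prints for one entity; the report groups by entityID, so it works equally on an aggregate. The key deliberately includes the value set, so two attributes with the same Name but different values (a legitimate case, e.g. multiple entity categories) are not flagged.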
