Duplicate entity attributes being added by EntityAttribute metadata filter
Wessel, Keith
kwessel at illinois.edu
Tue Oct 29 13:27:57 EDT 2019
Hi, all,
Trying to figure out if this is a bug or a misconfiguration on my part. I have a configuration like the following. It's intended to add an entity attribute to every SP retrieved from the InCommon MDQ server and add an additional entity attribute to a select set of SPs from that same source.
<MetadataFilter xsi:type="EntityAttributes">
    <saml:Attribute Name="urn:mace:incommon:uiuc.edu:source">
        <saml:AttributeValue>urn:mace:incommon:uiuc.edu:source:incommon-mdq</saml:AttributeValue>
    </saml:Attribute>
    <ConditionRef>shibboleth.Conditions.TRUE</ConditionRef>
    <saml:Attribute Name="urn:mace:incommon:uiuc.edu:consent">
        <saml:AttributeValue>urn:mace:incommon:uiuc.edu:consent:no-consent-needed</saml:AttributeValue>
    </saml:Attribute>
    <Entity>https://sp1.example.org/shibboleth</Entity>
    <Entity>https://p2.example.org/shibboleth</Entity>
</MetadataFilter>
Examining the metadata produced by mdquery.sh shows, for most entities retrieved from the MDQ service, the first entity attribute being added. However, for any explicitly named for the second attribute, I see the first attribute twice: once before the second attribute and once after. So, it looks like this:
<mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
    <saml:Attribute Name="http://macedir.org/entity-category"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
        <saml:AttributeValue>http://id.incommon.org/category/registered-by-incommon</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:mace:incommon:uiuc.edu:source" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
        <saml:AttributeValue>urn:mace:incommon:uiuc.edu:source:incommon-mdq</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:mace:incommon:uiuc.edu:consent" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
        <saml:AttributeValue>urn:mace:incommon:uiuc.edu:consent:no-consent-needed</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:mace:incommon:uiuc.edu:source" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
        <saml:AttributeValue>urn:mace:incommon:uiuc.edu:source:incommon-mdq</saml:AttributeValue>
    </saml:Attribute>
</mdattr:EntityAttributes>
Of course, having the second attribute there twice doesn't do any damage other than making for a slightly larger cache of fetched metadata from MDQ. My rules that use that rule work fine regardless of whether the attribute is there once or twice. But I can't figure out why it's there twice.
Happy to file as a bug if nobody can suggest a misconfiguration that would be causing this.
Thanks,
Keith
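An added example, not part of Keith's message or of the Shibboleth project: a small Python check that parses the kind of mdquery.sh output shown above and reports every entity attribute name/value pair that occurs more than once inside an mdattr:EntityAttributes block, so duplication like this can be found across a whole cached feed instead of by eye. The sample XML is constructed from the output in the post.

```python
# Added example: detect duplicate entity attributes in Shibboleth metadata output.
import xml.etree.ElementTree as ET
from collections import Counter

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
MDATTR_NS = "urn:oasis:names:tc:SAML:metadata:attribute"

# Constructed sample: the EntityAttributes block from the post, with the
# "source" attribute appearing both before and after the "consent" attribute.
SAMPLE = """
<mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
                         xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="http://macedir.org/entity-category">
    <saml:AttributeValue>http://id.incommon.org/category/registered-by-incommon</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:mace:incommon:uiuc.edu:source">
    <saml:AttributeValue>urn:mace:incommon:uiuc.edu:source:incommon-mdq</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:mace:incommon:uiuc.edu:consent">
    <saml:AttributeValue>urn:mace:incommon:uiuc.edu:consent:no-consent-needed</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:mace:incommon:uiuc.edu:source">
    <saml:AttributeValue>urn:mace:incommon:uiuc.edu:source:incommon-mdq</saml:AttributeValue>
  </saml:Attribute>
</mdattr:EntityAttributes>
"""


def entity_attribute_pairs(xml_text):
    """Return every (Name, value) pair found under any mdattr:EntityAttributes element."""
    root = ET.fromstring(xml_text)
    pairs = []
    # iter() includes the root itself, so this works whether the input is a
    # bare EntityAttributes block or a full EntityDescriptor.
    for ea in root.iter(f"{{{MDATTR_NS}}}EntityAttributes"):
        for attr in ea.findall(f"{{{SAML_NS}}}Attribute"):
            name = attr.get("Name")
            for val in attr.findall(f"{{{SAML_NS}}}AttributeValue"):
                pairs.append((name, (val.text or "").strip()))
    return pairs


def duplicate_entity_attributes(xml_text):
    """Map each (Name, value) pair that occurs more than once to its count."""
    counts = Counter(entity_attribute_pairs(xml_text))
    return {pair: n for pair, n in counts.items() if n > 1}


if __name__ == "__main__":
    for (name, value), n in duplicate_entity_attributes(SAMPLE).items():
        print(f"{name} = {value} appears {n} times")
```

Feed it the output of mdquery.sh for one entity, or the whole cached aggregate, to list which attribute pairs the filter chain emitted more than once.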