Shibboleth IdP 4, SAML proxying and SimpleSAMLphp proxy breakage?

Robert Bradley robert.bradley at it.ox.ac.uk
Tue Feb 23 19:22:38 UTC 2021


On 23/02/2021 16:54, Peter Schober wrote:
> * Robert Bradley <robert.bradley at it.ox.ac.uk> [2021-02-23 16:50]:
>> I'm not sure if this is a bug in upstream SimpleSAMLphp or simply an issue
>> with the GÉANT SAML proxy, but I thought it would be worth noting here in
>> case anyone else running Shibboleth IdPs with Azure AD for authentication
>> runs into similar issues.
> 
> FWIW, the way those attributes are constructed suggests use of the
> "SmartID" authproc filter (a bit like the Shib SP's REMOTE_USER
> precedence list), with its somewhat weird default of
> add_candidate == True, i.e., it adds the /name/ of the used attribute
> to the resulting /value/ string of the generated attribute:
> https://simplesamlphp.org/docs/stable/smartattributes:smartattributes
> Code at
> https://github.com/simplesamlphp/simplesamlphp-module-smartattributes/blob/master/lib/Auth/Process/SmartID.php
> 

That's definitely the ultimate cause of it - if there's an 
AuthenticatingAuthority element present, it will append the contents of 
it to the attribute value string after a "!":

https://github.com/simplesamlphp/simplesamlphp-module-smartattributes/blob/a5ac6d7f919480c9f2da3bb0b3166216b8b91e4b/lib/Auth/Process/SmartID.php#L120

I suspect that the SimpleSAMLphp NameID extraction code isn't being used 
here, since that appears to spit out the same format as the Shibboleth 
SP by default.  The specifics of SimpleSAMLphp internals is getting a 
bit off-topic for the shibboleth-users mailing list though.

> Make sure to report this to the SSP mailing list or issue tracker.
> 

Agreed.

-- 
Dr Robert Bradley
Identity and Access Management Team, IT Services, University of Oxford
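Added illustration, not code from SimpleSAMLphp or from anyone in this thread: a small model of the SmartID value format discussed above (candidate attribute name prepended, AuthenticatingAuthority appended after "!") together with a receiving-side parser that only accepts values whose authority suffix is on an allow-list. The ":" separator, the candidate list and all attribute values and URLs are assumptions.

```python
# Constructed model of the SmartID authproc value format and a receiving-side
# parser/check. Not SimpleSAMLphp's own code. Assumptions: ':' separates the
# candidate attribute name from its value (the '!' before the
# AuthenticatingAuthority is as described in the thread); candidate list,
# attribute values and authority URLs are made up.
from typing import Dict, List, Optional, Tuple

# Precedence list of candidate attributes; the first one present wins (constructed).
CANDIDATES: List[str] = ["eduPersonPrincipalName", "mail"]


def build_smart_id(attributes: Dict[str, List[str]], authority: Optional[str],
                   add_candidate: bool = True, add_authority: bool = True) -> Optional[str]:
    """Model of what the proxy emits: '<name>:<value>[!<authority>]'."""
    for name in CANDIDATES:
        values = attributes.get(name)
        if not values:
            continue
        ident = f"{name}:{values[0]}" if add_candidate else values[0]
        if add_authority and authority:
            ident += "!" + authority  # AuthenticatingAuthority appended after '!'
        return ident
    return None


def parse_smart_id(ident: str) -> Tuple[Optional[str], str, Optional[str]]:
    """Split a proxied value into (candidate name, bare value, authority).
    Only strips a 'name:' prefix that is a known candidate, so bare values
    that legitimately contain ':' (e.g. URNs) are left intact."""
    if "!" in ident:
        body, authority = ident.rsplit("!", 1)
    else:
        body, authority = ident, None
    name, sep, value = body.partition(":")
    if sep and name in CANDIDATES:
        return name, value, authority or None
    return None, body, authority or None


def accept_proxied_id(ident: str, trusted: List[str]) -> Optional[str]:
    """Receiving-side check: return the bare identifier only when the
    AuthenticatingAuthority names an upstream IdP we expect, else None."""
    _, value, authority = parse_smart_id(ident)
    if authority is None or authority not in trusted:
        return None
    return value
```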
