attributes from external auth

Jason Pyeron jpyeron at pdinc.us
Wed Jan 13 22:40:02 UTC 2021


Thanks! This seems to have steered me in the right direction. I may have found a bug or I am just thinking wrong. Will follow up after my next code change.

> From: Cantor, Scott
> Sent: Wednesday, January 13, 2021 3:08 PM
> 
> > Reading the mailing list archives ... SNIP
> Messages from 2014 don't have much relevance compared to actual documentation when you're talking


Agreed, was just showing what I had tried.

> 
> > Is it true that external auth can provide attributes in v4 (was true in v2 per mailing list) as
> > implied by the docs, source code, and logs?
> 
> Yes.
> 
> > If so, what are the possible (and preferred) mechanisms to define them and (not) filter them away?
> > ScriptedAttribute, ContextDerived, Simple with an InputAttributeDefinition/InputDataConnector, or something else?
> 
> Attributes obtained during authentication are stored inside the Subject and tracked as part of the
> AuthenticationResult for that method. If you're trying to make use of them later or pass them out to
> an SP, you need the Subject DataConnector [1] to pull them out for that purpose.

When using:

	<AttributeDefinition xsi:type="Simple"
		id="eduPersonNickname">
		<InputDataConnector ref="passthroughAttributes"
			attributeNames="eduPersonNickname" />
	</AttributeDefinition>

	<DataConnector id="passthroughAttributes"
		xsi:type="Subject" exportAttributes="eduPersonNickname" />

I no longer have errors in the logs, but I get:

<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Attribute FriendlyName="uid" Name="urn:oid:0.9.2342.19200300.100.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml2:AttributeValue>xyzzy1</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml2:AttributeValue>xyzzy1 at example.org</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute FriendlyName="eduPersonPrincipalName" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml2:AttributeValue>xyzzy1 at ad.pdinc.us</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute FriendlyName="eduPersonScopedAffiliation" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml2:AttributeValue>member at ad.pdinc.us</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>

with the following log messages:

DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:431] - Attribute Resolver 'ShibbolethAttributeResolver': Resolving dependencies for 'eduPersonNickname'
DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:440] - Attribute Resolver 'ShibbolethAttributeResolver': Finished resolving dependencies for 'eduPersonNickname'
DEBUG [net.shibboleth.idp.attribute.resolver.AbstractAttributeDefinition:137] - Attribute Definition 'eduPersonNickname': produced an attribute with no values
DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:335] - Attribute Resolver 'ShibbolethAttributeResolver': Attribute definition 'eduPersonNickname' produced an attribute with 0 values


This is progress - I will continue to read and debug.

I suspect the registration of attributes like the following is being ignored. The Subject Data Connector [7] says "The Subject DataConnector exposes IdPAttribute objects contained within Java Subject(s)", but the IdPAttribute collection is not in the Subject or Principals.

	import java.util.ArrayList;
	import java.util.Collection;
	import java.util.Collections;
	import net.shibboleth.idp.attribute.IdPAttribute;
	import net.shibboleth.idp.attribute.StringAttributeValue;
	import net.shibboleth.idp.authn.ExternalAuthentication;

	// Attributes produced by the external authentication step
	Collection<IdPAttribute> attrs = new ArrayList<IdPAttribute>();
	IdPAttribute attr;
	attr = new IdPAttribute("eduPersonNickname");
	attr.setValues(Collections.singleton(new StringAttributeValue("Bob Barker 1")));
	attrs.add(attr);
	attr = new IdPAttribute("ignoredAttribute");
	attr.setValues(Collections.singleton(new StringAttributeValue("Bob Barker 3")));
	attrs.add(attr);
	// Hand them to the IdP on the servlet request under ATTRIBUTES_KEY
	request.setAttribute(ExternalAuthentication.ATTRIBUTES_KEY, attrs);

ExternalAuthenticationImpl.java:
        attr = request.getAttribute(ATTRIBUTES_KEY);
        if (attr != null && attr instanceof Collection<?>) {
            extContext.getSubcontext(AttributeContext.class, true).setUnfilteredIdPAttributes(
                    (Collection<IdPAttribute>) attr);
            extContext.getSubcontext(AttributeContext.class).setIdPAttributes(
                    (Collection<IdPAttribute>) attr);
        }

I will change the code to use javax.security.auth.Subject [8].

> 
> I don't recall the External login method filtering attributes. Proxying via SAML does, but I didn't
> think External did, don't recall offhand. If it says it does or logs say it does then it does. Perhaps
> it does only in the case where an authenticationAuthority is supplied.

With a baseline test using:

	<AttributeDefinition id="eduPersonNickname"
		xsi:type="Template">
		<InputAttributeDefinition ref="uid" />
		<Template>name ${uid}</Template>
	</AttributeDefinition>

I get:

<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Attribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml2:AttributeValue>xyzzy1 at example.org</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute FriendlyName="eduPersonScopedAffiliation" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml2:AttributeValue>member at ad.pdinc.us</saml2:AttributeValue>
  </saml2:Attribute>

  <!-- eduPersonNickname = name ${uid} -->
  <saml2:Attribute FriendlyName="eduPersonNickname" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.2" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml2:AttributeValue>name xyzzy1</saml2:AttributeValue>
  </saml2:Attribute>

  <saml2:Attribute FriendlyName="uid" Name="urn:oid:0.9.2342.19200300.100.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml2:AttributeValue>xyzzy1</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute FriendlyName="eduPersonPrincipalName" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml2:AttributeValue>xyzzy1 at ad.pdinc.us</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>

7: https://wiki.shibboleth.net/confluence/display/IDP4/SubjectDataConnector
8: https://docs.oracle.com/en/java/javase/11/docs/api/java.base/javax/security/auth/Subject.html
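An added example (not code from the original post or from the Shibboleth project) of the direction the post says it will take next: putting the attributes inside a javax.security.auth.Subject instead of under ATTRIBUTES_KEY, so that they travel with the AuthenticationResult and can be read by the Subject DataConnector. It assumes that the IdP 4 classes net.shibboleth.idp.authn.principal.IdPAttributePrincipal and UsernamePrincipal and the ExternalAuthentication.SUBJECT_KEY request attribute behave as the IdP documentation describes; the class name ExternalAuthSubjectBuilder and the sample attribute values are constructed for illustration. Check the class and constant names against the IdP version you run.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

import javax.security.auth.Subject;
import javax.servlet.http.HttpServletRequest;

import net.shibboleth.idp.attribute.IdPAttribute;
import net.shibboleth.idp.attribute.IdPAttributeValue;
import net.shibboleth.idp.attribute.StringAttributeValue;
import net.shibboleth.idp.authn.ExternalAuthentication;
// Assumed: IdP 4 principal wrapper that carries an IdPAttribute inside a Subject
import net.shibboleth.idp.authn.principal.IdPAttributePrincipal;
import net.shibboleth.idp.authn.principal.UsernamePrincipal;

/**
 * Hypothetical helper for an external-authentication servlet. It builds the
 * Subject handed back to the IdP: the authenticated username plus the
 * attributes the external mechanism produced. Which of those attributes reach
 * the resolver is then decided by the Subject DataConnector's exportAttributes
 * list (only eduPersonNickname in the post's resolver config), so an attribute
 * such as "ignoredAttribute" is dropped by configuration rather than by code.
 */
public final class ExternalAuthSubjectBuilder {

    private ExternalAuthSubjectBuilder() {
    }

    /** Wraps a single-valued string attribute as an IdPAttribute. */
    static IdPAttribute stringAttribute(final String id, final String value) {
        final IdPAttribute attr = new IdPAttribute(id);
        final List<IdPAttributeValue> values = new ArrayList<>();
        values.add(new StringAttributeValue(value));
        attr.setValues(values);
        return attr;
    }

    /** One UsernamePrincipal for the name, one IdPAttributePrincipal per attribute. */
    static Subject buildSubject(final String username, final Collection<IdPAttribute> attrs) {
        final Subject subject = new Subject();
        subject.getPrincipals().add(new UsernamePrincipal(username));
        for (final IdPAttribute a : attrs) {
            subject.getPrincipals().add(new IdPAttributePrincipal(a));
        }
        return subject;
    }

    /**
     * Called by the external auth servlet once the user has been verified.
     * The attributes are placed inside the Subject under SUBJECT_KEY, which is
     * what the Subject DataConnector reads, instead of under ATTRIBUTES_KEY.
     */
    public static void complete(final HttpServletRequest request, final String username) {
        final Collection<IdPAttribute> attrs = new ArrayList<>();
        // Constructed sample values, mirroring the post's test data
        attrs.add(stringAttribute("eduPersonNickname", "Bob Barker 1"));
        attrs.add(stringAttribute("ignoredAttribute", "Bob Barker 3"));

        request.setAttribute(ExternalAuthentication.SUBJECT_KEY, buildSubject(username, attrs));
    }
}
```

After `complete(...)` the servlet continues with the normal `ExternalAuthentication.finishExternalAuthentication(key, request, response)` call; nothing else about the flow changes. Keeping the exported set narrow in the DataConnector's `exportAttributes` is the control point: whatever the external mechanism injects, only the listed attribute ids become resolver inputs, and the attribute filter policy still decides what an SP receives.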



