attributes from external auth

Jason Pyeron jpyeron at pdinc.us
Wed Jan 13 23:39:20 UTC 2021


Solved! Would an update to https://wiki.shibboleth.net/confluence/display/IDP4/ExternalAuthnConfiguration "external interface example in JSP" be welcome?

> From: Jason Pyeron
> Sent: Wednesday, January 13, 2021 5:40 PM
> 
> Thanks! This seems to have steered me in the right direction. I may have found a bug or I am just
> thinking wrong. Will follow up after my next code change.
> 
> > From: Cantor, Scott
> > Sent: Wednesday, January 13, 2021 3:08 PM
> >
<snip/>
> >
> > >    Is it true that external auth can provide attributes in v4 (was true in v2 per mailing list) as
> > implied by the docs, source
> > > code, and logs?
> >
> > Yes.
> >
> > >  If so, what are the possible (and preferred) mechanisms to define them and (not) filter them
> away?
> > ScriptedAttribute,
> > > ContextDerived, Simple with a InputAttributeDefinition/InputDataConnector, or something else?
> >
> > Attributes obtained during authentication are stored inside the Subject and tracked as part of the
> > AuthenticationResult for that method. If you're trying to make use of them later or pass them out to
> > an SP, you need the Subject DataConnector [1] to pull them out for that purpose.
> 
> When using:
> 
> 	<AttributeDefinition xsi:type="Simple"
> 		id="eduPersonNickname">
> 		<InputDataConnector ref="passthroughAttributes"
> 			attributeNames="eduPersonNickname" />
> 	</AttributeDefinition>
> 
> 	<DataConnector id="passthroughAttributes"
> 		xsi:type="Subject" exportAttributes="eduPersonNickname" />
> 
<snip/>
> 
> DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:431] - Attribute Resolver
> 'ShibbolethAttributeResolver': Resolving dependencies for 'eduPersonNickname'
> DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:440] - Attribute Resolver
> 'ShibbolethAttributeResolver': Finished resolving dependencies for 'eduPersonNickname'
> DEBUG [net.shibboleth.idp.attribute.resolver.AbstractAttributeDefinition:137] - Attribute Definition
> 'eduPersonNickname': produced an attribute with no values
> DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:335] - Attribute Resolver
> 'ShibbolethAttributeResolver': Attribute definition 'eduPersonNickname' produced an attribute with 0
> values
> 
Fixed by switching to request.setAttribute(ExternalAuthentication.SUBJECT_KEY,new Subject(false, principals, Collections.EMPTY_SET, Collections.EMPTY_SET));

Where principals is a collection of the UsernamePrincipal and IdPAttributePrincipal objects.
> 
> This is progress - I will continue to read and debug.
> 
> I am suspecting the registration of attributes, like the following are being ignored. The Subject Data
> Connector [7] says "The Subject DataConnector exposes IdPAttribute objects contained within Java
> Subject(s)", but the IdPAttribute collection is not in the Subject or Principals.
> 
> 	Collection<IdPAttribute> attrs=new ArrayList<IdPAttribute>();
> 	IdPAttribute attr;
> 	attr=new IdPAttribute("eduPersonNickname");
> 	attr.setValues(Collections.singleton(new StringAttributeValue("Bob Barker 1")));
> 	attrs.add(attr);

	principals.add(new IdPAttributePrincipal(attr));

> 	attr=new IdPAttribute("ignoredAttribute");
> 	attr.setValues(Collections.singleton(new StringAttributeValue("Bob Barker 3")));
> 	attrs.add(attr);


	principals.add(new IdPAttributePrincipal(attr));

	principals.add(new UsernamePrincipal("xyzzy2a"));

	request.setAttribute(ExternalAuthentication.SUBJECT_KEY,new Subject(false, principals, Collections.EMPTY_SET, Collections.EMPTY_SET));

and eliminated: 
> 	request.setAttribute(ExternalAuthentication.ATTRIBUTES_KEY, attrs);

Because it is ignored by the <DataConnector xsi:type="Subject" ... >

Which results in:

<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <!-- attribute from the external auth -->
  <saml2:Attribute FriendlyName="eduPersonNickname" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.2" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml2:AttributeValue>Bob Barker 1</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute FriendlyName="uid" Name="urn:oid:0.9.2342.19200300.100.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml2:AttributeValue>xyzzy2a</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute FriendlyName="eduPersonPrincipalName" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml2:AttributeValue>xyzzy2a@ad.pdinc.us</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute FriendlyName="eduPersonScopedAffiliation" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml2:AttributeValue>member@ad.pdinc.us</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml2:AttributeValue>xyzzy2a@example.org</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>
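The working approach the thread arrives at, written out as one complete IdP v4 external-auth servlet. This is an added example, not code from the poster or from the Shibboleth project; the class name is an assumption and the username and attribute values are the constructed ones from the thread, with the real external authentication step left out.

```java
// Added example (not the poster's code): attributes are returned to the IdP as
// IdPAttributePrincipal entries inside the Subject stored under SUBJECT_KEY.
import java.io.IOException;
import java.security.Principal;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.security.auth.Subject;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import net.shibboleth.idp.attribute.IdPAttribute;
import net.shibboleth.idp.attribute.StringAttributeValue;
import net.shibboleth.idp.authn.ExternalAuthentication;
import net.shibboleth.idp.authn.ExternalAuthenticationException;
import net.shibboleth.idp.authn.principal.IdPAttributePrincipal;
import net.shibboleth.idp.authn.principal.UsernamePrincipal;

public class ExternalAuthServlet extends HttpServlet { // class name is an assumption
    /** Wrap one string value in an IdPAttribute with the given id. */
    private static IdPAttribute attribute(String id, String value) {
        IdPAttribute attr = new IdPAttribute(id);
        attr.setValues(Collections.singleton(new StringAttributeValue(value)));
        return attr;
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        try {
            // Hand the request to the IdP and obtain the conversation key.
            String key = ExternalAuthentication.startExternalAuthentication(request);
            // The external mechanism that actually authenticated the user is assumed to have run.
            Set<Principal> principals = new HashSet<>();
            principals.add(new UsernamePrincipal("xyzzy2a"));
            // Attributes travel as IdPAttributePrincipal objects; a collection set under
            // ATTRIBUTES_KEY is ignored by the Subject DataConnector (the thread's finding).
            principals.add(new IdPAttributePrincipal(attribute("eduPersonNickname", "Bob Barker 1")));
            // Only ids listed in exportAttributes on the Subject DataConnector, and then passed
            // by the attribute filter, reach the SP; this one stays inside the Subject.
            principals.add(new IdPAttributePrincipal(attribute("ignoredAttribute", "Bob Barker 3")));
            request.setAttribute(ExternalAuthentication.SUBJECT_KEY,
                    new Subject(false, principals, Collections.emptySet(), Collections.emptySet()));
            // Return control to the IdP's login flow.
            ExternalAuthentication.finishExternalAuthentication(key, request, response);
        } catch (ExternalAuthenticationException e) {
            throw new ServletException("External authentication failed", e);
        }
    }
}
```

With the resolver snippet quoted earlier (Simple definition fed by the Subject DataConnector with exportAttributes="eduPersonNickname"), only eduPersonNickname is resolved from the Subject; the second principal is present but never exported.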