IdP 4.0.1 AttributeEncoder behavioral change
Paul Engle
pengle at rice.edu
Fri Jan 29 21:55:45 UTC 2021
All,
After upgrading to 4.0.1, I only had one SP that had issues with the
upgrade, and it turned out to be a change in the way the attributes were
populated in the assertion.
Scenario:
We have some attributes that had multiple SAML2String AttributeEncoders
tied to them to accommodate SPs that were looking for specific names for an
attribute. In general, the secondary encoders lacked a friendlyName xml
attribute in the AttributeEncoder element. (Reasoning being if they were
looking for that specific name, they didn't need a friendly name.)
Under 3.4.6 and earlier, this resulted in assertions with Attribute
elements that contained no FriendlyName xml attributes, as expected. Under
4.0.1, it seems that these attributes inherited the friendly name from the
other SAML2String encoder. So the resulting assertion had two Attributes
with different Names, but the same FriendlyName.
For one of our SPs, this was a problem. They outright rejected the
assertion if two attributes had the same FriendlyName. Now, I'm of the
opinion that that's a bug on their part, since nobody should be relying on
FriendlyNames. But I haven't examined the spec to see if it's allowed or
not.
It was easily fixed by me putting a friendlyName value in the
AttributeEncoders so that everything had a unique FriendlyName in the
assertion. I wanted to bring it to the attention of others, though, in case
they run across something similar.
I'm happy to file a jira, if this is considered a bug in IdP4. I know the
encoding configuration has all changed, so maybe this is just an artifact
from using legacy configuration.
--
Paul Engle
IAM Architect
Identity & Access Management
pengle at rice.edu 713-348-4702
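A check for the condition described in the post, added here as an example and not part of the original message or of Shibboleth's own code: it parses a constructed SAML 2.0 assertion fragment (the issuer URL, attribute names and values are made up for illustration), reports any FriendlyName shared by Attribute elements with different Names, and shows the SP-side lookup keyed on Name rather than FriendlyName that the post argues relying parties should be doing. It uses only the Python standard library.

```python
"""Detect SAML 2.0 Attribute elements that share a FriendlyName while carrying
different Names, and resolve attributes by Name instead of FriendlyName."""
import xml.etree.ElementTree as ET
from collections import defaultdict

SAML2_NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not real IdP output). The first two Attribute
# elements carry different Names but the same FriendlyName, which is the
# 4.0.1 behaviour the post describes; the third is an unrelated attribute.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2021-01-29T00:00:00Z">
  <saml2:Issuer>https://idp.example.edu/idp/shibboleth</saml2:Issuer>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        FriendlyName="eduPersonPrincipalName">
      <saml2:AttributeValue>alice@example.edu</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="eppn"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
        FriendlyName="eduPersonPrincipalName">
      <saml2:AttributeValue>alice@example.edu</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        FriendlyName="mail">
      <saml2:AttributeValue>alice@example.edu</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


def parse_attributes(assertion_xml):
    """Return one dict per saml2:Attribute, in document order."""
    root = ET.fromstring(assertion_xml)
    attrs = []
    for el in root.findall(".//saml2:Attribute", SAML2_NS):
        values = [v.text or "" for v in el.findall("saml2:AttributeValue", SAML2_NS)]
        attrs.append({
            "name": el.get("Name"),
            "name_format": el.get("NameFormat"),
            "friendly_name": el.get("FriendlyName"),  # None when absent
            "values": values,
        })
    return attrs


def duplicate_friendly_names(attrs):
    """Map each FriendlyName that is used by more than one distinct Name to the
    sorted list of those Names. Attributes without a FriendlyName are ignored,
    since absence cannot collide."""
    by_friendly = defaultdict(set)
    for a in attrs:
        if a["friendly_name"]:
            by_friendly[a["friendly_name"]].add(a["name"])
    return {fn: sorted(names) for fn, names in by_friendly.items() if len(names) > 1}


def lookup_by_name(attrs, name, name_format=None):
    """SP-side lookup keyed on Name (and optionally NameFormat). FriendlyName is
    deliberately not consulted, so duplicates there cannot change the result."""
    out = []
    for a in attrs:
        if a["name"] == name and (name_format is None or a["name_format"] == name_format):
            out.extend(a["values"])
    return out


if __name__ == "__main__":
    attrs = parse_attributes(SAMPLE_ASSERTION)
    for fn, names in duplicate_friendly_names(attrs).items():
        print(f"FriendlyName {fn!r} is shared by Names: {', '.join(names)}")
    print("eppn via Name:", lookup_by_name(attrs, "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"))
```

Running the script against the sample reports that eduPersonPrincipalName is shared by the `eppn` and `urn:oid:1.3.6.1.4.1.5923.1.1.1.6` attributes, while the Name-keyed lookup still returns the value unambiguously. Pointing `parse_attributes` at a decoded assertion captured from an IdP's logs or a SAML tracer gives a quick way to confirm whether an upgrade changed FriendlyName emission before an SP complains.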