Duplicate Attribute Values after Shibboleth Upgrade

Pablo Vidaurri psvidaurri at gmail.com
Mon Sep 13 17:20:18 UTC 2021


Have you enabled logging to see what is being resolved and what is being
filtered? Can you provide the attribute resolver piece that fetches the
value?

On Mon, Sep 13, 2021 at 11:45 AM David Lovas <dlovas at rexovas.com> wrote:

> Hi Everyone,
>
> Some time ago, I migrated an old IIS7 Application running on Windows
> Server 2016 from using the OpenToken Plugin for Authentication, to
> Shibboleth/SAML as a Service Provider.  At the time, the latest version was
> 3.2.0.0.
>
> Following the recent vulnerabilities identified with these older versions,
> I have attempted (unsuccessfully) to upgrade to the latest version.
>
> This application relies upon a SAML Attribute "HTTP_USER" - the value of
> which is a simple user id of the format "abc123".  Using the Chrome Plugin
> SAML Tracer, I can see that the value is being sent as expected.
>
> This user ID is used to obtain user permissions from a database, and is
> also used for all subsequent writes to the DB.  It is also displayed in the
> application after successful SSO authentication.
>
> For some reason, in all versions tested after 3.2.1.1 including the latest
> 3.2.3.1, despite SAML Tracer showing the correct "abc123" value, the
> application is displaying the value repeated, separated by semicolons, as
> such: "abc123;abc123;abc123".  As a result, the database cannot locate the
> user, as the value is incorrect.
>
> Because this is a legacy application, changes to the codebase to resolve
> this issue are not possible.
>
> I've attempted adding the following AttributeResolver to try and obtain
> only the first occurrence of the userId; however, this had no effect.
>
> <AttributeResolver type="Transform" source="HTTP_USER">
>              <Regex match="[^;]*">$1</Regex>
> </AttributeResolver>
>
> Has anyone else experienced this issue following the recent updates? There
> is no mention of any such breaking change in the changelogs.  Is there some
> other change I should make to the shibboleth2.xml or attribute-map.xml
> files?
>
> Thanks,
> David Lovas