Attribute filter policy conditional on existence of attribute?
Baron Fujimoto
baron at hawaii.edu
Fri Nov 18 17:02:18 UTC 2022
In this case, the attrFoo and attrBar are two variants of a uid (e.g.
altUid and uid). For somewhat byzantine reasons, we have a set of users who
are assigned non-standard uids, so we must synthesize an altUid for them.
Since both variants are nominally uids, they are both defined in the
transcoders with <prop key="saml2.name">urn:oid:0.9.2342.19200300.100.1.1</prop>.
If I release both uid and altUid, they get merged into one of the
attributes (I don't know whether which one is order dependent) as a multivalued
attribute, e.g.:

    <saml2:Attribute FriendlyName="altUid"
                     Name="urn:oid:0.9.2342.19200300.100.1.1"
                     NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml2:AttributeValue>altUid</saml2:AttributeValue>
        <saml2:AttributeValue>normalUid</saml2:AttributeValue>
    </saml2:Attribute>
Unfortunately, the SP can only use one attribute key on their end for its
business logic, so it is looking for "urn:oid:0.9.2342.19200300.100.1.1".
When it encounters the multivalued attribute in the response, it catenates
the values, and they don't have a good means to undo that on their end. The
problem is uid should always exist, so this leads to the catenation issue
for the SP that requires the altUid. So I don't know if that is a good
reason, but that's what led me down this path.
I think I'd rather not do it in the resolver because the proportion of
cases where we need the altUid is relatively very small, and it seems inefficient
to have to make the conditional determination every time we need to resolve
the uid. Plus, it just seems cleaner imo to confine the exception to the
one place where it would be needed.
On Thu, Nov 17, 2022 at 10:56 PM Peter Schober via users <
users at shibboleth.net> wrote:
> * Baron Fujimoto via users <users at shibboleth.net> [2022-11-18 02:42]:
> > I'd like to define an AttributeFilterPolicy that conditionally releases one
> > of two attributes depending on whether one of the two exists or not. In
> > pseudocode, essentially:
> >
> >     If ( defined attrFoo ) {
> >         permit attrFoo
> >     }
> >     else {
> >         permit attrBar
> >     }
>
> You positively need to prevent that both attributes are released in
> case both have values (if that what you mean with "exists")?
> If so, is there a good reason for that? ;)
> If not you'd simply release both attributes and the IDP would take
> care of not sending any that don't have any values, which seems to
> come close to your requirement, maybe sufficiently close.
>
> Also note that scripting can also be used in the filter, AFAIR, though
> it's more often used in the resolver.
>
> -peter
> --
> For Consortium Member technical support, see
> https://shibboleth.atlassian.net/wiki/x/ZYEpPw
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>
--
Baron Fujimoto <baron at hawaii.edu> ::: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum descendus pantorum
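One way to express the "permit attrBar only when attrFoo has no value" pseudocode from the thread directly in attribute-filter.xml, without touching the resolver. This is an added example, not the poster's or the Shibboleth project's configuration; the policy id, the SP entityID and the attribute IDs altUid/uid are placeholders, and it assumes the IdP v4 filter syntax where an AttributeValueRegex rule carrying an attributeID is evaluated against that other attribute rather than the one being filtered.

```xml
<!-- Hypothetical policy (placeholder ids and entityID), not configuration from the thread. -->
<AttributeFilterPolicy id="releaseOneUidVariantToExampleSP">
    <!-- Scope the exception to the single SP that needs it. -->
    <PolicyRequirementRule xsi:type="Requester" value="https://sp.example.org/shibboleth" />

    <!-- altUid is released whenever it is present with a value; attributes without
         values are never encoded, so nothing is emitted for ordinary users. -->
    <AttributeRule attributeID="altUid" permitAny="true" />

    <!-- uid is released only when altUid has no value at all: the inner rule is
         true if any altUid value matches ".*", and NOT inverts it. -->
    <AttributeRule attributeID="uid">
        <PermitValueRule xsi:type="NOT">
            <Rule xsi:type="AttributeValueRegex" attributeID="altUid" regex=".*" />
        </PermitValueRule>
    </AttributeRule>
</AttributeFilterPolicy>
```

Because both attributes are encoded under the same SAML Name, at most one of them may be released per response for this policy to achieve its purpose; a separate, broader policy that also permits uid to the same SP would reintroduce the merged multivalued attribute, so check the effective release for that SP (for example with the IdP's resolvertest or aacli tooling) after adding the policy.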