
IdPFilter does not correctly handle SAML assertion attributes or invoke custom attribute managers when doing IdP initiated auth use cases

    • Type: Bug
    • Resolution: Done
    • Priority: Major
    • Versions: PLINK_2.7.0.CR3, PLINK_2.6.0.CR5
    • Component: SAML
    • Labels: None

      When using the IdPFilter (as opposed to IDPWebBrowserSSOValve) in conjunction with a custom attribute manager, the following issues occur:

      1. The custom attribute manager is not invoked.
      2. Every time an IdP-initiated SAML request is made, an additional (duplicated) block of Role attributes is added to the resulting SAML assertion. For example, if you access a URL like this: http://localhost:8080/idp/?SAML_VERSION=2.0&TARGET=https://training-lms-test.redhat.com/Saml/Logon&SAML_BINDING=POST, you will see a SAML assertion similar to this:

      <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
                      xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
                      IssueInstant="2014-12-12T16:18:31.996Z"
                      MajorVersion="1"
                      MinorVersion="1"
                      ResponseID="ID_ccf93504-1f2b-4102-8a26-81d1577f466f">
        <samlp:Status>
          <samlp:StatusCode Value="samlp:Success" />
        </samlp:Status>
        <saml:Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
                        AssertionID="ID_62d6d29f-5368-4065-b068-5cf67381836d"
                        IssueInstant="2014-12-12T16:18:06.393Z"
                        Issuer="http://localhost:8080/idp/"
                        MajorVersion="1"
                        MinorVersion="1"
                        xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
          <saml:Conditions NotBefore="2014-12-12T16:18:04.393Z"
                           NotOnOrAfter="2014-12-12T16:18:13.393Z" />
          <saml:AuthenticationStatement AuthenticationInstant="2014-12-12T16:18:06.393Z"
                                        AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
            <saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
              <saml:NameIdentifier>vkumar51</saml:NameIdentifier>
            </saml:Subject>
          </saml:AuthenticationStatement>
          <saml:AttributeStatement>
            <saml:Attribute AttributeName="Role"
                            AttributeNamespace="urn:picketlink:role">
              <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                   xsi:type="xs:string">idp_authenticated</saml:AttributeValue>
            </saml:Attribute>
          </saml:AttributeStatement>
          <saml:AttributeStatement>
            <saml:Attribute AttributeName="Role"
                            AttributeNamespace="urn:picketlink:role">
              <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                   xsi:type="xs:string">idp_authenticated</saml:AttributeValue>
            </saml:Attribute>
          </saml:AttributeStatement>
          <saml:AttributeStatement>
            <saml:Attribute AttributeName="Role"
                            AttributeNamespace="urn:picketlink:role">
              <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                   xsi:type="xs:string">idp_authenticated</saml:AttributeValue>
            </saml:Attribute>
          </saml:AttributeStatement>
        </saml:Assertion>
      </samlp:Response>

      This behavior does not occur if you use the SAML valve; however, we have other requirements that dictate we use the IDPFilter.

              Assignee: Pedro Igor Craveiro (psilva@redhat.com)
              Reporter: michael cirioli (rhit_mcirioli, Inactive)