FusionAuth / fusionauth-samlv2

SAML v2.0 bindings in Java using JAXB
Apache License 2.0

Handle xsi:nil when parsing a SAML response #1

Closed robotdan closed 2 years ago

robotdan commented 4 years ago

When parsing a SAML response, if the attribute value specifies xsi:nil, we still expect a non-null value and then throw an exception.

Example attribute, notice xsi:nil="true".

<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="PersonImmutableID">
   <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true" xsi:type="xs:string"/>
</saml:Attribute>
robotdan commented 4 years ago

Commit https://github.com/FusionAuth/fusionauth-samlv2/commit/a8dafbbe447e6b2fe75693dfcdd3ad7596742873

robotdan commented 4 years ago

@voidmain want to take a look at this issue and fix?

From what I can tell, the xsi:nil is more for the parser than the reader. So during our parsing of the response, I don't have an additional attribute to indicate null is ok. But rather, it parses successfully and because xsi:nil is present the value comes through as null instead of "".

https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

2.7.3.1.1 Element

If a SAML attribute includes a "null" value, the corresponding element MUST be empty and MUST contain the reserved xsi:nil XML attribute with a value of "true" or "1".

So I'm accounting for a null attribute, and preserving the null value in the collection.

We could also omit the null attribute by removing it from the collection.
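The nil handling described in the spec excerpt above, as an added example that is not part of the issue or the fusionauth-samlv2 code base. It uses a plain namespace-aware DOM parser rather than the library's JAXB bindings, and the sample XML (the nil PersonImmutableID attribute from the report plus a constructed email attribute) is embedded inline. A value carrying xsi:nil="true" or xsi:nil="1" is kept in the collection as null, so a consumer can tell "the IdP sent no value" apart from "the IdP sent an empty string", which is the distinction the parser was tripping over.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class NilAttributeExample {
  static final String SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
  // http://www.w3.org/2001/XMLSchema-instance
  static final String XSI_NS = XMLConstants.W3C_XML_SCHEMA_INSTANCE_NS_URI;

  // Constructed sample (hypothetical statement): the nil attribute from the report
  // plus one attribute with a real value, so both paths are exercised.
  static final String SAMPLE =
      "<saml:AttributeStatement xmlns:saml=\"" + SAML_NS + "\">"
    + "<saml:Attribute NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:basic\" Name=\"PersonImmutableID\">"
    + "<saml:AttributeValue xmlns:xsi=\"" + XSI_NS + "\" xsi:nil=\"true\" xsi:type=\"xs:string\"/>"
    + "</saml:Attribute>"
    + "<saml:Attribute NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:basic\" Name=\"email\">"
    + "<saml:AttributeValue xmlns:xsi=\"" + XSI_NS + "\" xsi:type=\"xs:string\">alice@example.com</saml:AttributeValue>"
    + "</saml:Attribute>"
    + "</saml:AttributeStatement>";

  /** True when the element carries xsi:nil="true" or xsi:nil="1" (SAML core 2.7.3.1.1). */
  static boolean isNil(Element e) {
    if (!e.hasAttributeNS(XSI_NS, "nil")) {
      return false;
    }
    String v = e.getAttributeNS(XSI_NS, "nil").trim();
    return "true".equals(v) || "1".equals(v);
  }

  /** Maps attribute Name to its values; a nil value is preserved as null, not dropped. */
  static Map<String, List<String>> parseAttributes(String xml) throws Exception {
    DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
    f.setNamespaceAware(true);
    // Untrusted XML from an IdP: refuse DTDs and entity expansion before parsing.
    f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    f.setExpandEntityReferences(false);
    DocumentBuilder builder = f.newDocumentBuilder();
    Document doc = builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));

    Map<String, List<String>> result = new LinkedHashMap<>();
    NodeList attrs = doc.getElementsByTagNameNS(SAML_NS, "Attribute");
    for (int i = 0; i < attrs.getLength(); i++) {
      Element attr = (Element) attrs.item(i);
      List<String> values = new ArrayList<>();
      NodeList vals = attr.getElementsByTagNameNS(SAML_NS, "AttributeValue");
      for (int j = 0; j < vals.getLength(); j++) {
        Element val = (Element) vals.item(j);
        if (isNil(val)) {
          // getTextContent() would return "" here; record the absence explicitly instead.
          values.add(null);
        } else {
          values.add(val.getTextContent());
        }
      }
      result.put(attr.getAttribute("Name"), values);
    }
    return result;
  }

  public static void main(String[] args) throws Exception {
    Map<String, List<String>> attrs = parseAttributes(SAMPLE);
    for (Map.Entry<String, List<String>> entry : attrs.entrySet()) {
      System.out.println(entry.getKey() + " -> " + entry.getValue());
    }
  }
}
```

Whichever policy the library settles on (keep the null in the collection, or drop the attribute entirely), the check has to happen before any code dereferences the value; callers that later do `value.trim()` or `value.equals(...)` on the PersonImmutableID entry must be prepared for null.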

robotdan commented 4 years ago

I released for now since the fix alleviates the symptom. We can discuss if we want to keep this behavior or modify it.