IdentityPython / SATOSA

Proxy translating between different authentication protocols (SAML2, OpenID Connect and OAuth2)
https://idpy.org
Apache License 2.0

Attributes not forwarded to SP #443

Open walton-io opened 11 months ago

walton-io commented 11 months ago

Hello, I'm sorry for posting here, hoping someone can help.

What I am trying: Google/G-Suite as the SAML IDP, AWS Workspaces as the SAML SP.

In my saml2_backend.yaml I had to set the below to true:

  mirror_force_authn: true
  memorize_idp: true

When I try to hit my unsolicited link with a target param in the URL, I can get to Google and authenticate.

Using the Chrome developer tools, I see the first SAMLResponse payload and that contains the correct attributes.

However the second SAMLResponse that comes from https://signin.aws.amazon.com/saml tells me the SAML response is invalid. When I decode the base64 for this response I can see the attributes are missing.

In the app logs, I see something like "backend attributes received" and I can also see logs relating to the custom nameID and attributes processor I have configured.

I've spent some time digging and found other people having the same issue with SATOSA:

https://lists.sunet.se/hyperkitty/list/satosa-users@lists.sunet.se/thread/5CUGMZZ6TPNDTRCHV7IZOTQBGADPRV6N/

https://lists.sunet.se/hyperkitty/list/satosa-users@lists.sunet.se/thread/IIRFENYNCM2UR3GKOKV6AES4F2OWPBUG/

https://lists.sunet.se/hyperkitty/list/satosa-users@lists.sunet.se/thread/L6DHB5JROVGSFPULPPSFW7Y4XBDXEKUU/?sort=date

In my logs I see the below as well, similar to the users in the links above.

I've also double-checked the name_format coming from AWS... everything looks fine but no attributes.

Code Version

docker satosa:latest

Expected Behavior

Attributes should be included

Current Behavior

Seeing this in my logs... no attributes included to the SP:

Filter: []
returning attributes **{}**

I have also tried adding static attributes as per the examples/docs in this repo and those do not populate either.

c00kiemon5ter commented 11 months ago

Hello,

I would suggest opening the debug log for the saml2 module. To me what you describe sounds like the SP does not set any RequestedAttribute (that are set to be required) in its metadata, and that results in the attributes being filtered out.
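An added diagnostic for the situation described in this comment (example code written for this thread, not SATOSA's or pysaml2's own filtering code): it pulls the RequestedAttribute entries out of an SP's metadata and shows which backend attributes would survive when release is limited to what the SP asked for, including the empty-filter case behind the "Filter: [] / returning attributes {}" log lines. The SP metadata and the attribute values are constructed samples.

```python
"""Show which attributes an SP's metadata requests and what that leaves to release."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample SP metadata: one required and one optional RequestedAttribute.
SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeConsumingService index="0">
      <md:ServiceName xml:lang="en">Example SP</md:ServiceName>
      <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3"
          FriendlyName="mail" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:2.5.4.42"
          FriendlyName="givenName" isRequired="false"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def requested_attributes(metadata_xml, required_only=True):
    """Return the attribute Names listed as RequestedAttribute in the SP metadata.

    With required_only=True only entries marked isRequired="true" count, which is
    the stricter reading of what the SP must receive.
    """
    root = ET.fromstring(metadata_xml)
    path = ".//md:AttributeConsumingService/md:RequestedAttribute"
    wanted = []
    for ra in root.iterfind(path, NS):
        is_required = ra.get("isRequired", "false").lower() == "true"
        if is_required or not required_only:
            wanted.append(ra.get("Name"))
    return wanted


def filter_attributes(attributes, wanted):
    """Keep only attributes the SP asked for; an empty filter releases nothing.

    Returns (released, dropped) so the dropped names can be logged for diagnosis.
    """
    released = {k: v for k, v in attributes.items() if k in wanted}
    dropped = sorted(k for k in attributes if k not in released)
    return released, dropped


# Constructed backend attributes keyed by SAML attribute Name, as the frontend would see them.
BACKEND_ATTRIBUTES = {
    "urn:oid:0.9.2342.19200300.100.1.3": ["ann@example.org"],
    "urn:oid:2.5.4.42": ["Ann"],
    "urn:oid:2.5.4.4": ["Example"],
}
```

Running `filter_attributes(BACKEND_ATTRIBUTES, [])` reproduces the empty release from the logs above, while feeding it `requested_attributes(SP_METADATA)` releases only the mail attribute and reports the rest as dropped.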

joaofilipedg commented 10 months ago

Hello!

I am having a similar issue to what is described here, and I was indeed coming to the conclusion that the Frontend is only releasing the attributes requested by the SP in its metadata.

@c00kiemon5ter, can you confirm if there is no way to configure the Frontend to release all internally mapped attributes, even those not requested by the SP?