IdentityPython / pysaml2

Python implementation of SAML2
Apache License 2.0

[Bug/question] Configured name_form ignored for attributes in `idp_user` #936

Closed ToufiPF closed 11 months ago

ToufiPF commented 11 months ago

It seems that the attributes specified in idp_user always have NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri", even if the IDP has 'name_form': "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" in its configuration.

Code Version

pysaml2 7.4.2 ; and for the examples I cloned the master branch yesterday.

Expected Behavior

The custom attributes returned in the assertion have NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified".

Current Behavior

The custom attributes returned in the assertion have NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri".

Possible Solution

No idea, tbh. I tried to debug it a bit by myself. It seems to me that the correct config is loaded, and IDP.config._idp_policy.get_name_form("http:localhost:8087") does return the expected name format.

Steps to Reproduce

  1. Using the provided examples idp2 and sp-wsgi
  2. Change the following entries in idp_conf, resp. sp_conf.

     CONFIG = {
         "service": {
             "idp": {
                 "policy": {
                     "default": {
                         "name_form": NAME_FORMAT_UNSPECIFIED,
                     },
                 },
             },
         },
     }

     and

     CONFIG = {
         # I also tried to comment this line out in the SP config, which changes nothing
         "name_form": NAME_FORMAT_UNSPECIFIED,
     }

  3. Edit idp_user to contain custom attributes, e.g.,

     USERS = {
         "roland": {"login": "roland4871"},
     }

  4. Run the servers (./all.sh)
  5. Login with roland on the IDP login page, observe that the IDP sends (and SP receives):

     <ns0:Attribute xmlns:ns0="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Name="login" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns0:AttributeValue xsi:type="xs:string" xmlns:xs="http://www.w3.org/2001/XMLSchema">roland4871</ns0:AttributeValue></ns0:Attribute>

     which has an incorrect NameFormat.

Did I do something wrong or is this really a bug?

ToufiPF commented 11 months ago

The missing step was to add an attribute map: attributemaps/custom.py:

MAP = {
    "identifier": "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified",
    "fro": {
        "FullName": "FullName",
        "Email": "Email",
        "Login": "Login",
        "Roles": "Roles",
    },
}

And of course to add "attribute_map_dir": "../attributemaps", to the CONFIG in idp_conf and sp_conf.

This has the side effect of adding a FriendlyName tag to the xml elements, though, which I simply ignore.
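An added example, not pysaml2's own code, that models the behaviour described in this issue: build_attribute is a hypothetical helper that takes NameFormat from the attribute map's identifier and falls back to the uri format when no map covers the attribute, and check_name_formats flags every Attribute in an assertion whose NameFormat disagrees with the IdP's configured name_form. The sample Attribute element is constructed from the one quoted in the steps above.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
FORMAT_URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
FORMAT_UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
ET.register_namespace("saml", SAML_NS)

# Attribute map in the shape the issue's custom.py uses (copied here for the demo).
MAP = {
    "identifier": FORMAT_UNSPECIFIED,
    "fro": {"FullName": "FullName", "Email": "Email", "Login": "Login", "Roles": "Roles"},
}

# Constructed sample mirroring the Attribute element quoted in the issue
# (the xsi:type annotation is dropped to keep the snippet short).
SAMPLE_ATTRIBUTE = (
    '<ns0:Attribute xmlns:ns0="urn:oasis:names:tc:SAML:2.0:assertion" '
    'Name="login" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">'
    "<ns0:AttributeValue>roland4871</ns0:AttributeValue></ns0:Attribute>"
)


def build_attribute(name, values, attribute_map=None):
    """Hypothetical helper (not pysaml2's API): emit a saml:Attribute whose
    NameFormat is the map's identifier when the map knows the attribute, and
    the uri format otherwise, which is the fallback the issue reports."""
    name_format = FORMAT_URI
    if attribute_map is not None and name in attribute_map["fro"]:
        name_format = attribute_map["identifier"]
    attr = ET.Element(f"{{{SAML_NS}}}Attribute", {"Name": name, "NameFormat": name_format})
    for value in values:
        ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = value
    return attr


def render(attr):
    """Serialise an element to a unicode string."""
    return ET.tostring(attr, encoding="unicode")


def check_name_formats(assertion_xml, expected):
    """Return the Name of every saml:Attribute in the XML whose NameFormat is
    not `expected`; an empty list means the assertion matches the IdP policy."""
    root = ET.fromstring(assertion_xml)
    return [
        el.get("Name")
        for el in root.iter(f"{{{SAML_NS}}}Attribute")
        if el.get("NameFormat") != expected
    ]


if __name__ == "__main__":
    print(check_name_formats(SAMPLE_ATTRIBUTE, FORMAT_UNSPECIFIED))  # ['login']
    print(render(build_attribute("Login", ["roland4871"], MAP)))
```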