steffow / meteor-accounts-saml

SAML SP tested with OpenAM

Correct the implementation of the SAML Attribute profile #21

Closed rhoerbe closed 6 years ago

rhoerbe commented 7 years ago

The current implementation is mixing up the basic and x500 SAML attribute profiles.

The "SAML profiles" specification defines how attribute names are communicated. A very common way is to use URIs to have a unique id for an attribute, along with an optional friendly name. This is specified in Section 8.2 of above document. The correct way to interpret attribute names for a SAML library is to map the URI to a name that the application can understand. A typical map using LDAP-based attributes could look like this:

{
  "urn:oid:2.5.4.3": "cn",
  "urn:oid:2.5.4.4": "sn",
  "urn:oid:2.5.4.42": "givenName",
  "urn:oid:2.16.840.1.113730.3.1.241": "displayName",
  "urn:oid:0.9.2342.19200300.100.1.1": "uid",
  "urn:oid:0.9.2342.19200300.100.1.3": "mail"
}
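The mapping described in this comment, as an added example in JavaScript; it is not code from meteor-accounts-saml. The input shape (one object per SAML Attribute with name, nameFormat, friendlyName and values) is an assumption, and the map is the one quoted above.

```javascript
// Added example (not the package's own code): resolve SAML attribute names from
// the X.500/LDAP profile (urn:oid:... URIs) to application-local names while still
// accepting the basic profile (plain local names). Assumed input: one object per
// <saml:Attribute> with name, nameFormat, friendlyName and values.
const BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic";
const URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri";

// The map from the comment above.
const OID_TO_LOCAL = {
  "urn:oid:2.5.4.3": "cn",
  "urn:oid:2.5.4.4": "sn",
  "urn:oid:2.5.4.42": "givenName",
  "urn:oid:2.16.840.1.113730.3.1.241": "displayName",
  "urn:oid:0.9.2342.19200300.100.1.1": "uid",
  "urn:oid:0.9.2342.19200300.100.1.3": "mail",
};

// Returns { localName: [values...] }. Only the attribute Name (the URI) decides
// the local name; FriendlyName is informational in the spec and is never used as
// the key, so a FriendlyName of "mail" on an unknown OID does not become "mail".
// Unknown URIs are kept under the URI itself so nothing is silently dropped.
function mapSamlAttributes(attributes, oidMap = OID_TO_LOCAL) {
  const result = {};
  for (const attr of attributes) {
    const values = Array.isArray(attr.values) ? attr.values : [attr.values];
    let local;
    if (attr.nameFormat === URI_FORMAT || attr.name.startsWith("urn:oid:")) {
      local = oidMap[attr.name]; // undefined for OIDs the application does not know
    } else if (attr.nameFormat === BASIC || attr.nameFormat === undefined) {
      local = attr.name; // basic profile: the name already is the local name
    }
    const key = local !== undefined ? local : attr.name;
    // Multi-valued attributes (or the same attribute sent twice) are merged.
    result[key] = (result[key] || []).concat(values);
  }
  return result;
}

// Constructed sample: both profiles in one assertion, plus an unknown OID whose
// FriendlyName claims "mail" and must not collide with the real mail attribute.
const sampleAttributes = [
  { name: "urn:oid:0.9.2342.19200300.100.1.3", nameFormat: URI_FORMAT,
    friendlyName: "mail", values: ["a@example.org"] },
  { name: "urn:oid:2.5.4.42", nameFormat: URI_FORMAT, values: "Alice" },
  { name: "department", nameFormat: BASIC, values: ["IT"] },
  { name: "urn:oid:1.2.3.4.5", nameFormat: URI_FORMAT,
    friendlyName: "mail", values: ["other@example.net"] },
];
```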
steffow commented 6 years ago

Mmmh. Not a very user friendly notation in JS world. Suggest to keep it as it is. Pls note that OpenAM follows the same mapping "samlattrName=localName".

rhoerbe commented 6 years ago

No, OpenAM supports both the basic and x500 attribute profiles (due to its heritage it is a pretty complete SAML implementation). The choice of how to map attributes depends on the deployment specification. In simplistic cases (e.g. I need to connect a couple of SPs to a single IDP) a direct mapping of local names is obvious, but it does not scale well in large and heterogeneous scenarios. IDPs and applications have different understandings of attribute names and semantics, therefore a URI helps to define a common identifier for each attribute.

So I ask you not to drop this, as this is a very common practice in large federations, and also very simple to implement, because it is just mapping strings.

steffow commented 6 years ago

Correct from a standards perspective. Which larger (AM) installation are you referring to? If there's none, pls send PR (dev branch) and I'll have a look.

rhoerbe commented 6 years ago

wrt OpenAM support of the attribute mapping profiles see https://backstage.forgerock.com/knowledge/kb/book/b78765801#saml2

Examples for federations using URIs for attribute exchange are the Research & Education federations (> 10000 entities), eIDAS (European eID), AT eGov federation.

In this case I cannot provide a PR, I am not a JS developer, sorry.