Closed rhoerbe closed 6 years ago
Mmmh. Not a very user friendly notation is JS world. Suggest to keep it as it is. Pls note that OpenAM follows the same mapping "samlattrName=localName".
No, OpenAM supports both the basic and x500 attribute profiles (due to its heritage it is a pretty complete SAML implementation). The choice of how to map attributes depends on the deployment specification. In simplistic cases (e.g. I need to connect a couple of SPs to a single IDP) a direct mapping of local names is obvious, but it does not scale well in large and heterogeneous scenarios. IDPs and applications have different understandings of attribute names and semantics, therefore a URI helps to define a common identifier for each attribute.
So I ask you not to drop this, as this is a very common practice in large federations, and also very simple to implement, because it is just mapping strings.
Correct from a standards perspective. Which larger (AM) installation are you referring to? If there's none, pls send a PR (dev branch) and I'll have a look.
wrt OpenAM support of the attribute mapping profiles see https://backstage.forgerock.com/knowledge/kb/book/b78765801#saml2
Examples for federations using URIs for attribute exchange are the Research & Education federations (> 10000 entities), eIDAS (European eID), AT eGov federation.
In this case I cannot provide a PR, I am not a JS developer, sorry.
The current implementation is mixing up the basic and x500 SAML attribute profiles.
The "SAML profiles" specification defines how attribute names are communicated. A very common way is to use URIs to have a unique id for an attribute, along with an optional friendly name. This is specified in Section 8.2 of the above document. The correct way to interpret attribute names for a SAML library is to map the URI to a name that the application can understand. A typical map using LDAP-based attributes could look like this:
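As an added illustration of the mapping described in this issue (example code, not the author's table and not the library's own implementation), the following Node.js snippet keys the lookup on the attribute's NameFormat and wire name, so the X.500/LDAP profile (urn:oid URIs) and the basic profile are not mixed up; the map entries and the sample attributes are constructed, and the input is assumed to come from an already validated assertion.

```javascript
// NameFormat constants from the SAML 2.0 core spec.
const NF_URI = 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri';
const NF_BASIC = 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic';
const NF_UNSPEC = 'urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified';

// Constructed deployment map: profile first, then wire name -> local name.
// The urn:oid entries follow the X.500/LDAP attribute profile (Section 8.2).
const attributeMap = {
  [NF_URI]: {
    'urn:oid:0.9.2342.19200300.100.1.3': 'mail',
    'urn:oid:1.3.6.1.4.1.5923.1.1.1.6': 'eduPersonPrincipalName',
    'urn:oid:2.16.840.1.113730.3.1.241': 'displayName',
    'urn:oid:2.5.4.42': 'givenName',
    'urn:oid:2.5.4.4': 'sn',
  },
  [NF_BASIC]: { mail: 'mail' },
};

// attrs: [{ name, nameFormat, friendlyName, values: [] }] extracted from a
// validated <AttributeStatement>. A missing NameFormat means "unspecified".
function mapAttributes(attrs, map = attributeMap) {
  const out = {};
  const unmapped = [];
  for (const a of attrs) {
    const fmt = a.nameFormat || NF_UNSPEC;
    // FriendlyName is informational only and is never used as the lookup key.
    const local = map[fmt] && map[fmt][a.name];
    if (!local) {
      unmapped.push({ name: a.name, nameFormat: fmt });
      continue;
    }
    if (Object.prototype.hasOwnProperty.call(out, local)) {
      // Two wire attributes (e.g. basic "mail" and the urn:oid form) both
      // claim the same local name: refuse instead of letting one silently win.
      throw new Error(`conflicting SAML attributes for local name "${local}"`);
    }
    out[local] = [...a.values];
  }
  return { attributes: out, unmapped };
}

// Constructed sample: two X.500-profile attributes plus one that only
// carries a friendly name "mail" and therefore must not be mapped.
const sample = [
  { name: 'urn:oid:0.9.2342.19200300.100.1.3', nameFormat: NF_URI, friendlyName: 'mail', values: ['alice@example.org'] },
  { name: 'urn:oid:2.5.4.4', nameFormat: NF_URI, friendlyName: 'sn', values: ['Example'] },
  { name: 'email', friendlyName: 'mail', values: ['other@example.org'] },
];
```

Logging the `unmapped` list is a cheap way to spot an IdP that switched profiles or attribute names without the SP noticing.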