
Attributes not forwarded to SP #443

Open
walton-io opened this issue Sep 24, 2023 · 2 comments

walton-io commented Sep 24, 2023

Hello, I'm sorry for posting here, hoping someone can help.

What I am trying:
Google/G-Suite as the SAML IDP
AWS Workspaces as the SAML SP

In my saml2_backend.yaml I had to set the below to true:

  mirror_force_authn: true
  memorize_idp: true

When I try to hit my unsolicited link with a target param in the URL, I can get to Google and authenticate.

Using the Chrome developer tools, I see the first SAMLResponse payload and that contains the correct attributes.

However, the second SAMLResponse that comes from https://signin.aws.amazon.com/saml tells me the SAML response is invalid. When I decode the base64 for this response I can see the attributes are missing.

In the app logs, I see something like "backend attributes received" and I can also see logs relating to the custom nameID and attributes processor I have configured.

I've spent some time digging and found other people having the same issue with satosa:

https://lists.sunet.se/hyperkitty/list/[email protected]/thread/5CUGMZZ6TPNDTRCHV7IZOTQBGADPRV6N/

https://lists.sunet.se/hyperkitty/list/[email protected]/thread/IIRFENYNCM2UR3GKOKV6AES4F2OWPBUG/

https://lists.sunet.se/hyperkitty/list/[email protected]/thread/L6DHB5JROVGSFPULPPSFW7Y4XBDXEKUU/?sort=date

In my logs I see the below as well, similar to the users in the links above.

I've also double-checked the name_format coming from AWS... everything looks fine but no attributes.

Code Version

docker satosa:latest

Expected Behavior

Attributes should be included

Current Behavior

Seeing this in my logs... no attributes included to the SP:

Filter: []
returning attributes {}

I have also tried adding static attributes as per the examples/docs in this repo and those do not populate either.

@c00kiemon5ter (Member)

Hello,

I would suggest turning on the debug log for the saml2 module.
To me, what you describe sounds like the SP does not set any RequestedAttribute (that are set to be required) in its metadata, and that results in the attributes being filtered out.
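A small check that illustrates the explanation above, added here as an example and not SATOSA's own code or anything from the original thread: it reads the RequestedAttribute entries from two constructed SP metadata documents (hypothetical entityID, not AWS's real metadata) and models release-by-metadata in simplified form, matching on FriendlyName, so an SP that declares no RequestedAttribute ends up with an empty filter and an empty attribute set, like the `Filter: []` / `returning attributes {}` log lines in the report.

```python
import xml.etree.ElementTree as ET

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed SP metadata (hypothetical entityID, not a real SP's metadata):
# one SP declares RequestedAttribute entries, the other declares none.
SP_WITH_REQUESTED = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeConsumingService index="0">
      <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3"
          FriendlyName="mail" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:2.5.4.42"
          FriendlyName="givenName" isRequired="false"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

SP_WITHOUT_REQUESTED = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""


def requested_attributes(metadata_xml: str) -> list:
    """Return every RequestedAttribute declared under an AttributeConsumingService."""
    root = ET.fromstring(metadata_xml)
    found = []
    for ra in root.findall(".//md:AttributeConsumingService/md:RequestedAttribute", MD_NS):
        found.append({
            "name": ra.get("Name"),
            "friendly_name": ra.get("FriendlyName"),
            "required": ra.get("isRequired", "false").lower() == "true",
        })
    return found


def release(backend_attrs: dict, metadata_xml: str) -> dict:
    """Simplified model of release-by-metadata (an assumption, not SATOSA's code):
    an internal attribute is forwarded only when the SP metadata requests it
    (matched case-insensitively on FriendlyName). An SP that requests nothing
    therefore gets an empty filter and an empty attribute statement."""
    wanted = {ra["friendly_name"].lower()
              for ra in requested_attributes(metadata_xml) if ra["friendly_name"]}
    return {k: v for k, v in backend_attrs.items() if k.lower() in wanted}
```

Compare the two results against the SP's actual metadata before changing the frontend configuration; if the metadata really declares no RequestedAttribute, the empty result is the filter working as described, not lost attributes.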

@joaofilipedg

Hello!

I am having a similar issue to what is described here. And I was indeed coming to the conclusion that the Frontend is only releasing the attributes Requested by the SP on its metadata.

@c00kiemon5ter, can you confirm if there is no way to configure the Frontend to release all internally mapped attributes, even those not requested by the SP?
