Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add SAML authenticator setting to allow repeat attribute names #21

Open
wants to merge 2 commits into
base: main
Choose a base branch
from

Conversation

cwperks
Copy link
Owner

@cwperks cwperks commented Feb 9, 2024

Description

Adds a new setting for SAML authentication to allow_repeat_attribute_names. Currently, the security plugin uses the Saml2Settings default of false which prevents repeat attributes with the same name in the SAML assertion.

Example of SAML Response where an attribute appears at most once per attribute name:

No repeat attribute names http://test.entity neQI779y5e173nAgsI/3mnBkEV0gssO3zRRCZ/+xd2g= flsOEajENFQc1qQpx8DGZmQySAUQi5juDztIOuTvwkuY2MMRkVp9MeG72PsIStgg5wbcEn/47O+T NwS8Wey60F0oGErrhz1j56j27qwklPIRl5Q0sYPC3UIiyY5HYnvZDosrIdRWk5zotaD7l8kbXwJ0 3umoQzUQhTB7LGzGM3vbgsClhidKi4X3okXcQBS/DKeL+hE+Ry2scIVlM4jnAJlYXcedyl7JyRr/ TxWK6jXofc6CrJsqE2d0GkLBLbe5G7+xiQYywJC0gdNL7Vpk//78FvhWEQ8FLgT+TCwS/FeNl4cn Z7etIXrcLwe0Wk2MSw8g8EtLsrRqytD/zkjgeg== horst urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified Admin Developer

Example with repeat attribute name (in this example role is the repeat attribute name):

With repeat attribute names http://test.entity EYXZTcsxuHz/kfn9Y4CU2FuOAOOYr0KznMc77+knl4w= OwfhibGkbGa5r5/GkMXrBRhaowuvMeSl36E+VSLZqIktakvEFE/QJDupLOZR1Rk+G1Ru8/1PdyRK dd1dQ6DYUkJzlq/qMWEnkqqXdUb5Qk0YQtIFpwCv0X/aYn7T08sprVyQJx+/NICFWRiNDQKYPyBO 68vOpIK+qoM15DD1UCFzHWxqqKZ5YwIgJP/SKiFec5RIY940FK7xxwrBrQSGW+BWaexz2hLyAu2n ZqkQfA0LXDSCd4MXUrTOZYTNwhhYdFpOZzDoa4OrztjtpT8yusbOh5FqgOJOk9IFH5qQvKYMZgaD 9V5xgHQi9PpuZiuIKf0lijO7qVKvJiGYGH+M3A== horst urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified Admin Developer

Currently, when there is a repeat attribute name the security plugin will produce the following error:

  1> com.onelogin.saml2.exception.ValidationError: Found an Attribute element with duplicated Name
  1>    at com.onelogin.saml2.authn.SamlResponse.getAttributes(SamlResponse.java:598) ~[java-saml-core-2.9.0.jar:?]
  1>    at com.amazon.dlic.auth.http.saml.AuthTokenProcessorHandler.extractRoles(AuthTokenProcessorHandler.java:383) ~[main/:?]
  1>    at com.amazon.dlic.auth.http.saml.AuthTokenProcessorHandler.createJwt(AuthTokenProcessorHandler.java:289) ~[main/:?]
  1>    at com.amazon.dlic.auth.http.saml.AuthTokenProcessorHandler.handleImpl(AuthTokenProcessorHandler.java:164) ~[main/:?]
  1>    at com.amazon.dlic.auth.http.saml.AuthTokenProcessorHandler.handleLowLevel(AuthTokenProcessorHandler.java:221) ~[main/:?]
  1>    at com.amazon.dlic.auth.http.saml.AuthTokenProcessorHandler.lambda$handle$0(AuthTokenProcessorHandler.java:126) ~[main/:?]
  1>    at java.base/java.security.AccessController.doPrivileged(AccessController.java:569) [?:?]
  • Category

Enhancement

Issues Resolved

  • Will add one shortly

Check List

  • New functionality includes testing
  • New functionality has been documented
  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

Signed-off-by: Craig Perkins <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant