
SAML2 SP backend check scope on attributes and reject by default

Open skoranda opened this issue 6 years ago • 0 comments

The SAML2 SP backend should check the scope on scoped attributes asserted by an authenticating IdP, compare it with the scope from the SAML metadata for the authenticating IdP, and by default reject attributes that have the incorrect scope.

Since SATOSA is a proxy and there are some esoteric use cases where the SAML2 SP backend should consume scoped attributes from an authenticating IdP with the incorrect scope, this behavior should be configurable (with reject being the default).

Code Version

4.x

Expected Behavior

The SAML2 SP backend should check the scope on scoped attributes asserted by an authenticating IdP, compare it with the scope from the SAML metadata for the authenticating IdP, and by default reject attributes that have the incorrect scope.

Current Behavior

The SAML2 SP backend consumes all attributes from the authenticating IdP (provided there is an appropriate definition in internal_attributes.yaml) and makes them available to microservices.

skoranda, Oct 29 '19 13:10
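The check the issue asks for, as an added example that is not SATOSA's own code: the IdP's `shibmd:Scope` elements (namespace `urn:mace:shibboleth:metadata:1.0`, both literal and `regexp="true"` forms) are read from a constructed metadata fragment, and the scope part of each value of a scoped attribute is compared against them. Mismatched values are dropped when `reject=True` (the default proposed in the issue) and merely reported when `reject=False`, which models the configurable behaviour the issue describes. The entity ID, the attribute values, and the `SCOPED_ATTRIBUTES` set are assumptions for the example; SATOSA's real configuration keys are not used.

```python
"""Added example (not SATOSA code): scope check for scoped SAML attributes."""
import re
import xml.etree.ElementTree as ET

SHIBMD_NS = "urn:mace:shibboleth:metadata:1.0"
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed IdP metadata fragment for the example (assumed, not from the issue).
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:shibmd="{SHIBMD_NS}"
    entityID="https://idp.example.org/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <shibmd:Scope regexp="false">example.org</shibmd:Scope>
      <shibmd:Scope regexp="true">^.+\\.example\\.org$</shibmd:Scope>
    </md:Extensions>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Attributes whose values carry a "user@scope" suffix (assumed list for the example).
SCOPED_ATTRIBUTES = {"eduPersonPrincipalName", "eduPersonScopedAffiliation"}


def extract_scopes(metadata_xml):
    """Return (literal_scopes, regexp_patterns) declared in the IdP metadata."""
    root = ET.fromstring(metadata_xml)
    literal, patterns = set(), []
    for el in root.iter(f"{{{SHIBMD_NS}}}Scope"):
        value = (el.text or "").strip()
        if el.get("regexp", "false").lower() == "true":
            patterns.append(re.compile(value, re.IGNORECASE))
        else:
            literal.add(value.lower())
    return literal, patterns


def scope_allowed(scope, literal, patterns):
    """True if the scope matches a literal scope or one of the regexp scopes."""
    if scope.lower() in literal:
        return True
    return any(p.fullmatch(scope) for p in patterns)


def filter_scoped_attributes(attributes, literal, patterns, reject=True):
    """Split attribute values into accepted and rejected by scope.

    Unscoped attributes pass through untouched. A value of a scoped attribute
    with no '@' at all is treated as rejected too, since the IdP did not
    assert a scope that can be verified.
    """
    accepted, rejected = {}, {}
    for name, values in attributes.items():
        if name not in SCOPED_ATTRIBUTES:
            accepted[name] = list(values)
            continue
        good, bad = [], []
        for value in values:
            _, sep, scope = value.rpartition("@")
            if sep and scope and scope_allowed(scope, literal, patterns):
                good.append(value)
            else:
                bad.append(value)
        if bad:
            rejected[name] = bad
        kept = good if reject else list(values)
        if kept:
            accepted[name] = kept
    return accepted, rejected


if __name__ == "__main__":
    lit, pat = extract_scopes(IDP_METADATA)
    # Constructed assertion contents: one value carries a scope the IdP does not own.
    asserted = {
        "eduPersonPrincipalName": ["alice@example.org", "mallory@evil.example.com"],
        "eduPersonScopedAffiliation": ["member@sub.example.org"],
        "displayName": ["Alice"],
    }
    acc, rej = filter_scoped_attributes(asserted, lit, pat)
    print("accepted:", acc)
    print("rejected:", rej)
```

The rejected dictionary is what a deployment would log: a value such as `mallory@evil.example.com` asserted by an IdP whose metadata only claims `example.org` is exactly the condition the issue wants refused by default, and the log entry is what lets an operator see an IdP asserting scopes outside its metadata.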