SAML2 frontend option to ignore SP RequestedAttributes
Due to the way IdP attributes are filtered, an SP with invalid RequestedAttribute elements will block the issuance of required attributes, even when a compatible attribute map is offered in the config.
When the offending RequestedAttribute elements look like this:
```xml
<md:RequestedAttribute Name="urn:mace:dir:attribute-def:cn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>
<md:RequestedAttribute Name="urn:mace:dir:attribute-def:displayName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>
<md:RequestedAttribute Name="urn:mace:dir:attribute-def:eduPersonAffiliation" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>
<md:RequestedAttribute Name="urn:mace:dir:attribute-def:eduPersonPrincipalName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>
<md:RequestedAttribute Name="urn:mace:dir:attribute-def:givenName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>
<md:RequestedAttribute Name="urn:mace:dir:attribute-def:mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>
<md:RequestedAttribute Name="urn:mace:dir:attribute-def:sn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>
<md:RequestedAttribute Name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>
<md:RequestedAttribute Name="urn:mace:dir:attribute-def:uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
<md:RequestedAttribute Name="urn:mace:terena.org:attribute-def:schacHomeOrganization" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
```
SATOSA cannot issue a valid uid or schacHomeOrganization, resulting in an error on the SP side.
I'm aware there are multiple issues at stake here: The SP didn't add FriendlyName (but that's not mandatory) and it requests non-standard combinations of attribute Name and NameFormats.
But even when SATOSA is configured with a hand-crafted attribute map that correctly handles these attribute Name and NameFormat combinations, SATOSA will not issue the required attributes, probably because of the missing FriendlyName, which is a bug in itself?
The easiest way to work around this would be a SAML frontend option such as `ignore_requestedattributes = true`.
This can also be worked around by configuring a copy of the SP metadata as a local metadata source and removing the offending RequestedAttribute elements, which is not our preferred way of solving this issue.
Adding FriendlyName to the local copy of the SP metadata resolves the problem.
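To make the three situations in this report concrete (no FriendlyName and no usable map, a hand-crafted attribute map that understands the URI-style names, and a frontend option that ignores RequestedAttribute entirely), here is a small model of the filtering step. This is an added example written for this page, not SATOSA or pysaml2 code; the SP metadata excerpt, the attribute map, the `ignore_requested_attributes` parameter name and the filter policy are all constructed for illustration and do not describe how SATOSA actually implements its filter.

```python
"""Model of how an SP's RequestedAttribute list interacts with an IdP-side
attribute filter. Added example, not SATOSA/pysaml2 code: the metadata
excerpt, attribute map, option name and policy are constructed."""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

# Constructed SP metadata excerpt shaped like the report: URI-style Names under
# the "uri" NameFormat, no FriendlyName, two isRequired="true" entries.
SP_METADATA = f"""
<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://sp.example.org/sp">
  <md:SPSSODescriptor>
    <md:AttributeConsumingService index="1">
      <md:RequestedAttribute Name="urn:mace:dir:attribute-def:mail" NameFormat="{URI_FORMAT}" isRequired="false"/>
      <md:RequestedAttribute Name="urn:mace:dir:attribute-def:uid" NameFormat="{URI_FORMAT}" isRequired="true"/>
      <md:RequestedAttribute Name="urn:mace:terena.org:attribute-def:schacHomeOrganization" NameFormat="{URI_FORMAT}" isRequired="true"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed attribute map: for the "uri" NameFormat, translate each wire Name
# back to the internal attribute name the IdP side works with.
ATTRIBUTE_MAP = {
    URI_FORMAT: {
        "urn:mace:dir:attribute-def:mail": "mail",
        "urn:mace:dir:attribute-def:uid": "uid",
        "urn:mace:terena.org:attribute-def:schacHomeOrganization": "schacHomeOrganization",
    }
}

# Constructed set of attributes the IdP backend delivered for the user.
AVAILABLE = {
    "mail": ["alice@example.org"],
    "uid": ["alice"],
    "schacHomeOrganization": ["example.org"],
    "cn": ["Alice"],
}


def parse_requested_attributes(metadata_xml):
    """Collect every md:RequestedAttribute as a plain dict."""
    root = ET.fromstring(metadata_xml)
    out = []
    for el in root.iter(f"{{{MD_NS}}}RequestedAttribute"):
        out.append({
            "name": el.get("Name"),
            "name_format": el.get("NameFormat"),
            "friendly_name": el.get("FriendlyName"),
            "is_required": el.get("isRequired", "false").lower() == "true",
        })
    return out


def resolve_internal_name(req, attribute_map):
    """Internal attribute name for one RequestedAttribute: FriendlyName wins when
    present, otherwise the attribute map keyed by (NameFormat, Name). None means
    the request could not be understood and nothing will be released for it."""
    if req["friendly_name"]:
        return req["friendly_name"]
    return attribute_map.get(req["name_format"], {}).get(req["name"])


def filter_attributes(available, requested, attribute_map, ignore_requested_attributes=False):
    """Subset of `available` (internal name -> values) to release to the SP.
    ignore_requested_attributes=True models the option proposed in the report:
    the SP's RequestedAttribute list no longer restricts release at all."""
    if ignore_requested_attributes or not requested:
        return dict(available)
    released = {}
    for req in requested:
        internal = resolve_internal_name(req, attribute_map)
        if internal is not None and internal in available:
            released[internal] = available[internal]
    return released


def missing_required(released, requested, attribute_map):
    """Names of isRequired="true" attributes that did not make it into `released`;
    unresolvable entries are reported under their wire Name."""
    missing = []
    for req in requested:
        if not req["is_required"]:
            continue
        internal = resolve_internal_name(req, attribute_map) or req["name"]
        if internal not in released:
            missing.append(internal)
    return missing


def demo():
    requested = parse_requested_attributes(SP_METADATA)
    strict = filter_attributes(AVAILABLE, requested, attribute_map={})      # no map, no FriendlyName
    mapped = filter_attributes(AVAILABLE, requested, ATTRIBUTE_MAP)         # hand-crafted map
    ignored = filter_attributes(AVAILABLE, requested, {}, ignore_requested_attributes=True)
    return strict, mapped, ignored


if __name__ == "__main__":
    strict, mapped, ignored = demo()
    requested = parse_requested_attributes(SP_METADATA)
    print("strict :", sorted(strict), "missing required:", missing_required(strict, requested, {}))
    print("mapped :", sorted(mapped), "missing required:", missing_required(mapped, requested, ATTRIBUTE_MAP))
    print("ignored:", sorted(ignored))
```

Running it shows the failure mode from the report: with neither FriendlyName nor a matching map entry the filter releases nothing and both required attributes are missing, while a map that covers the `uri` NameFormat releases exactly the requested attributes (and not `cn`). The ignore option releases everything the backend delivered, so if such an option is added, attribute release to that SP should then be governed by the IdP's own release policy rather than by the SP's wish list.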