pysaml2

AttributeConverter lower case keys conflict

Open stinovlas opened this issue 4 years ago • 5 comments

class AttributeConverter converts all _to and _fro keys to lower case. This causes conflict of DateOfBirth and dateOfBirth attributes defined in saml2.attributemaps.saml_uri.MAP.

Code Version

master

Expected Behavior

AttributeConverter should prevent conflict in key names – e.g. by not converting them to lower case.

Current Behavior

AttributeConverter.to_format outputs the value that was added last

stinovlas avatar Jun 16 '21 12:06 stinovlas
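
The conflict described in the issue above, as an added example that is not part of the original thread and is not pysaml2's own code: a simplified model of lower-casing map keys, plus a check that reports keys differing only by case. The sample map, its placeholder URNs and the function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in the attribute-map layout shown on this page
# ('identifier', 'fro', 'to'); the URNs are placeholders, not real mappings.
SAMPLE_MAP = {
    "identifier": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
    "fro": {
        "urn:example:attr:dob-1": "DateOfBirth",
        "urn:example:attr:dob-2": "dateOfBirth",
        "urn:example:attr:mail": "mail",
    },
    "to": {
        "DateOfBirth": "urn:example:attr:dob-1",
        "dateOfBirth": "urn:example:attr:dob-2",
        "mail": "urn:example:attr:mail",
    },
}


def lowercased(table):
    """Model of the behaviour the issue describes: keys are lower-cased, so a
    later entry silently overwrites an earlier one with the same folded key."""
    return {key.lower(): value for key, value in table.items()}


def case_collisions(table):
    """Return {lower-cased key: [original keys]} for keys differing only by case."""
    groups = defaultdict(list)
    for key in table:
        groups[key.lower()].append(key)
    return {folded: names for folded, names in groups.items() if len(names) > 1}


def audit_map(attribute_map):
    """Check both directions of a map; an empty dict means no collisions."""
    report = {}
    for direction in ("fro", "to"):
        found = case_collisions(attribute_map.get(direction, {}))
        if found:
            report[direction] = found
    return report


if __name__ == "__main__":
    print(lowercased(SAMPLE_MAP["to"]))  # only one date-of-birth entry survives
    print(audit_map(SAMPLE_MAP))
```

The same check can be run over a locally merged map before it is placed in a custom attribute_map_dir.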

This is known and ugly at the moment.

See also #489 and #549

c00kiemon5ter avatar Jul 26 '21 21:07 c00kiemon5ter

@c00kiemon5ter Thank you for the reference! Solution proposed in #549 is indeed more robust than just keeping the casing of FriendlyName. I just don't understand why there is lower case conversion at all. It loses information and it doesn't seem to add any value.

stinovlas avatar Jul 27 '21 06:07 stinovlas

> I just don't understand why there is lower case conversion at all.

TBH, I am not sure either. I suppose that this is related to some use case that, back then, was easier to handle with lower case everywhere (maybe related to LDAP?). I will try to have a look to understand the implication of changing this - I remember that calls to lower are not just in one place.

c00kiemon5ter avatar Jul 27 '21 12:07 c00kiemon5ter

@c00kiemon5ter Hi, is there any progress on #549 and/or #810? The way I understand it currently it is not possible to add a custom SAML attribute to SAML frontend, because it messes up attribute name conversions and never releases the attribute to the SP.

My current workaround is to use the full attribute name (e.g. OID) everywhere - in attributemaps (mapping OID to OID and back), in internalattributes both as saml name and internal name, and in remote XML metadata as the FriendlyName (which is ugly). This was the only way for me to make it work, I hope there is an alternative.

melanger avatar Nov 03 '21 14:11 melanger

@melanger, if it helps, I've been able to extend the attribute mappings provided by pysaml2 with my own extensions by using a custom attribute_map_dir, where I dropped a file that loads the pysaml2 mappings and merges local changes into them:

```python
# Start from the attribute map that ships with pysaml2
from saml2.attributemaps.saml_uri import MAP

# Local additions, in the same 'fro'/'to' layout as the shipped map
__Tuakiri_MAP = {
    'identifier': 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
    'fro': {
        'urn:oid:1.3.6.1.4.1.27856.1.2.5': 'auEduPersonSharedToken',
        'urn:oid:0.9.2342.19200300.100.1.41': 'mobile',
    },
    'to': {
        'auEduPersonSharedToken': 'urn:oid:1.3.6.1.4.1.27856.1.2.5',
        'mobile': 'urn:oid:0.9.2342.19200300.100.1.41',
    },
}

# Merge the local entries into the shipped map
MAP['fro'].update(__Tuakiri_MAP['fro'])
MAP['to'].update(__Tuakiri_MAP['to'])
```

Happy to provide more info on this - but should be obvious from the above.