Incomplete SAML Attribute Mapping in Teleport for Multiple Roles
Expected behavior:
When multiple roles are assumed in Teleport, all the roles should be sent as attributes in the roles SAML assertion.
Current behavior:
Only one of the assumed roles appears in the SAML assertion. When two roles are assumed, the assertion sent to the SP includes one of them and omits the other; all of the user's normal roles are still present. Exactly one assumed role appears instead of all of the assumed roles.
Bug details:
- Teleport version: 15.x
Recreation steps:
- User assumes one or more access requests in the Teleport Web UI, so they have at least two roles assumed.
- User expects all assumed roles to be passed as attributes in a SAML assertion.
- Only one assumed role is included in the SAML assertion.
Debug logs:
- Given this screenshot (manually redacted to generic values) that shows multiple assumed roles:
- The SAML assertion then looks like this snippet:

```xml
<saml:AttributeStatement>
  <saml:Attribute FriendlyName="role" Name="urn:example:attributes:role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue ...>developers</saml:AttributeValue>
    <saml:AttributeValue ...>contractors</saml:AttributeValue>
    <saml:AttributeValue ...>db-admin</saml:AttributeValue>
    <!-- Missing AttributeValue for qa-admin -->
  </saml:Attribute>
</saml:AttributeStatement>
```
edit1: The first version indicated the issue was that it would include roles from only one access request. The actual issue is that it only includes exactly one role, even if a single access request has multiple roles.
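To make the gap in the snippet above mechanically checkable, here is an added Go example (not Teleport's code) that parses an AttributeStatement, collects every value of the role attribute, and reports which of the roles the Web UI shows are absent; the assertion, the attribute name `urn:example:attributes:role` and the role list are constructed to mirror the redacted snippet.

```go
package main

import (
	"encoding/xml"
	"fmt"
)

// Minimal view of a SAML 2.0 AttributeStatement; only what the check needs.
type attributeStatement struct {
	Attributes []struct {
		Name   string   `xml:"Name,attr"`
		Values []string `xml:"AttributeValue"`
	} `xml:"Attribute"`
}

// missingRoles returns the expected roles absent from the role attribute's values.
func missingRoles(assertion []byte, roleAttr string, expected []string) ([]string, error) {
	var st attributeStatement
	if err := xml.Unmarshal(assertion, &st); err != nil {
		return nil, err
	}
	present := map[string]bool{} // every AttributeValue under the role attribute
	for _, a := range st.Attributes {
		if a.Name == roleAttr {
			for _, v := range a.Values {
				present[v] = true
			}
		}
	}
	missing := []string{} // no role attribute at all means every expected role is missing
	for _, r := range expected {
		if !present[r] {
			missing = append(missing, r)
		}
	}
	return missing, nil
}
// Constructed sample mirroring the snippet in the report; not a real capture.
const sampleAssertion = `<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="urn:example:attributes:role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue>developers</saml:AttributeValue>
    <saml:AttributeValue>contractors</saml:AttributeValue>
    <saml:AttributeValue>db-admin</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>`
func main() {
	expected := []string{"developers", "contractors", "db-admin", "qa-admin"} // roles shown in the Web UI, qa-admin assumed (constructed)
	missing, err := missingRoles([]byte(sampleAssertion), "urn:example:attributes:role", expected)
	fmt.Println(missing, err) // prints "[qa-admin] <nil>"
}
```

Run it against a real assertion captured from the SP side (with the IdP's actual role attribute name) to confirm which assumed roles are dropped.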