Skip to content
This repository has been archived by the owner on Feb 14, 2020. It is now read-only.

Match "Requested Attributes" from metadata to ARP #449

Open
maartenk opened this issue Apr 14, 2014 · 6 comments
Open

Match "Requested Attributes" from metadata to ARP #449

maartenk opened this issue Apr 14, 2014 · 6 comments
Assignees
@relaxnow
Labels
0 - Backlog enhancement

Comments

@maartenk
Copy link

The requested attributes for an SP can be set in the SAML metadata. Currently these values are not handeld by Janus

As a feature request: the Requested Attributes to be concept ARP for that specific SP, so we don't need to set those manually anymore (just check/adjust them).
@pmeulen
Copy link
Contributor

pmeulen commented Apr 30, 2014

Now that we store the ARP in the SP connection instead of separately, this should be much easier to implement.

@maartenk how many SPs (that you import) publish this information?

@maartenk
Copy link
Author

maartenk commented May 1, 2014

@pmeulen The exact amounts i'm not sure, but basically every (new) edugain SP as well as every new SP which provide the requested attributes correctly via SURFconext Registration form.
Preferably both the required as well as the optional items. (Based on the the isRequired setting).

<!-- example for the required attribute: mail -->
<md:RequestedAttribute FriendlyName="mail"
Name="urn:oid:0.9.2342.19200300.100.1.3"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
isRequired="true" />

@relaxnow relaxnow self-assigned this May 8, 2015
@relaxnow
Copy link
Contributor

Preferably both the required as well as the optional items. (Based on the the isRequired setting).

ARP currently only have the power to filter attributes, not halt SSO because attributes are missing.
This would require some significant modifications to the APIs and EB.
Let's start with being able to import all RequestedAttribute elements into the ARP.

@thijskh
Copy link
Contributor

thijskh commented May 13, 2015

Agreed. Blocking access based on (absense of) attributes is a different (but existing) project.

@maartenk
Copy link
Author

On 12 mei 2015, at 23:07, Boy Baukema [email protected] wrote:

Let's start with being able to import all RequestedAttribute elements into the ARP.

Agree. That is what i aimed for.

relaxnow pushed a commit that referenced this issue May 13, 2015
Fix for issue #449 Match "Requested Attributes" from metadata to ARP
f35b6bd
@relaxnow relaxnow mentioned this issue May 13, 2015
Merged
@relaxnow
Copy link
Contributor

I now have an initial implementation that uses all RequestedAttribute fields it finds in the first AttributeConsumingService and tries to make an ARP out of that.

Note that while I did do denormalization of OID to URN and the other way, the normalization that SSP has is not as good as the one EngineBlock has.

For instance on one test SP it was unable to see that the SP requested the SHO attribute because we use the URN and the SP had the URI in it's RequestedAttributes but SSP doesn't have the mapping for that.

Also you can't chose to NOT import the new ARP, much like Allowed Connections you'll always get it.

And we don't do anything with RequestedAttribute > AttributeValue elements, we just always do *.

And of course we don't do anything with isRequired.

thijskh added a commit that referenced this issue May 13, 2015
@thijskh
Merge pull request #581 from janus-ssp/feature/449-import-arp-from-re…
c33085a 
…quested-attributes

Fix for issue #449 Match "Requested Attributes" from metadata to ARP
@relaxnow relaxnow mentioned this issue May 13, 2015
Merged
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@relaxnow relaxnow

Labels
0 - Backlog enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@relaxnow @maartenk @lucasvanlierop @pmeulen @thijskh