Comments (6)
Keycloak's IdP sends role attributes as
<saml:AttributeStatement>
  <saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">view-profile</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">manage-account-links</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
and python3-saml fails on this. I don't think having to patch the library locally is an acceptable solution here...
EDIT: You can configure Keycloak to send a single role attribute with a Mapper:
Still, being able to configure e.g. attribute names that are accepted as duplicates would be handy.
from python3-saml.
If you want to send different values of the Role, send several "saml:AttributeValue" nodes instead of several repeated "saml:Attribute":
<saml:AttributeStatement>
  <saml:Attribute Name="Role">
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                         xsi:type="xs:string">Employee</saml:AttributeValue>
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                         xsi:type="xs:string">Matthew Owens</saml:AttributeValue>
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                         xsi:type="xs:string">Users</saml:AttributeValue>
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                         xsi:type="xs:string">authenticated</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
from python3-saml.
So yes that is another way of accomplishing the same thing. The issue I have is that requires a change to happen on the Identity Provider side. As a Service Provider I can't control the response from the Identity Provider.
From my understanding both approaches are valid in terms of their markup. If that is the case then shouldn't both markups be supported?
from python3-saml.
On v1.2.0 we avoid the use of multiple saml:Attribute values with the same name;
that was a recommendation from an external security audit.
If you can't control how the IdP sends the data:
1- Remove the duplicate restriction
2- Replace this line by
attributes[attr_name] = attributes.get(attr_name, []) + values  # merge with values already collected under this Name
from python3-saml.
That was the fix I currently have. Glad to see I am on the right path to a fix :)
I'd like to be able to take more information back to my IdP. I'm curious how it's a security concern?
from python3-saml.
While multiple instances of saml:AttributeStatement/saml:Attribute are allowed by the specification, it is uncommon for multiple instances with the same Name attribute to be included. Duplicate attributes could allow for the injection (in an unsigned area or stripped via signature transforms) of fake identity information.
from python3-saml.
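The two policies discussed in this thread side by side: the strict behaviour the maintainer describes (reject a repeated Attribute Name, as recommended by the audit) and the merge behaviour of the suggested two-line change. This is an added, stand-alone example written for this page, not code from python3-saml; it uses the standard-library xml.etree parser rather than the library's lxml-based one, and the two AttributeStatement samples are constructed from the markup quoted in the comments above (the DuplicateAttributeError class and the function names are this example's own).

```python
"""Collect {Name: [values]} from a saml:AttributeStatement under two policies:
reject repeated Attribute Names (strict) or merge their values (lenient)."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample 1: Keycloak-style, one saml:Attribute per role value.
KEYCLOAK_STYLE = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">view-profile</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">manage-account-links</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

# Constructed sample 2: the form the maintainer recommends, one saml:Attribute
# carrying several saml:AttributeValue children.
SINGLE_ATTRIBUTE_STYLE = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="Role">
    <saml:AttributeValue>Employee</saml:AttributeValue>
    <saml:AttributeValue>Matthew Owens</saml:AttributeValue>
    <saml:AttributeValue>Users</saml:AttributeValue>
    <saml:AttributeValue>authenticated</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""


class DuplicateAttributeError(ValueError):
    """Hypothetical error type: the same Attribute Name appeared more than once."""


def get_attributes(statement_xml, allow_duplicates=False):
    """Return {Name: [values]} for every saml:Attribute in the statement.

    allow_duplicates=False raises on a repeated Name, the conservative choice:
    a second Attribute with the same Name could sit in a part of the response
    that is not covered by the signature and shadow the signed one.
    allow_duplicates=True merges the values of repeated elements, which is
    what the "remove the restriction and merge" change in the thread does.
    """
    root = ET.fromstring(statement_xml)
    attributes = {}
    for attribute in root.findall("saml:Attribute", NS):
        attr_name = attribute.get("Name")
        if attr_name in attributes and not allow_duplicates:
            raise DuplicateAttributeError(
                "Found an Attribute element with duplicated Name: %s" % attr_name)
        values = [(value.text or "")
                  for value in attribute.findall("saml:AttributeValue", NS)]
        # In strict mode the key is guaranteed new, so get() just returns [];
        # in lenient mode this appends to the values seen so far.
        attributes[attr_name] = attributes.get(attr_name, []) + values
    return attributes


def accepted_strictly(statement_xml):
    """True if the strict policy accepts the statement, False if it rejects it."""
    try:
        get_attributes(statement_xml)
    except DuplicateAttributeError:
        return False
    return True


if __name__ == "__main__":
    print("strict accepts Keycloak style:", accepted_strictly(KEYCLOAK_STYLE))
    print("merged Keycloak roles:", get_attributes(KEYCLOAK_STYLE, allow_duplicates=True))
    print("single-Attribute roles:", get_attributes(SINGLE_ATTRIBUTE_STYLE))
```

The single-Attribute form parses identically under both policies, which is why moving the IdP to that form (or a Keycloak mapper producing it) sidesteps the restriction without loosening the SP; the lenient branch is only for the case where the SP cannot influence the IdP's output at all.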