
Comments (6)

akx commented on September 2, 2024

Keycloak's IdP sends role attributes as

      <saml:AttributeStatement>
         <saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
            <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">view-profile</saml:AttributeValue>
         </saml:Attribute>
         <saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
            <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">manage-account-links</saml:AttributeValue>
         </saml:Attribute>
      </saml:AttributeStatement>

and python3-saml fails on this. I don't think having to patch the library locally is an acceptable solution here...

EDIT: You can configure Keycloak to send a single role attribute with a Mapper:

[Screenshot (2020-08-06) of the Keycloak mapper configuration that emits a single role attribute]

Still, being able to configure e.g. attribute names that are accepted as duplicates would be handy.

from python3-saml.

pitbulk commented on September 2, 2024

If you want to send different values of the Role, send several "saml:AttributeValue" nodes instead of several repeated "saml:Attribute":

       <saml:AttributeStatement>
            <saml:Attribute Name="Role">
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                     xsi:type="xs:string"
                                     >Employee</saml:AttributeValue>
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                     xsi:type="xs:string"
                                     >Matthew Owens</saml:AttributeValue>
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                     xsi:type="xs:string"
                                     >Users</saml:AttributeValue>
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                     xsi:type="xs:string"
                                     >authenticated</saml:AttributeValue>
            </saml:Attribute>
        </saml:AttributeStatement>

lost-osiris commented on September 2, 2024

So yes, that is another way of accomplishing the same thing. The issue I have is that it requires a change to happen on the Identity Provider side. As a Service Provider I can't control the response from the Identity Provider.

From my understanding both approaches are valid in terms of their markup. If that is the case then shouldn't both markups be supported?

pitbulk commented on September 2, 2024

On v1.2.0 we avoid the use of multiple saml:Attribute values with the same name; that was a recommendation from an external security audit.

If you can't control how the IdP sends the data:
1- Remove the duplicate restriction
2- Replace this line by

    # merge the values of the repeated Attribute instead of rejecting it
    attributes[attr_name] = attributes[attr_name] + values

lost-osiris commented on September 2, 2024

That was the fix I currently have. Glad to see I am on the right path to a fix :)

I'd like to be able to take more information back to my IdP. I'm curious how it's a security concern?

pitbulk commented on September 2, 2024

While multiple instances of saml:AttributeStatement/saml:Attribute are allowed by the specification, it is uncommon for multiple instances with the same Name attribute to be included. Duplicate attributes could allow for the injection (in an unsigned area or stripped via signature transforms) of fake identity information.

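As an added example (not python3-saml's own code), a stdlib parser that covers both shapes discussed in this thread: by default it rejects a repeated Attribute Name, as v1.2.0 does, and it merges the values only for names an operator has explicitly allowed, which is the configurable allowlist akx asked for. The sample statement and the `parse_attributes` / `allow_duplicates` names are constructed for this illustration.

```python
# Added example (not python3-saml's own code): parse a SAML AttributeStatement
# as discussed in the thread, combining the strict v1.2.0-style duplicate check
# with a merge that is permitted only for an explicit allowlist of names.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample in the Keycloak shape from the first comment: two
# <saml:Attribute Name="Role"> elements with one value each, plus one
# ordinary single-instance attribute.
KEYCLOAK_STATEMENT = """
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="Role">
    <saml:AttributeValue>view-profile</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="Role">
    <saml:AttributeValue>manage-account-links</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="email">
    <saml:AttributeValue>user@example.test</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""


def parse_attributes(statement_xml, allow_duplicates=frozenset()):
    """Return {Name: [values]} for one AttributeStatement.

    A repeated Attribute Name raises ValueError (the v1.2.0 behaviour) unless
    the name is in allow_duplicates, in which case the values are merged, as
    the patch suggested above does, but only for names the SP opted in to.
    """
    root = ET.fromstring(statement_xml)
    attributes = {}
    for attr in root.findall("saml:Attribute", NS):
        attr_name = attr.get("Name")
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        if attr_name in attributes:
            if attr_name not in allow_duplicates:
                raise ValueError("duplicated Attribute Name: %s" % attr_name)
            attributes[attr_name] = attributes[attr_name] + values
        else:
            attributes[attr_name] = values
    return attributes


if __name__ == "__main__":
    try:
        parse_attributes(KEYCLOAK_STATEMENT)           # strict: rejected
    except ValueError as exc:
        print("strict:", exc)
    print("merged:", parse_attributes(KEYCLOAK_STATEMENT, {"Role"}))
```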
