Improvements in handling attribute definitions and requested attributes in MetadataRequestedAttributesAttributeReleasePolicy


Marcin Roman
Hi, I created pull request https://github.com/apereo/cas/pull/5124
I would like to break it into 2 separate patches and submit them to the master branch.
Could you comment on these proposed changes?

1. Add support for getRequestedDefinitions to MetadataRequestedAttributesAttributeReleasePolicy.
This change is a continuation of https://github.com/apereo/cas/pull/5051, which creates attributes when requested based on attribute definitions.

2. Change of getAttributesForSamlRegisteredService in MetadataRequestedAttributesAttributeReleasePolicy.

Instead of selecting attributes for release using the RequestedAttribute Name or FriendlyName provided in SP metadata:
- try to search for a SamlIdPAttributeDefinition in the AttributeDefinitionStore using the URN provided in the Name attribute of the RequestedAttribute,
- if such a SamlIdPAttributeDefinition exists, then use the key provided in this attribute definition to search for and release the user attribute,
- if the above fails, then try to search for the user attribute using the RequestedAttribute FriendlyName.

A sample RequestedAttribute definition in SP metadata looks like this:
       <md:RequestedAttribute FriendlyName="schacPersonalUniqueCode" Name="urn:oid:1.3.6.1.4.1.25178.1.2.14" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>

Without this change it is necessary to define the attribute twice to handle resolution by both URN and friendly name, e.g.:
    "schacPersonalUniqueCode" : {
      "@class" : "org.apereo.cas.support.saml.web.idp.profile.builders.attr.SamlIdPAttributeDefinition",
      "key" : "schacPersonalUniqueCode",
      "name" : "schacPersonalUniqueCode",
      "urn" : "urn:oid:1.3.6.1.4.1.25178.1.2.14",
      "friendlyName" : "schacPersonalUniqueCode"
    },
    "urn:oid:1.3.6.1.4.1.25178.1.2.14" : {
      "@class" : "org.apereo.cas.support.saml.web.idp.profile.builders.attr.SamlIdPAttributeDefinition",
      "key" : "urn:oid:1.3.6.1.4.1.25178.1.2.14",
      "name" : "schacPersonalUniqueCode",
      "urn" : "urn:oid:1.3.6.1.4.1.25178.1.2.14",
      "friendlyName" : "schacPersonalUniqueCode",
      "attribute" : "schacPersonalUniqueCode"
    }

Besides, selecting attributes using the URN provided in the attribute definition is more robust than using friendly names, because friendly names are used inconsistently in SP metadata.

--
You received this message because you are subscribed to the Google Groups "CAS Developer" group.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-dev/31f09b74-c3e1-4ff5-9ec7-262ce707674bn%40apereo.org.
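The lookup order proposed in the post, modelled as a stand-alone Python example added here (not CAS code and not the pull request itself): the SP metadata fragment, the single attribute definition and the principal attributes are all constructed for the illustration, and the definition store is a plain dict rather than the real AttributeDefinitionStore. The first RequestedAttribute deliberately carries an inconsistent FriendlyName, so only the URN match releases it; the second has no definition and falls back to FriendlyName.

```python
import xml.etree.ElementTree as ET
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed SP metadata fragment. The first RequestedAttribute uses the schac
# URN but an inconsistent FriendlyName; the second has no definition at all.
SP_METADATA = f"""<md:SPSSODescriptor xmlns:md="{MD_NS}">
  <md:AttributeConsumingService index="0">
    <md:RequestedAttribute FriendlyName="personalUniqueCode" Name="urn:oid:1.3.6.1.4.1.25178.1.2.14"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
    <md:RequestedAttribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
  </md:AttributeConsumingService>
</md:SPSSODescriptor>"""

# Constructed attribute definition store: with URN lookup a single definition,
# keyed by the attribute name, is enough (compare the duplicated entries above).
DEFINITIONS = {
    "schacPersonalUniqueCode": {
        "key": "schacPersonalUniqueCode",
        "urn": "urn:oid:1.3.6.1.4.1.25178.1.2.14",
        "friendlyName": "schacPersonalUniqueCode",
    },
}

# Constructed principal attributes resolved for the authenticated user.
PRINCIPAL = {
    "schacPersonalUniqueCode": ["urn:schac:personalUniqueCode:int:ESI:EXAMPLE"],
    "mail": ["alice@example.org"],
}

def requested_attributes(metadata_xml):
    """Return (Name, FriendlyName) pairs for every RequestedAttribute in the metadata."""
    root = ET.fromstring(metadata_xml)
    return [(e.get("Name"), e.get("FriendlyName")) for e in root.iter(f"{{{MD_NS}}}RequestedAttribute")]

def resolve_key(name, friendly_name, definitions):
    """Proposed order: a definition whose urn equals Name wins (use its key); else fall back to FriendlyName."""
    for definition in definitions.values():
        if name and definition.get("urn") == name:
            return definition["key"]
    return friendly_name

def release(metadata_xml, definitions, principal):
    """Release only the principal attributes the SP requested, resolved as above."""
    released = {}
    for name, friendly_name in requested_attributes(metadata_xml):
        key = resolve_key(name, friendly_name, definitions)
        if key in principal:
            released[key] = principal[key]
    return released
```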