It doesn't seem that Jakub Jirutka has verified this issue as fixed. I am hitting this issue now and have debugged the code to find that the change made in the pull request here does not get invoked while processing the attribute value:
    <saml2:Attribute FriendlyName="eduPersonTargetedID" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml2:AttributeValue>
            <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="https://idp.testshib.org/idp/shibboleth" SPNameQualifier="http://your.domain/sales-post-sig/">fpirfQ6UDwH8oYvHPK8tI0456nE=</saml2:NameID>
        </saml2:AttributeValue>
    </saml2:Attribute>

I believe that we need some handling of this inside SAML2AuthenticationHandler.getRoles(). I think we may be able to check for an instanceof NameIDType and then add the getValue of it to the roles.
I will try and poc this and possibly provide a patch.
Has anyone actually verified the existing code to work with testshib?
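The extraction problem the comment describes, shown as an added illustration (not the project's Java code or the SAML2AuthenticationHandler.getRoles() patch): a role-extraction routine that reads only the text of each AttributeValue gets nothing for eduPersonTargetedID, because the value is a nested NameID element rather than character data. The hardened version looks for a NameID child first and falls back to plain text. The input is a constructed AttributeStatement built from the Attribute quoted above plus a second, plain-text attribute (eduPersonAffiliation, an assumed example); the parsing is done with Python's standard library rather than OpenSAML, so it only models the logic.

```python
import xml.etree.ElementTree as ET

SAML2_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml2": SAML2_ASSERTION_NS}

# Constructed sample: the eduPersonTargetedID Attribute from the issue comment,
# wrapped in an AttributeStatement together with an assumed plain-text attribute
# so the snippet parses stand-alone.
SAMPLE_ATTRIBUTE_STATEMENT = f"""<saml2:AttributeStatement xmlns:saml2="{SAML2_ASSERTION_NS}">
  <saml2:Attribute FriendlyName="eduPersonTargetedID" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml2:AttributeValue>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
          NameQualifier="https://idp.testshib.org/idp/shibboleth"
          SPNameQualifier="http://your.domain/sales-post-sig/">fpirfQ6UDwH8oYvHPK8tI0456nE=</saml2:NameID>
    </saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute FriendlyName="eduPersonAffiliation" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml2:AttributeValue>member</saml2:AttributeValue>
    <saml2:AttributeValue>staff</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>
"""

ATTRIBUTE_TAG = f"{{{SAML2_ASSERTION_NS}}}Attribute"


def naive_values(xml_text, attribute_name):
    """The buggy behaviour: only the direct text of AttributeValue is read.

    For a NameID-wrapped value this yields whitespace, which is discarded, so
    the attribute silently contributes no roles.
    """
    root = ET.fromstring(xml_text)
    values = []
    for attr in root.iter(ATTRIBUTE_TAG):
        if attr.get("Name") != attribute_name:
            continue
        for value_el in attr.findall("saml2:AttributeValue", NS):
            text = (value_el.text or "").strip()
            if text:
                values.append(text)
    return values


def attribute_value_text(value_el):
    """Return the usable string for one AttributeValue, or None.

    Mirrors the fix proposed in the comment: if the value wraps a NameID,
    use the NameID's value; otherwise use the element's own text.
    """
    name_id = value_el.find("saml2:NameID", NS)
    if name_id is not None:
        return (name_id.text or "").strip() or None
    return (value_el.text or "").strip() or None


def extract_attributes(xml_text):
    """Map every saml2:Attribute Name to its list of string values."""
    root = ET.fromstring(xml_text)
    attributes = {}
    # iter() also matches the root itself, so passing a bare Attribute works too.
    for attr in root.iter(ATTRIBUTE_TAG):
        name = attr.get("Name")
        if not name:
            continue
        values = []
        for value_el in attr.findall("saml2:AttributeValue", NS):
            value = attribute_value_text(value_el)
            if value is not None:
                values.append(value)
        attributes[name] = values
    return attributes


def roles_from_attribute(xml_text, role_attribute_name):
    """Roles derived from the named attribute; empty list if it is absent."""
    return extract_attributes(xml_text).get(role_attribute_name, [])


if __name__ == "__main__":
    oid = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
    print("naive:", naive_values(SAMPLE_ATTRIBUTE_STATEMENT, oid))
    print("fixed:", roles_from_attribute(SAMPLE_ATTRIBUTE_STATEMENT, oid))
```

The example returns only the NameID value, which is what the comment proposes. A handler that turns such a value into an authorization decision would additionally want to confirm the NameID Format and the NameQualifier/SPNameQualifier pair match the expected IdP and SP, since a persistent identifier is only meaningful relative to those qualifiers.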