Message Title

michael cirioli created an issue

PLINK-647

Issue Type:	Bug
Affects Versions:	PLINK_2.6.0.CR5
Assignee:	Shane Bryzak
Components:	BASE
Created:	12/Dec/14 11:19 AM
Environment:	Issue is present in stock EAP 6.3GA/6.3.2 versions of PL
Priority:	Major
Reporter:	michael cirioli

When using the IdPFilter (as opposed to IDPWebBrowserSSOValve) in conjunction with a custom attribute manager, the following issues occur:

1. Custom attribute manager is not invoked.
2. Every time an IdP-initiated SAML request is made, an additional (duplicated) block of Role attributes are added to the resulting SAML assertion. For example, if you access a url like this http://localhost:8080/idp/?SAML_VERSION=2.0&TARGET=https://training-lms-test.redhat.com/Saml/Logon&SAML_BINDING=POST, you will see a saml assertion similar to this:

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
IssueInstant="2014-12-12T16:18:31.996Z"
MajorVersion="1"
MinorVersion="1"
ResponseID="ID_ccf93504-1f2b-4102-8a26-81d1577f466f"
>
<samlp:Status>
<samlp:StatusCode Value="samlp:Success" />
</samlp:Status>
<saml:Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
AssertionID="ID_62d6d29f-5368-4065-b068-5cf67381836d"
IssueInstant="2014-12-12T16:18:06.393Z"
Issuer="http://localhost:8080/idp/"
MajorVersion="1"
MinorVersion="1"
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
>
<saml:Conditions NotBefore="2014-12-12T16:18:04.393Z"
NotOnOrAfter="2014-12-12T16:18:13.393Z"
/>
<saml:AuthenticationStatement AuthenticationInstant="2014-12-12T16:18:06.393Z"
AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
>
<saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
<saml:NameIdentifier>vkumar51</saml:NameIdentifier>
</saml:Subject>
</saml:AuthenticationStatement>
<saml:AttributeStatement>
<saml:Attribute AttributeName="Role"
AttributeNamespace="urn:picketlink:role"
>
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string"
>idp_authenticated</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
<saml:AttributeStatement>
<saml:Attribute AttributeName="Role"
AttributeNamespace="urn:picketlink:role"
>
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string"
>idp_authenticated</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
<saml:AttributeStatement>
<saml:Attribute AttributeName="Role"
AttributeNamespace="urn:picketlink:role"
>
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string"
>idp_authenticated</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>

This behavior does not occur if you use the SAML valve, however we have other requirements that dictate we use the IDPFilter.

Add Comment

This message was sent by Atlassian JIRA