When using the IdPFilter (as opposed to IDPWebBrowserSSOValve) in conjunction with a custom attribute manager, the following issues occur:
1. The custom attribute manager is not invoked.
2. Every time an IdP-initiated SAML request is made, an additional (duplicated) block of Role attributes is added to the resulting SAML assertion. For example, if you access a URL like http://localhost:8080/idp/?SAML_VERSION=2.0&TARGET=https://training-lms-test.redhat.com/Saml/Logon&SAML_BINDING=POST, you will see a SAML assertion similar to this:
    <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
                    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
                    IssueInstant="2014-12-12T16:18:31.996Z"
                    MajorVersion="1" MinorVersion="1"
                    ResponseID="ID_ccf93504-1f2b-4102-8a26-81d1577f466f">
      <samlp:Status>
        <samlp:StatusCode Value="samlp:Success"/>
      </samlp:Status>
      <saml:Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
                      xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
                      AssertionID="ID_62d6d29f-5368-4065-b068-5cf67381836d"
                      IssueInstant="2014-12-12T16:18:06.393Z"
                      Issuer="http://localhost:8080/idp/"
                      MajorVersion="1" MinorVersion="1">
        <saml:Conditions NotBefore="2014-12-12T16:18:04.393Z" NotOnOrAfter="2014-12-12T16:18:13.393Z"/>
        <saml:AuthenticationStatement AuthenticationInstant="2014-12-12T16:18:06.393Z"
                                      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
          <saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
            <saml:NameIdentifier>vkumar51</saml:NameIdentifier>
          </saml:Subject>
        </saml:AuthenticationStatement>
        <saml:AttributeStatement>
          <saml:Attribute AttributeName="Role" AttributeNamespace="urn:picketlink:role">
            <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                 xsi:type="xs:string">idp_authenticated</saml:AttributeValue>
          </saml:Attribute>
        </saml:AttributeStatement>
        <saml:AttributeStatement>
          <saml:Attribute AttributeName="Role" AttributeNamespace="urn:picketlink:role">
            <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                 xsi:type="xs:string">idp_authenticated</saml:AttributeValue>
          </saml:Attribute>
        </saml:AttributeStatement>
        <saml:AttributeStatement>
          <saml:Attribute AttributeName="Role" AttributeNamespace="urn:picketlink:role">
            <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                 xsi:type="xs:string">idp_authenticated</saml:AttributeValue>
          </saml:Attribute>
        </saml:AttributeStatement>
      </saml:Assertion>
    </samlp:Response>
This behavior does not occur if you use the SAML valve; however, we have other requirements that dictate we use the IDPFilter.
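A small check for the two symptoms above, added here as an example and not part of PicketLink or of this report: it parses a SAML 1.x Response, reports AttributeStatement blocks whose content is repeated, and confirms whether an attribute a custom attribute manager should have added is present. The sample response is a constructed, abridged copy of the one shown (signature, timestamps and the xsi:type declarations dropped).

```python
import xml.etree.ElementTree as ET
from collections import Counter

# SAML 1.x namespaces used by the response in the report
NS = {"samlp": "urn:oasis:names:tc:SAML:1.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:1.0:assertion"}

# Constructed, abridged copy of the reported response: one assertion carrying
# three identical Role AttributeStatement blocks.
ROLE_STATEMENT = (
    '<saml:AttributeStatement><saml:Attribute AttributeName="Role" '
    'AttributeNamespace="urn:picketlink:role"><saml:AttributeValue>'
    'idp_authenticated</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>'
)
SAMPLE_RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1">'
    '<samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>'
    '<saml:Assertion AssertionID="ID_constructed" Issuer="http://localhost:8080/idp/" '
    'MajorVersion="1" MinorVersion="1">' + ROLE_STATEMENT * 3 +
    '</saml:Assertion></samlp:Response>'
)

def attribute_statements(response_xml):
    """Return the content of each AttributeStatement as a hashable tuple of
    (AttributeName, AttributeNamespace, (values...)) entries, in document order."""
    root = ET.fromstring(response_xml)
    statements = []
    for stmt in root.iterfind(".//saml:Assertion/saml:AttributeStatement", NS):
        attrs = []
        for attr in stmt.iterfind("saml:Attribute", NS):
            values = tuple((v.text or "").strip()
                           for v in attr.iterfind("saml:AttributeValue", NS))
            attrs.append((attr.get("AttributeName"), attr.get("AttributeNamespace"), values))
        statements.append(tuple(attrs))
    return statements

def duplicated_statements(response_xml):
    """Map each AttributeStatement content that occurs more than once to its count;
    an empty dict means the assertion is free of the duplication described above."""
    counts = Counter(attribute_statements(response_xml))
    return {stmt: n for stmt, n in counts.items() if n > 1}

def has_attribute(response_xml, attribute_name):
    """True if any statement carries an attribute with this name; useful to confirm
    that a custom attribute manager actually contributed its attributes."""
    return any(name == attribute_name
               for stmt in attribute_statements(response_xml) for name, _, _ in stmt)
```

Run `duplicated_statements()` over a response captured from the IdP (a POST binding carries it base64-encoded in the SAMLResponse form field) to see whether the fix has removed the repeated Role blocks.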