Added duplicate detection to the EntityAttributes filter to prevent creation of Attribute. I left values alone for now. This is much harder given the possibility of complex values, even though simple strings may be the common case. I think it's not worth bothering given that it shouldn't hurt much and doesn't make the XML as visibly ugly as the duplicate Attributes do.
Scott Cantor
April 15, 2020 at 9:11 PM
Algorithm filter is fixed. The duplicate detection is primitive but for the filter's use cases just comparing by algorithm should be the right answer.
Scott Cantor
April 14, 2020 at 9:49 PM
NameIDFormat filter is fixed. The others are much tougher.
Keith Wessel
April 14, 2020 at 9:44 PM
Yes, that in fact is how I detected it. I love the new mdquery functionality that lets me see the metadata after receipt and processing by the IdP. And I was testing my entity attributes using it when I discovered this issue.
Scott Cantor
April 14, 2020 at 6:44 PM
I'm guessing this was actually noticed as a consequence of querying the IdP for metadata. I hadn't thought about it but that's a good means of verifying the filter behavior, which makes me a little more inclined to see if this is fixable without undue effort.
A metadata filter like this:
<MetadataFilter xsi:type="EntityAttributes">
    <saml:Attribute Name="urn:mace:incommon:uiuc.edu:source">
        <saml:AttributeValue>urn:mace:incommon:uiuc.edu:source:incommon-mdq</saml:AttributeValue>
    </saml:Attribute>
    <ConditionRef>shibboleth.Conditions.TRUE</ConditionRef>
    <saml:Attribute Name="urn:mace:incommon:uiuc.edu:consent">
        <saml:AttributeValue>urn:mace:incommon:uiuc.edu:consent:no-consent-needed</saml:AttributeValue>
    </saml:Attribute>
    <Entity>https://sp1.example.org/shibboleth</Entity>
    <Entity>https://p2.example.org/shibboleth</Entity>
</MetadataFilter>
Generates the first attribute twice:
<mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
    <saml:Attribute Name="http://macedir.org/entity-category" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
        <saml:AttributeValue>http://id.incommon.org/category/registered-by-incommon</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:mace:incommon:uiuc.edu:source" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
        <saml:AttributeValue>urn:mace:incommon:uiuc.edu:source:incommon-mdq</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:mace:incommon:uiuc.edu:consent" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
        <saml:AttributeValue>urn:mace:incommon:uiuc.edu:consent:no-consent-needed</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:mace:incommon:uiuc.edu:source" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
        <saml:AttributeValue>urn:mace:incommon:uiuc.edu:source:incommon-mdq</saml:AttributeValue>
    </saml:Attribute>
</mdattr:EntityAttributes>
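A way to check filtered metadata (for example, what the IdP returns for an entity) for the duplication reported above; this is an added example, not part of the original report and not Shibboleth's code. The function name `duplicate_attributes` is hypothetical, the sample is constructed from the output quoted above, and treating an omitted NameFormat as "unspecified" and comparing only simple string values are choices made for this sketch.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

MDATTR = "urn:oasis:names:tc:SAML:metadata:attribute"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
# SAML core: an omitted NameFormat means "unspecified".
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"

# Constructed sample, modelled on the filter output quoted in the report.
SAMPLE = f"""<mdattr:EntityAttributes xmlns:mdattr="{MDATTR}" xmlns:saml="{SAML}">
  <saml:Attribute Name="http://macedir.org/entity-category"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue>http://id.incommon.org/category/registered-by-incommon</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:mace:incommon:uiuc.edu:source">
    <saml:AttributeValue>urn:mace:incommon:uiuc.edu:source:incommon-mdq</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:mace:incommon:uiuc.edu:consent">
    <saml:AttributeValue>urn:mace:incommon:uiuc.edu:consent:no-consent-needed</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:mace:incommon:uiuc.edu:source">
    <saml:AttributeValue>urn:mace:incommon:uiuc.edu:source:incommon-mdq</saml:AttributeValue>
  </saml:Attribute>
</mdattr:EntityAttributes>"""

def duplicate_attributes(xml_text):
    """List Attributes repeated inside any single EntityAttributes element."""
    findings = []
    for container in ET.fromstring(xml_text).iter(f"{{{MDATTR}}}EntityAttributes"):
        seen = defaultdict(list)
        for attr in container.findall(f"{{{SAML}}}Attribute"):
            key = (attr.get("Name"), attr.get("NameFormat", UNSPECIFIED))
            # Compares text content only; complex (element) values are not inspected.
            values = frozenset((v.text or "").strip()
                               for v in attr.findall(f"{{{SAML}}}AttributeValue"))
            seen[key].append(values)
        for (name, fmt), occurrences in seen.items():
            if len(occurrences) > 1:
                findings.append({"name": name, "name_format": fmt,
                                 "count": len(occurrences),
                                 "identical_values": len(set(occurrences)) == 1})
    return findings

if __name__ == "__main__":
    print(duplicate_attributes(SAMPLE))
```

The input may be a bare EntityAttributes element, an EntityDescriptor or a whole aggregate; each EntityAttributes container is checked on its own.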