Skip to content

Check new OASIS subject identifiers #10

Open
iay opened this issue Jun 29, 2020 · 2 comments
Open

Check new OASIS subject identifiers #10

iay opened this issue Jun 29, 2020 · 2 comments
Assignees
Milestone

Comments

@iay
Copy link
Contributor

@iay iay commented Jun 29, 2020

From @nroy:

We’d like you to develop a new rule and add it to the import stage, to warn about entity descriptors which request either of the two new OASIS SAML subject identifiers, but fail to also use exactly one of the four defined entity attributes to request them as defined in the spec.

My response:

This might be pretty horrific as an XSLT check, but it's probably easy in Java. The critical part would be specification: I need to re-read the original text, of course, but one thing that might really help a lot would be a set of litmus tests.

By that I mean, one or more files with an <EntityDescriptor> that should be accepted, and one or more files with an <EntityDescriptor> that should be rejected. The more the better, really. Is that something someone could come up with?

This issue is a good place to hash out the details.

@iay iay added this to the incommon-v10 milestone Jun 29, 2020
@iay iay self-assigned this Jun 29, 2020
@nroy
Copy link

@nroy nroy commented Jun 29, 2020

Error messages logged by InCommon's MDA deployment when filtering these around about May 27, 2020:

  [java] ERROR - Item https://attribute-viewer.aai.switch.ch/shibboleth (CH) was marked with the following Error status messages
     [java] ERROR -     check_reqattr: RequestedAttribute uses unknown name urn:oasis:names:tc:SAML:attribute:pairwise-id with SAML 2.0 NameFormat (pairwiseSubjectIdentifier)
     [java] ERROR -     check_reqattr: RequestedAttribute uses unknown name urn:oasis:names:tc:SAML:attribute:subject-id with SAML 2.0 NameFormat (subjectIdentifier)
     [java] ERROR - Item https://attribute-viewer-test.aai.switch.ch/shibboleth (CH) was marked with the following Error status messages
     [java] ERROR -     check_reqattr: RequestedAttribute uses unknown name urn:oasis:names:tc:SAML:attribute:pairwise-id with SAML 2.0 NameFormat (pairwiseSubjectIdentifier)
     [java] ERROR -     check_reqattr: RequestedAttribute uses unknown name urn:oasis:names:tc:SAML:attribute:subject-id with SAML 2.0 NameFormat (subjectIdentifier)
     [java] ERROR - Item https://aai.ni4os.eu/proxy/module.php/saml/sp/metadata.php/sso (GR) was marked with the following Error status messages
     [java] ERROR -     check_reqattr: RequestedAttribute uses unknown name urn:oasis:names:tc:SAML:attribute:subject-id with SAML 2.0 NameFormat (subject-id)
     [java] ERROR - Item https://proxy.acc.eduteams.org/metadata/backend.xml (NL) was marked with the following Error status messages
     [java] ERROR -     check_reqattr: RequestedAttribute uses unknown name urn:oasis:names:tc:SAML:attribute:subject-id with SAML 2.0 NameFormat (subject-id)
     [java] ERROR - Item https://proxy.eduteams.org/metadata/backend.xml (NL) was marked with the following Error status messages
     [java] ERROR -     check_reqattr: RequestedAttribute uses unknown name urn:oasis:names:tc:SAML:attribute:subject-id with SAML 2.0 NameFormat (subject-id)
@nroy
Copy link

@nroy nroy commented Jun 29, 2020

Here are a couple entity descriptors showing good and bad behavior when requesting these. The first one is 100% good. The second one has two error conditions: A breaking (entity descriptor should be rejected) error in that it requires the OASIS SAML subject identifiers via an invalid mechanism using undefined syntax, and a non-breaking (results in WARN log message on import, but does not reject the entity descriptor) issue resulting from the requested attributes being optional.

good-and-bad-oasis-saml-subject-identifier-requests.xml.txt

@iay iay modified the milestones: incommon-v10, incommon-v11 Aug 12, 2020
Sign in to join this conversation on GitHub.
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
2 participants
You can’t perform that action at this time.