Check new OASIS subject identifiers

[iay]

From @nroy:

We’d like you to develop a new rule and add it to the import stage, to warn about entity descriptors which request either of the two new OASIS SAML subject identifiers, but fail to also use exactly one of the four defined entity attributes to request them as defined in the spec.

My response:

This might be pretty horrific as an XSLT check, but it's probably easy in Java. The critical part would be specification: I need to re-read the original text, of course, but one thing that might really help a lot would be a set of litmus tests.

By that I mean, one or more files with an <EntityDescriptor> that should be accepted, and one or more files with an <EntityDescriptor> that should be rejected. The more the better, really. Is that something someone could come up with?

This issue is a good place to hash out the details.

[nroy]

Error messages logged by InCommon's MDA deployment when filtering these around about May 27, 2020:

  [java] ERROR - Item https://attribute-viewer.aai.switch.ch/shibboleth (CH) was marked with the following Error status messages
     [java] ERROR -     check_reqattr: RequestedAttribute uses unknown name urn:oasis:names:tc:SAML:attribute:pairwise-id with SAML 2.0 NameFormat (pairwiseSubjectIdentifier)
     [java] ERROR -     check_reqattr: RequestedAttribute uses unknown name urn:oasis:names:tc:SAML:attribute:subject-id with SAML 2.0 NameFormat (subjectIdentifier)
     [java] ERROR - Item https://attribute-viewer-test.aai.switch.ch/shibboleth (CH) was marked with the following Error status messages
     [java] ERROR -     check_reqattr: RequestedAttribute uses unknown name urn:oasis:names:tc:SAML:attribute:pairwise-id with SAML 2.0 NameFormat (pairwiseSubjectIdentifier)
     [java] ERROR -     check_reqattr: RequestedAttribute uses unknown name urn:oasis:names:tc:SAML:attribute:subject-id with SAML 2.0 NameFormat (subjectIdentifier)
     [java] ERROR - Item https://aai.ni4os.eu/proxy/module.php/saml/sp/metadata.php/sso (GR) was marked with the following Error status messages
     [java] ERROR -     check_reqattr: RequestedAttribute uses unknown name urn:oasis:names:tc:SAML:attribute:subject-id with SAML 2.0 NameFormat (subject-id)
     [java] ERROR - Item https://proxy.acc.eduteams.org/metadata/backend.xml (NL) was marked with the following Error status messages
     [java] ERROR -     check_reqattr: RequestedAttribute uses unknown name urn:oasis:names:tc:SAML:attribute:subject-id with SAML 2.0 NameFormat (subject-id)
     [java] ERROR - Item https://proxy.eduteams.org/metadata/backend.xml (NL) was marked with the following Error status messages
     [java] ERROR -     check_reqattr: RequestedAttribute uses unknown name urn:oasis:names:tc:SAML:attribute:subject-id with SAML 2.0 NameFormat (subject-id)

[nroy]

Here are a couple entity descriptors showing good and bad behavior when requesting these. The first one is 100% good. The second one has two error conditions: A breaking (entity descriptor should be rejected) error in that it requires the OASIS SAML subject identifiers via an invalid mechanism using undefined syntax, and a non-breaking (results in WARN log message on import, but does not reject the entity descriptor) issue resulting from the requested attributes being optional.

good-and-bad-oasis-saml-subject-identifier-requests.xml.txt

[iay]

Moved to incommon-v13 milestone as v12 was already used for the HSM update.