Suppose that the SAML assertion did not contain roles. Then the policy:
```yaml
---
mapping:
  rules:
    - local:
        user:
          domain: "{D}"
          name: "{D}"
          email: "{D}"
          roles: "{D}"
          expire: "{D}"
  version: RAX-1
```
Would return something like:
```json
{
  "local": {
    "user": {
      "domain": "323676",
      "name": "john.doe",
      "email": "no-reply@rackspace.com",
      "roles": [],
      "expire": "2013-11-17T16:19:06.298Z"
    }
  }
}
```
Notice the empty roles array.
Likewise the policy:
```yaml
---
mapping:
  rules:
    - local:
        user:
          domain: "{D}"
          name: "{D}"
          email: "{D}"
          expire: "{D}"
  version: RAX-1
```
Notice that roles is not specified in the policy at all. It would still return the same thing:
```json
{
  "local": {
    "user": {
      "domain": "323676",
      "name": "john.doe",
      "email": "no-reply@rackspace.com",
      "roles": [],
      "expire": "2013-11-17T16:19:06.298Z"
    }
  }
}
```
In other words, we always return the standard attributes, even if they are not specified in the policy.
If a standard value is not specified in the policy, then it will not be returned in the set of attributes.

Suppose that the SAML assertion did not contain roles. Then the policy:
```yaml
---
mapping:
  rules:
    - local:
        user:
          domain: "{D}"
          name: "{D}"
          email: "{D}"
          roles: "{D}"
          expire: "{D}"
  version: RAX-1
```
Would return something like:
```json
{
  "local": {
    "user": {
      "domain": "323676",
      "name": "john.doe",
      "email": "no-reply@rackspace.com",
      "roles": [],
      "expire": "2013-11-17T16:19:06.298Z"
    }
  }
}
```
Notice the empty roles array.
Now the policy:
```yaml
---
mapping:
  rules:
    - local:
        user:
          domain: "{D}"
          name: "{D}"
          email: "{D}"
          expire: "{D}"
  version: RAX-1
```
Notice that roles is not specified in the policy at all. It would return:
```json
{
  "local": {
    "user": {
      "domain": "323676",
      "name": "john.doe",
      "email": "no-reply@rackspace.com",
      "expire": "2013-11-17T16:19:06.298Z"
    }
  }
}
```
Notice that there are no roles at all.
This ensures backwards compatibility given that we've created a new standard attribute, groups. So, given the current default policy, you won't see groups, but if you specify a policy that does contain groups you will, though the list of groups may be empty.
Technically, this is a backwards incompatible change because you are now required to specify roles to send the roles attribute, but because our default policy always sent roles anyway, I think we're good.
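To make the two behaviours concrete, here is an added Python model of the rule evaluation described above; it is not the identity service's own code. It assumes the two policies as already-parsed dicts, a constructed set of `{D}` defaults resolved from an assertion that carries no roles or groups (the page does not describe how `{D}` is computed, so a name lookup stands in for it), and a `legacy` flag that switches between the old "always emit standard attributes" behaviour and the new "only what the policy names" behaviour.

```python
import json

# Standard attributes of the RAX-1 local.user object named on this page
# (domain, name, email, roles, expire) plus the newer standard attribute "groups".
STANDARD = ("domain", "name", "email", "roles", "expire", "groups")
MULTI_VALUED = {"roles", "groups"}  # serialise as arrays; empty when nothing is asserted

# Parsed forms of the two policies shown above (hypothetical Python equivalents of the YAML).
POLICY_WITH_ROLES = {"mapping": {"version": "RAX-1", "rules": [{"local": {"user": {
    "domain": "{D}", "name": "{D}", "email": "{D}", "roles": "{D}", "expire": "{D}"}}}]}}
POLICY_WITHOUT_ROLES = {"mapping": {"version": "RAX-1", "rules": [{"local": {"user": {
    "domain": "{D}", "name": "{D}", "email": "{D}", "expire": "{D}"}}}]}}

# Constructed {D} defaults derived from an assertion with no roles and no groups.
DEFAULTS_NO_ROLES = {"domain": "323676", "name": "john.doe",
                     "email": "no-reply@rackspace.com", "expire": "2013-11-17T16:19:06.298Z"}


def apply_policy(policy, defaults, legacy=False):
    """Build local.user from the first RAX-1 rule of `policy`.

    legacy=True  -> old behaviour: every standard attribute is emitted, in the policy or not.
    legacy=False -> new behaviour: only attributes named in the policy are emitted.
    A "{D}" spec takes the default value; any other spec is used as a literal.
    """
    user_policy = policy["mapping"]["rules"][0]["local"]["user"]
    wanted = STANDARD if legacy else tuple(a for a in STANDARD if a in user_policy)
    user = {}
    for attr in wanted:
        spec = user_policy.get(attr, "{D}")
        value = defaults.get(attr) if spec == "{D}" else spec
        if attr in MULTI_VALUED:
            # Multi-valued attributes never vanish once wanted: absent -> [], scalar -> [scalar]
            value = [] if value is None else ([value] if isinstance(value, str) else list(value))
        elif value is None:
            continue  # single-valued attribute with no default: leave it out entirely
        user[attr] = value
    return {"local": {"user": user}}


if __name__ == "__main__":
    for label, pol in (("with roles", POLICY_WITH_ROLES), ("without roles", POLICY_WITHOUT_ROLES)):
        print(f"--- policy {label}, new behaviour ---")
        print(json.dumps(apply_policy(pol, DEFAULTS_NO_ROLES), indent=2))
    print("--- policy without roles, old behaviour ---")
    print(json.dumps(apply_policy(POLICY_WITHOUT_ROLES, DEFAULTS_NO_ROLES, legacy=True), indent=2))
```

Running it shows the three responses from the text: an empty `roles` array when the policy names roles, no `roles` key at all under the new behaviour when it does not, and, under the old behaviour, `roles` and now `groups` appearing in every response regardless of policy, which is the compatibility concern the note raises.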