@RackerWilliams
Last active October 21, 2017 18:55

Old Behavior

Suppose that the SAML assertion did not contain roles. Then the policy:

---
mapping:
  rules:
  - local:
      user:
        domain: "{D}"
        name: "{D}"
        email: "{D}"
        roles: "{D}"
        expire: "{D}"
  version: RAX-1

Would return something like:

{
  "local": {
    "user": {
      "domain": "323676",
      "name": "john.doe",
      "email": "no-reply@rackspace.com",
      "roles": [],
      "expire": "2013-11-17T16:19:06.298Z"
    }
  }
}

Notice the empty roles array.

Likewise the policy:

---
mapping:
  rules:
  - local:
      user:
        domain: "{D}"
        name: "{D}"
        email: "{D}"
        expire: "{D}"
  version: RAX-1

Notice that roles is not specified in the policy at all. It would return the same thing:

{
  "local": {
    "user": {
      "domain": "323676",
      "name": "john.doe",
      "email": "no-reply@rackspace.com",
      "roles": [],
      "expire": "2013-11-17T16:19:06.298Z"
    }
  }
}

In other words, we always return the standard attributes, even if they are not specified in the policy.

New Behavior

If a standard attribute is not specified in the policy, it will not be returned in the set of attributes.

Suppose that the SAML assertion did not contain roles. Then the policy:

---
mapping:
  rules:
  - local:
      user:
        domain: "{D}"
        name: "{D}"
        email: "{D}"
        roles: "{D}"
        expire: "{D}"
  version: RAX-1

Would return something like:

{
  "local": {
    "user": {
      "domain": "323676",
      "name": "john.doe",
      "email": "no-reply@rackspace.com",
      "roles": [],
      "expire": "2013-11-17T16:19:06.298Z"
    }
  }
}

Notice the empty roles array.

Now the policy:

---
mapping:
  rules:
  - local:
      user:
        domain: "{D}"
        name: "{D}"
        email: "{D}"
        expire: "{D}"
  version: RAX-1

Notice that roles is not specified in the policy at all. It would return:

{
  "local": {
    "user": {
      "domain": "323676",
      "name": "john.doe",
      "email": "no-reply@rackspace.com",
      "expire": "2013-11-17T16:19:06.298Z"
    }
  }
}

Notice there are no roles.

Why the change?

This ensures backwards compatibility now that we've created a new standard attribute, groups. With the current default policy you won't see groups, but if you specify a policy that does contain groups you will, though the list of groups may be empty.

Technically, this is a backwards incompatible change, because you are now required to specify roles to send the roles attribute, but because our default policy always sent roles anyway, I think we're good.
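An added example, not code from this gist or from the Rackspace identity service, that models the old and new rules side by side in Python. It assumes that "{D}" means "default to the value taken from the SAML assertion", that roles and groups are the multi-valued standard attributes, and that a single-valued attribute with no value is dropped; the assertion values are constructed to match the sample output above.

```python
STANDARD_ATTRS = ("domain", "name", "email", "roles", "expire", "groups")
MULTI_VALUED = frozenset({"roles", "groups"})

# Constructed stand-in for the attributes extracted from a SAML assertion that
# carries neither roles nor groups (values mirror the sample output above).
ASSERTION_DEFAULTS = {
    "domain": "323676",
    "name": "john.doe",
    "email": "no-reply@rackspace.com",
    "expire": "2013-11-17T16:19:06.298Z",
}

# The two policies from the text, written as already-parsed YAML (plain dicts).
POLICY_WITH_ROLES = {"mapping": {"rules": [{"local": {"user": {
    "domain": "{D}", "name": "{D}", "email": "{D}", "roles": "{D}", "expire": "{D}"}}}],
    "version": "RAX-1"}}
POLICY_WITHOUT_ROLES = {"mapping": {"rules": [{"local": {"user": {
    "domain": "{D}", "name": "{D}", "email": "{D}", "expire": "{D}"}}}],
    "version": "RAX-1"}}

def resolve(attr, spec, defaults):
    """Resolve one policy entry: "{D}" takes the assertion default, anything else is a literal."""
    value = defaults.get(attr) if spec == "{D}" else spec
    if attr in MULTI_VALUED:
        # Multi-valued attributes always render as a list, empty when the assertion had none.
        if value is None:
            return []
        return list(value) if isinstance(value, (list, tuple)) else [value]
    return value

def map_user(policy, defaults, new_behavior=True):
    """Build local.user from a RAX-1 policy under the old or the new attribute rules."""
    user_spec = policy["mapping"]["rules"][0]["local"]["user"]
    if new_behavior:
        # New behaviour: only the standard attributes the policy names are emitted.
        attrs = [a for a in STANDARD_ATTRS if a in user_spec]
    else:
        # Old behaviour: every original standard attribute is emitted whether named or not
        # (groups is left out because it did not exist before this change).
        attrs = [a for a in STANDARD_ATTRS if a != "groups"]
    user = {}
    for attr in attrs:
        value = resolve(attr, user_spec.get(attr, "{D}"), defaults)
        if value is not None:  # assumption: a single-valued attribute with no value is dropped
            user[attr] = value
    return {"local": {"user": user}}
```

Calling `map_user(POLICY_WITHOUT_ROLES, ASSERTION_DEFAULTS, new_behavior=False)` reproduces the old output with its empty roles array, while the default `new_behavior=True` leaves the roles key out entirely.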
