@RackerWilliams
Created October 22, 2017 21:43

Old Behavior

There was no way to tell whether a SAML attribute should be rendered as an array or as a single value. For example, given the following SAML attributes:

 <saml2:Attribute Name="faws/canAddAWSAccount">
   <saml2:AttributeValue xsi:type="xs:string">true</saml2:AttributeValue>
 </saml2:Attribute>
 <saml2:Attribute Name="faws/991049284483">
   <saml2:AttributeValue xsi:type="xs:string">fanatical_aws:admin</saml2:AttributeValue>
 </saml2:Attribute>
 <saml2:Attribute Name="faws/042423532529">
   <saml2:AttributeValue xsi:type="xs:string">fanatical_aws:observer</saml2:AttributeValue>
   <saml2:AttributeValue xsi:type="xs:string">RackspaceReadOnly</saml2:AttributeValue>
 </saml2:Attribute>

They would be rendered to JSON as follows:

 {
   "RAX-AUTH:extendedAttributes": {
     "faws": {
       "canAddAWSAccount": "true",
       "991049284483": "fanatical_aws:admin",
       "042423532529": [
         "fanatical_aws:observer",
         "RackspaceReadOnly"
       ]
     }
   }
 }

The rule was that an attribute containing a single value was rendered as a plain string, and an attribute containing multiple values was rendered as an array. Unfortunately, 991049284483 was also meant to be an array, and the converter had no way to know that from a single-value attribute.

New Behavior

We annotate attributes that should be multi-value with a mapping:multiValue extension attribute:

 <saml2:Attribute Name="faws/canAddAWSAccount" mapping:multiValue="false">
   <saml2:AttributeValue xsi:type="xs:string">true</saml2:AttributeValue>
 </saml2:Attribute>
 <saml2:Attribute Name="faws/991049284483" mapping:multiValue="true">
   <saml2:AttributeValue xsi:type="xs:string">fanatical_aws:admin</saml2:AttributeValue>
 </saml2:Attribute>
 <saml2:Attribute Name="faws/042423532529" mapping:multiValue="true">
   <saml2:AttributeValue xsi:type="xs:string">fanatical_aws:observer</saml2:AttributeValue>
   <saml2:AttributeValue xsi:type="xs:string">RackspaceReadOnly</saml2:AttributeValue>
 </saml2:Attribute>

Because it is a proper optional attribute extension in its own namespace, any other consumer of the SAML assertion should ignore it, but it tells the converter how to render the extended attributes to JSON. So the new JSON looks like this:

 {
   "RAX-AUTH:extendedAttributes": {
     "faws": {
       "canAddAWSAccount": "true",
       "991049284483": [
         "fanatical_aws:admin"
       ],
       "042423532529": [
         "fanatical_aws:observer",
         "RackspaceReadOnly"
       ]
     }
   }
 }

Note that a side effect of the change is that the multiValue attribute must also make its way into the XML version of the RAX-AUTH:extendedAttributes extension:

<RAX-AUTH:extendedAttributes>
   <group name="faws">
      <attribute name="canAddAWSAccount">
         <value>true</value>
      </attribute>
      <attribute name="991049284483" multiValue="true">
         <value>fanatical_aws:admin</value>
      </attribute>
      <attribute name="042423532529" multiValue="true">
         <value>fanatical_aws:observer</value>
         <value>RackspaceReadOnly</value>
      </attribute>
   </group>
</RAX-AUTH:extendedAttributes>