There was no way to tell whether a SAML attribute should be rendered as an array or as a single value. For example, given the following SAML attributes:
<saml2:Attribute Name="faws/canAddAWSAccount">
    <saml2:AttributeValue xsi:type="xs:string">true</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="faws/991049284483">
    <saml2:AttributeValue xsi:type="xs:string">fanatical_aws:admin</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="faws/042423532529">
    <saml2:AttributeValue xsi:type="xs:string">fanatical_aws:observer</saml2:AttributeValue>
    <saml2:AttributeValue xsi:type="xs:string">RackspaceReadOnly</saml2:AttributeValue>
</saml2:Attribute>
they would be rendered to JSON as follows:
{
    "RAX-AUTH:extendedAttributes": {
        "faws": {
            "canAddAWSAccount": "true",
            "991049284483": "fanatical_aws:admin",
            "042423532529": [
                "fanatical_aws:observer",
                "RackspaceReadOnly"
            ]
        }
    }
}
The rule was that an attribute containing a single value was rendered as a plain string, and an attribute containing multiple values was rendered as an array. Unfortunately, 991049284483 was also meant to be an array: the number of values an attribute happens to carry says nothing about the type its consumer expects.
We now annotate attributes that should be multi-value with a mapping:multiValue extension attribute:
<saml2:Attribute Name="faws/canAddAWSAccount" mapping:multiValue="false">
    <saml2:AttributeValue xsi:type="xs:string">true</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="faws/991049284483" mapping:multiValue="true">
    <saml2:AttributeValue xsi:type="xs:string">fanatical_aws:admin</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="faws/042423532529" mapping:multiValue="true">
    <saml2:AttributeValue xsi:type="xs:string">fanatical_aws:observer</saml2:AttributeValue>
    <saml2:AttributeValue xsi:type="xs:string">RackspaceReadOnly</saml2:AttributeValue>
</saml2:Attribute>
Because mapping:multiValue is a properly namespaced optional attribute extension, any other consumer of the SAML assertion should ignore it; it only guides the conversion of the extended attributes to JSON. The new JSON looks like this:
{
    "RAX-AUTH:extendedAttributes": {
        "faws": {
            "canAddAWSAccount": "true",
            "991049284483": [
                "fanatical_aws:admin"
            ],
            "042423532529": [
                "fanatical_aws:observer",
                "RackspaceReadOnly"
            ]
        }
    }
}
Note that a side effect of the change is that the multiValue attribute must also make its way into the XML version of the RAX-AUTH:extendedAttributes extension, so that XML and JSON consumers see the same shape:
<RAX-AUTH:extendedAttributes>
    <group name="faws">
        <attribute name="canAddAWSAccount">
            <value>true</value>
        </attribute>
        <attribute name="991049284483" multiValue="true">
            <value>fanatical_aws:admin</value>
        </attribute>
        <attribute name="042423532529" multiValue="true">
            <value>fanatical_aws:observer</value>
            <value>RackspaceReadOnly</value>
        </attribute>
    </group>
</RAX-AUTH:extendedAttributes>
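The following is an added example, not code from the page or from the project it describes, showing both conversions described above: SAML attributes to the JSON form (with the legacy arity-based rule selectable for comparison) and the JSON form to the RAX-AUTH:extendedAttributes XML, carrying multiValue across. The sample assertion is constructed to mirror the page's three attributes. The page does not give the namespace URIs bound to the mapping: and RAX-AUTH: prefixes, so both are placeholders; an attribute flagged multiValue="false" that nevertheless carries several values is not defined by the page, and the converter rejects it rather than guess.

```python
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Placeholder URIs: the page names the prefixes but not the namespaces behind them.
MAPPING_NS = "urn:example:mapping-extension-placeholder"
RAX_AUTH_NS = "urn:example:rax-auth-placeholder"

# Constructed sample mirroring the page's annotated attributes.
SAMPLE_ASSERTION = f"""<saml2:AttributeStatement
    xmlns:saml2="{SAML2_NS}"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:mapping="{MAPPING_NS}">
  <saml2:Attribute Name="faws/canAddAWSAccount" mapping:multiValue="false">
    <saml2:AttributeValue xsi:type="xs:string">true</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="faws/991049284483" mapping:multiValue="true">
    <saml2:AttributeValue xsi:type="xs:string">fanatical_aws:admin</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="faws/042423532529" mapping:multiValue="true">
    <saml2:AttributeValue xsi:type="xs:string">fanatical_aws:observer</saml2:AttributeValue>
    <saml2:AttributeValue xsi:type="xs:string">RackspaceReadOnly</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>"""


def render_extended_attributes(xml_text, honor_multi_value=True):
    """Convert saml2:Attribute elements into the RAX-AUTH:extendedAttributes JSON shape.

    honor_multi_value=False reproduces the legacy rule (array only when more
    than one value is present), which is what mis-rendered 991049284483.
    """
    root = ET.fromstring(xml_text)
    groups = {}
    for attr in root.iter(f"{{{SAML2_NS}}}Attribute"):
        name = attr.get("Name") or ""
        if "/" not in name:
            continue  # assumption: only "group/attribute" names are extended attributes
        group, key = name.split("/", 1)
        values = [v.text or "" for v in attr.findall(f"{{{SAML2_NS}}}AttributeValue")]
        flag = attr.get(f"{{{MAPPING_NS}}}multiValue")
        if honor_multi_value and flag is not None:
            multi = flag.strip().lower() == "true"   # the annotation decides the type
        else:
            multi = len(values) > 1                  # legacy: arity decides the type
        if multi:
            rendered = values
        elif len(values) == 1:
            rendered = values[0]
        else:
            # Declared single-valued but carrying 0 or 2+ values: undefined by the
            # page, so refuse instead of silently picking one value.
            raise ValueError(f"{name}: multiValue=false but {len(values)} values present")
        groups.setdefault(group, {})[key] = rendered
    return {"RAX-AUTH:extendedAttributes": groups}


def render_extended_attributes_xml(document):
    """Serialize the JSON shape as RAX-AUTH:extendedAttributes XML, keeping multiValue."""
    root = ET.Element("RAX-AUTH:extendedAttributes", {"xmlns:RAX-AUTH": RAX_AUTH_NS})
    for group_name, attrs in document["RAX-AUTH:extendedAttributes"].items():
        group = ET.SubElement(root, "group", name=group_name)
        for key, rendered in attrs.items():
            attribute = ET.SubElement(group, "attribute", name=key)
            if isinstance(rendered, list):
                attribute.set("multiValue", "true")  # carry the flag so XML consumers agree
                values = rendered
            else:
                values = [rendered]
            for value in values:
                ET.SubElement(attribute, "value").text = value
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    import json
    doc = render_extended_attributes(SAMPLE_ASSERTION)
    print(json.dumps(doc, indent=2))
    print(render_extended_attributes_xml(doc))
```

Running the block prints the new JSON shape followed by its XML equivalent; calling render_extended_attributes with honor_multi_value=False shows the legacy output in which 991049284483 collapses to a plain string.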