Description
SATOSA invokes pysaml2 internally, and pysaml2 converts the received attributes from their Name to their friendly name; that friendly name is what internal_attributes.yaml then uses to map the attributes to an internal representation (an internal name).
To achieve this, pysaml2 uses the provided attribute maps. Attribute maps are arranged by the name-format of the attributes: one map for name-format uri, one map for name-format basic, etc. pysaml2 first looks at the attribute's name-format to pick the right map from the attribute-map files, and then looks up the attribute's Name in that map. If the attribute is not found it is left out, unless the allow_unknown_attributes setting has been set.
This can lead to situations where attributes are mapped wrongly or left out because the attribute was not found in the provided maps (no friendly name was set for it, etc.). In addition, friendly names are optional, and by the specification:
[friendly-name] MUST NOT be used as a basis for formally identifying SAML attributes
To resolve this, one can provide an empty attribute map using the configuration option attribute_map_dir and set allow_unknown_attributes. This results in attributes being handled by their Name. It also means that references to attributes must be made in the canonical Name form, i.e. in internal_attributes.yaml a mapping for eduPersonUniqueId should be written as urn:oid:1.3.6.1.4.1.5923.1.1.1.13.
Example configuration:

```yaml
module: satosa.backends.saml2.SAMLBackend
name: Saml2
config:
  sp_config:
    attribute_map_dir: attributemaps
    allow_unknown_attributes: yes
    [...]
```

where attributemaps is a directory relative to the proxy_conf.yaml configuration file, and contains the following:

```python
# filename: __init__.py
__all__ = ["empty"]
```

```python
# filename: empty.py
MAP = {"identifier": "", "fro": {}, "to": {}}
```
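The following is an added, self-contained example, not pysaml2's or SATOSA's own code: it models the lookup order described above (name-format, then map, then Name, then friendly name) so that the two failure modes (an attribute silently dropped, or a mix of friendly names and Names) and the empty-map fix can be run side by side. The map dicts follow the `MAP = {"identifier", "fro", "to"}` shape of pysaml2 attribute-map modules; the function names, the assertion contents and the internal_attributes-style mappings are constructed for illustration and are not pysaml2 APIs.

```python
"""Model of the attribute-map lookup described in this issue (added example,
not pysaml2 code). Attributes are tuples of (Name, NameFormat, FriendlyName,
values); maps are dicts shaped like pysaml2 attribute-map modules."""

NAME_FORMAT_URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
NAME_FORMAT_BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"

# Constructed "well-known" maps: like the ones shipped with pysaml2, but with
# only two URI entries, so that a third attribute is deliberately unknown.
URI_MAP = {
    "identifier": NAME_FORMAT_URI,
    "fro": {
        "urn:oid:0.9.2342.19200300.100.1.3": "mail",
        "urn:oid:1.3.6.1.4.1.5923.1.1.1.13": "eduPersonUniqueId",
    },
    "to": {},
}
BASIC_MAP = {"identifier": NAME_FORMAT_BASIC, "fro": {"mail": "mail"}, "to": {}}

# The empty map from the issue: nothing is ever renamed.
EMPTY_MAP = {"identifier": "", "fro": {}, "to": {}}

# Constructed assertion content. The third attribute (schacHomeOrganization)
# carries no FriendlyName and is absent from URI_MAP.
ASSERTION = [
    ("urn:oid:0.9.2342.19200300.100.1.3", NAME_FORMAT_URI, "mail", ["alice@example.org"]),
    ("urn:oid:1.3.6.1.4.1.5923.1.1.1.13", NAME_FORMAT_URI, "eduPersonUniqueId", ["a1b2c3@example.org"]),
    ("urn:oid:1.3.6.1.4.1.25178.1.2.9", NAME_FORMAT_URI, None, ["example.org"]),
]


def to_local(attributes, maps, allow_unknown_attributes=False):
    """Convert SAML attributes into a dict keyed by the mapped name.

    Lookup order: pick the map whose identifier equals the attribute's
    NameFormat, then look up the attribute's Name in that map's "fro" table.
    The FriendlyName asserted by the IdP is never used as a key, matching
    the spec quote in the issue.
    """
    by_format = {m["identifier"]: m for m in maps}
    ava = {}
    for name, name_format, _friendly_name, values in attributes:
        amap = by_format.get(name_format)
        if amap is not None and name in amap["fro"]:
            ava[amap["fro"][name]] = values  # known: renamed to its friendly name
        elif allow_unknown_attributes:
            ava[name] = values  # unknown: kept under its Name
        # otherwise the attribute is silently dropped
    return ava


def to_internal(ava, attribute_mapping):
    """Apply an internal_attributes.yaml-style mapping: internal name ->
    list of candidate source names; the first candidate present wins."""
    internal = {}
    for internal_name, sources in attribute_mapping.items():
        for src in sources:
            if src in ava:
                internal[internal_name] = ava[src]
                break
    return internal


# Two internal_attributes-style mappings: one written against friendly names,
# one written against canonical Names as the issue recommends.
FRIENDLY_INTERNAL = {
    "mail": ["mail"],
    "uid": ["eduPersonUniqueId"],
    "org": ["schacHomeOrganization"],
}
CANONICAL_INTERNAL = {
    "mail": ["urn:oid:0.9.2342.19200300.100.1.3"],
    "uid": ["urn:oid:1.3.6.1.4.1.5923.1.1.1.13"],
    "org": ["urn:oid:1.3.6.1.4.1.25178.1.2.9"],
}


def scenario_default_maps(allow_unknown_attributes=False):
    """Shipped-style maps: unknown attributes are dropped, or, with
    allow_unknown_attributes, kept under their Name next to friendly names."""
    return to_local(ASSERTION, [URI_MAP, BASIC_MAP], allow_unknown_attributes)


def scenario_empty_map():
    """The issue's fix: empty map plus allow_unknown_attributes, so every
    attribute is keyed consistently by its Name."""
    return to_local(ASSERTION, [EMPTY_MAP], allow_unknown_attributes=True)


if __name__ == "__main__":
    print("default maps:        ", to_internal(scenario_default_maps(), FRIENDLY_INTERNAL))
    print("default + unknown ok:", scenario_default_maps(True))
    print("empty map, friendly: ", to_internal(scenario_empty_map(), FRIENDLY_INTERNAL))
    print("empty map, canonical:", to_internal(scenario_empty_map(), CANONICAL_INTERNAL))
```

Running it shows the three cases side by side: with the shipped-style maps the schacHomeOrganization attribute never reaches internal_attributes; with allow_unknown_attributes alone the result mixes friendly names and Names, so any internal_attributes mapping has to guess which form each attribute will arrive in; with the empty map every attribute arrives under its Name, and only the mapping written in canonical urn:oid form resolves all three.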
Track issue on pysaml2: IdentityPython/pysaml2#549