SAML attributes not parsed correctly with prefixed XML elements #8864

Closed
@JoakimLofgren

Description

Describe the bug
When grabbing the email attribute (urn:oid:0.9.2342.19200300.100.1.3) from the SimpleSaml2AuthenticatedPrincipal / DefaultSaml2AuthenticatedPrincipal the output is XML and not the expected email.

Until #8861 is merged, the following workaround is used to access the attributes:

val principal = objectMapper.convertValue(auth.principal, Map::class.java)
val attributes = principal["attributes"] as Map<String, List<String>>

The value returned is:

<?xml version="1.0" encoding="UTF-8"?>
<saml2:AttributeValue 
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" 
    xmlns:xs="http://www.w3.org/2001/XMLSchema" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:type="xs:anyType">
  [email protected]
</saml2:AttributeValue>

This seems to be due to prefixed XML elements, as the issue does not occur when non-prefixed XML elements that specify the xmlns attribute are used instead.

Google SAML produces XML with prefixed XML elements, e.g.:

<saml2:AttributeStatement>
    <saml2:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">
            [email protected]
        </saml2:AttributeValue>
    </saml2:Attribute>
</saml2:AttributeStatement>

And lite-idp (https://github.com/amdonov/lite-idp), for example, produces non-prefixed XML elements:

<AttributeStatement xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="urn:oid:0.9.2342.19200300.100.1.3"
               Name="urn:oid:0.9.2342.19200300.100.1.3"
               NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <AttributeValue xmlns="urn:oasis:names:tc:SAML:2.0:assertion">[email protected]
        </AttributeValue>
    </Attribute>
</AttributeStatement>

This was tested with the versions 5.4.0-M2 and 5.4.0-SNAPSHOT (as of today).

To Reproduce

  • Set up a Google SAML SP (or other SAML software that produces prefixed XML elements).
  • Try to grab the email attribute (urn:oid:0.9.2342.19200300.100.1.3) from SimpleSaml2AuthenticatedPrincipal / DefaultSaml2AuthenticatedPrincipal.

Expected behavior
The email is returned.
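Added example, not code from Spring Security or from the reporter: a namespace-aware extractor that returns the same plain-text value for both shapes quoted above (prefixed saml2:AttributeValue with xsi:type="xs:anyType", and default-namespace AttributeValue), and that reproduces the reported symptom on purpose by serialising the element instead of reading its text. The two sample statements are constructed from the issue's excerpts with a made-up address; the surrounding, already signature-verified Assertion is omitted, and the function names are assumptions, not the project's API.

```python
"""Namespace-aware extraction of SAML 2.0 attribute values (added example)."""
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
EMAIL_OID = "urn:oid:0.9.2342.19200300.100.1.3"

# Constructed samples modelled on the two shapes quoted in the issue.
PREFIXED = """<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">
            alice@example.com
        </saml2:AttributeValue>
    </saml2:Attribute>
</saml2:AttributeStatement>"""

UNPREFIXED = """<AttributeStatement xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="urn:oid:0.9.2342.19200300.100.1.3"
               Name="urn:oid:0.9.2342.19200300.100.1.3"
               NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <AttributeValue xmlns="urn:oasis:names:tc:SAML:2.0:assertion">alice@example.com
        </AttributeValue>
    </Attribute>
</AttributeStatement>"""


def _qn(local):
    """Clark-notation name: the parser reports '{ns}local' for both
    'saml2:local' and a default-namespace 'local', so prefixes never matter."""
    return "{%s}%s" % (SAML2_NS, local)


def attribute_values(statement_xml):
    """Return {Attribute Name: [text values]} for an AttributeStatement.

    Only simple content is accepted: an AttributeValue carrying child
    elements is rejected instead of being flattened or serialised back to
    XML, so a caller never receives markup where it expects an address.
    Call this only on an assertion whose signature has already been verified.
    """
    root = ET.fromstring(statement_xml)
    result = {}
    for attr in root.iter(_qn("Attribute")):
        name = attr.get("Name")
        if not name:
            raise ValueError("Attribute without Name")
        for value in attr.findall(_qn("AttributeValue")):
            if len(value):  # nested elements mean complex content
                raise ValueError("complex AttributeValue for %s" % name)
            # xsi:type (xs:string, xs:anyType, ...) is informational here;
            # either way the payload is the element's text, whitespace-trimmed.
            result.setdefault(name, []).append((value.text or "").strip())
    return result


def email_from_statement(statement_xml):
    """Accessor for the attribute the issue is about (hypothetical helper)."""
    values = attribute_values(statement_xml).get(EMAIL_OID, [])
    return values[0] if values else None


def serialized_value(statement_xml):
    """The reported symptom, reproduced deliberately: serialising the first
    AttributeValue element yields markup rather than the address."""
    root = ET.fromstring(statement_xml)
    value = next(root.iter(_qn("AttributeValue")))
    return ET.tostring(value, encoding="unicode")


if __name__ == "__main__":
    for doc in (PREFIXED, UNPREFIXED):
        print(email_from_statement(doc))
    print(serialized_value(PREFIXED))
```

The lookup works because a namespace-aware parser expands both `saml2:AttributeValue` and a default-namespace `AttributeValue` to the same `{urn:oasis:names:tc:SAML:2.0:assertion}AttributeValue`; code that matches on the literal prefix, or that hands back the DOM node's serialisation, is what produces the XML string the reporter saw. Rejecting complex content is a deliberate choice: a value used as an identity key should never silently contain child markup.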
