Support multiple attribute values per attribute

[jondavidjohn]

In an example SAML AttributeStatement found here, the point of providing AttributeValue is to provide the IDP options for input in the associated attribute.

This gem does not currently support supplying multiple AttributeValue elements for a given Attribute. Doesn't this actually mean the IDP could only provide a single value for this attribute, mostly rendering it useless?

   <saml:AttributeStatement>
     <saml:Attribute
       xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
       x500:Encoding="LDAP"
       NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
       Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
       FriendlyName="eduPersonAffiliation">
       <saml:AttributeValue
         xsi:type="xs:string">member</saml:AttributeValue>
       <saml:AttributeValue
         xsi:type="xs:string">staff</saml:AttributeValue>
     </saml:Attribute>
   </saml:AttributeStatement>

Is there currently a way to accept multiple values per attribute? if not, would there be interest in a pull request to allow the attribute_value property to accept an array of values?

For example...

      settings.attributes_index = 0
      settings.attribute_consuming_service.configure do
        service_name "Service"
        service_index 0
        add_attribute(
          name: "urn:oid:1.3.6.1.4.1.5923.1.1.1.1",
          name_format: "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
          friendly_name: "eduPersonAffiliation"
          attribute_value: ["member", "staff"]
        )
      end

[pitbulk]

This gem does not currently support supplying multiple AttributeValue elements for a given Attribute.

We take all the values, you can see that test where the toolkit extracts multiple values.

Have you read the Retrieving Attributes section of the documentation?

Instead

response.attributes[:attr_name]   
#or
response.attributes.single(:attr_name)

use

response.attributes.multi(:attr_name)

[jondavidjohn]

Sorry 😕 was confused myself about how this all works (new to SAML). I realize now that this is for IDPs sending multiple values.

Is there a way to communicate (as an SP) to IDP implementors

1. The acceptable values for a given attribute?
2. Validation failures on said attributes?

[pitbulk]

1. At the AttributeConsumingService you can define RequestedAttribute elements with AttributeValue. (This data will be exposed on the SP's metadata).
2. I think SAML standard does not cover it, best approach will be just to inform the user that the Identity Provided is not offering valid values of the required attributes on the SSO flow.

Metadata for the OASIS SecurityAssertion Markup Language

2.4.4.2 Element <RequestedAttribute>

The <RequestedAttribute> element specifies a service provider's interest in a specific SAML
attribute, optionally including specific values. Its RequestedAttributeType complex type
extends the saml:AttributeType  with the following attribute:
isRequired  [Optional]
Optional XML  attribute indicates if the service requires the corresponding SAML attribute in
order to function at all (as opposed to me rely finding an attribute useful or desirable).

If specific <saml:AttributeValue> elements are included, then only matching values are
relevant to the service

Right now ruby-saml support 1), but you only are able to define 1 possible value for the requested attribute, if you want to contribute and improve it in order to support value/list, a PR is welcome.

[jondavidjohn]

If I were to make a PR, would you see it reasonable to optionally accept an array as the attribute_value?

[pitbulk]

Yes sure, that is what I suggested. Extend the current paramter to support also an array.

[jondavidjohn]

@pitbulk to which branch should I submit my PR?

[pitbulk]

master