I have Ipsilon configured with
ipsilon-server-install --pam yes --info-sssd yes --info-sssd-domain example.com --krb yes --krb-realms EXAMPLE.COM
and I can see mod_lookup_identity enabled and configured in /etc/ipsilon/idp/idp.conf, and ifp is enabled and configured in /etc/sssd/sssd.conf. Looking at /idp/admin/providers/saml, I have the default attribute mapping
# 1 From * To *
and the default allowed attributes
# 1 Name *
However, the
POST /saml2/postResponse
on the SP after successful Kerberos authentication has an empty
<saml:AttributeStatement/>
element, so I don't see the values populated on the SP in MELLON_* environment variables.
Rob advised patching Ipsilon with
diff --git a/ipsilon/login/common.py b/ipsilon/login/common.py index 60f6df1..1835f72 100644 --- a/ipsilon/login/common.py +++ b/ipsilon/login/common.py @@ -79,6 +79,8 @@ class LoginManagerBase(PluginConfig, PluginObject): # create session login including all the userdata just gathered session.login(username, userdata) + session.save_user_attrs(userdata) + # save username into a cookie if parent was form base auth if auth_type == 'password': cookie = SecureCookie(USERNAME_COOKIE, username)
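Review bot: the added session.save_user_attrs(userdata) right after session.login(username, userdata) passes the same userdata to the session a second time, so it is not clear from this code which call is responsible for persisting the attributes. If login() is meant to store userdata, the fix belongs inside login(); otherwise add a comment above the new line saying why login() alone is not enough. The new call is also unconditional, so check that it behaves sensibly when userdata is empty or None.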
and that fixes the problem, even if I'm not sure it's the correct fix because f7b6d96 seems to suggest session.login was supposed to do the saving.
Fields changed
design_link: => milestone: => 1.0 m3 owner: => rcritten status: new => assigned
The data wasn't being saved because there is a short-circuit at the top of login: if the current user matches the user in the session, it just returns.
This is a problem because when authenticating via authform or authkrb the login first comes in from remote_login() with no userdata. A subsequent call to login() after calling the info plugins is thus a no-op.
Add a conditional in login such that if the user matches and the existing userattrs is empty, save the supplied user attrs.
patch_available: 0 => 1 status: assigned => accepted
master: 2667fc1
resolution: => fixed status: accepted => closed
rhbz: => 0
Metadata Update from @nkinder: - Issue assigned to rcritten - Issue set to the milestone: 1.0 m3
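The short-circuit and the conditional fix described in the comments above, as an added example that is not Ipsilon's code: a simplified session model in Python. The class names, the `two_phase_login` helper and the sample attributes are hypothetical and constructed for illustration.

```python
# Simplified model of the session logic described in this ticket.
# Class and method names are hypothetical stand-ins, not Ipsilon source.

class BuggySession:
    def __init__(self):
        self.user = None
        self.attrs = {}

    def login(self, username, userdata=None):
        # Short-circuit: same user already in the session, so return early.
        if self.user == username:
            return
        self.user = username
        self.save_user_attrs(userdata)

    def save_user_attrs(self, userdata):
        self.attrs = dict(userdata or {})


class FixedSession(BuggySession):
    def login(self, username, userdata=None):
        if self.user == username:
            # Same user, but nothing stored yet: keep the supplied attributes.
            if not self.attrs and userdata:
                self.save_user_attrs(userdata)
            return
        self.user = username
        self.save_user_attrs(userdata)


def two_phase_login(session, username, userdata):
    """Replay the call order from the ticket and return what got stored."""
    session.login(username)            # first call, as from remote_login(): no userdata
    session.login(username, userdata)  # second call, after the info plugins ran
    return session.attrs


# Constructed sample attributes, as an info plugin might return them.
SAMPLE = {"email": "alice@example.com", "groups": ["staff"]}

if __name__ == "__main__":
    print("buggy:", two_phase_login(BuggySession(), "alice", SAMPLE))
    print("fixed:", two_phase_login(FixedSession(), "alice", SAMPLE))
```

In this model a login as a different user still replaces the stored attributes, so one user's attributes are never carried over to another.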