#86 With --info-sssd yes, attributes are not in SAML response
Closed: Fixed None Opened 6 years ago by adelton.

I have Ipsilon configured with

ipsilon-server-install --pam yes --info-sssd yes --info-sssd-domain example.com --krb yes --krb-realms EXAMPLE.COM

and I can see mod_lookup_identity enabled and configured in /etc/ipsilon/idp/idp.conf and ifp is enabled and configured in /etc/sssd/sssd.conf and looking at /idp/admin/providers/saml I have the default attribute mapping

    # 1     From *          To *

and the default allowed attributes

    # 1     Name *

However, the

POST /saml2/postResponse

on the SP after successful Kerberos authentication has an empty

   <saml:AttributeStatement/>

element so I don't see the values populated on SP in MELLON_* environment variables.

Rob advised patching Ipsilon with

diff --git a/ipsilon/login/common.py b/ipsilon/login/common.py
index 60f6df1..1835f72 100644
--- a/ipsilon/login/common.py
+++ b/ipsilon/login/common.py
@@ -79,6 +79,8 @@ class LoginManagerBase(PluginConfig, PluginObject):
         # create session login including all the userdata just gathered
         session.login(username, userdata)

+        session.save_user_attrs(userdata)
+
         # save username into a cookie if parent was form base auth
         if auth_type == 'password':
             cookie = SecureCookie(USERNAME_COOKIE, username)

and that fixes the problem, even if I'm not sure it's the correct fix because f7b6d96 seems to suggest session.login was supposed to do the saving.


Fields changed

design_link: =>
milestone: => 1.0 m3
owner: => rcritten
status: new => assigned

The data wasn't being saved because there is a short-circuit at the top of login where if the current user matches the user in the session then just return.

This is a problem because when authenticating via authform or authkrb the login first comes in from remote_login() with no userdata. A subsequent call to login() after calling the info plugins is thus a no-op.

Add a conditional in login such that if the user matches and the existing userattrs is empty, save the supplied user attrs.

patch_available: 0 => 1
status: assigned => accepted

master: 2667fc1

resolution: => fixed
status: accepted => closed

Fields changed

rhbz: => 0

Metadata Update from @nkinder:
- Issue assigned to rcritten
- Issue set to the milestone: 1.0 m3

4 years ago

Login to comment on this ticket.

Metadata