From 9bd14a38584d3ee6c85759f7bfdccda83f732eb8 Mon Sep 17 00:00:00 2001
From: Tom Judge <tomjudge@cisco.com>
Date: Apr 20 2016 22:41:09 +0000
Subject: Fix handling attributes with multiple values (e.g. groups)


When handling attributes with more than one value provide a single
saml:Attribute with multiple saml:AttributeValue's.

I.e.

<saml:Attribute Name="groups"
           NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
       <saml:AttributeValue>group1</saml:AttributeValue>
       <saml:AttributeValue>group2</saml:AttributeValue>
</saml:Attribute>

Not:

<saml:Attribute Name="groups"
           NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
       <saml:AttributeValue>group1</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="groups"
           NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
       <saml:AttributeValue>group2</saml:AttributeValue>
</saml:Attribute>

This fixes handling of attributes with more than one value for pac4j
based clients (Such as the Jenkins SAML plugin).

---

diff --git a/ipsilon/providers/saml2/auth.py b/ipsilon/providers/saml2/auth.py
index 08423a6..1c75830 100644
--- a/ipsilon/providers/saml2/auth.py
+++ b/ipsilon/providers/saml2/auth.py
@@ -319,18 +319,22 @@ class AuthenticateRequest(ProviderPageBase):
                 continue
             if not isinstance(values, list):
                 values = [values]
+            attr = lasso.Saml2Attribute()
+            attr.name = key
+            attr.nameFormat = lasso.SAML2_ATTRIBUTE_NAME_FORMAT_BASIC
+            attr.attributeValue = []
+            vals = []
             for value in values:
-                attr = lasso.Saml2Attribute()
-                attr.name = key
-                attr.nameFormat = lasso.SAML2_ATTRIBUTE_NAME_FORMAT_BASIC
                 value = str(value).encode('utf-8')
                 self.debug('value %s' % value)
                 node = lasso.MiscTextNode.newWithString(value)
                 node.textChild = True
                 attrvalue = lasso.Saml2AttributeValue()
                 attrvalue.any = [node]
-                attr.attributeValue = [attrvalue]
                 attrstat.attribute = attrstat.attribute + (attr,)
+                vals.append(attrvalue)
+
+            attr.attributeValue = vals
 
         self.debug('Assertion: %s' % login.assertion.dump())