SP metadata does not comply to OASIS SAML Attribute Profiles #1898

@mrvanes

Description

Currently EB metadata (e.g. as received from SURFConext) inserts the following <md:RequestedAttribute> elements inside the <md:AttributeConsumingService> element:

<md:RequestedAttribute Name="urn:mace:dir:attribute-def:cn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>
<md:RequestedAttribute Name="urn:mace:dir:attribute-def:displayName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>
<md:RequestedAttribute Name="urn:mace:dir:attribute-def:eduPersonAffiliation" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>
<md:RequestedAttribute Name="urn:mace:dir:attribute-def:eduPersonPrincipalName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>
<md:RequestedAttribute Name="urn:mace:dir:attribute-def:givenName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>
<md:RequestedAttribute Name="urn:mace:dir:attribute-def:mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>
<md:RequestedAttribute Name="urn:mace:dir:attribute-def:sn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>
<md:RequestedAttribute Name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>
<md:RequestedAttribute Name="urn:mace:dir:attribute-def:uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
<md:RequestedAttribute Name="urn:mace:terena.org:attribute-def:schacHomeOrganization" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>

For a strict IdP (like SATOSA) it is impossible to comply with this statement, which thus results in an empty SAML assertion being delivered to EB under the default configuration.

  1. urn:mace:dir:attribute-def:cn is not NameFormat urn:oasis:names:tc:SAML:2.0:attrname-format:uri, it is in NameFormat ...:basic.
  2. urn:mace:terena.org:attribute-def:schacHomeOrganization does not exist in ...:basic so the NameFormat is correctly requested as ...:uri, but the name of schacHomeOrganization in format uri is urn:oid:1.3.6.1.4.1.25178.1.2.9.

It would be best to leave <md:RequestedAttribute> out of the metadata altogether, to prevent unwanted side-effects of doing it wrong.

https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf, Chapter 8 SAML Attribute Profiles.
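As an added example (not code from the issue, EB or SATOSA), a small Python check that walks an SP's <md:RequestedAttribute> elements and flags the two mismatches described above: a uri-format entry whose Name is not a urn:oid: name, and an OID name declared in basic format. The sample metadata and the KNOWN_URI_NAMES table (holding only the schacHomeOrganization OID quoted in the issue) are constructed for this example; an IdP operator can run the same check over received metadata to see which requests can never be satisfied.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
FMT_URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
FMT_BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"

# Partial, constructed mapping from MACE/Terena names to their uri-format (OID) names.
# Only the entry given in the issue is included; extend from the schac/eduPerson schemas.
KNOWN_URI_NAMES = {
    "urn:mace:terena.org:attribute-def:schacHomeOrganization": "urn:oid:1.3.6.1.4.1.25178.1.2.9",
}


def check_requested_attributes(metadata_xml: str) -> list:
    """Return one finding per RequestedAttribute whose Name does not fit its NameFormat."""
    root = ET.fromstring(metadata_xml)
    findings = []
    for ra in root.iter("{%s}RequestedAttribute" % MD_NS):
        name = ra.get("Name", "")
        fmt = ra.get("NameFormat", "")
        if fmt == FMT_URI and not name.startswith("urn:oid:"):
            # uri format carries OID names (X.500/LDAP profile); a MACE name here will not match.
            findings.append({"name": name, "format": "uri",
                             "hint": KNOWN_URI_NAMES.get(name)})
        elif fmt == FMT_BASIC and name.startswith("urn:oid:"):
            # OID names belong to the uri format, not basic.
            findings.append({"name": name, "format": "basic", "hint": None})
    return findings


# Constructed SP metadata: two entries copied from the issue plus one correct OID entry.
SAMPLE_SP_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="https://sp.example.org/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeConsumingService index="0">
      <md:RequestedAttribute Name="urn:mace:dir:attribute-def:cn"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>
      <md:RequestedAttribute Name="urn:mace:terena.org:attribute-def:schacHomeOrganization"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.25178.1.2.9"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    for f in check_requested_attributes(SAMPLE_SP_METADATA):
        print("mismatch: %s declared as %s, use %s" % (f["name"], f["format"], f["hint"] or "<unknown>"))
```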
