# Old Behavior

There was no way to tell whether or not a SAML attribute should be
rendered as an array. For example, given the following SAML
attributes:

```xml
<saml2:Attribute Name="faws/canAddAWSAccount">
  <saml2:AttributeValue xsi:type="xs:string">true</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="faws/991049284483">
  <saml2:AttributeValue xsi:type="xs:string">fanatical_aws:admin</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="faws/042423532529">
  <saml2:AttributeValue xsi:type="xs:string">fanatical_aws:observer</saml2:AttributeValue>
  <saml2:AttributeValue xsi:type="xs:string">RackspaceReadOnly</saml2:AttributeValue>
</saml2:Attribute>
```

They would be rendered to JSON as follows:

```json
{
  "RAX-AUTH:extendedAttributes": {
    "faws": {
      "canAddAWSAccount": "true",
      "991049284483": "fanatical_aws:admin",
      "042423532529": [
        "fanatical_aws:observer",
        "RackspaceReadOnly"
      ]
    }
  }
}
```

The rule was that an attribute containing a single value was rendered
as a plain string, and an attribute containing multiple values was
rendered as an array. Unfortunately, `991049284483` was also meant to
be an array, and the old rule could not express that: a consumer
reading the JSON could not distinguish "one role" from "a list that
happens to contain one role".

# New Behavior

We annotate attributes that should be multi-value with a
`mapping:multiValue` extension attribute:

```xml
<saml2:Attribute Name="faws/canAddAWSAccount" mapping:multiValue="false">
  <saml2:AttributeValue xsi:type="xs:string">true</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="faws/991049284483" mapping:multiValue="true">
  <saml2:AttributeValue xsi:type="xs:string">fanatical_aws:admin</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="faws/042423532529" mapping:multiValue="true">
  <saml2:AttributeValue xsi:type="xs:string">fanatical_aws:observer</saml2:AttributeValue>
  <saml2:AttributeValue xsi:type="xs:string">RackspaceReadOnly</saml2:AttributeValue>
</saml2:Attribute>
```

Because it is a proper optional attribute extension in its own
namespace, anything else that processes the SAML assertion should
ignore it, but it drives the conversion of the extended attributes to
JSON. The new JSON therefore looks like this:

```json
{
  "RAX-AUTH:extendedAttributes": {
    "faws": {
      "canAddAWSAccount": "true",
      "991049284483": [
        "fanatical_aws:admin"
      ],
      "042423532529": [
        "fanatical_aws:observer",
        "RackspaceReadOnly"
      ]
    }
  }
}
```
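The conversion described above, as an added example that is not part of the original paste: a small Python renderer that applies either the old rule (array iff more than one value) or the new `mapping:multiValue` rule to the page's three attributes. The `mapping` namespace URI is an assumed placeholder, the sample assertion fragment is constructed, and the refusal of a `multiValue="false"` attribute that carries several values is an added consistency check rather than behaviour the page describes.

```python
import json
import xml.etree.ElementTree as ET
# The "mapping" namespace URI is an assumed placeholder; the page does not state it.
NS = {
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "mapping": "urn:example:mapping-extension",
}
MULTI_VALUE = "{%s}multiValue" % NS["mapping"]

# Constructed sample: the page's three attributes wrapped in an
# AttributeStatement so the fragment parses as one XML document.
SAMPLE = """<saml2:AttributeStatement
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:mapping="urn:example:mapping-extension"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <saml2:Attribute Name="faws/canAddAWSAccount" mapping:multiValue="false">
    <saml2:AttributeValue xsi:type="xs:string">true</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="faws/991049284483" mapping:multiValue="true">
    <saml2:AttributeValue xsi:type="xs:string">fanatical_aws:admin</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="faws/042423532529" mapping:multiValue="true">
    <saml2:AttributeValue xsi:type="xs:string">fanatical_aws:observer</saml2:AttributeValue>
    <saml2:AttributeValue xsi:type="xs:string">RackspaceReadOnly</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>"""

def extended_attributes(xml_text, use_extension=True):
    # use_extension=True : new rule, array iff mapping:multiValue="true"
    # use_extension=False: old rule, array iff more than one AttributeValue
    root = ET.fromstring(xml_text)
    groups = {}
    for attr in root.findall("saml2:Attribute", NS):
        group, _, name = attr.get("Name").partition("/")
        values = [v.text or "" for v in attr.findall("saml2:AttributeValue", NS)]
        if use_extension:
            multi = attr.get(MULTI_VALUE, "false").lower() == "true"
            # Added check: a single-value attribute carrying several values is a
            # mapping bug; refuse rather than silently drop authorization data.
            if not multi and len(values) != 1:
                raise ValueError("%s: multiValue=false with %d values" % (attr.get("Name"), len(values)))
        else:
            multi = len(values) > 1
        groups.setdefault(group, {})[name] = values if multi else values[0]
    return {"RAX-AUTH:extendedAttributes": groups}

if __name__ == "__main__":
    print(json.dumps(extended_attributes(SAMPLE), indent=2))
```

Running it with `use_extension=False` reproduces the old, ambiguous output for `991049284483`; the default reproduces the new JSON shown above.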
Note that a side effect of the change is that the `multiValue` marker
must also make its way to the XML version of the
`RAX-AUTH:extendedAttributes` extension:

```xml
<RAX-AUTH:extendedAttributes>
  <group name="faws">
    <attribute name="canAddAWSAccount">
      <value>true</value>
    </attribute>
    <attribute name="991049284483" multiValue="true">
      <value>fanatical_aws:admin</value>
    </attribute>
    <attribute name="042423532529" multiValue="true">
      <value>fanatical_aws:observer</value>
      <value>RackspaceReadOnly</value>
    </attribute>
  </group>
</RAX-AUTH:extendedAttributes>
```