Skip to content

Ignore attribute with no attributeValue child #111

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Oct 9, 2015
Merged

Ignore attribute with no attributeValue child #111

merged 2 commits into from
Oct 9, 2015

Conversation

T1B0
Copy link

@T1B0 T1B0 commented Sep 7, 2015

A childless attribute (without attributeValue child node) like :

  <AttributeStatement>
    <Attribute Name="fubar.roles"/>
  ....
 </AttributeStatement>

would cause a typeError in saml.js#L582. this fix would ignore such attribute

Ignore attribute with no attributeValue child in response's Attribute…
68da152 
…Statement (childless attribute was causing typeError)
@T1B0
Copy link
Author

T1B0 commented Sep 7, 2015

Also please note that this is a quick-fix, according to SAML specs the attributeValue is defined as

<element name="Attribute" type="saml:AttributeType"/>
<complexType name="AttributeType">
  <complexContent>
    <extension base="saml:AttributeDesignatorType">
      <sequence>
        <element ref="saml:AttributeValue" maxOccurs="unbounded"/>
      </sequence>
    </extension>
  </complexContent>
</complexType>

and since the element is inside a "sequence", the minOccurs default value is 1, so the attributeValue is suposed to appears at least once for any attribute tag.
I don't know if you'd rather throw an error than just ignore a malformed attribute, i guess it depends on how strict you intend this lib to be.

@ploer
Copy link
Contributor

ploer commented Sep 8, 2015

Thanks for the PR! If it's something you've actually run into from a real IDP, then I'd definitely like to tolerate it.

Can you add a test case for this?

@T1B0
Copy link
Author

T1B0 commented Sep 9, 2015

just added a test case. and yes I actually run into this from a customer's private IDP, I've asked on which SAML lib they're based but didn't get an answer yet - i'll let you know if I find out

edit:
Just heard back from this customer, they uses a commercial provider called "sign&go" by ilex => http://www.ilex-international.com/en/our-products/signgo/ . so this is a legit, live use case I guess.

@T1B0
Copy link
Author

T1B0 commented Sep 10, 2015

had some feedback from an ilex developer, he pointed out that in SAML2.0 the attributeValue has become optional :

2.7.3.1 Element
The element identifies an attribute by name and optionally includes its value(s). It has the
AttributeType complex type. It is used within an attribute statement to express particular attributes ...

the xml-schema I quoted earlier was from SAML1.1 specs, where attributeValue were to occurs 1 or more per attribute

@ploer
Copy link
Contributor

ploer commented Oct 9, 2015

Thanks!

ploer added a commit that referenced this pull request Oct 9, 2015
@ploer
Merge pull request #111 from T1B0/childless-attribute
7d2a147 
Ignore attribute with no attributeValue child
@ploer ploer merged commit 7d2a147 into node-saml:master Oct 9, 2015
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@T1B0 @ploer