Filter engine removes "duplicate" scoped values based solely on the value and ignores the scope

Description

I think the attached attribute-resolver.xml and attribute-filter.xml should release two values of eduPersonScopedAffiliation - member@domain1.invalid and member@domain2.invalid (and in versions up to 2.2.1 they do). But in versions from 2.3.0 they don't:

  1. /opt/shibboleth-idp-2.3.2/bin/version.sh
    shibboleth-identityprovider version 2.3.2

  2. /opt/shibboleth-idp-2.3.2/bin/aacli.sh --configDir=/opt/shibboleth-idp-2.3.2/conf/ --principal=jw35

<?xml version="1.0" encoding="UTF-8"?><saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:Attribute FriendlyName="eduPersonScopedAffiliation" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">member@domain1.invalid</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>

I've also attached the idp-process.log output from running the above command.

I've marked this priority 'major' because it prevents me from upgrading beyond 2.2.1, which I need to do to avoid at least two subsequent vulnerabilities.

Environment

Linux (Sles10). Fresh install of shibboleth-identityprovider-2.3.2 with only attribute-resolver.xml, attribute-filter.xml and logging.xml (to enable DEBUG logging) modified.
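The deduplication behaviour reported above, modelled as added example code (not Shibboleth's own code): keying duplicate detection on the value part alone collapses the two affiliations to a single value, while keying on value and scope keeps both and still drops an exact repeat. The ScopedValue class and the third (repeated) sample value are constructed for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ScopedValue:
    """A scoped attribute value such as member@domain1.invalid (hypothetical model)."""
    value: str
    scope: str

    @classmethod
    def parse(cls, raw: str) -> "ScopedValue":
        value, sep, scope = raw.partition("@")
        if not sep or not value or not scope:
            raise ValueError(f"not a scoped value: {raw!r}")
        return cls(value, scope)

    def __str__(self) -> str:
        return f"{self.value}@{self.scope}"


def dedupe_by_value_only(values):
    """Models the reported 2.3.x behaviour: equality is decided on the value part alone,
    so member@domain2.invalid is treated as a duplicate of member@domain1.invalid."""
    seen, kept = set(), []
    for v in values:
        if v.value not in seen:
            seen.add(v.value)
            kept.append(v)
    return kept


def dedupe_by_value_and_scope(values):
    """Corrected behaviour: a scoped value is a duplicate only when value AND scope match.
    The frozen dataclass hashes and compares on both fields."""
    seen, kept = set(), []
    for v in values:
        if v not in seen:
            seen.add(v)
            kept.append(v)
    return kept


def dropped_values(resolved, released):
    """Check a deployer can run: which resolved values never made it into the assertion."""
    return [v for v in resolved if v not in set(released)]


# Constructed sample: the two values from the report plus one exact repeat.
RESOLVED = [ScopedValue.parse(s) for s in (
    "member@domain1.invalid", "member@domain2.invalid", "member@domain1.invalid")]
```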

Activity

ChadC, July 28, 2011 at 12:04 PM

Fixed in rev 998

Fixed

Created July 27, 2011 at 2:42 PM
Updated July 28, 2011 at 12:04 PM
Resolved July 28, 2011 at 12:04 PM