Simple Attribute aggregation testing and improvement suggestions

Description

I did some testing work regarding the newly implemented attribute aggregation for 2.2. The main conclusion is that everything seems to work fine
I was testing with an SP compiled from SVN sources and two 2.1 IdPs and a 1.3 IdP the following cases:

  • Statically configured entityId in shibboleth2.xml to fetch more attributes from another IdP (with correct or non existing entityID)

  • Case where the attribute that is used as nameId is filtered out

  • Two entityIDs configured for aggregation (with correct or non existing entityId)

  • One statically configured entityId and one entityId coming via a refrenced attribute (with correct or non existing entityId)

  • Two IdPs contained in referenced attribute (with correct or non existing entityId)

  • Statically configured the same entityID twice

  • Statically configured entityID which is also contained in referenced attribute

In all cases things seem to work as expected and as it makes sense in my opinion. So, good job and thank you for that very promising new feature

I nevertheless have two minor suggestions for improvements:

Attribute deduplication:
I'm not sure how relevant this actually would be in a real use case but having multiple attribute sources queried can result in duplicate attribute values that are provided to applications by the SP and are also used SP internally. I don't see a reason why it could make sense to have multiple duplicate values but maybe I haven't thought hard enough about this Having the same values for an attribute multiple times may be confusing and cause unnecessary computation work within the SP as well as potential applications using the attributes.

Prevent multiple queries to same IdP:
It can happen that the same IdP is queried multiple times because of attribute aggregation. This can happen if a (dumb) SP admin statically configures the same entityID multiple times in shibboleth2.xml or if one entityID is configured there and the same entityID comes via a referenced attribute. In both cases the SP will query this IdP twice altough this makes (in my opinion) little sense. So, this probably could be optimized.

Environment

None

Activity

Scott Cantor December 17, 2010 at 2:39 PM

Closing after release.

Former user January 21, 2010 at 4:39 AM
Edited

Thanks Scott!
I've tested rev 3220 and confirm this is fixed.

2010-01-21 10:35:48 DEBUG Shibboleth.AttributeResolver.Query [1] resolveAttributes: found AttributeStatement in input to new session, skipping query
2010-01-21 10:35:48 DEBUG Shibboleth.AttributeResolver.SimpleAggregation [1] resolveAttributes: using input attribute (Shib-SwissEP-UniqueID) as identifier for queries
2010-01-21 10:35:48 DEBUG Shibboleth.AttributeResolver.SimpleAggregation [1] resolveAttributes: skipping previously queried attribute source (https://kiwi.unil.ch/idp/shibboleth)

Former user January 19, 2010 at 9:47 AM
Edited

The SimpleAggregation resolver still queries a statically configured entityID even if this entityID is the one that issued the authentication+attribute assertion. Given the following config:
<AttributeResolver type="Chaining">
<AttributeResolver type="Query"/>
<AttributeResolver type="SimpleAggregation" attributeId="Shib-SwissEP-UniqueID" format="urn:oid:2.16.756.1.2.5.1.1.1">
<Entity>https://kiwi.unil.ch/idp/shibboleth</Entity>
</AttributeResolver>
</AttributeResolver>
I see in the log:
2010-01-18 15:23:35 DEBUG Shibboleth.SSO.SAML2 [34]: extracting pushed attributes...
[...]
2010-01-18 15:23:35 DEBUG Shibboleth.AttributeFilter [34]: filtering 17 attribute(s) from (https://kiwi.unil.ch/idp/shibboleth)
[...]
2010-01-18 15:23:35 DEBUG Shibboleth.SSO.SAML2 [34]: resolving attributes...
2010-01-18 15:23:35 DEBUG Shibboleth.AttributeResolver.Query [34] resolveAttributes: found AttributeStatement in input to new session, skipping query
2010-01-18 15:23:35 DEBUG Shibboleth.AttributeResolver.SimpleAggregation [34] resolveAttributes: using input attribute (Shib-SwissEP-UniqueID) as identifier for queries
2010-01-18 15:23:35 DEBUG Shibboleth.AttributeResolver.SimpleAggregation [34] resolveAttributes: issuing SAML query to (https://kiwi.unil.ch/idp/shibboleth)

Scott Cantor June 23, 2009 at 12:47 PM

Closing after releases.

Fixed

Details

Assignee

Reporter

Fix versions

Affects versions

Created June 8, 2009 at 4:26 AM
Updated June 24, 2021 at 3:04 PM
Resolved January 20, 2010 at 3:16 PM