Currently EB metadata (e.g. as received from SURFConext) inserts the following <md:RequestedAttribute> elements inside the <md:AttributeConsumingService> element:
```xml
<md:RequestedAttribute Name="urn:mace:dir:attribute-def:cn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>
<md:RequestedAttribute Name="urn:mace:dir:attribute-def:displayName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>
<md:RequestedAttribute Name="urn:mace:dir:attribute-def:eduPersonAffiliation" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>
<md:RequestedAttribute Name="urn:mace:dir:attribute-def:eduPersonPrincipalName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>
<md:RequestedAttribute Name="urn:mace:dir:attribute-def:givenName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>
<md:RequestedAttribute Name="urn:mace:dir:attribute-def:mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>
<md:RequestedAttribute Name="urn:mace:dir:attribute-def:sn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>
<md:RequestedAttribute Name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>
<md:RequestedAttribute Name="urn:mace:dir:attribute-def:uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
<md:RequestedAttribute Name="urn:mace:terena.org:attribute-def:schacHomeOrganization" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
```
For a strict IdP (like SATOSA) it is impossible to comply with this statement, which results in an empty SAML assertion being delivered to EB with the default configuration.

`urn:mace:dir:attribute-def:cn` is not in NameFormat `urn:oasis:names:tc:SAML:2.0:attrname-format:uri`; it is in NameFormat `...:basic`.

`urn:mace:terena.org:attribute-def:schacHomeOrganization` does not exist in `...:basic`, so the NameFormat is correctly requested as `...:uri`, but the name of schacHomeOrganization in format `uri` is `urn:oid:1.3.6.1.4.1.25178.1.2.9`.
- It would be nice if the non-mandatory attribute FriendlyName could be added to the RequestedAttribute elements of the SP metadata. SATOSA (incorrectly) breaks on them missing, e.g.:
```xml
<md:RequestedAttribute Name="urn:mace:terena.org:attribute-def:schacHomeOrganization" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="schacHomeOrganization" isRequired="true"/>
```
https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf, Chapter 8 SAML Attribute Profiles.
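As an added example (not code from EngineBlock, SURFConext or SATOSA), the following script audits the `<md:RequestedAttribute>` elements of SP metadata against the SAML 2.0 attribute profiles and rewrites each one into the X.500/LDAP form (`urn:oid` Name, NameFormat `uri`, FriendlyName set). The Name/NameFormat consistency rule and the schacHomeOrganization OID come from the issue text above; the remaining `urn:mace` to `urn:oid` pairs are the standard LDAP/eduPerson OIDs supplied here, not taken from the page, and the sample metadata fragment is constructed for the example.

```python
"""Audit <md:RequestedAttribute> elements against the SAML 2.0 attribute
profiles (saml-core-2.0-os, chapter 8) and emit corrected elements.

Added example, not EngineBlock/SATOSA code. Only the schacHomeOrganization
OID is stated in the issue; the other OIDs are the standard LDAP/eduPerson
values and are supplied here.
"""
import xml.etree.ElementTree as ET

NS_MD = "urn:oasis:names:tc:SAML:2.0:metadata"
FMT_URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
FMT_BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"

# urn:mace names belong to NameFormat basic; the uri profile uses urn:oid names.
MACE_TO_OID = {
    "urn:mace:dir:attribute-def:cn": "urn:oid:2.5.4.3",
    "urn:mace:dir:attribute-def:sn": "urn:oid:2.5.4.4",
    "urn:mace:dir:attribute-def:givenName": "urn:oid:2.5.4.42",
    "urn:mace:dir:attribute-def:displayName": "urn:oid:2.16.840.1.113730.3.1.241",
    "urn:mace:dir:attribute-def:mail": "urn:oid:0.9.2342.19200300.100.1.3",
    "urn:mace:dir:attribute-def:uid": "urn:oid:0.9.2342.19200300.100.1.1",
    "urn:mace:dir:attribute-def:eduPersonAffiliation": "urn:oid:1.3.6.1.4.1.5923.1.1.1.1",
    "urn:mace:dir:attribute-def:eduPersonPrincipalName": "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
    "urn:mace:dir:attribute-def:eduPersonScopedAffiliation": "urn:oid:1.3.6.1.4.1.5923.1.1.1.9",
    "urn:mace:terena.org:attribute-def:schacHomeOrganization": "urn:oid:1.3.6.1.4.1.25178.1.2.9",
}
OID_TO_MACE = {oid: mace for mace, oid in MACE_TO_OID.items()}


def friendly_name(mace_name):
    """'urn:mace:dir:attribute-def:cn' -> 'cn' (last colon-separated component)."""
    return mace_name.rsplit(":", 1)[1]


def check(name, name_format):
    """Return the list of profile violations for one Name/NameFormat pair (empty if consistent)."""
    problems = []
    if name_format == FMT_URI and not name.startswith("urn:oid:"):
        problems.append("NameFormat uri requires a urn:oid name")
    if name_format == FMT_BASIC and name.startswith("urn:oid:"):
        problems.append("urn:oid names belong to NameFormat uri")
    if name.startswith("urn:mace:") and name not in MACE_TO_OID:
        problems.append("no OID known for this urn:mace name")
    return problems


def fixed_attrs(attrs):
    """Rewrite an element's attributes to the uri profile: urn:oid Name,
    NameFormat uri, FriendlyName filled in, isRequired preserved."""
    name = attrs["Name"]
    if name in MACE_TO_OID:
        oid, mace = MACE_TO_OID[name], name
    elif name in OID_TO_MACE:
        oid, mace = name, OID_TO_MACE[name]
    else:
        raise ValueError(f"unknown attribute name: {name}")
    return {
        "Name": oid,
        "NameFormat": FMT_URI,
        "FriendlyName": attrs.get("FriendlyName") or friendly_name(mace),
        "isRequired": attrs.get("isRequired", "false"),
    }


def audit(metadata_xml):
    """Return [(original Name, problems, corrected attrs)] for every RequestedAttribute."""
    root = ET.fromstring(metadata_xml)
    result = []
    for ra in root.iter(f"{{{NS_MD}}}RequestedAttribute"):
        name, fmt = ra.get("Name", ""), ra.get("NameFormat", "")
        result.append((name, check(name, fmt), fixed_attrs(ra.attrib)))
    return result


def render(attrs):
    """Serialise one corrected element as it should appear in the SP metadata."""
    return ('<md:RequestedAttribute Name="{Name}" NameFormat="{NameFormat}" '
            'FriendlyName="{FriendlyName}" isRequired="{isRequired}"/>').format(**attrs)


# Constructed sample: two elements as EB currently emits them plus one already-correct element.
SAMPLE = f"""<md:AttributeConsumingService xmlns:md="{NS_MD}" index="0">
  <md:RequestedAttribute Name="urn:mace:dir:attribute-def:cn" NameFormat="{FMT_URI}" isRequired="false"/>
  <md:RequestedAttribute Name="urn:mace:terena.org:attribute-def:schacHomeOrganization" NameFormat="{FMT_URI}" isRequired="true"/>
  <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.1" NameFormat="{FMT_URI}" FriendlyName="uid" isRequired="true"/>
</md:AttributeConsumingService>"""

if __name__ == "__main__":
    for name, problems, fixed in audit(SAMPLE):
        print(name, "->", "; ".join(problems) or "ok")
        print("   ", render(fixed))
```

Running it against a full EB metadata file points at every `urn:mace` name that is declared with the `uri` NameFormat and prints the element a strict IdP such as SATOSA will accept. The script converts everything to `urn:oid` names rather than switching `cn` and friends to `basic`, so that one NameFormat covers all requested attributes.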