On 2019-05-06 at 14:08, Scott Koranda <skoranda at gmail.com> wrote:
> Hi,
> For a SAML proxy deployment (no OIDC here yet) I need a sophisticated
> attribute release policy that should be largely driven by SAML metadata
> entity categories. The policy is essentially to release the union of
> attributes for each of the entity categories REFEDS R&S, CoCo, and a few
> others to which the entity belongs.
> Later I am sure there will need to be per-entity adjustments (there
> always are...).
> Have other deployments already implemented tooling to implement such a
> policy?
> I don't see that the SAMLFrontend (or its subclasses) has the requisite
> functionality. Or that pySAML2 has it--the policy-based functionality
> appears to mostly be around statically configured filtering and not
> driven by SAML metadata. Am I missing existing functionality?
pysaml2 has had entity-category-based AR since early on, and requested-attribute-based release
was implemented later. The documentation, however, seems to be limited to static
restrictions:
https://github.com/IdentityPython/pysaml2/blob/master/docs/howto/config.rst…
> If I need to develop the functionality, then I am wondering if it is
> best done by implementing a response microservice(s), or to evolve the
> SAMLFrontend code?
It should work via metadata, so it should go into the frontend. Peeking into
assertion.py
<https://github.com/IdentityPython/pysaml2/blob/master/src/saml2/assertion.py> I see
quite a few filtering mechanisms; with some guessing and trying, that could be a starting
point.
IIRC there was a long thread about AR on this list some time ago, discussing the semantics
of combining EC- and requested-attribute-based metadata. Maybe that's worth digging out.
Cheers, Rainer
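As an added illustration of the policy discussed in this thread (the union of the attribute bundles for every entity category an SP carries, combined with requested attributes from metadata and per-entity adjustments), here is a self-contained Python sketch. It is not pysaml2 or SATOSA code and does not use the filtering in assertion.py; it reads entity categories and RequestedAttribute elements straight out of SAML metadata with the standard library. The entity category URIs are the registered REFEDS R&S and GEANT Code of Conduct identifiers and the R&S bundle follows the REFEDS R&S specification; the metadata aggregate, the CoCo rule (release what the SP requests in metadata) and the per-entity override format are constructed assumptions for the example.

```python
"""Entity-category-driven attribute release computed from SAML metadata.

Added example, not pysaml2/SATOSA code. Category URIs and the R&S bundle
are from the REFEDS specs; the metadata, the CoCo rule and the per-entity
override format are constructed assumptions.
"""
from dataclasses import dataclass, field
from xml.etree import ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
RS = "http://refeds.org/category/research-and-scholarship"
COCO = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"

# Attribute bundle released to members of each entity category (friendly names).
CATEGORY_BUNDLES = {
    RS: {"eduPersonPrincipalName", "mail", "displayName", "givenName", "sn",
         "eduPersonScopedAffiliation"},
}

# Constructed per-entity adjustments layered on top of the category rules.
PER_ENTITY = {"https://rs.example.org/sp": {"deny": {"mail"}}}

# Constructed aggregate: an R&S-only SP, an R&S+CoCo SP that requests two
# attributes, and an SP with no entity category at all.
METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <md:EntityDescriptor entityID="https://rs.example.org/sp">
  <md:Extensions><mdattr:EntityAttributes>
   <saml:Attribute Name="http://macedir.org/entity-category">
    <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
   </saml:Attribute>
  </mdattr:EntityAttributes></md:Extensions>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
 </md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://coco.example.org/sp">
  <md:Extensions><mdattr:EntityAttributes>
   <saml:Attribute Name="http://macedir.org/entity-category">
    <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
    <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
   </saml:Attribute>
  </mdattr:EntityAttributes></md:Extensions>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <md:AttributeConsumingService index="0">
    <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail" isRequired="true"/>
    <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.25178.1.2.9" FriendlyName="schacHomeOrganization"/>
   </md:AttributeConsumingService>
  </md:SPSSODescriptor>
 </md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://plain.example.org/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
 </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


@dataclass
class SPPolicyInput:
    entity_id: str
    categories: set = field(default_factory=set)
    requested: set = field(default_factory=set)


def parse_metadata(xml_text):
    """Map entityID -> entity categories and requested attributes per SP."""
    out = {}
    for ed in ET.fromstring(xml_text).iter("{%s}EntityDescriptor" % NS["md"]):
        sp = SPPolicyInput(ed.get("entityID"))
        for attr in ed.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
            if attr.get("Name") == ENTITY_CATEGORY:
                sp.categories.update(v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text)
        for ra in ed.findall("md:SPSSODescriptor/md:AttributeConsumingService/md:RequestedAttribute", NS):
            sp.requested.add(ra.get("FriendlyName") or ra.get("Name"))
        out[sp.entity_id] = sp
    return out


def compute_release(sp, per_entity=None):
    """Union of the bundles for every category the SP carries, plus the
    attributes a CoCo SP requests in metadata, then per-entity add/deny."""
    released = set()
    for category in sp.categories:
        released |= CATEGORY_BUNDLES.get(category, set())
    if COCO in sp.categories:  # assumption: CoCo releases what the SP requested
        released |= sp.requested
    override = (per_entity or {}).get(sp.entity_id, {})
    released |= set(override.get("add", ()))
    released -= set(override.get("deny", ()))
    return released


def filter_attributes(ava, released):
    """Keep only the user's attributes that the policy allows for this SP."""
    return {name: value for name, value in ava.items() if name in released}


if __name__ == "__main__":
    user = {"mail": "alice@example.edu", "sn": "Liddell",
            "schacHomeOrganization": "example.edu", "eduPersonEntitlement": "x"}
    for entity_id, sp in parse_metadata(METADATA).items():
        print(entity_id, sorted(filter_attributes(user, compute_release(sp, PER_ENTITY))))
```

An SP with no entity category and no matching per-entity entry gets nothing, which is the safe default; the per-entity layer is applied last so that a deny always wins over a category bundle, which is the direction the "there always are" adjustments usually take.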