[Satosa-dev] breaking change to LDAP attribute store microservice?

Scott Koranda skoranda at gmail.com
Sun Sep 17 18:49:58 CEST 2017


(Apologies in advance for a long and detailed note. TL;DR I want to make a
breaking change but I think I am directly working with everyone using the

I would like to make a breaking change to the LDAP attribute store
microservice. Specifically I want to change the name and syntax for the
configuration option 'idp_identifier' (but not the functionality).

That configuration option is used to determine what value(s) is used for
the LDAP filter that is constructed to search for user records in LDAP.
Currently a simple configuration would be

  - eppn
ldap_identifier_attribute: uid

That configuration would take the value asserted by the IdP for eppn (the
SATOSA internal name for that attribute as it is "seen" by the
microservice) and use it to construct the filter value, e.g.
'skoranda@uwm.edu', so that for example the LDAP filter would be

(uid=skoranda@uwm.edu)

More complicated configurations that include the ability to combine values
including NameID values asserted by the IdP are included in the example

But there are two problems I have with the current configuration and its

1) The value that is used to construct the LDAP filter may not be directly
coming (asserted by) an IdP. It may have been constructed using another
microservice(s) that runs prior to the LDAP attribute store. So I think
instead of


I want to name the configuration option


2) The syntax as seen in the current example is poor. After a helpful
dialogue with Ivan I prefer this syntax, which I think better illustrates
what is going on (this would be a fairly complicated example):

  - attribute_names: [epuid]
  - attribute_names: [eppn, name_id]
    name_id_format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
  - attribute_names: [eppn, edupersontargetedid]
  - attribute_names: [eppn]
  - attribute_names: [name_id]
    name_id_format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
    add_scope: issuer_entityid
  - attribute_names: [edupersontargetedid]
    add_scope: issuer_entityid

The simple configuration from above would become

  - attribute_names: [eppn]

An intermediate example configuration would be

  - attribute_names: [eppn]
  - attribute_names: [edupersontargetedid]
    add_scope: issuer_entityid

Normally I would of course prefer not to make a breaking change, but I
think I am working with everyone using the microservice and can directly
help them transition, and I think it is early enough in the evolution of the
microservice that some flux is expected/allowed.



Scott K
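As an added illustration of the candidate-list syntax proposed in the note (this is example code, not the LDAP attribute store microservice's own implementation), the following Python resolves an ordered list of candidates against the attributes a SATOSA microservice sees and builds the LDAP search filter. The configuration and the attribute values are constructed to mirror the examples in the note. Two details the note does not specify are assumptions here: the values of a candidate's attribute_names are concatenated in order, and add_scope appends "@" followed by the issuer entityID (or the literal scope). The filter value is escaped per RFC 4515 so that an asserted attribute value can never change the structure of the filter.

```python
# Added example, not the microservice's own code.
# Resolve the proposed ordered-candidate configuration and build an LDAP filter.

# Constructed configuration mirroring the "intermediate" and name_id examples.
CANDIDATES = [
    {"attribute_names": ["eppn"]},
    {"attribute_names": ["edupersontargetedid"], "add_scope": "issuer_entityid"},
    {"attribute_names": ["name_id"],
     "name_id_format": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
     "add_scope": "issuer_entityid"},
]
LDAP_IDENTIFIER_ATTRIBUTE = "uid"

# Characters that carry meaning in an LDAP filter (RFC 4515 section 3).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a value so it is matched literally inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def candidate_value(candidate, attributes, name_id, name_id_format, issuer):
    """Return the filter value for one candidate, or None if it cannot be satisfied.

    attributes: dict of SATOSA internal attribute name -> list of values.
    name_id / name_id_format: the NameID asserted by the IdP, if any.
    issuer: the IdP entityID, used when add_scope is 'issuer_entityid'.
    """
    parts = []
    for name in candidate["attribute_names"]:
        if name == "name_id":
            wanted = candidate.get("name_id_format")
            # Only use the NameID if it exists and its format matches the config.
            if not name_id or (wanted and wanted != name_id_format):
                return None
            parts.append(name_id)
        else:
            values = attributes.get(name) or []
            # Assumption: a missing or multi-valued attribute makes the
            # candidate unusable rather than silently picking one value.
            if len(values) != 1:
                return None
            parts.append(values[0])

    scope = candidate.get("add_scope")
    if scope == "issuer_entityid":
        if not issuer:
            return None
        parts.append("@" + issuer)  # assumption: scope is appended as '@<issuer>'
    elif scope:
        parts.append("@" + scope)   # assumption: literal scope appended the same way
    return "".join(parts)


def build_filter(candidates, ldap_attr, attributes,
                 name_id=None, name_id_format=None, issuer=None):
    """Try candidates in order; return the LDAP filter for the first usable one."""
    for candidate in candidates:
        value = candidate_value(candidate, attributes, name_id, name_id_format, issuer)
        if value is not None:
            return "(%s=%s)" % (ldap_attr, escape_filter_value(value))
    return None  # no candidate could be satisfied; caller should not search


if __name__ == "__main__":
    # Constructed sample: an IdP asserting only eppn.
    print(build_filter(CANDIDATES, LDAP_IDENTIFIER_ATTRIBUTE,
                       {"eppn": ["skoranda@uwm.edu"]}))
```

When run stand-alone it prints the filter for the simple case. The escaping step matters because the value comes from an upstream IdP or an earlier microservice: a value containing `*`, `(` or `)` is matched literally instead of widening or restructuring the search.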