
SP metadata does not comply to OASIS SAML Attribute Profiles #1898

@mrvanes

Description


Currently EB metadata (e.g. as received from SURFConext) inserts the following <md:RequestedAttribute> elements inside the <md:AttributeConsumingService> element:

```xml
<md:RequestedAttribute Name="urn:mace:dir:attribute-def:cn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>
<md:RequestedAttribute Name="urn:mace:dir:attribute-def:displayName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>
<md:RequestedAttribute Name="urn:mace:dir:attribute-def:eduPersonAffiliation" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>
<md:RequestedAttribute Name="urn:mace:dir:attribute-def:eduPersonPrincipalName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>
<md:RequestedAttribute Name="urn:mace:dir:attribute-def:givenName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>
<md:RequestedAttribute Name="urn:mace:dir:attribute-def:mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>
<md:RequestedAttribute Name="urn:mace:dir:attribute-def:sn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>
<md:RequestedAttribute Name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>
<md:RequestedAttribute Name="urn:mace:dir:attribute-def:uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
<md:RequestedAttribute Name="urn:mace:terena.org:attribute-def:schacHomeOrganization" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
```

For a strict IdP (like SATOSA) it is impossible to comply with this statement and thus results in an empty SAML assertion delivered to EB using default configuration.

  1. urn:mace:dir:attribute-def:cn is not NameFormat urn:oasis:names:tc:SAML:2.0:attrname-format:uri, it is in NameFormat ...:basic.
  2. urn:mace:terena.org:attribute-def:schacHomeOrganization does not exist in ...:basic so the NameFormat is correctly requested as ...:uri, but the name of schacHomeOrganization in format uri is urn:oid:1.3.6.1.4.1.25178.1.2.9.
  3. It would be nice if the non-mandatory attribute FriendlyName could be added to the RequestedAttribute elements of the SP metadata. SATOSA (incorrectly) breaks on them missing, e.g.

     ```xml
     <md:RequestedAttribute Name="urn:mace:terena.org:attribute-def:schacHomeOrganization" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="schacHomeOrganization" isRequired="true"/>
     ```

https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf, Chapter 8 SAML Attribute Profiles.
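The three points above come down to two mechanical checks on each `<md:RequestedAttribute>`: a `Name` declared with the `uri` NameFormat must be an `urn:oid:` value (the X.500/LDAP attribute profile), and a `FriendlyName` should be present for strict consumers. The following script is an added example, not code from the EB project or from the issue reporter; it parses a small constructed SP metadata fragment built from the elements quoted above, reports the mismatches, and emits a corrected copy. The `MACE_TO_OID` table is an assumption of this example: it pairs the `urn:mace` names from the issue with their standard LDAP OIDs (the schacHomeOrganization OID is the one quoted in point 2), so an operator can validate metadata before a strict IdP such as SATOSA rejects it.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
RA_TAG = f"{{{MD_NS}}}RequestedAttribute"
ET.register_namespace("md", MD_NS)  # keep the md: prefix when re-serialising

# Assumed lookup table for this example: urn:mace names used in the issue and
# the urn:oid form the uri NameFormat expects (X.500/LDAP attribute profile).
MACE_TO_OID = {
    "urn:mace:dir:attribute-def:cn": "urn:oid:2.5.4.3",
    "urn:mace:dir:attribute-def:sn": "urn:oid:2.5.4.4",
    "urn:mace:dir:attribute-def:givenName": "urn:oid:2.5.4.42",
    "urn:mace:dir:attribute-def:displayName": "urn:oid:2.16.840.1.113730.3.1.241",
    "urn:mace:dir:attribute-def:mail": "urn:oid:0.9.2342.19200300.100.1.3",
    "urn:mace:dir:attribute-def:uid": "urn:oid:0.9.2342.19200300.100.1.1",
    "urn:mace:dir:attribute-def:eduPersonAffiliation": "urn:oid:1.3.6.1.4.1.5923.1.1.1.1",
    "urn:mace:dir:attribute-def:eduPersonPrincipalName": "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
    "urn:mace:dir:attribute-def:eduPersonScopedAffiliation": "urn:oid:1.3.6.1.4.1.5923.1.1.1.9",
    "urn:mace:terena.org:attribute-def:schacHomeOrganization": "urn:oid:1.3.6.1.4.1.25178.1.2.9",
}
OID_TO_MACE = {oid: mace for mace, oid in MACE_TO_OID.items()}

# Constructed sample metadata: two elements as EB currently emits them
# (mace name, uri format, no FriendlyName) and one already in the correct form.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sp.example.org/">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeConsumingService index="0">
      <md:RequestedAttribute Name="urn:mace:dir:attribute-def:cn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>
      <md:RequestedAttribute Name="urn:mace:terena.org:attribute-def:schacHomeOrganization" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="eduPersonPrincipalName" isRequired="true"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def friendly_name_for(name: str) -> str:
    """Derive a FriendlyName from the last segment of the urn:mace name
    (mapping an urn:oid back to its mace name first when we know it)."""
    mace = OID_TO_MACE.get(name, name)
    return mace.rsplit(":", 1)[-1]


def check_requested_attributes(metadata_xml: str) -> list:
    """Return (Name, problem, suggestion) tuples for every non-compliant element."""
    root = ET.fromstring(metadata_xml)
    findings = []
    for ra in root.iter(RA_TAG):
        name = ra.get("Name", "")
        # Point 1/2: uri NameFormat requires an OID-based name.
        if ra.get("NameFormat") == URI_FORMAT and not name.startswith("urn:oid:"):
            findings.append((name, "uri NameFormat but Name is not an OID", MACE_TO_OID.get(name)))
        # Point 3: strict consumers expect FriendlyName to be present.
        if ra.get("FriendlyName") is None:
            findings.append((name, "FriendlyName missing", friendly_name_for(name)))
    return findings


def fix_requested_attributes(metadata_xml: str) -> str:
    """Rewrite known mace names to urn:oid form and add FriendlyName; return the XML."""
    root = ET.fromstring(metadata_xml)
    for ra in root.iter(RA_TAG):
        name = ra.get("Name", "")
        if ra.get("FriendlyName") is None:
            ra.set("FriendlyName", friendly_name_for(name))
        if ra.get("NameFormat") == URI_FORMAT and name in MACE_TO_OID:
            ra.set("Name", MACE_TO_OID[name])
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for name, problem, suggestion in check_requested_attributes(SAMPLE_SP_METADATA):
        print(f"{name}: {problem} (suggest {suggestion})")
    print(fix_requested_attributes(SAMPLE_SP_METADATA))
```

Running the check over the sample reports four findings (the name and the missing FriendlyName for both `cn` and `schacHomeOrganization`), and the rewritten metadata passes a second run of the check with no findings. Names that are not in the table are left untouched so the script never invents an OID.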
