- Defect
- Resolution: Cannot Reproduce
- Major
- 1.1.0
- None
This problem occurs when querying the PCMDI attribute service, endpoint https://pcmdi3.llnl.gov/esgcet/saml/soap/secure/attributeService.htm
I've tried querying the service for the attributes: first name, last name, e-mail address and group role. It responds asserting correctly that I have the CMIP5 Research role, but it returns incorrect results for the first name, last name and e-mail address. It returns an attribute statement containing attribute elements corresponding to these attribute names, but the values are empty, e.g.
...
<saml:AttributeStatement>
<saml:Attribute FriendlyName="FirstName" Name="urn:esg:first:name" NameFormat="http://www.w3.org/2001/XMLSchema#string"></saml:Attribute> ...
whereas I would expect something like:
<saml:AttributeStatement>
<saml:Attribute FriendlyName="FirstName" Name="urn:esg:first:name" NameFormat="http://www.w3.org/2001/XMLSchema#string">myfirstname</saml:Attribute> ...
or if the value is not known or can't be returned to the client then the complete <saml:Attribute /> element should be omitted.
I've included the full output below ...
Calling Attribute Service 'https://pcmdi3.llnl.gov/esgcet/saml/soap/secure/attributeService.htm' ...
DEBUG:ndg.soap.client:________________________________________________________________________________
DEBUG:ndg.soap.client:<soap11:Envelope xmlns:soap11="http://schemas.xmlsoap.org/soap/envelope/">
<soap11:Header></soap11:Header>
<soap11:Body>
<samlp:AttributeQuery xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Version="2.0" IssueInstant="2010-08-05T12:50:31.610069Z" ID="3a3c0a5f-273b-48d2-99da-a0f4d5978aad">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName">/O=Site A/CN=Authorisation Service</saml:Issuer>
<saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:NameID Format="urn:esg:openid">https://ceda.ac.uk/openid/Philip.Kershaw</saml:NameID>
</saml:Subject>
<saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="GroupRole" Name="urn:esg:group:role" NameFormat="groupRole"></saml:Attribute>
<saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="LastName" Name="urn:esg:last:name" NameFormat="http://www.w3.org/2001/XMLSchema#string"></saml:Attribute>
<saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="FirstName" Name="urn:esg:first:name" NameFormat="http://www.w3.org/2001/XMLSchema#string"></saml:Attribute>
<saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="EmailAddress" Name="urn:esg:email:address" NameFormat="http://www.w3.org/2001/XMLSchema#string"></saml:Attribute>
</samlp:AttributeQuery>
</soap11:Body>
</soap11:Envelope>
SAML Response ...
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" IssueInstant="2010-08-05T12:50:32.916000Z" InResponseTo="3a3c0a5f-273b-48d2-99da-a0f4d5978aad" Version="2.0" ID="102bc2e4-f767-4010-97b6-08e189f4ad61">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName">PCMDI DN</saml:Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"></samlp:StatusCode>
</samlp:Status>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" IssueInstant="2010-08-05T12:50:32.928000Z" ID="18c42a88-12e1-4133-b657-c31f65909e68">
<saml:Issuer Format="urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName">PCMDI DN</saml:Issuer>
<saml:Subject>
<saml:NameID Format="urn:esg:openid"></saml:NameID>
</saml:Subject>
<saml:Conditions NotOnOrAfter="2010-08-06T12:50:32.928000Z" NotBefore="2010-08-05T12:50:32.928000Z"></saml:Conditions>
<saml:AttributeStatement>
<saml:Attribute FriendlyName="FirstName" Name="urn:esg:first:name" NameFormat="http://www.w3.org/2001/XMLSchema#string"></saml:Attribute>
<saml:Attribute FriendlyName="LastName" Name="urn:esg:last:name" NameFormat="http://www.w3.org/2001/XMLSchema#string"></saml:Attribute>
<saml:Attribute FriendlyName="EmailAddress" Name="urn:esg:email:address" NameFormat="http://www.w3.org/2001/XMLSchema#string"></saml:Attribute>
<saml:Attribute FriendlyName="GroupRole" Name="urn:esg:group:role" NameFormat="groupRole">
<saml:AttributeValue>
<esg:groupRole xmlns:esg="http://www.earthsystemgrid.org" role="default" group="CMIP5 Research"></esg:groupRole>
</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>
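Added example, not part of the report or of the ndg.soap client: a client-side parser for the AttributeStatement quoted above that records an empty <saml:Attribute/> as a missing attribute rather than as an empty-string value, after first checking InResponseTo and the status code. The sample response is constructed from the one in the report, reduced to the relevant elements.

```python
"""Client-side handling of a SAML 2.0 AttributeStatement from the ESG attribute
service described above (added example, not ndg code): an empty <saml:Attribute/>
is reported as missing rather than treated as an empty-string value."""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ESG = "http://www.earthsystemgrid.org"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample, reduced from the response quoted in the report.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
  InResponseTo="3a3c0a5f-273b-48d2-99da-a0f4d5978aad" Version="2.0" ID="r1">
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion Version="2.0" ID="a1"><saml:AttributeStatement>
    <saml:Attribute FriendlyName="FirstName" Name="urn:esg:first:name"/>
    <saml:Attribute FriendlyName="EmailAddress" Name="urn:esg:email:address"/>
    <saml:Attribute FriendlyName="GroupRole" Name="urn:esg:group:role">
      <saml:AttributeValue>
        <esg:groupRole xmlns:esg="{ESG}" role="default" group="CMIP5 Research"/>
      </saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement></saml:Assertion>
</samlp:Response>"""

def parse_attribute_response(xml_text, request_id):
    """Return (attributes, empty_names): attributes maps SAML attribute Name to
    its values; an Attribute with no AttributeValue goes into empty_names."""
    root = ET.fromstring(xml_text)
    # Reject a reply to some other query and anything not marked Success.
    if root.get("InResponseTo") != request_id:
        raise ValueError("InResponseTo does not match our query ID")
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("attribute query did not succeed")
    attributes, empty_names = {}, []
    for attr in root.iter(f"{{{SAML}}}Attribute"):
        values = []
        for av in attr.findall(f"{{{SAML}}}AttributeValue"):
            role = av.find(f"{{{ESG}}}groupRole")
            if role is not None:  # ESG extension: value carried as attributes
                values.append((role.get("group"), role.get("role")))
            elif av.text and av.text.strip():
                values.append(av.text.strip())
        if values:
            attributes[attr.get("Name")] = values
        else:
            empty_names.append(attr.get("Name"))
    return attributes, empty_names
```

With the sample above, the group role is returned as a value while first name and e-mail address are listed as missing, which is the distinction the report asks the service to make by omitting the element.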