IdentityPython/pysaml2

Empty AttributeStatement throwing validation error

mclmax opened this issue · 3 comments

Code Version

pysaml2==7.4.2

Expected Behavior

Hi folks,

I'm hoping I can get some assistance here.

We're running into an issue, specifically when using an AWS IdP, where in the request response step we're receiving a blank AttributeStatement element: <saml2:AttributeStatement/>.

I know very little about SAML and was hoping you folks could shed some light on where the issue may lie here. Is this valid SAML and should it pass validation? Or is this our IdP sending us nonsense?

For what it's worth if we manually add additional attributes while configuring the app in AWS things work as expected.

Thanks so much!
Max

Current Behavior

Currently we're hitting this:

failed validating <Element '{urn:oasis:names:tc:SAML:2.0:assertion}AttributeStatement' at 0x7ffb334f2a70> with XsdGroup(model='choice', occurs=[1, None]): Reason: The content of element 'saml:AttributeStatement' is not complete.

Possible Solution

Steps to Reproduce

  1. Set up an AWS IdP with no attributes (besides the default Subject)
  2. Try to log in

@c00kiemon5ter any help would be much appreciated :) totally willing to try a PR with more context! thanks

Hi @mclmax ,

This is not an issue with pysaml2 - pysaml2 here just correctly refuses an invalid assertion. The SAML 2.0 spec clearly states (pg 29) that an AttributeStatement must contain one or more of either an Attribute or EncryptedAttribute element. So the assertion is invalid (at XML schema level) and pysaml2 is right to reject it.

It appears to be an issue with the AWS IdP - if there are no attributes to render, it should skip the AttributeStatement element altogether instead of rendering an empty one.

You may try reporting it as a bug to AWS ... but not sure how that will go. You can point to the SAML 2.0 spec if it helps.

With the bug in place, probably the easiest workaround for you is to pass a synthetic attribute ....

Hope this helps.

Cheers,
Vlad
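The schema rule Vlad cites, and the synthetic-attribute workaround, as an added example that is not pysaml2's own code: a standard-library check that every AttributeStatement in an assertion carries at least one Attribute or EncryptedAttribute child, run against the empty statement the reporter saw, an assertion with the statement omitted, and one with a placeholder attribute. The assertion snippets, issuer, subject and attribute name are constructed placeholders.

```python
# Added example (not pysaml2 code): checks the SAML 2.0 schema rule that an
# AttributeStatement must contain one or more Attribute or EncryptedAttribute
# elements, which is the rule pysaml2's schema validation enforces.
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ATTRIBUTE_STATEMENT = f"{{{SAML_NS}}}AttributeStatement"
ALLOWED_CHILDREN = {f"{{{SAML_NS}}}Attribute", f"{{{SAML_NS}}}EncryptedAttribute"}


def attribute_statement_problems(assertion_xml: str) -> list:
    """Return one message per AttributeStatement that breaks the rule.

    An empty list means every AttributeStatement present is acceptable.
    Omitting the element entirely is valid and produces no message.
    """
    root = ET.fromstring(assertion_xml)
    problems = []
    for idx, stmt in enumerate(root.iter(ATTRIBUTE_STATEMENT)):
        if not any(child.tag in ALLOWED_CHILDREN for child in stmt):
            problems.append(
                f"AttributeStatement #{idx} has no Attribute/EncryptedAttribute child"
            )
    return problems


# Constructed, unsigned assertions with placeholder issuer and subject.
_HEAD = (
    f'<saml2:Assertion xmlns:saml2="{SAML_NS}" ID="_example" Version="2.0">'
    "<saml2:Issuer>https://idp.example.test</saml2:Issuer>"
    "<saml2:Subject><saml2:NameID>user@example.test</saml2:NameID></saml2:Subject>"
)
_TAIL = "</saml2:Assertion>"

# What the reporter received: an empty statement (schema-invalid).
EMPTY_STATEMENT = _HEAD + "<saml2:AttributeStatement/>" + _TAIL
# What an IdP with nothing to assert should send: no statement at all.
NO_STATEMENT = _HEAD + _TAIL
# The workaround from the thread: one synthetic (placeholder) attribute.
SYNTHETIC_ATTRIBUTE = _HEAD + (
    "<saml2:AttributeStatement>"
    '<saml2:Attribute Name="synthetic">'
    "<saml2:AttributeValue>placeholder</saml2:AttributeValue>"
    "</saml2:Attribute>"
    "</saml2:AttributeStatement>"
) + _TAIL

if __name__ == "__main__":
    for name, doc in [("empty", EMPTY_STATEMENT), ("omitted", NO_STATEMENT),
                      ("synthetic", SYNTHETIC_ATTRIBUTE)]:
        print(name, attribute_statement_problems(doc) or "ok")
```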

Hi @vladimir-mencl-eresearch,

Thanks a bunch for taking the time to edumacate me!

Heh, we'll try our luck with an AWS bug report but also not super optimistic.

Yep, the synthetic attribute is doing the trick for us at the moment.

Thanks again!
Max