Saml Auth Module - Get all attributes in otoroshi-claim header

Question

Saml Auth Module - Get all attributes in otoroshi-claim header

Closed this issue 6 months ago · 0 comments

Hello, I tried working with the Saml Auth Module to handle the application auth process.

I configured the Saml provider (Ping Federate) to give the following attributes for the authenticated user :

NameID to contains the user email
givenName and sn to get a readable name
memberOf to get the authorised groups

I get this Saml Response :

<samlp:Response Version="2.0"
                ID="NsOng_cMmQF2ofvk-SVYqkHuiim"
                IssueInstant="2024-08-29T07:34:51.722Z"
                Destination="http://privateapps-local.altima-assurances.fr:8085/privateapps/generic/callback"
                xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://idp-altima.fed</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
      <ds:Reference URI="#NsOng_cMmQF2ofvk-SVYqkHuiim">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
        <ds:DigestValue>...</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>...</ds:SignatureValue>
  </ds:Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></samlp:Status>
  <saml:Assertion ID="g0fVP5MdojxhefzfWTFnA.pD5V_"
                  IssueInstant="2024-08-29T07:34:52.133Z"
                  Version="2.0"
                  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:Issuer>http://idp-altima.fed</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
        <ds:Reference URI="#g0fVP5MdojxhefzfWTFnA.pD5V_">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
          <ds:DigestValue>...</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>...</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">qproust@altima-assurances.fr</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="http://privateapps-local.altima-assurances.fr:8085/privateapps/generic/callback"
                                      NotOnOrAfter="2024-08-29T07:39:52.133Z" /></saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-08-29T07:29:52.133Z"
                     NotOnOrAfter="2024-08-29T07:39:52.133Z">
      <saml:AudienceRestriction>
        <saml:Audience>com:altima:local</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement SessionIndex="g0fVP5MdojxhefzfWTFnA.pD5V_"
                         AuthnInstant="2024-08-29T07:34:51.771Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="givenName"
                      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml:AttributeValue xsi:type="xs:string"
                             xmlns:xs="http://www.w3.org/2001/XMLSchema"
                             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">Quentin</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="memberOf"
                      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml:AttributeValue xsi:type="xs:string"
                             xmlns:xs="http://www.w3.org/2001/XMLSchema"
                             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">CN=AD-GROUP-LINUX-SSH,OU=INFORMATIQUE,DC=ALTIMA,DC=LOCAL</saml:AttributeValue>
        <saml:AttributeValue xsi:type="xs:string"
                             xmlns:xs="http://www.w3.org/2001/XMLSchema"
                             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">CN=GG_TOKEN_DEV_OPS,OU=Groupes,OU=NIORT,DC=ALTIMA,DC=LOCAL</saml:AttributeValue>
        <saml:AttributeValue xsi:type="xs:string"
                             xmlns:xs="http://www.w3.org/2001/XMLSchema"
                             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">CN=Sourcing,OU=LISTE_DISTRIBUTION,OU=INFORMATIQUE,DC=ALTIMA,DC=LOCAL</saml:AttributeValue>
        <saml:AttributeValue xsi:type="xs:string"
                             xmlns:xs="http://www.w3.org/2001/XMLSchema"
                             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">CN=Terme,OU=LISTE_DISTRIBUTION,OU=INFORMATIQUE,DC=ALTIMA,DC=LOCAL</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="sn"
                      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml:AttributeValue xsi:type="xs:string"
                             xmlns:xs="http://www.w3.org/2001/XMLSchema"
                             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">PROUST</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>

And Otoroshi send the otoroshi-claim header with the user info

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJPdG9yb3NoaSIsInN1YiI6InFwcm91c3RAYWx0aW1hLWFzc3VyYW5jZXMuZnIiLCJhdWQiOiJOZXcgcm91dGUiLCJleHAiOjE3MjQ5MTc1ODUsImlhdCI6MTcyNDkxNzU1NSwibmJyIjoxNzI0OTE3NTU1LCJqdGkiOiI4Y2IyZDFhY2MtMzY0YS00YTZhLWE2ZTEtMTUyNDE0Nzg3MzI3IiwiYWNjZXNzX3R5cGUiOiJ1c2VyIiwidXNlciI6eyJuYW1lIjoiTm8gbmFtZSIsImVtYWlsIjoicXByb3VzdEBhbHRpbWEtYXNzdXJhbmNlcy5mciIsInByb2ZpbGUiOnsibmFtZSI6Ik5vIG5hbWUiLCJlbWFpbCI6InFwcm91c3RAYWx0aW1hLWFzc3VyYW5jZXMuZnIifSwibWV0YWRhdGEiOm51bGwsInRhZ3MiOltdfX0.zfN1VG_dDNGqX_7ToY_Rz2ibBrI5ah6yGy3LYVLD_GhKRtI-7B0J_RdK3WsRx7MyCsqhZZh10aT79MEVvMse_w

Decoded :

{
  "iss": "Otoroshi",
  "sub": "qproust@altima-assurances.fr",
  "aud": "New route",
  "exp": 1724917585,
  "iat": 1724917555,
  "nbr": 1724917555,
  "jti": "8cb2d1acc-364a-4a6a-a6e1-152414787327",
  "access_type": "user",
  "user": {
    "name": "No name",
    "email": "qproust@altima-assurances.fr",
    "profile": {
      "name": "No name",
      "email": "qproust@altima-assurances.fr"
    },
    "metadata": null,
    "tags": []
  }
}

Only the email (NameID) is present in the jwt.

Would it be possible to add the other attributes in the jwt ? by default or with a configuration in the auth module