Description
Due to the way IdP attributes are filtered, an SP with invalid RequestedAttribute elements will block the issuance of required attributes, even when a compatible attribute map is offered in the config.
When the offending RequestedAttribute elements look like this:
```xml
<md:RequestedAttribute Name="urn:mace:dir:attribute-def:cn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>
<md:RequestedAttribute Name="urn:mace:dir:attribute-def:displayName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>
<md:RequestedAttribute Name="urn:mace:dir:attribute-def:eduPersonAffiliation" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>
<md:RequestedAttribute Name="urn:mace:dir:attribute-def:eduPersonPrincipalName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>
<md:RequestedAttribute Name="urn:mace:dir:attribute-def:givenName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>
<md:RequestedAttribute Name="urn:mace:dir:attribute-def:mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>
<md:RequestedAttribute Name="urn:mace:dir:attribute-def:sn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>
<md:RequestedAttribute Name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>
<md:RequestedAttribute Name="urn:mace:dir:attribute-def:uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
<md:RequestedAttribute Name="urn:mace:terena.org:attribute-def:schacHomeOrganization" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
```
SATOSA cannot issue a valid uid or schacHomeOrganization, resulting in an error on the SP side.
I'm aware there are multiple issues at stake here: The SP didn't add FriendlyName (but that's not mandatory) and it requests non-standard combinations of attribute Name and NameFormats.
But even when SATOSA is configured with a hand-crafted attribute map that correctly handles these attribute Name and NameFormat combinations, SATOSA will not issue the required attributes, probably because the FriendlyName is lacking, which is a bug in itself?
The easiest way to work around this would be a SAML Frontend option `ignore_requestedattributes = true`.
This can also be worked around by configuring a copy of the SP metadata as a local metadata source and removing the offending RequestedAttribute elements, which is not our preferred way of solving this issue.
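The following is an added illustration, not SATOSA's or pysaml2's own code. It parses RequestedAttribute elements from a constructed SP metadata fragment (with no FriendlyName, as in the report), resolves each one against an attribute map in the pysaml2 shape (`identifier` / `fro` / `to`) by Name and NameFormat, and only falls back to FriendlyName when no map entry exists. `filter_attributes_strict` is a hypothetical FriendlyName-keyed filter included purely to show the failure mode the report describes; the `ignore_requested` flag models the proposed `ignore_requestedattributes` option. The entityID, the unknown attribute Name and the user attribute values are constructed.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

# Constructed attribute map in the pysaml2 shape (identifier / fro / to).
# "fro" translates the on-the-wire Name into the IdP's internal attribute name.
ATTRIBUTE_MAP_URI = {
    "identifier": URI_FORMAT,
    "fro": {
        "urn:mace:dir:attribute-def:uid": "uid",
        "urn:mace:dir:attribute-def:mail": "mail",
        "urn:mace:dir:attribute-def:displayName": "displayName",
        "urn:mace:terena.org:attribute-def:schacHomeOrganization": "schacHomeOrganization",
    },
}
ATTRIBUTE_MAP_URI["to"] = {v: k for k, v in ATTRIBUTE_MAP_URI["fro"].items()}

# Constructed SP metadata: no FriendlyName anywhere (as in the report), plus one
# Name that no map knows, to show that unknown requests are ignored, not fatal.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeConsumingService index="1">
      <md:RequestedAttribute Name="urn:mace:dir:attribute-def:mail" NameFormat="{URI_FORMAT}" isRequired="false"/>
      <md:RequestedAttribute Name="urn:mace:dir:attribute-def:uid" NameFormat="{URI_FORMAT}" isRequired="true"/>
      <md:RequestedAttribute Name="urn:mace:terena.org:attribute-def:schacHomeOrganization" NameFormat="{URI_FORMAT}" isRequired="true"/>
      <md:RequestedAttribute Name="urn:example:attribute-def:unknown" NameFormat="{URI_FORMAT}" isRequired="false"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed user record keyed by internal attribute names.
USER_ATTRS = {
    "uid": ["jdoe"],
    "mail": ["jdoe@example.org"],
    "schacHomeOrganization": ["example.org"],
    "displayName": ["Jane Doe"],
}


def parse_requested_attributes(metadata_xml):
    """Extract RequestedAttribute elements as dicts; FriendlyName stays optional."""
    root = ET.fromstring(metadata_xml)
    out = []
    for el in root.iter(f"{{{MD_NS}}}RequestedAttribute"):
        out.append({
            "name": el.get("Name"),
            "name_format": el.get("NameFormat"),
            "friendly_name": el.get("FriendlyName"),  # None when the SP omitted it
            "is_required": el.get("isRequired", "false").lower() == "true",
        })
    return out


def resolve_requested(requested, attribute_maps, ignore_requested=False):
    """Translate RequestedAttribute entries to internal names via the attribute maps.

    Returns (resolved, unresolved): resolved is {internal_name: is_required};
    unresolved lists wire Names no map could translate. With ignore_requested=True
    nothing is resolved and the caller releases its configured set unchanged.
    """
    if ignore_requested:
        return {}, []
    by_format = {m["identifier"]: m["fro"] for m in attribute_maps}
    resolved, unresolved = {}, []
    for req in requested:
        internal = by_format.get(req["name_format"], {}).get(req["name"])
        if internal is None and req["friendly_name"]:
            internal = req["friendly_name"]  # fallback only; never a requirement
        if internal is None:
            unresolved.append(req["name"])
            continue
        resolved[internal] = resolved.get(internal, False) or req["is_required"]
    return resolved, unresolved


def filter_attributes(user_attrs, requested, attribute_maps, ignore_requested=False):
    """Return (released, missing_required); unknown requests never block known ones."""
    resolved, _unresolved = resolve_requested(requested, attribute_maps, ignore_requested)
    if ignore_requested:
        return dict(user_attrs), []
    released = {k: v for k, v in user_attrs.items() if k in resolved}
    missing_required = sorted(k for k, need in resolved.items() if need and k not in user_attrs)
    return released, missing_required


def filter_attributes_strict(user_attrs, requested):
    """Hypothetical FriendlyName-keyed filter: drops everything when FriendlyName is absent."""
    wanted = {r["friendly_name"] for r in requested if r["friendly_name"]}
    return {k: v for k, v in user_attrs.items() if k in wanted}


if __name__ == "__main__":
    reqs = parse_requested_attributes(SP_METADATA)
    print("strict:", filter_attributes_strict(USER_ATTRS, reqs))
    print("map-based:", filter_attributes(USER_ATTRS, reqs, [ATTRIBUTE_MAP_URI]))
```

Run as a script, the strict filter releases nothing (the required uid and schacHomeOrganization are lost), while the map-based filter releases mail, uid and schacHomeOrganization and reports no missing required attribute; the unknown Name is simply left out.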