
Conversation

@tvernum
Contributor

@tvernum tvernum commented Jul 14, 2025

Sometimes SAML IdPs send what should be a list of values as a single comma-separated string.

That is, we expect something using SAML's multi-valued attribute feature:

    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                    Name="http://idp.example.org/attributes/groups"
                    FriendlyName="groups">
        <saml:AttributeValue>engineering</saml:AttributeValue>
        <saml:AttributeValue>elasticsearch-admins</saml:AttributeValue>
        <saml:AttributeValue>employees</saml:AttributeValue>
    </saml:Attribute>

but we get

    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                    Name="http://idp.example.org/attributes/groups"
                    FriendlyName="groups">
        <saml:AttributeValue>engineering,elasticsearch-admins,employees</saml:AttributeValue>
    </saml:Attribute>

In order to help detect these cases, this commit changes the toString() on SamlAttribute to include the length (e.g. (len=1)) at the end.

Relates: #84379, #102769

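The two attribute shapes above differ only in whether the IdP emitted three AttributeValue elements or one. The following is an added example, not Elasticsearch code: it parses a SAML AttributeStatement with the standard library, renders each attribute with a `(len=N)` suffix in the spirit of the PR's toString() change, and applies a simple heuristic (a single value that contains a list delimiter) to flag attributes that look like a collapsed list. The names `SamlAttribute`, `parse_attributes`, `looks_collapsed` and the delimiter set are assumptions of this example; the two XML samples are reconstructed from the snippets in the PR description.

```python
"""Added example (not Elasticsearch code): inspect SAML attributes and flag
single values that look like a comma-joined list of what should be
multiple AttributeValue elements."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Optional, Sequence

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Sample inputs, reconstructed from the PR description (constructed wrapper element).
MULTI_VALUED = f"""
<saml:AttributeStatement xmlns:saml="{SAML_NS}">
  <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                  Name="http://idp.example.org/attributes/groups" FriendlyName="groups">
    <saml:AttributeValue>engineering</saml:AttributeValue>
    <saml:AttributeValue>elasticsearch-admins</saml:AttributeValue>
    <saml:AttributeValue>employees</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""

COLLAPSED = f"""
<saml:AttributeStatement xmlns:saml="{SAML_NS}">
  <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                  Name="http://idp.example.org/attributes/groups" FriendlyName="groups">
    <saml:AttributeValue>engineering,elasticsearch-admins,employees</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""


@dataclass
class SamlAttribute:
    """Minimal stand-in for an attribute parsed from an assertion (hypothetical type)."""
    name: str
    friendly_name: Optional[str]
    values: List[str] = field(default_factory=list)

    def __str__(self) -> str:
        # Same idea as the PR: show how many values were received, so a log line
        # makes it obvious whether "a,b,c" arrived as one value or three.
        label = self.friendly_name or self.name
        return f"{label}={self.values} (len={len(self.values)})"


def parse_attributes(xml_text: str) -> List[SamlAttribute]:
    """Parse every saml:Attribute under the given element into SamlAttribute objects."""
    root = ET.fromstring(xml_text)
    attrs: List[SamlAttribute] = []
    for el in root.iter(f"{{{SAML_NS}}}Attribute"):
        values = [(v.text or "").strip() for v in el.findall("saml:AttributeValue", NS)]
        attrs.append(SamlAttribute(el.get("Name", ""), el.get("FriendlyName"), values))
    return attrs


def looks_collapsed(attr: SamlAttribute, delimiters: Sequence[str] = (",", ";")) -> bool:
    """Heuristic for the failure mode in the PR: exactly one value that contains a
    list delimiter. Multi-valued attributes (len > 1) are never flagged, and a
    single value without a delimiter is a legitimate single-valued attribute."""
    if len(attr.values) != 1:
        return False
    return any(d in attr.values[0] for d in delimiters)


def audit(xml_text: str) -> List[str]:
    """Return one warning line per attribute that looks like a collapsed list."""
    return [f"possible collapsed list: {attr}" for attr in parse_attributes(xml_text)
            if looks_collapsed(attr)]


if __name__ == "__main__":
    for sample in (MULTI_VALUED, COLLAPSED):
        for attr in parse_attributes(sample):
            print(attr)
        for warning in audit(sample):
            print(warning)
```

The heuristic is deliberately a warning, not a rewrite: splitting the string on commas in the service provider would silently turn a value that legitimately contains a comma into several group memberships, so the right fix is at the IdP, and the `(len=N)` suffix in the log is what tells the operator which case they are looking at.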
@tvernum tvernum requested a review from ankit--sethi July 14, 2025 02:41
@tvernum tvernum added >enhancement :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) v9.2.0 labels Jul 14, 2025
@elasticsearchmachine elasticsearchmachine added the Team:Security Meta label for security team label Jul 14, 2025
@elasticsearchmachine
Collaborator

Pinging @elastic/es-security (Team:Security)

@elasticsearchmachine
Collaborator

Hi @tvernum, I've created a changelog YAML for you.

@tvernum
Contributor Author

tvernum commented Jul 16, 2025

@tvernum tvernum enabled auto-merge (squash) July 16, 2025 02:14
@tvernum tvernum merged commit dc48b4b into elastic:main Jul 16, 2025
39 checks passed