Merge pull request #424 from piraveena/saml-fed-idp

Introduce config to send unsplitted SAML multi valued attributes
wso2-extensions · Jun 26, 2024 · 31246ac · 31246ac
2 parents 800b8b4 + 4f4854f
commit 31246ac
Show file tree

Hide file tree

Showing 3 changed files with 35 additions and 7 deletions.
diff --git a/...n.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/SAMLSSOConstants.java b/...n.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/SAMLSSOConstants.java
@@ -70,6 +70,7 @@ public class SAMLSSOConstants {
     public static final String SAML_SP_CERTIFICATE_EXPIRY_VALIDATION_ENABLED = "SSOService.SAMLSPCertificateExpiryValidationEnable";
     public static final String SAML_IDP_INIT_LOGOUT_RESPONSE_SIGNING_ENABLED = "SSOService.SAMLIdpInitLogoutResponseSigningEnabled";
     public static final String SAML_ASSERTION_ENCRYPT_WITH_APP_CERT = "SSOService.SAMLAssertionEncyptWithAppCert";
+    public static final String SEPARATE_MULTI_ATTRS_FROM_IDPS_USING_ATTRIBUTE_SEPARATOR = "SSOService.SeparateMultiAttributesFromIdP";
     public static final String START_SOAP_BINDING = "<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\">" +
             "<SOAP-ENV:Body>";
     public static final String END_SOAP_BINDING = "</SOAP-ENV:Body>" +

diff --git a/...ava/org/wso2/carbon/identity/sso/saml/builders/assertion/DefaultSAMLAssertionBuilder.java b/...ava/org/wso2/carbon/identity/sso/saml/builders/assertion/DefaultSAMLAssertionBuilder.java
@@ -340,15 +340,23 @@ protected AttributeStatement buildAttributeStatement(Map<String, String> claims)
         String claimSeparator = claims.get(IdentityCoreConstants.MULTI_ATTRIBUTE_SEPARATOR);
         String userAttributeSeparator;
         if (StringUtils.isNotBlank(claimSeparator)) {
-            userAttributeSeparator = claimSeparator;
-        } else {
             /*
-             * In the SAML outbound authenticator, multivalued attributes are concatenated using the primary user
-             * store's attribute separator. Therefore, to ensure uniformity, the multi-attribute separator from
-             * the primary user store is utilized for separating multivalued attributes when MultiAttributeSeparator
-             * is not available in the claims.
+            If there are any sp requested claims, then the multi attribute separator claim will be available.
              */
-            userAttributeSeparator = FrameworkUtils.getMultiAttributeSeparator();
+            userAttributeSeparator = claimSeparator;
+        } else {
+            if (!SAMLSSOUtil.separateMultiAttributesFromIdPEnabled()) {
+                userAttributeSeparator = IdentityCoreConstants.MULTI_ATTRIBUTE_SEPARATOR_DEFAULT;
+            } else {
+                /*
+                 * In the SAML outbound authenticator, multivalued attributes are concatenated using the primary user
+                 * store's attribute separator. Therefore, to ensure uniformity, the multi-attribute separator from
+                 * the primary user store is utilized for separating multivalued attributes when MultiAttributeSeparator
+                 * is not available in the claims.
+                 */
+                userAttributeSeparator = FrameworkUtils.getMultiAttributeSeparator();
+            }
+
         }
         claims.remove(IdentityCoreConstants.MULTI_ATTRIBUTE_SEPARATOR);
         claims.remove(FrameworkConstants.IDP_MAPPED_USER_ROLES);

diff --git a/...n.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/util/SAMLSSOUtil.java b/...n.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/util/SAMLSSOUtil.java
@@ -2756,4 +2756,23 @@ public static boolean isSAMLIdpInitLogoutResponseSigningEnabled() {
         return Boolean.parseBoolean(IdentityUtil.getProperty(
                 SAMLSSOConstants.SAML_IDP_INIT_LOGOUT_RESPONSE_SIGNING_ENABLED));
     }
+
+    /**
+     * SeparateMultiAttributesFromIdP config is used to separate the multi-valued attributes sent from the IdPs.
+     * This config is used when the SP doesn't request any claim in IS, and all the claims from the IdP are passed
+     * to the SP.
+     *
+     * @return false if 'separateMultiAttributesFromIdP' config is disabled. By default, this config is enabled in the
+     * product.
+     */
+    public static boolean separateMultiAttributesFromIdPEnabled() {
+
+        String separateMultiAttributesFromIdPEnabledConfig = IdentityUtil.getProperty(
+                SAMLSSOConstants.SEPARATE_MULTI_ATTRS_FROM_IDPS_USING_ATTRIBUTE_SEPARATOR);
+        if (StringUtils.isNotEmpty(separateMultiAttributesFromIdPEnabledConfig)) {
+            return Boolean.parseBoolean(separateMultiAttributesFromIdPEnabledConfig);
+        } else {
+            return true;
+        }
+    }
 }