
I'm facing a really strange issue. I interfaced a SAML authentication with OTRS, which is an ITSM written in Perl, and the Identity Provider sends the attributes as follows:

LoginName : dev-znuny02
mail      : test2@company.dev
Profile   : company.autre.idp.v2()
Profile   : company.autre.mcf.sp(dev)
givenName : MyName
sn        : Test2

I handle these with a module called Mod_Auth_Mellon and, as you can see, the attribute Profile is multi-valued. In short, I retrieve all of these values with the following snippet:

use strict;
use warnings;

use Kernel::System::User;

sub new {
  my ( $Type, %Param ) = @_;

  # allocate new hash for object
  my $Self = {};
  bless( $Self, $Type );

  # $Kernel::OM is the OTRS object manager supplied by the framework
  $Self->{ConfigObject}    = $Kernel::OM->Get('Kernel::Config');
  $Self->{UserObject}      = Kernel::System::User->new( %{$Self} );

  # Names of the environment variables that mod_auth_mellon sets for
  # each SAML attribute (the values themselves are read in Auth)
  $Self->{loginName} = 'MELLON_LoginName';
  $Self->{eMail}     = 'MELLON_mail';
  $Self->{Profile_0} = 'MELLON_Profile_0';
  $Self->{Profile_1} = 'MELLON_Profile_1';
  $Self->{gName}     = 'MELLON_givenName';
  $Self->{sName}     = 'MELLON_sn';

  return $Self;
}

sub Auth {
  my ( $Self, %Param ) = @_;

  # read the attribute values from the request environment
  my $lname       =  $ENV{ $Self->{loginName} };
  my $email       =  $ENV{ $Self->{eMail} };
  my $profile0    =  $ENV{ $Self->{Profile_0} };
  my $profile1    =  $ENV{ $Self->{Profile_1} };
  my $gname       =  $ENV{ $Self->{gName} };
  my $sname       =  $ENV{ $Self->{sName} };
  ...
}

I can handle all the values of the attributes except the attribute Profile. When I take a look at the documentation, it says:

If an attribute has multiple values, then they will be stored as MELLON_<name>_0, MELLON_<name>_1, MELLON_<name>_2

To be sure, I activated the diagnostics of the Mellon module, and indeed I receive the information correctly:

  ...
  MELLON_LoginName   : dev_znuny02
  MELLON_LoginName_0 : dev_znuny02
  MELLON_mail        : test2@company.dev
  MELLON_mail_0      : test2@company.dev
  MELLON_Profile     : company.autre.idp.v2()
  MELLON_Profile_0   : company.autre.idp.v2()
  MELLON_Profile_1   : company.autre.mcf.sp(dev)
  ...

When I try to manipulate the MELLON_Profile_0 or MELLON_Profile_1 attributes in the Perl script, the variable assigned to it seems empty. Do you have any idea what the issue could be here?

Any help is welcome! Thanks a lot, guys.

PS: I have no control over the Identity Provider, so I can't edit the attributes sent.

Caner
  • Perhaps you need to be initialising the object's attributes with the values from the environment variables, instead of the names of environment keys. – Rob Jan 11 '22 at 11:14
  • Thank you for your answer. I already tried it, but there is no difference. – Caner Jan 11 '22 at 11:40
  • Have you verified that the environment variables are actually set? – Rob Jan 11 '22 at 12:08
  • Also, it makes more sense to actually initialise the attributes with the values from environment variables. Otherwise you don't have the values in the object. – Rob Jan 11 '22 at 12:09
  • Yes, I verified that the env variables are set, and other env variables work fine. – Caner Jan 11 '22 at 12:37

1 Answer


I didn't manage to make it work, but I found a workaround to prevent users who don't have the Profile attribute value from logging into the application:

MellonCond Profile company.autre.mcf.sp(dev)

according to the documentation:

You can also utilize SAML attributes to control whether Mellon authentication succeeds (a form of authorization). So even though the IdP may have successfully authenticated the user you can apply additional constraints via the MellonCond directive. The basic idea is that each MellonCond directive specifies one condition that either evaluates to True or False.

Dharman
Caner
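As an added example (not code from the question, the answer, OTRS or mod_auth_mellon), the following Perl collects every value of a multi-valued Mellon attribute by walking the MELLON_<name>_N variables the documentation describes, lists the MELLON_* keys the process actually sees (the first thing to check when a value comes back empty), and enforces in application code the same rule the MellonCond workaround enforces in Apache. The function names and the sample environment hash are constructed here; in a real handler you would pass \%ENV.

```perl
use strict;
use warnings;

# Collect every value of a multi-valued mod_auth_mellon attribute.
# mod_auth_mellon exports MELLON_<name> (the first value) plus
# MELLON_<name>_0, MELLON_<name>_1, ... (one variable per value).
sub mellon_attribute_values {
    my ( $env, $name ) = @_;
    my @values;
    for ( my $i = 0; ; $i++ ) {
        my $key = "MELLON_${name}_$i";
        last unless defined $env->{$key};
        push @values, $env->{$key};
    }
    # Fall back to the unindexed variable if no indexed ones exist.
    if ( !@values && defined $env->{"MELLON_$name"} ) {
        push @values, $env->{"MELLON_$name"};
    }
    return @values;
}

# Debug aid: every MELLON_* variable visible to this process, so an empty
# value can be traced to the environment rather than to the lookup.
sub mellon_env_keys {
    my ($env) = @_;
    return sort grep { /^MELLON_/ } keys %$env;
}

# Application-side equivalent of "MellonCond Profile <value>": the user
# must carry the required Profile value, otherwise login is refused.
sub has_required_profile {
    my ( $env, $required ) = @_;
    return scalar grep { $_ eq $required } mellon_attribute_values( $env, 'Profile' );
}

# Constructed sample environment, modelled on the diagnostics output above.
my %sample_env = (
    MELLON_LoginName   => 'dev_znuny02',
    MELLON_LoginName_0 => 'dev_znuny02',
    MELLON_mail        => 'test2@company.dev',
    MELLON_mail_0      => 'test2@company.dev',
    MELLON_Profile     => 'company.autre.idp.v2()',
    MELLON_Profile_0   => 'company.autre.idp.v2()',
    MELLON_Profile_1   => 'company.autre.mcf.sp(dev)',
);

print "MELLON keys: ", join( ' ', mellon_env_keys( \%sample_env ) ), "\n";
print "Profile values: ", join( ' | ', mellon_attribute_values( \%sample_env, 'Profile' ) ), "\n";
print has_required_profile( \%sample_env, 'company.autre.mcf.sp(dev)' ) ? "access granted\n" : "access denied\n";
```

If mellon_env_keys(\%ENV) shows no MELLON_Profile_N entries inside the OTRS process, the values are being lost between Apache and Perl rather than in the attribute lookup.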