feat: Fix wrong session attributes (crewjam#598)

* feat: Fix wrong session attributes

* supply both eduPersonPrincipalName and mail attributes

---------

Co-authored-by: Stojan Dimitrovski <[email protected]>

Author: crewjam

identity_provider.go

@@ -38,13 +38,14 @@ type Session struct {
 	NameIDFormat string
 	SubjectID    string
 
-	Groups                []string
-	UserName              string
-	UserEmail             string
-	UserCommonName        string
-	UserSurname           string
-	UserGivenName         string
-	UserScopedAffiliation string
+	Groups                 []string
+	UserName               string
+	UserEmail              string
+	UserCommonName         string
+	UserSurname            string
+	UserGivenName          string
+	UserScopedAffiliation  string
+	EduPersonPrincipalName string `json:",omitempty"`
 
 	CustomAttributes []Attribute
 }
@@ -662,13 +663,33 @@ func (DefaultAssertionMaker) MakeAssertion(req *IdpAuthnRequest, session *Sessio
 	}
 
 	if session.UserEmail != "" {
+		attributes = append(attributes, Attribute{
+			FriendlyName: "mail",
+			Name:         "urn:oid:0.9.2342.19200300.100.1.3",
+			NameFormat:   "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
+			Values: []AttributeValue{{
+				Type:  "xs:string",
+				Value: session.UserEmail,
+			}},
+		})
+	}
+	if session.EduPersonPrincipalName != "" || session.UserEmail != "" {
+		value := session.EduPersonPrincipalName
+		if value == "" {
+			// We used to set eduPersonPrincipalName (urn:oid:1.3.6.1.4.1.5923.1.1.1.6)
+			// to the value of session.UserEmail. It is more correct to set
+			// mail (urn:oid:0.9.2342.19200300.100.1.3). To avoid breaking things,
+			// we preserve the former behavior.
+			value = session.UserEmail
+		}
+
 		attributes = append(attributes, Attribute{
 			FriendlyName: "eduPersonPrincipalName",
 			Name:         "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
 			NameFormat:   "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
 			Values: []AttributeValue{{
 				Type:  "xs:string",
-				Value: session.UserEmail,
+				Value: value,
 			}},
 		})
 	}
@@ -709,7 +730,7 @@ func (DefaultAssertionMaker) MakeAssertion(req *IdpAuthnRequest, session *Sessio
 
 	if session.UserScopedAffiliation != "" {
 		attributes = append(attributes, Attribute{
-			FriendlyName: "uid",
+			FriendlyName: "scopedAffiliation",
 			Name:         "urn:oid:1.3.6.1.4.1.5923.1.1.1.9",
 			NameFormat:   "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
 			Values: []AttributeValue{{

identity_provider_test.go

@@ -605,6 +605,17 @@ func TestIDPMakeAssertion(t *testing.T) {
 					},
 				},
 			},
+			{
+				FriendlyName: "mail",
+				Name:         "urn:oid:0.9.2342.19200300.100.1.3",
+				NameFormat:   "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
+				Values: []AttributeValue{
+					{
+						Type:  "xs:string",
+						Value: "[email protected]",
+					},
+				},
+			},
 			{
 				FriendlyName: "eduPersonPrincipalName",
 				Name:         "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
@@ -978,6 +989,17 @@ func TestIDPRequestedAttributes(t *testing.T) {
 					},
 				},
 			},
+			{
+				FriendlyName: "mail",
+				Name:         "urn:oid:0.9.2342.19200300.100.1.3",
+				NameFormat:   "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
+				Values: []AttributeValue{
+					{
+						Type:  "xs:string",
+						Value: "[email protected]",
+					},
+				},
+			},
 			{
 				FriendlyName: "eduPersonPrincipalName",
 				Name:         "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",