Can't handle HTTP multiple attribute values in Perl


I'm facing a really strange issue. I interfaced a SAML authentication with OTRS, which is an ITSM written in Perl, and the Identity Provider sends the attributes as follows:

LoginName : dev-znuny02
mail      : [email protected]
Profile   : company.autre.idp.v2()
Profile   : company.autre.mcf.sp(dev)
givenName : MyName
sn        : Test2

I handle these with a module called Mod_Auth_Mellon and, as you can see, the attribute Profile is multi-valued. In short, I retrieve all of these values with the following snippet:

sub new {
  my ( $Type, %Param ) = @_;

  # allocate new hash for object
  my $Self = {};
  bless( $Self, $Type );
  $Self->{ConfigObject}    = $Kernel::OM->Get('Kernel::Config');
  $Self->{UserObject}      = Kernel::System::User->new( %{$Self} );

  # Handle header's attributes
  $Self->{loginName} = 'MELLON_LoginName';
  $Self->{eMail}     = 'MELLON_mail';
  $Self->{Profile_0} = 'MELLON_Profile_0';
  $Self->{Profile_1} = 'MELLON_Profile_1';
  $Self->{gName}     = 'MELLON_givenName';
  $Self->{sName}     = 'MELLON_sn';


  return $Self;
}

sub Auth {
  my ( $Self, %Param ) = @_;

  # get params
  my $lname       =  $ENV{$Self->{loginName}};
  my $email       =  $ENV{$Self->{eMail}};
  my $profile0    =  $ENV{$Self->{Profile_0}};
  my $profile1    =  $ENV{$Self->{Profile_1}};
  my $gname       =  $ENV{$Self->{gName}};
  my $sname       =  $ENV{$Self->{sName}};
  ...
}

I can handle all the values of the attributes except the attribute Profile. When I take a look at the documentation, it says:

If an attribute has multiple values, then they will be stored as MELLON_<name>_0, MELLON_<name>_1, MELLON_<name>_2

To be sure, I activated the diagnostics of the Mellon module and indeed I receive the information correctly :

  ...
  MELLON_LoginName   : dev_znuny02
  MELLON_LoginName_0 : dev_znuny02
  MELLON_mail        : [email protected]
  MELLON_mail_0      : [email protected]
  MELLON_Profile     : company.autre.idp.v2()
  MELLON_Profile_0   : company.autre.idp.v2()
  MELLON_Profile_1   : company.autre.mcf.sp(dev)
  ...

When I try to manipulate the MELLON_Profile_0 or MELLON_Profile_1 attributes in the Perl script, the variable assigned to it seems empty. Do you have any idea what the issue could be here?

Any help is welcome! Thanks a lot, guys.

PS: I have no control over the Identity Provider, so I can't edit the attributes sent.


0
Caner On

I didn't manage to make it work, but I found a workaround to prevent users who don't have the Profile attribute value from logging into the application:

MellonCond Profile company.autre.mcf.sp(dev)

According to the documentation:

You can also utilize SAML attributes to control whether Mellon authentication succeeds (a form of authorization). So even though the IdP may have successfully authenticated the user you can apply additional constraints via the MellonCond directive. The basic idea is that each MellonCond directive specifies one condition that either evaluates to True or False.
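
An added example, not part of the question or the answer above: one way to gather every value of a multi-valued attribute using the MELLON_<name>_N naming quoted from the documentation, list which MELLON_* variables the Perl process can actually see, and apply the same exact-match Profile check in application code. The function names and the sample environment are constructed for illustration; the example does not explain why the variables were empty in the asker's setup.

```perl
use strict;
use warnings;

# Collect every value of a multi-valued attribute from an environment hash,
# following the MELLON_<name>_0, MELLON_<name>_1, ... naming quoted above.
sub mellon_values {
    my ( $env, $name ) = @_;
    my @values;
    for ( my $i = 0; defined $env->{"MELLON_${name}_$i"}; $i++ ) {
        push @values, $env->{"MELLON_${name}_$i"};
    }

    # Fall back to the unindexed variable if no indexed one is visible.
    push @values, $env->{"MELLON_$name"}
        if !@values && defined $env->{"MELLON_$name"};
    return @values;
}

# Authorization check: string equality against each value. The profile
# names contain '.', '(' and ')', so a regex match without quoting would
# accept strings other than the intended one.
sub has_profile {
    my ( $env, $required ) = @_;
    return scalar grep { $_ eq $required } mellon_values( $env, 'Profile' );
}

# Names of the MELLON_* variables this process can see, for comparison
# with the module's diagnostics output.
sub visible_mellon_vars {
    my ($env) = @_;
    return sort grep { /^MELLON_/ } keys %{$env};
}

# Constructed sample environment mirroring the diagnostics in the question;
# in the authentication backend, pass \%ENV instead.
my %sample_env = (
    MELLON_LoginName   => 'dev_znuny02',
    MELLON_LoginName_0 => 'dev_znuny02',
    MELLON_Profile     => 'company.autre.idp.v2()',
    MELLON_Profile_0   => 'company.autre.idp.v2()',
    MELLON_Profile_1   => 'company.autre.mcf.sp(dev)',
);

print "visible: $_\n" for visible_mellon_vars( \%sample_env );
print "profile: $_\n" for mellon_values( \%sample_env, 'Profile' );
for my $wanted ( 'company.autre.mcf.sp(dev)', 'company.autre.mcf.sp(prod)' ) {
    printf "%-28s %s\n", $wanted, has_profile( \%sample_env, $wanted ) ? 'allow' : 'deny';
}
```

If the list of visible variables printed from inside the application is shorter than what the module's diagnostics show, the values are being lost between the web server and the Perl process rather than in the lookup code.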