Missing attributes in LDAP cause empty values to be returned in SAML and OIDC
Concerned version
Version: 2.0.6
Platform: Nginx, LDAP
Summary
When an LDAP entry contains no value for a requested exported variable, it is stored in the session as an empty string.
This is fine when using the handler or CAS issuer, because empty strings are not exported as headers or CAS attributes. But:
- OIDC will return an empty claim, although the OIDC Core spec (section 5.3.2) says: "If a Claim is not returned, that Claim Name SHOULD be omitted from the JSON object representing the Claims; it SHOULD NOT be present with a null or empty string value."
- SAML will not detect that the attribute is missing, so even if it is required it will send an empty value.
Logs
[debug] Store in session key test
Possible fixes
I intend to store undef instead of an empty string if no attribute value was found in UserDB::LDAP::setSessionInfo. The portal store method does not store a session key if its value is undef.
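As an added illustration (not Lemonldap::NG code) of what the proposed change buys: a constructed LDAP entry with one attribute missing, a stand-in for setSessionInfo that takes the missing-value marker as a parameter, a store step that skips undef keys the way the portal store method does, and the OIDC claims built from the stored session. The session keys, exportedVars mapping and function names are assumptions.

```perl
#!/usr/bin/env perl
# Added example, not Lemonldap::NG code: empty string vs undef for a missing LDAP attribute.
use strict;
use warnings;
use JSON::PP;

# Constructed LDAP entry: 'mail' is present, 'telephoneNumber' is absent.
my %ldap_entry = ( uid => ['dwho'], mail => ['dwho@example.com'] );

# Hypothetical exportedVars: session key => LDAP attribute name.
my %exported_vars = ( uid => 'uid', mail => 'mail', phone => 'telephoneNumber' );

# Stand-in for UserDB::LDAP::setSessionInfo. $missing is what a key gets when the
# attribute has no value: '' reproduces the current behaviour, undef the proposed one.
sub session_info {
    my ( $entry, $vars, $missing ) = @_;
    my %info;
    for my $key ( keys %$vars ) {
        my $values = $entry->{ $vars->{$key} };
        $info{$key} = ( $values && @$values ) ? $values->[0] : $missing;
    }
    return \%info;
}

# Mimics the portal store step: a key whose value is undef is never written.
sub store_session {
    my ($info) = @_;
    my %session;
    for my $key ( sort keys %$info ) {
        next unless defined $info->{$key};
        print "[debug] Store in session key $key\n";
        $session{$key} = $info->{$key};
    }
    return \%session;
}

# OIDC claims are built only from keys that exist in the session, so a key that was
# never stored is omitted from the JSON instead of appearing as "".
sub oidc_claims {
    my ( $session, @claim_keys ) = @_;
    my %claims;
    for my $key (@claim_keys) {
        $claims{$key} = $session->{$key} if exists $session->{$key};
    }
    return JSON::PP->new->canonical->encode( \%claims );
}

my @claims = qw(mail phone);
print "current: ", oidc_claims( store_session( session_info( \%ldap_entry, \%exported_vars, '' ) ), @claims ), "\n";
print "fixed:   ", oidc_claims( store_session( session_info( \%ldap_entry, \%exported_vars, undef ) ), @claims ), "\n";
```

With '' the "phone" claim is emitted with an empty value; with undef the store step logs no "Store in session key phone" line and the claim is absent, which is also what a SAML required-attribute check needs in order to notice the attribute is missing.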