
Add SAML authenticator setting to allow repeat attribute names #21

Open
wants to merge 2 commits into base: main

Conversation

@cwperks cwperks (Owner) commented Feb 9, 2024

Description

Adds a new setting for SAML authentication to allow_repeat_attribute_names. Currently, the security plugin uses the Saml2Settings default of false which prevents repeat attributes with the same name in the SAML assertion.

Example of SAML Response where an attribute appears at most once per attribute name:

No repeat attribute names http://test.entity neQI779y5e173nAgsI/3mnBkEV0gssO3zRRCZ/+xd2g= flsOEajENFQc1qQpx8DGZmQySAUQi5juDztIOuTvwkuY2MMRkVp9MeG72PsIStgg5wbcEn/47O+T NwS8Wey60F0oGErrhz1j56j27qwklPIRl5Q0sYPC3UIiyY5HYnvZDosrIdRWk5zotaD7l8kbXwJ0 3umoQzUQhTB7LGzGM3vbgsClhidKi4X3okXcQBS/DKeL+hE+Ry2scIVlM4jnAJlYXcedyl7JyRr/ TxWK6jXofc6CrJsqE2d0GkLBLbe5G7+xiQYywJC0gdNL7Vpk//78FvhWEQ8FLgT+TCwS/FeNl4cn Z7etIXrcLwe0Wk2MSw8g8EtLsrRqytD/zkjgeg== horst urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified Admin Developer

Example with repeat attribute name (in this example role is the repeat attribute name):

With repeat attribute names http://test.entity EYXZTcsxuHz/kfn9Y4CU2FuOAOOYr0KznMc77+knl4w= OwfhibGkbGa5r5/GkMXrBRhaowuvMeSl36E+VSLZqIktakvEFE/QJDupLOZR1Rk+G1Ru8/1PdyRK dd1dQ6DYUkJzlq/qMWEnkqqXdUb5Qk0YQtIFpwCv0X/aYn7T08sprVyQJx+/NICFWRiNDQKYPyBO 68vOpIK+qoM15DD1UCFzHWxqqKZ5YwIgJP/SKiFec5RIY940FK7xxwrBrQSGW+BWaexz2hLyAu2n ZqkQfA0LXDSCd4MXUrTOZYTNwhhYdFpOZzDoa4OrztjtpT8yusbOh5FqgOJOk9IFH5qQvKYMZgaD 9V5xgHQi9PpuZiuIKf0lijO7qVKvJiGYGH+M3A== horst urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified Admin Developer

Currently, when there is a repeat attribute name the security plugin will produce the following error:

  1> com.onelogin.saml2.exception.ValidationError: Found an Attribute element with duplicated Name
  1>    at com.onelogin.saml2.authn.SamlResponse.getAttributes(SamlResponse.java:598) ~[java-saml-core-2.9.0.jar:?]
  1>    at com.amazon.dlic.auth.http.saml.AuthTokenProcessorHandler.extractRoles(AuthTokenProcessorHandler.java:383) ~[main/:?]
  1>    at com.amazon.dlic.auth.http.saml.AuthTokenProcessorHandler.createJwt(AuthTokenProcessorHandler.java:289) ~[main/:?]
  1>    at com.amazon.dlic.auth.http.saml.AuthTokenProcessorHandler.handleImpl(AuthTokenProcessorHandler.java:164) ~[main/:?]
  1>    at com.amazon.dlic.auth.http.saml.AuthTokenProcessorHandler.handleLowLevel(AuthTokenProcessorHandler.java:221) ~[main/:?]
  1>    at com.amazon.dlic.auth.http.saml.AuthTokenProcessorHandler.lambda$handle$0(AuthTokenProcessorHandler.java:126) ~[main/:?]
  1>    at java.base/java.security.AccessController.doPrivileged(AccessController.java:569) [?:?]
Category

  • Enhancement

Issues Resolved

  • Will add one shortly

Check List

  • New functionality includes testing
  • New functionality has been documented
  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

Signed-off-by: Craig Perkins <cwperx@amazon.com>
Signed-off-by: Craig Perkins <cwperx@amazon.com>
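The failure in the stack trace above comes from the strict default of java-saml's Saml2Settings, which refuses an assertion that carries two Attribute elements with the same Name. The following is an added example, not code from the OpenSearch security plugin or from java-saml: it parses a hand-constructed, unsigned SAML Response and shows the two behaviours the proposed setting switches between. With the strict default a repeated `role` attribute is a validation error; with repeats allowed, the values of the repeated attribute are merged in document order, which yields the same role list as a single attribute with two values. The element layout, the `ValidationError` class and the `extract_roles` helper are assumptions made for this example; real responses carry a Signature that a processor verifies before reading attributes, which this example skips.

```python
# Added example (not code from the security plugin or java-saml): shows what
# an allow_repeat_attribute_names switch changes when reading a SAML
# AttributeStatement. The assertion is constructed here and unsigned.
from typing import Dict, List
import xml.etree.ElementTree as ET  # assumption: stdlib parser; prefer defusedxml in production

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def _response(attribute_statement: str) -> str:
    """Wrap a constructed AttributeStatement body in a minimal, unsigned Response."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
  <saml:Issuer>http://test.entity</saml:Issuer>
  <saml:Assertion>
    <saml:Subject><saml:NameID>horst</saml:NameID></saml:Subject>
    <saml:AttributeStatement>{attribute_statement}</saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


# Constructed inputs. The first carries one "role" attribute with two values;
# the second repeats the "role" attribute name, one value per element.
SINGLE_ATTRIBUTE = _response(
    '<saml:Attribute Name="role">'
    "<saml:AttributeValue>Admin</saml:AttributeValue>"
    "<saml:AttributeValue>Developer</saml:AttributeValue>"
    "</saml:Attribute>"
)
REPEATED_ATTRIBUTE = _response(
    '<saml:Attribute Name="role"><saml:AttributeValue>Admin</saml:AttributeValue></saml:Attribute>'
    '<saml:Attribute Name="role"><saml:AttributeValue>Developer</saml:AttributeValue></saml:Attribute>'
)


class ValidationError(Exception):
    """Local stand-in for the library's ValidationError seen in the stack trace."""


def get_attributes(response_xml: str, allow_repeat_attribute_name: bool = False) -> Dict[str, List[str]]:
    """Collect Name -> [values] from every Attribute in the AttributeStatement.

    Strict mode (the default) rejects a second Attribute with an already seen
    Name; relaxed mode appends its values to the first one's list.
    """
    root = ET.fromstring(response_xml)
    attributes: Dict[str, List[str]] = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name")
        if not name:
            raise ValidationError("Attribute element without a Name")
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        if name in attributes:
            if not allow_repeat_attribute_name:
                raise ValidationError("Found an Attribute element with duplicated Name")
            attributes[name].extend(values)
        else:
            attributes[name] = values
    return attributes


def extract_roles(response_xml: str, roles_key: str = "role",
                  allow_repeat_attribute_name: bool = False) -> List[str]:
    """Return the role values under roles_key (assumed key name for this example)."""
    return get_attributes(response_xml, allow_repeat_attribute_name).get(roles_key, [])


def rejects_repeat(response_xml: str) -> bool:
    """True when the strict default refuses the response because of a repeated Name."""
    try:
        get_attributes(response_xml)
        return False
    except ValidationError:
        return True


if __name__ == "__main__":
    print(extract_roles(SINGLE_ATTRIBUTE))                                      # ['Admin', 'Developer']
    print(rejects_repeat(REPEATED_ATTRIBUTE))                                   # True
    print(extract_roles(REPEATED_ATTRIBUTE, allow_repeat_attribute_name=True))  # ['Admin', 'Developer']
```

The merge semantics matter: a relaxed reader that kept only the first or the last element of a repeated name would hand the caller a smaller role set than the IdP asserted, so if the check is switched off, every value of every same-named element should be kept. Enabling the setting is only needed for IdPs that actually emit one Attribute element per value.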