pysaml2 should not try to convert attribute Names to attribute FriendlyNames.

[c00kiemon5ter]

Expected Behavior

Attributes should be untouched and specified by their Name (which is a required attribute). As FriendlyName is an optional attribute, one cannot rely on that and must-not as specified by the specification.

Section 2.7.3.1, § FriendlyName, line 1271
This attribute's value MUST NOT be used as a basis for formally identifying SAML attributes

Convertion from Name to FriendlyName should be explicit and handled by the user.

Current Behavior

Internally pysaml2 converts attribute names to friendly names and uses the latter for most operations, like filtering, metadata generation (RequestedAttributes element), creation of class members, etc. This is achieved through the AttributeConverter class, the helper functions defined in attribute_converter module and the attributemaps files. These allows for some control over the conversion process.

Possible Solution

Only depend on attribute Name. It is the only way to guarantee robustness and is required to be in line with the specification. This questions the value of attribute_converter module; whether it is needed at all. The user of the library (the application) should be responsible for such a conversion, which most probably would be used to present an interface where friendly-names could be used in place of the non-descriptive name identifiers.

[c00kiemon5ter]

Related to #548

[c00kiemon5ter]

Semi-related to #524

[c00kiemon5ter]

Friendly names are used in the configuration:

• Policy configuration

name_form
Which name-form that should be used when sending assertions. Using this information the attribute name in the data source will be mapped to the friendly name, and the saml attribute name will be taken from the uri/oid defined in the attribute map.

(breaking) This should be removed.

• Requested attributes

It is mandatory that at least name or friendly_name is set.

(breaking) Name should be mandatory.

• Optional attributes

Since the attribute names used here are the user friendly ones an attribute map must exist, so that the server can use the full name when communicating with other servers.

(breaking) Switch to using names.

• Required attributes

the names given are expected to be the user friendly names.

(breaking) Switch to using names.

[c00kiemon5ter]

Call chains into attribute_converter

[c00kiemon5ter]

Related to #556

[mrvanes]

Mind that one added value of the attributemaps is the possibility to know attributename-format when generating attributes, it facilitates the notion of 'known' vs 'unknown' attributes and it may be used to generate friendyName attribute to the attribute xml element (how confusing!)

[c00kiemon5ter]

Related to #403