An empty SAML attribute mapping row can be selected as the field to match users on, and the form saves it.
Since there is nothing to match against, the user match then always fails.
- Have 2 portals running, one in the SAML IdP role and one in the SP role, set up according to the documentation: 7.4-SAML-S1-S4
- Log in to the Identity Provider (localhost:8080) as Instance Admin
- Go to Control Panel / USERS / Users and Organization
- Define a new End User as [email protected] / test
- Log in to the SP (www.able.com:8080) as Instance Administrator
- Go to Control Panel / Security / SAML
- Switch to Identity Provider Connections tab
- Open the IP1 connection's settings
- Scroll down to Attribute Mapping
- Remove all fields
- Select "Match Using a Specific SAML Attribute Mapping" at User Resolution
- Select the empty User Field Expression row and mark it as "Use to Match Users"
- Save the form
- Log out of the SP as Instance Administrator
- Try to sign in to the SP using [email protected] / test
The End User's login fails.
The Identity Provider Connection form shouldn't allow saving if the "Match Using a Specific SAML Attribute Mapping" option is selected and the only Attribute Mapping rows marked as "Use to Match Users" are empty.
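A save-time check that would close this gap, written as an added example in Python (not Liferay's own code); the mode names, the mapping row shape and the resolution logic are assumptions for illustration. It also mimics why an empty mapping can never match a user, which is what the login failure above shows.

```python
from dataclasses import dataclass

# Hypothetical names for the two "User Resolution" modes on the form.
MATCH_BY_ATTRIBUTE = "match-using-specific-saml-attribute"
MATCH_BY_NAMEID = "match-by-name-id"


@dataclass
class AttributeMapping:
    """One row of the Attribute Mapping table (shape assumed for this example)."""
    saml_attribute: str         # attribute name in the incoming SAML assertion
    user_field_expression: str  # portal user field it maps to, e.g. "emailAddress"
    use_to_match: bool = False  # the "Use to Match Users" checkbox


def _complete(m: AttributeMapping) -> bool:
    # Whitespace-only values are treated as empty, not just the empty string.
    return bool(m.saml_attribute.strip()) and bool(m.user_field_expression.strip())


def validate_idp_connection(user_resolution: str, mappings: list) -> list:
    """Return validation errors; an empty list means the form may be saved."""
    errors = []
    if user_resolution != MATCH_BY_ATTRIBUTE:
        return errors  # the mapping table is irrelevant for other resolution modes
    marked = [m for m in mappings if m.use_to_match]
    for m in marked:
        if not _complete(m):
            errors.append("A mapping marked 'Use to Match Users' has an empty "
                          "SAML attribute or user field expression")
    if not any(_complete(m) for m in marked):
        errors.append("'Match Using a Specific SAML Attribute Mapping' needs at "
                      "least one complete mapping marked 'Use to Match Users'")
    return errors


def resolve_user(assertion_attributes: dict, users: list, mappings: list):
    """Mimic attribute-based resolution: the first marked mapping decides.

    Returns the matching user dict, or None when no user can be matched."""
    for m in mappings:
        if not m.use_to_match:
            continue
        value = assertion_attributes.get(m.saml_attribute)
        if value is None:  # an empty attribute name never appears in an assertion
            return None
        return next((u for u in users if u.get(m.user_field_expression) == value), None)
    return None
```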