From 11761807f4ea895dc10962a69d5913787513d980 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9ment=20Oudot?=
Date: Fri, 18 Jun 2010 07:50:37 +0000
Subject: [PATCH] SAML: do not send empty Attribute Statement (#109)
---
 .../lib/Lemonldap/NG/Portal/IssuerDBSAML.pm | 41 +++++++++++--------
 1 file changed, 25 insertions(+), 16 deletions(-)
diff --git a/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/IssuerDBSAML.pm b/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/IssuerDBSAML.pm
index 2b793f673..83f67c105 100644
--- a/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/IssuerDBSAML.pm
+++ b/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/IssuerDBSAML.pm
@@ -825,9 +825,12 @@ sub issuerForUnAuthUser {
 }
 # Create attribute statement
+ if ( scalar @returned_attributes ) {
 my $attribute_statement;
- eval { $attribute_statement = Lasso::Saml2AttributeStatement->new(); };
+ eval {
+ $attribute_statement = Lasso::Saml2AttributeStatement->new();
+ };
 if ($@) {
 $self->checkLassoError($@);
 $self->returnSOAPMessage();
@@ -851,6 +854,7 @@ sub issuerForUnAuthUser {
 # Set response assertion
 $query->response->Assertion( ($assertion) );
+ }
 # Build response
 $att_response = $self->buildAttributeResponse($query);
@@ -1304,20 +1308,6 @@ sub issuerForAuthUser {
 }
- # Create attribute statement
- my $attribute_statement;
-
- eval {
- $attribute_statement = Lasso::Saml2AttributeStatement->new();
- };
- if ($@) {
- $self->checkLassoError($@);
- return PE_ERROR;
- }
-
- # Register attributes in attribute statement
- $attribute_statement->Attribute(@attributes);
-
 # Get response assertion
 my @response_assertions = $login->response->Assertion;
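Review bot: In issuerForUnAuthUser the `if ( scalar @returned_attributes ) {` opened in the hunk at -825 is closed only in the hunk at -851, after `$query->response->Assertion( ($assertion) );`, so an attribute query that matches nothing is now answered with no assertion at all, whereas issuerForAuthUser drops only the statement and keeps its assertion. The comment left above the guard still reads `# Create attribute statement` and hides that difference; I would reword it to `# Attach an assertion only when there are attributes to return (never send an empty AttributeStatement)`. The lines between these two hunks are not visible here, so whether `$assertion` is built before the guard and then discarded cannot be checked from this page. A relying party that treats a missing assertion differently from a missing statement will see the two code paths behave differently, which is worth stating in the commit message as well.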
@@ -1330,9 +1320,28 @@ sub issuerForAuthUser {
 $response_assertions[0]
 ->set_subject_name_id( $login->nameIdentifier );
+ # Create attribute statement
+ if ( scalar @attributes ) {
+
+ my $attribute_statement;
+
+ eval {
+ $attribute_statement =
+ Lasso::Saml2AttributeStatement->new();
+ };
+ if ($@) {
+ $self->checkLassoError($@);
+ return PE_ERROR;
+ }
+
+ # Register attributes in attribute statement
+ $attribute_statement->Attribute(@attributes);
+
 # Add attribute statement in response assertion
 my @attributes_statement = ($attribute_statement);
- $response_assertions[0]->AttributeStatement(@attributes_statement);
+ $response_assertions[0]
+ ->AttributeStatement(@attributes_statement);
+ }
 # Get AuthnStatement
 my @authn_statements = $response_assertions[0]->AuthnStatement();
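Review bot: In the block added to issuerForAuthUser only the constructor is inside `eval`; `$attribute_statement->Attribute(@attributes);` and `$response_assertions[0]->AttributeStatement(@attributes_statement);` run unguarded. If those Lasso setters can raise the way the constructor can (not verifiable from this hunk), the failure bypasses `checkLassoError` and the `return PE_ERROR` path. I would move both calls into the existing `eval { ... }` so all three share one error path. The temporary array is then unnecessary, e.g. `$response_assertions[0]->AttributeStatement($attribute_statement);`. The function body starts and continues outside the hunk, so whether `$response_assertions[0]` is checked for definedness before use cannot be seen from here.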