Handling of multi-valued CommonName and mail attributes

[phavekes]

This issue is imported from pivotal - Originaly created at Jun 10, 2016 by Pieter van der Meulen

The urn:mace:dir:attribute-def:cn and urn:mace:dir:attribute-def:mail attributes that are used by Stepup are multi-value attributes. See:
http://software.internet2.edu/eduperson/internet2-mace-dir-eduperson-201602.html#cn
http://software.internet2.edu/eduperson/internet2-mace-dir-eduperson-201602.html#mail
https://wiki.surfnet.nl/display/surfconextdev/Attributes+in+SURFconext

We have had a discussion on how to handle this case. As far as we know IdPs in the SURFconext federation do not provide more than one value for these attributes, but in theory they could.

The current behavior is to silently take the first value and ignore others. Both mail and CN are verified during the registration process by respectively the SS and the RA.
Adding support for a user having multiple email addresses and common names is a significant amount of work. Lacking a usecase it does not make sense to implement this.

What should be the behavior be? Options:

1. Take first value of mail and CN (current behavior)
2. Take first value of mail and CN and log a warning
3. Generate an error when a multi-valued mail or CN attribute is received by the selfservice

This should only affect the SelfService component because that is the only place where a new identity can be introduced. The Gateway or the RA must ignore these attributes.

[phavekes]

Ad discussed we go for option #2 (Pieter van der Meulen - Jul 4, 2016)

[phavekes]

Tested authenticating with an account with two values for the mail and cn attributes.
This logs two messages at level WARNING from selfservice, ra and gateway are silent:

• 'Found "2" values for attribute "mail", using first value'
• 'Found "2" values for attribute "commonName", using first value' (Pieter van der Meulen - Sep 23, 2016)