Tim van Dijen authored
Authentication Processing Filters in SimpleSAMLphp
In SimpleSAMLphp, there is an API that lets you run additional processing at the IdP after authentication is complete, just before the user is sent back to the SP. The same API is available on the SP, after a successful Authentication Response has been received from the IdP and before the user is sent back to the SP application.
Authentication processing filters post-process the authentication information received from authentication sources. This can be used for additional authentication checks, for requesting the user's consent before delivering attributes about the user, for modifying the user's attributes, and for anything else that should be performed before returning the user to the service provider they came from.
Examples of neat things to do using Authentication Processing Filters:
- Filter out a subset of available attributes that are sent to an SP.
- Modify the name of attributes.
- Generate new attributes that are composed of others, for example eduPersonTargetedID.
- Ask the user for consent before the user is sent back to a service.
- Implement basic Access Control on the IdP (not necessarily a good idea), limiting access for some users to some SPs.
Be aware that Authentication Processing Filters replace some of the previous features in SimpleSAMLphp, namely:
- attributemap
- attributealter
- attribute filter
Later in this document, we will describe in detail the alternative Authentication Processing Filters that replicate these functionalities.
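As an added illustration (not part of the original page or the project's own documentation), the following per-SP metadata entry on the IdP chains three of the uses listed above: renaming an attribute, limiting what is released to one SP, and asking for consent. The entity ID, ACS URL, attribute names and priority numbers are constructed for the example, and the consent step assumes the consent module is enabled.

```php
<?php
// metadata/saml20-sp-remote.php on the IdP.
// Added example: entity ID, URL and attribute names are constructed.
$metadata['https://sp.example.org/metadata'] = [
    'AssertionConsumerService' => 'https://sp.example.org/acs',

    // Filters run in ascending order of their integer key, so the
    // order below is also the order in which the attributes change.
    'authproc' => [
        // 1. Rename: the directory's "mail" becomes "email" for this SP.
        40 => [
            'class' => 'core:AttributeMap',
            'mail' => 'email',
        ],

        // 2. Minimise: only the listed attributes survive this filter.
        //    It runs after the rename, so it must list the new name.
        //    Anything else the authentication source returned is dropped
        //    and never reaches the SP.
        50 => [
            'class' => 'core:AttributeLimit',
            'email',
            'displayName',
        ],

        // 3. Consent: placed last so the user is shown exactly the
        //    attribute set that will be released, not the full set.
        90 => [
            'class' => 'consent:Consent',
        ],
    ],
];
```

Ordering is the part that is easy to get wrong: if the limit filter ran before the rename it would have to list `mail`, and if consent ran before the limit filter the user would be asked to approve attributes that are later dropped.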
How to configure Auth Proc Filters
Auth Proc Filters can be set globally, or be made specific to a single SP or a single IdP. That means there are five locations where you can configure Auth Proc Filters: