From 03912728a9eaee1cdf44e0c58ecb71e872d23138 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jaime=20P=C3=A9rez=20Crespo?= <jaime.perez@uninett.no>
Date: Mon, 6 Jan 2014 20:11:58 +0000
Subject: [PATCH] New add_candidate option when configuring SmartID, to allow the user to decide whether to prepend or not the candidate attribute name to the resulting value. Issue #605.
git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@3318 44740490-163a-0410-bde0-09ae8108e29a
---
 .../smartattributes/docs/smartattributes.txt | 37 +++++++++++++------
 .../lib/Auth/Process/SmartID.php | 16 +++++++-
 2 files changed, 40 insertions(+), 13 deletions(-)
diff --git a/modules/smartattributes/docs/smartattributes.txt b/modules/smartattributes/docs/smartattributes.txt
index fbee41c6f..0c2c8c136 100644
--- a/modules/smartattributes/docs/smartattributes.txt
+++ b/modules/smartattributes/docs/smartattributes.txt
@@ -1,17 +1,17 @@ SmartAttributes module
 ======================
-The SmartAttributes module provides authentication processing filters that add attributes.
-The logic in these filters exceeds what is possible with the standard filters such as [`core:AttributeAdd`], [`core:AttributeAlter`], and [`core:AttributeMap`].
+The SmartAttributes module provides authentication processing filters to add attributes.
+The logic in this filter exceeds what is possible with the standard filters such, as [`core:AttributeAdd`], [`core:AttributeAlter`], and [`core:AttributeMap`].
 `smartattributes:SmartID`
 =========================
-Filter to add an identifier attribute, based on the first non-empty attribute from a given list of attribute names.
-This is usefull when there are multiple SAML IdPs configured, and there is no common identifier among them.
-For example some IdPs sent eduPersonPrincipalName, while others sent eduPersonTargetedID. If any of the social network are configured as authsource, they will sent yet another identifier.
+A filter to add an identifier attribute, based on the first non-empty attribute from a given list of attribute names.
+This is useful when there are multiple SAML IdPs configured, and there is no common identifier among them.
+For example some IdPs send eduPersonPrincipalName, while others send eduPersonTargetedID. If any of the social networks are configured as an authsource, they will send yet another identifier.
 The filter has the following configuration options:
 * `candidates`. An array of attributes names to consider as the identifier attribute. Defaults to:
@@ -24,9 +24,10 @@ The filter has the following configuration options:
 * myspace_targetedID
 * linkedin_targetedID
 * `id_attribute`. A string to use as the name of the newly added attribute. Defaults to `smart_id`.
-* `add_authority`. A boolean to indicate whether or not to append the SAML AuthenticatingAuthority to the resulting identifier. This can be useful to indicate what SAML IdP was used, in case the original identifier is not scoped. Defaults to `true`.
+* `add_authority`. A boolean to indicate whether or not to append the SAML AuthenticatingAuthority to the resulting identifier. This can be useful to indicate what SAML IdP was used, in case the original identifier is not scoped. Defaults to `TRUE`.
+* `add_candidate`. A boolean to indicate whether or not to prepend the candidate attribute name to the resulting identifier. This can be useful to indicate the attribute originating the identifier. Defaults to `TRUE`.
-The generated identifiers have the form:
+The generated identifiers have the following form:
 `AttributeName:AttributeValue!AuthenticatingAuthority`
@@ -46,11 +47,10 @@ Without any configuration:
 ),
-This will add an attribute called `smart_id` with this value:
+This will add an attribute called `smart_id` with a value looking like, for example:
 `eduPersonTargetedID:c4bcbe7ca8eac074f65291fd5524caa88f3115c8!https://login.terena.org/idp/saml2/idp/metadata.php`
-
 Custom configuration:
 'authproc' => array(
@@ -58,11 +58,26 @@ Custom configuration:
 'class' => 'smartattributes:SmartID',
 'candidates' => array('eduPersonTargetedID', 'eduPersonPrincipalName'),
 'id_attribute' => 'FooUniversityLocalID',
- 'add_authority' => false
+ 'add_authority' => FALSE,
 ),
 ),
-This will add an attribute called `FooUniversityLocalID` with this value:
+This will add an attribute called `FooUniversityLocalID` with a value like:
 `eduPersonTargetedID:c4bcbe7ca8eac074f65291fd5524caa88f3115c8`
+If you also want to remove the name of the originating attribute, you could configure it like this:
+ 'authproc' => array(
+ 50 => array(
+ 'class' => 'smartattributes:SmartID',
+ 'candidates' => array('eduPersonTargetedID', 'eduPersonPrincipalName'),
+ 'id_attribute' => 'FooUniversityLocalID',
+ 'add_authority' => FALSE,
+ 'add_candidate' => FALSE,
+ ),
+ ),
+
+Resulting in:
+
+`c4bcbe7ca8eac074f65291fd5524caa88f3115c8`
diff --git a/modules/smartattributes/lib/Auth/Process/SmartID.php b/modules/smartattributes/lib/Auth/Process/SmartID.php
index 2520bf828..7e7e921e7 100644
--- a/modules/smartattributes/lib/Auth/Process/SmartID.php
+++ b/modules/smartattributes/lib/Auth/Process/SmartID.php
@@ -31,6 +31,11 @@ class sspmod_smartattributes_Auth_Process_SmartID extends SimpleSAML_Auth_Proces
 */
 private $_add_authority = true;
+ /**
+ * Whether to prepend the CandidateID, separated by ':'
+ */
+ private $_add_candidate = true;
+
 /**
 * Attributes which should be added/appended.
 *
@@ -65,15 +70,22 @@ class sspmod_smartattributes_Auth_Process_SmartID extends SimpleSAML_Auth_Proces
 }
 }
+ if (array_key_exists('add_candidate', $config)) {
+ $this->_add_candidate = $config['add_candidate'];
+ if (!is_bool($this->_add_candidate)) {
+ throw new Exception('SmartID authproc configuration error: \'add_candidate\' should be a boolean.');
+ }
+ }
+
 }
 private function addID($attributes, $request) {
 foreach ($this->_candidates as $idCandidate) {
 if (isset($attributes[$idCandidate][0])) {
 if(($this->_add_authority) && (isset($request['saml:AuthenticatingAuthority'][0]))) {
- return $idCandidate.':'.$attributes[$idCandidate][0] . '!' . $request['saml:AuthenticatingAuthority'][0];
+ return ($this->_add_candidate ? $idCandidate.':' : '').$attributes[$idCandidate][0] . '!' . $request['saml:AuthenticatingAuthority'][0];
 } else {
- return $idCandidate.':'.$attributes[$idCandidate][0];
+ return ($this->_add_candidate ? $idCandidate.':' : '').$attributes[$idCandidate][0];
 }
 }
 }
-- 
GitLab
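Review bot: Disabling `add_candidate` removes the only part of the identifier that tells values taken from different candidate attributes apart, so with `add_authority` also off the two new return lines hand back the raw attribute value, and two subjects whose (different) candidate attributes happen to carry the same string would end up with the same `id_attribute`; neither the code nor the docs warns about that. The `$_add_candidate` docblock in the previous hunk and the `add_candidate` entry in smartattributes.txt should say that the default `true` is what keeps the identifier unambiguous across candidates and that turning it off is only appropriate when a single candidate is configured or the candidates are known not to overlap, e.g. `* Whether to prepend the candidate attribute name, separated by ':'. When false, values from different candidates are indistinguishable.`. As a matter of style, the ternary is now duplicated in both branches of addID; computing `$prefix = $this->_add_candidate ? $idCandidate.':' : '';` once before the inner `if` and using `$prefix` in both returns keeps them from drifting apart. addID's closing brace and any fall-through return after the loop lie outside the hunk.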