Add initial support for SAML Subject Id Attributes

The OASIS spec [SAML V2.0 Subject Identifier Attributes Profile](https://wiki.oasis-open.org/security/SAMLSubjectIDAttr) defines two new standard attributes intending to replace use of persistent NameIDs and the eduPersonTargetedID and eduPersonUniqueId SAML attributes. The updated Kantara [SAML V2.0 Interoperability Deployment Profile](https://kantarainitiative.github.io/SAMLprofiles/saml2int.html) will also standardize on these new attributes (cf. SDP-SP15 ibid.).

This commit adds the two new attributes:

* to the URN attribute maps
* to attribute definitions and translations of the locale system
* to the smartattributes:SmartID auth proc filter (after any other SAML attributes, but before the non-SAML ones).

Support for saml2int SDP-SP16 (attribute requirements signalling via Entity Attributes) is not included here.

attributemap/name2urn.php

@@ -112,6 +112,7 @@ $attributemap = array(
     'owner'                         => 'urn:mace:dir:attribute-def:owner',
     'pager'                         => 'urn:mace:dir:attribute-def:pager',
     'pagerTelephoneNumber'          => 'urn:mace:dir:attribute-def:pagerTelephoneNumber',
+    'pairwise-id'                   => 'urn:oasis:names:tc:SAML:attribute:pairwise-id',
     'personalSignature'             => 'urn:mace:dir:attribute-def:personalSignature',
     'personalTitle'                 => 'urn:mace:dir:attribute-def:personalTitle',
     'photo'                         => 'urn:mace:dir:attribute-def:photo',
@@ -163,6 +164,7 @@ $attributemap = array(
     'stateOrProvinceName'           => 'urn:mace:dir:attribute-def:stateOrProvinceName',
     'street'                        => 'urn:mace:dir:attribute-def:street',
     'streetAddress'                 => 'urn:mace:dir:attribute-def:streetAddress',
+    'subject-id'                    => 'urn:oasis:names:tc:SAML:attribute:subject-id',
     'subtreeMaximumQuality'         => 'urn:mace:dir:attribute-def:subtreeMaximumQuality',
     'subtreeMinimumQuality'         => 'urn:mace:dir:attribute-def:subtreeMinimumQuality',
     'supportedAlgorithms'           => 'urn:mace:dir:attribute-def:supportedAlgorithms',

attributemap/urn2name.php

@@ -184,4 +184,6 @@ $attributemap = array(
     'urn:mace:terena.org:attribute-def:schacUserPresenceID'       => 'schacUserPresenceID',
     'urn:mace:terena.org:attribute-def:schacUserPrivateAttribute' => 'schacUserPrivateAttribute',
     'urn:mace:terena.org:attribute-def:schacUserStatus'           => 'schacUserStatus',
+    'urn:oasis:names:tc:SAML:attribute:pairwise-id'               => 'pairwise-id',
+    'urn:oasis:names:tc:SAML:attribute:subject-id'                => 'subject-id',
 );

dictionaries/attributes.definition.json

@@ -47,12 +47,18 @@
 	"attribute_edupersontargetedid": {
 		"en": "Persistent pseudonymous ID"
 	},
+	"attribute_pairwise_id": {
+		"en": "Service-specific pseudonymous ID at home organization"
+	},
 	"attribute_edupersonprincipalname": {
 		"en": "Person's principal name at home organization"
 	},
 	"attribute_edupersonuniqueid": {
 		"en": "Person's non-reassignable, persistent pseudonymous ID at home organization"
 	},
+	"attribute_subject_id": {
+		"en": "Pseudonymous ID at home organization"
+	},
 	"attribute_edupersonorcid": {
 		"en": "ORCID researcher identifiers"
 	},

dictionaries/attributes.translation.json

@@ -566,6 +566,9 @@
 		"af": "Aanhoudende anonieme ID",
 		"el": "\u0391\u03b4\u03b9\u03b1\u03c6\u03b1\u03bd\u03ad\u03c2 \u03b1\u03bd\u03b1\u03b3\u03bd\u03c9\u03c1\u03b9\u03c3\u03c4\u03b9\u03ba\u03cc \u03c7\u03c1\u03ae\u03c3\u03c4\u03b7 \u03bc\u03b1\u03ba\u03c1\u03ac\u03c2 \u03b4\u03b9\u03ac\u03c1\u03ba\u03b5\u03b9\u03b1\u03c2"
 	},
+	"attribute_pairwise_id": {
+		"de": "Service-spezifische pseudonyme ID bei der Heimorganisation"
+	},
 	"attribute_edupersonprincipalname": {
 		"no": "Personlig ID hos organisasjonen",
 		"nn": "Brukarnamn hos din organisasjon",
@@ -608,6 +611,9 @@
 		"zh-tw": "\u500b\u4eba\u7121\u6cd5\u91cd\u65b0\u8a2d\u7f6e\uff0c\u65bc\u6240\u5c6c\u7d44\u7e54\u7684\u6c38\u4e45\u533f\u540d ID",
 		"el": "\u039c\u03cc\u03bd\u03b9\u03bc\u03bf, \u03b1\u03b4\u03b9\u03b1\u03c6\u03b1\u03bd\u03ad\u03c2 \u03b1\u03bd\u03b1\u03b3\u03bd\u03c9\u03c1\u03b9\u03c3\u03c4\u03b9\u03ba\u03cc \u03c7\u03c1\u03ae\u03c3\u03c4\u03b7 \u03c3\u03c4\u03bf\u03bd \u03bf\u03b9\u03ba\u03b5\u03af\u03bf \u03bf\u03c1\u03b3\u03b1\u03bd\u03b9\u03c3\u03bc\u03cc"
 	},
+	"attribute_subject_id": {
+		"de": "Pseudonyme ID bei der Heimorganisation"
+	},
 	"attribute_edupersonorcid": {
 		"zh-tw": "ORCID \u7814\u7a76\u8005\u8b58\u5225\u78bc",
 		"el": "\u0391\u03bd\u03b1\u03b3\u03bd\u03c9\u03c1\u03b9\u03c3\u03c4\u03b9\u03ba\u03ac \u03b5\u03c1\u03b5\u03c5\u03bd\u03b7\u03c4\u03ae ORCID"

lib/SimpleSAML/Locale/Translate.php

@@ -198,7 +198,7 @@ class Translate
     {
         // normalize attribute name
         $normName = strtolower($name);
-        $normName = str_replace(":", "_", $normName);
+        $normName = str_replace(array(":", "-"), "_", $normName);
 
         // check for an extra dictionary
         $extraDict = $this->configuration->getString('attributes.extradictionary', null);

modules/smartattributes/docs/smartattributes.md

@@ -17,6 +17,8 @@ The filter has the following configuration options:
 * `candidates`. An array of attributes names to consider as the identifier attribute. Defaults to:
 	* eduPersonTargetedID
 	* eduPersonPrincipalName
+	* pairwise-id
+	* subject-id
 	* openid
 	* facebook_targetedID
 	* twitter_targetedID

modules/smartattributes/lib/Auth/Process/SmartID.php

@@ -14,6 +14,8 @@ class SmartID extends \SimpleSAML\Auth\ProcessingFilter
     private $_candidates = array(
         'eduPersonTargetedID',
         'eduPersonPrincipalName',
+        'pairwise-id',
+        'subject-id',
         'openid',
         'facebook_targetedID',
         'twitter_targetedID',