From 1187bac6aca3e8cd2ed9f7d1b8bc2219e6378328 Mon Sep 17 00:00:00 2001
From: peter <peter-@users.noreply.github.com>
Date: Fri, 14 Sep 2018 12:41:25 +0200
Subject: [PATCH] Add initial support for SAML Subject Id Attributes

The OASIS spec [SAML V2.0 Subject Identifier Attributes Profile](https://wiki.oasis-open.org/security/SAMLSubjectIDAttr) defines two new standard attributes intending to replace use of persistent NameIDs and the eduPersonTargetedID and eduPersonUniqueId SAML attributes. The updated Kantara [SAML V2.0 Interoperability Deployment Profile](https://kantarainitiative.github.io/SAMLprofiles/saml2int.html) will also standardize on these new attributes (cf. SDP-SP15 ibid.).

This commit adds the two new attributes:

* to the URN attribute maps
* to attribute definitions and translations of the locale system
* to the smartattributes:SmartID auth proc filter (after any other SAML attributes, but before the non-SAML ones).

Support for saml2int SDP-SP16 (attribute requirements signalling via Entity Attributes) is not included here.
---
 attributemap/name2urn.php                            | 2 ++
 attributemap/urn2name.php                            | 2 ++
 dictionaries/attributes.definition.json              | 6 ++++++
 dictionaries/attributes.translation.json             | 6 ++++++
 lib/SimpleSAML/Locale/Translate.php                  | 2 +-
 modules/smartattributes/docs/smartattributes.md      | 2 ++
 modules/smartattributes/lib/Auth/Process/SmartID.php | 2 ++
 7 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/attributemap/name2urn.php b/attributemap/name2urn.php
index 477f6c665..9286f6fe3 100644
--- a/attributemap/name2urn.php
+++ b/attributemap/name2urn.php
@@ -112,6 +112,7 @@ $attributemap = array(
     'owner'                         => 'urn:mace:dir:attribute-def:owner',
     'pager'                         => 'urn:mace:dir:attribute-def:pager',
     'pagerTelephoneNumber'          => 'urn:mace:dir:attribute-def:pagerTelephoneNumber',
+    'pairwise-id'                   => 'urn:oasis:names:tc:SAML:attribute:pairwise-id',
     'personalSignature'             => 'urn:mace:dir:attribute-def:personalSignature',
     'personalTitle'                 => 'urn:mace:dir:attribute-def:personalTitle',
     'photo'                         => 'urn:mace:dir:attribute-def:photo',
@@ -163,6 +164,7 @@ $attributemap = array(
     'stateOrProvinceName'           => 'urn:mace:dir:attribute-def:stateOrProvinceName',
     'street'                        => 'urn:mace:dir:attribute-def:street',
     'streetAddress'                 => 'urn:mace:dir:attribute-def:streetAddress',
+    'subject-id'                    => 'urn:oasis:names:tc:SAML:attribute:subject-id',
     'subtreeMaximumQuality'         => 'urn:mace:dir:attribute-def:subtreeMaximumQuality',
     'subtreeMinimumQuality'         => 'urn:mace:dir:attribute-def:subtreeMinimumQuality',
     'supportedAlgorithms'           => 'urn:mace:dir:attribute-def:supportedAlgorithms',
diff --git a/attributemap/urn2name.php b/attributemap/urn2name.php
index 66cd8589a..fc8d4d97d 100644
--- a/attributemap/urn2name.php
+++ b/attributemap/urn2name.php
@@ -184,4 +184,6 @@ $attributemap = array(
     'urn:mace:terena.org:attribute-def:schacUserPresenceID'       => 'schacUserPresenceID',
     'urn:mace:terena.org:attribute-def:schacUserPrivateAttribute' => 'schacUserPrivateAttribute',
     'urn:mace:terena.org:attribute-def:schacUserStatus'           => 'schacUserStatus',
+    'urn:oasis:names:tc:SAML:attribute:pairwise-id'               => 'pairwise-id',
+    'urn:oasis:names:tc:SAML:attribute:subject-id'                => 'subject-id',
 );
diff --git a/dictionaries/attributes.definition.json b/dictionaries/attributes.definition.json
index c04dcfc27..ee8866765 100644
--- a/dictionaries/attributes.definition.json
+++ b/dictionaries/attributes.definition.json
@@ -47,12 +47,18 @@
 	"attribute_edupersontargetedid": {
 		"en": "Persistent pseudonymous ID"
 	},
+	"attribute_pairwise_id": {
+		"en": "Service-specific pseudonymous ID at home organization"
+	},
 	"attribute_edupersonprincipalname": {
 		"en": "Person's principal name at home organization"
 	},
 	"attribute_edupersonuniqueid": {
 		"en": "Person's non-reassignable, persistent pseudonymous ID at home organization"
 	},
+	"attribute_subject_id": {
+		"en": "Pseudonymous ID at home organization"
+	},
 	"attribute_edupersonorcid": {
 		"en": "ORCID researcher identifiers"
 	},
diff --git a/dictionaries/attributes.translation.json b/dictionaries/attributes.translation.json
index 3e6b7cbec..4b859cf4f 100644
--- a/dictionaries/attributes.translation.json
+++ b/dictionaries/attributes.translation.json
@@ -566,6 +566,9 @@
 		"af": "Aanhoudende anonieme ID",
 		"el": "\u0391\u03b4\u03b9\u03b1\u03c6\u03b1\u03bd\u03ad\u03c2 \u03b1\u03bd\u03b1\u03b3\u03bd\u03c9\u03c1\u03b9\u03c3\u03c4\u03b9\u03ba\u03cc \u03c7\u03c1\u03ae\u03c3\u03c4\u03b7 \u03bc\u03b1\u03ba\u03c1\u03ac\u03c2 \u03b4\u03b9\u03ac\u03c1\u03ba\u03b5\u03b9\u03b1\u03c2"
 	},
+	"attribute_pairwise_id": {
+		"de": "Service-spezifische pseudonyme ID bei der Heimorganisation"
+	},
 	"attribute_edupersonprincipalname": {
 		"no": "Personlig ID hos organisasjonen",
 		"nn": "Brukarnamn hos din organisasjon",
@@ -608,6 +611,9 @@
 		"zh-tw": "\u500b\u4eba\u7121\u6cd5\u91cd\u65b0\u8a2d\u7f6e\uff0c\u65bc\u6240\u5c6c\u7d44\u7e54\u7684\u6c38\u4e45\u533f\u540d ID",
 		"el": "\u039c\u03cc\u03bd\u03b9\u03bc\u03bf, \u03b1\u03b4\u03b9\u03b1\u03c6\u03b1\u03bd\u03ad\u03c2 \u03b1\u03bd\u03b1\u03b3\u03bd\u03c9\u03c1\u03b9\u03c3\u03c4\u03b9\u03ba\u03cc \u03c7\u03c1\u03ae\u03c3\u03c4\u03b7 \u03c3\u03c4\u03bf\u03bd \u03bf\u03b9\u03ba\u03b5\u03af\u03bf \u03bf\u03c1\u03b3\u03b1\u03bd\u03b9\u03c3\u03bc\u03cc"
 	},
+	"attribute_subject_id": {
+		"de": "Pseudonyme ID bei der Heimorganisation"
+	},
 	"attribute_edupersonorcid": {
 		"zh-tw": "ORCID \u7814\u7a76\u8005\u8b58\u5225\u78bc",
 		"el": "\u0391\u03bd\u03b1\u03b3\u03bd\u03c9\u03c1\u03b9\u03c3\u03c4\u03b9\u03ba\u03ac \u03b5\u03c1\u03b5\u03c5\u03bd\u03b7\u03c4\u03ae ORCID"
diff --git a/lib/SimpleSAML/Locale/Translate.php b/lib/SimpleSAML/Locale/Translate.php
index 9f20168fa..0e52228a1 100644
--- a/lib/SimpleSAML/Locale/Translate.php
+++ b/lib/SimpleSAML/Locale/Translate.php
@@ -198,7 +198,7 @@ class Translate
     {
         // normalize attribute name
         $normName = strtolower($name);
-        $normName = str_replace(":", "_", $normName);
+        $normName = str_replace(array(":", "-"), "_", $normName);
 
         // check for an extra dictionary
         $extraDict = $this->configuration->getString('attributes.extradictionary', null);
diff --git a/modules/smartattributes/docs/smartattributes.md b/modules/smartattributes/docs/smartattributes.md
index f6015259a..06fd24141 100644
--- a/modules/smartattributes/docs/smartattributes.md
+++ b/modules/smartattributes/docs/smartattributes.md
@@ -17,6 +17,8 @@ The filter has the following configuration options:
 * `candidates`. An array of attributes names to consider as the identifier attribute. Defaults to:
 	* eduPersonTargetedID
 	* eduPersonPrincipalName
+	* pairwise-id
+	* subject-id
 	* openid
 	* facebook_targetedID
 	* twitter_targetedID
diff --git a/modules/smartattributes/lib/Auth/Process/SmartID.php b/modules/smartattributes/lib/Auth/Process/SmartID.php
index 2dbde82f9..4a23cf7c6 100644
--- a/modules/smartattributes/lib/Auth/Process/SmartID.php
+++ b/modules/smartattributes/lib/Auth/Process/SmartID.php
@@ -14,6 +14,8 @@ class SmartID extends \SimpleSAML\Auth\ProcessingFilter
     private $_candidates = array(
         'eduPersonTargetedID',
         'eduPersonPrincipalName',
+        'pairwise-id',
+        'subject-id',
         'openid',
         'facebook_targetedID',
         'twitter_targetedID',
-- 
GitLab