Added support for attribute handling at SAML 2 SP. In examlpe attribute alter

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@503 44740490-163a-0410-bde0-09ae8108e29a

Added support for attribute handling at SAML 2 SP. In examlpe attribute alter
12ee7ca8 · Andreas Åkre Solberg · bae81f5e · 12ee7ca8 · 12ee7ca8 · 12ee7ca8
Commit 12ee7ca8 authored 17 years ago by Andreas Åkre Solberg
--- a/docs/source/simplesamlphp-idp.xml
+++ b/docs/source/simplesamlphp-idp.xml
@@ -7,7 +7,7 @@
  <articleinfo>
    <date>2007-10-15</date>

-    <pubdate>Wed Apr 16 10:24:40 2008</pubdate>
+    <pubdate>Tue Apr 22 10:22:44 2008</pubdate>

    <author>
      <firstname>Andreas Åkre</firstname>
@@ -508,20 +508,20 @@ openssl x509 -req -days 60 -in server2.csr -signkey server2.key -out server2.crt
          </glossentry>

          <glossentry>
-            <glossterm>simplesaml.attributes</glossterm>
+            <glossterm>attributes</glossterm>

            <glossdef>
-              <para>Boolean, default <literal>true</literal>: Send an
-              attribute statement to the SP.</para>
+              <para>Array of attributes sent to the SP. If this field is not
+              set, the SP receives all attributes available at the IdP.</para>
            </glossdef>
          </glossentry>

          <glossentry>
-            <glossterm>attributes</glossterm>
+            <glossterm>simplesaml.attributes</glossterm>

            <glossdef>
-              <para>Array of attributes sent to the SP. If this field is not
-              set, the SP receives all attributes available at the IdP.</para>
+              <para>Boolean, default <literal>true</literal>: Send an
+              attribute statement to the SP.</para>
            </glossdef>
          </glossentry>


--- a/docs/source/simplesamlphp-sp.xml
+++ b/docs/source/simplesamlphp-sp.xml
@@ -7,7 +7,7 @@
  <articleinfo>
    <date>2007-10-15</date>

-    <pubdate>Thu Mar 27 20:48:28 2008</pubdate>
+    <pubdate>Tue Apr 22 10:23:15 2008</pubdate>

    <author>
      <firstname>Andreas Åkre</firstname>
@@ -48,7 +48,8 @@
    <para>simpleSAMLphp can run as both a SAML 2.0 Service Provider and as a
    Shibboleth 1.3 Service Provider. Although the configuration is similar for
    the two alternatives, there are some differences in configuration and
-    metadata differs somewhat, so they are treated in separate chapters.</para>
+    metadata differs somewhat, so they are treated in separate
+    chapters.</para>
  </section>

  <section>
@@ -72,17 +73,17 @@
  <section>
    <title>Configuring metadata for SAML 2.0 SP</title>

-    <para>To set up a SAML 2.0 SP, configure two metadata files: 
+    <para>To set up a SAML 2.0 SP, configure two metadata files:
    <filename>saml20-sp-hosted.php</filename> and
    <filename>saml20-idp-remote.php</filename>. The former represents the SAML
-    entity of your SP, the latter lists all the SAML 2.0
-    IdPs you trust to authenticate users, and how to connect to them.</para>
+    entity of your SP, the latter lists all the SAML 2.0 IdPs you trust to
+    authenticate users, and how to connect to them.</para>

    <section>
      <title>Configuring SAML 2.0 SP Hosted metadata</title>

-      <para>To se tup these metadata, you must know the host name of your
-      web server, and select an entity ID for this server. The IdP may impose
+      <para>To se tup these metadata, you must know the host name of your web
+      server, and select an entity ID for this server. The IdP may impose
      restrictions on your choice of entity ID.</para>

      <note>
@@ -92,9 +93,10 @@

        <itemizedlist>
          <listitem>
-            <para><ulink url="http://docs.feide.no/fs-0051--en.html">Regulations for 
-            SAML 2.0 entityIDs
-            for Feide Services</ulink> (Feide Fact Sheet #51)</para>
+            <para><ulink
+            url="http://docs.feide.no/fs-0051--en.html">Regulations for SAML
+            2.0 entityIDs for Feide Services</ulink> (Feide Fact Sheet
+            #51)</para>
          </listitem>
        </itemizedlist>
      </note>
@@ -178,11 +180,10 @@

              <para>If you leave out this entry, the default value
              <literal>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</literal>
-              is used in the authentication request. If you set the
-              value to <literal>null</literal>, the
-              <literal>samlp:NameIDPolicy</literal> element is
-              completely removed from the request.</para>
-              
+              is used in the authentication request. If you set the value to
+              <literal>null</literal>, the
+              <literal>samlp:NameIDPolicy</literal> element is completely
+              removed from the request.</para>
            </glossdef>
          </glossentry>

@@ -205,6 +206,35 @@
              as software-PKI.</para>
            </glossdef>
          </glossentry>
+
+          <glossentry>
+            <glossterm>attributemap</glossterm>
+
+            <glossdef>
+              <para>Mapping table for translating attribute names. For further
+              information, see the <emphasis>Advances Features</emphasis>
+              document.</para>
+            </glossdef>
+          </glossentry>
+
+          <glossentry>
+            <glossterm>attributealter</glossterm>
+
+            <glossdef>
+              <para>Table of custom functions that injects or modifies
+              attributes. For further information, see the <emphasis>Advances
+              Features</emphasis> document.</para>
+            </glossdef>
+          </glossentry>
+
+          <glossentry>
+            <glossterm>attributes</glossterm>
+
+            <glossdef>
+              <para>Array of attributes sent to the SP. If this field is not
+              set, the SP receives all attributes available at the IdP.</para>
+            </glossdef>
+          </glossentry>
        </glosslist>
      </section>

@@ -213,16 +243,17 @@

        <para>simpleSAMLphp supports signing the HTTP-REDIRECT authentication
        request, but by default it will not sign it. Note that if you want to
-        sign the authentication requests, you will need a
-        keypair/certificate at the SP.</para>
+        sign the authentication requests, you will need a keypair/certificate
+        at the SP.</para>

        <glosslist>
          <glossentry>
            <glossterm>request.signing</glossterm>

            <glossdef>
-              <para>Boolean, default <literal>false</literal>. To turn on signing of
-              authentication requests, set this flag to true.</para>
+              <para>Boolean, default <literal>false</literal>. To turn on
+              signing of authentication requests, set this flag to
+              true.</para>
            </glossdef>
          </glossentry>

@@ -385,6 +416,26 @@
              of your SP as the SPNameQualifier.</para>
            </glossdef>
          </glossentry>
+
+          <glossentry>
+            <glossterm>attributemap</glossterm>
+
+            <glossdef>
+              <para>Mapping table for translating attribute names. For further
+              information, see the <emphasis>Advances Features</emphasis>
+              document.</para>
+            </glossdef>
+          </glossentry>
+
+          <glossentry>
+            <glossterm>attributealter</glossterm>
+
+            <glossdef>
+              <para>Table of custom functions that injects or modifies
+              attributes. For further information, see the <emphasis>Advances
+              Features</emphasis> document.</para>
+            </glossdef>
+          </glossentry>
        </glosslist>
      </section>

@@ -401,8 +452,8 @@
            <glossterm>request.signing</glossterm>

            <glossdef>
-              <para>Boolean, default <literal>false</literal>. To turn on signing authentication
-              requests, set this flag to true.</para>
+              <para>Boolean, default <literal>false</literal>. To turn on
+              signing authentication requests, set this flag to true.</para>
            </glossdef>
          </glossentry>


--- a/www/admin/metadata.php
+++ b/www/admin/metadata.php
@@ -34,7 +34,7 @@ try {
 		foreach ($metalist AS $entityid => $mentry) {
 			$results[$entityid] = SimpleSAML_Utilities::checkAssocArrayRules($mentry,
 				array('entityid', 'host'),
-				array('request.signing','certificate','privatekey', 'NameIDFormat', 'ForceAuthn', 'AuthnContextClassRef', 'SPNameQualifier')
+				array('request.signing','certificate','privatekey', 'NameIDFormat', 'ForceAuthn', 'AuthnContextClassRef', 'SPNameQualifier', 'attributemap', 'attributealter', 'attributes')
 			);
 		}
 		$et->data['metadata.saml20-sp-hosted'] = $results;
@@ -44,7 +44,7 @@ try {
 		foreach ($metalist AS $entityid => $mentry) {
 			$results[$entityid] = SimpleSAML_Utilities::checkAssocArrayRules($mentry,
 				array('entityid', 'SingleSignOnService', 'SingleLogoutService', 'certFingerprint'),
-				array('name', 'description', 'base64attributes', 'certificate', 'hint.cidr', 'saml2.relaxvalidation', 'SingleLogoutServiceResponse', 'request.signing')
+				array('name', 'description', 'base64attributes', 'certificate', 'hint.cidr', 'saml2.relaxvalidation', 'SingleLogoutServiceResponse', 'request.signing', 'attributemap', 'attributealter')
 			);
 		}
 		$et->data['metadata.saml20-idp-remote'] = $results;

--- a/www/saml2/sp/AssertionConsumerService.php
+++ b/www/saml2/sp/AssertionConsumerService.php
@@ -6,6 +6,7 @@ require_once((isset($SIMPLESAML_INCPREFIX)?$SIMPLESAML_INCPREFIX:'') . 'SimpleSA
 require_once((isset($SIMPLESAML_INCPREFIX)?$SIMPLESAML_INCPREFIX:'') . 'SimpleSAML/Utilities.php');
 require_once((isset($SIMPLESAML_INCPREFIX)?$SIMPLESAML_INCPREFIX:'') . 'SimpleSAML/Session.php');
 require_once((isset($SIMPLESAML_INCPREFIX)?$SIMPLESAML_INCPREFIX:'') . 'SimpleSAML/Logger.php');
+require_once((isset($SIMPLESAML_INCPREFIX)?$SIMPLESAML_INCPREFIX:'') . 'SimpleSAML/XML/AttributeFilter.php');
 require_once((isset($SIMPLESAML_INCPREFIX)?$SIMPLESAML_INCPREFIX:'') . 'SimpleSAML/Metadata/MetaDataStorageHandler.php');
 require_once((isset($SIMPLESAML_INCPREFIX)?$SIMPLESAML_INCPREFIX:'') . 'SimpleSAML/XML/SAML20/AuthnRequest.php');
 require_once((isset($SIMPLESAML_INCPREFIX)?$SIMPLESAML_INCPREFIX:'') . 'SimpleSAML/Bindings/SAML20/HTTPPost.php');
@@ -49,6 +50,17 @@ try {
 	SimpleSAML_Logger::info('SAML2.0 - SP.AssertionConsumerService: Successfully created local session from Authentication Response');
 	
 	
+	$idpmetadata = $metadata->getMetaData($session->getIdP(), 'saml20-idp-remote');
+	$spmetadata = $metadata->getMetaDataCurrent();
+	
+	
+	/*
+	 * Attribute handling
+	 */
+	$attributes = $session->getAttributes();
+	$afilter = new SimpleSAML_XML_AttributeFilter($config, $attributes);
+	$afilter->process($idpmetadata, $spmetadata);
+	
 	/**
 	 * Make a log entry in the statistics for this SSO login.
 	 */
@@ -63,6 +75,15 @@ try {
 		}
 	} 
 	SimpleSAML_Logger::stats('saml20-sp-SSO ' . $metadata->getMetaDataCurrentEntityID() . ' ' . $session->getIdP() . ' ' . $realmstr);
+	
+	
+	$afilter->processFilter($idpmetadata, $spmetadata);
+			
+	$session->setAttributes($afilter->getAttributes());
+	SimpleSAML_Logger::info('SAML2.0 - SP.AssertionConsumerService: Completed attribute handling');
+	
+	
+