diff --git a/docs/source/simplesamlphp-idp.xml b/docs/source/simplesamlphp-idp.xml index 3e1feaef2b5bba0d2ef9c116a2759fcad71ed0df..4ae2351b1fb2b6863b599c586e50df208ed2648c 100644 --- a/docs/source/simplesamlphp-idp.xml +++ b/docs/source/simplesamlphp-idp.xml @@ -7,7 +7,7 @@ <articleinfo> <date>2007-10-15</date> - <pubdate>Wed Apr 16 10:24:40 2008</pubdate> + <pubdate>Tue Apr 22 10:22:44 2008</pubdate> <author> <firstname>Andreas Ă…kre</firstname> @@ -508,20 +508,20 @@ openssl x509 -req -days 60 -in server2.csr -signkey server2.key -out server2.crt </glossentry> <glossentry> - <glossterm>simplesaml.attributes</glossterm> + <glossterm>attributes</glossterm> <glossdef> - <para>Boolean, default <literal>true</literal>: Send an - attribute statement to the SP.</para> + <para>Array of attributes sent to the SP. If this field is not + set, the SP receives all attributes available at the IdP.</para> </glossdef> </glossentry> <glossentry> - <glossterm>attributes</glossterm> + <glossterm>simplesaml.attributes</glossterm> <glossdef> - <para>Array of attributes sent to the SP. If this field is not - set, the SP receives all attributes available at the IdP.</para> + <para>Boolean, default <literal>true</literal>: Send an + attribute statement to the SP.</para> </glossdef> </glossentry> diff --git a/docs/source/simplesamlphp-sp.xml b/docs/source/simplesamlphp-sp.xml index d46a3a87e1149252c4567ce41be122e6771caf2f..ad536ca1e24fe93265872c50a21655c73775ef15 100644 --- a/docs/source/simplesamlphp-sp.xml +++ b/docs/source/simplesamlphp-sp.xml @@ -7,7 +7,7 @@ <articleinfo> <date>2007-10-15</date> - <pubdate>Thu Mar 27 20:48:28 2008</pubdate> + <pubdate>Tue Apr 22 10:23:15 2008</pubdate> <author> <firstname>Andreas Ă…kre</firstname> 
@@ -48,7 +48,8 @@ <para>simpleSAMLphp can run as both a SAML 2.0 Service Provider and as a Shibboleth 1.3 Service Provider. Although the configuration is similar for the two alternatives, there are some differences in configuration and - metadata differs somewhat, so they are treated in separate chapters.</para> + metadata differs somewhat, so they are treated in separate + chapters.</para> </section> <section> @@ -72,17 +73,17 @@ <section> <title>Configuring metadata for SAML 2.0 SP</title> - <para>To set up a SAML 2.0 SP, configure two metadata files: + <para>To set up a SAML 2.0 SP, configure two metadata files: <filename>saml20-sp-hosted.php</filename> and <filename>saml20-idp-remote.php</filename>. The former represents the SAML - entity of your SP, the latter lists all the SAML 2.0 - IdPs you trust to authenticate users, and how to connect to them.</para> + entity of your SP, the latter lists all the SAML 2.0 IdPs you trust to + authenticate users, and how to connect to them.</para> <section> <title>Configuring SAML 2.0 SP Hosted metadata</title> - <para>To se tup these metadata, you must know the host name of your - web server, and select an entity ID for this server. The IdP may impose + <para>To se tup these metadata, you must know the host name of your web + server, and select an entity ID for this server. The IdP may impose restrictions on your choice of entity ID.</para> <note> @@ -92,9 +93,10 @@ <itemizedlist> <listitem> - <para><ulink url="http://docs.feide.no/fs-0051--en.html">Regulations for - SAML 2.0 entityIDs - for Feide Services</ulink> (Feide Fact Sheet #51)</para> + <para><ulink + url="http://docs.feide.no/fs-0051--en.html">Regulations for SAML + 2.0 entityIDs for Feide Services</ulink> (Feide Fact Sheet + #51)</para> </listitem> </itemizedlist> </note> 
@@ -178,11 +180,10 @@ <para>If you leave out this entry, the default value <literal>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</literal> - is used in the authentication request. If you set the - value to <literal>null</literal>, the - <literal>samlp:NameIDPolicy</literal> element is - completely removed from the request.</para> - + is used in the authentication request. If you set the value to + <literal>null</literal>, the + <literal>samlp:NameIDPolicy</literal> element is completely + removed from the request.</para> </glossdef> </glossentry> @@ -205,6 +206,35 @@ as software-PKI.</para> </glossdef> </glossentry> + + <glossentry> + <glossterm>attributemap</glossterm> + + <glossdef> + <para>Mapping table for translating attribute names. For further + information, see the <emphasis>Advances Features</emphasis> + document.</para> + </glossdef> + </glossentry> + + <glossentry> + <glossterm>attributealter</glossterm> + + <glossdef> + <para>Table of custom functions that injects or modifies + attributes. For further information, see the <emphasis>Advances + Features</emphasis> document.</para> + </glossdef> + </glossentry> + + <glossentry> + <glossterm>attributes</glossterm> + + <glossdef> + <para>Array of attributes sent to the SP. If this field is not + set, the SP receives all attributes available at the IdP.</para> + </glossdef> + </glossentry> </glosslist> </section> 
@@ -213,16 +243,17 @@ <para>simpleSAMLphp supports signing the HTTP-REDIRECT authentication request, but by default it will not sign it. Note that if you want to - sign the authentication requests, you will need a - keypair/certificate at the SP.</para> + sign the authentication requests, you will need a keypair/certificate + at the SP.</para> <glosslist> <glossentry> <glossterm>request.signing</glossterm> <glossdef> - <para>Boolean, default <literal>false</literal>. To turn on signing of - authentication requests, set this flag to true.</para> + <para>Boolean, default <literal>false</literal>. To turn on + signing of authentication requests, set this flag to + true.</para> </glossdef> </glossentry> @@ -385,6 +416,26 @@ of your SP as the SPNameQualifier.</para> </glossdef> </glossentry> + + <glossentry> + <glossterm>attributemap</glossterm> + + <glossdef> + <para>Mapping table for translating attribute names. For further + information, see the <emphasis>Advances Features</emphasis> + document.</para> + </glossdef> + </glossentry> + + <glossentry> + <glossterm>attributealter</glossterm> + + <glossdef> + <para>Table of custom functions that injects or modifies + attributes. For further information, see the <emphasis>Advances + Features</emphasis> document.</para> + </glossdef> + </glossentry> </glosslist> </section> @@ -401,8 +452,8 @@ <glossterm>request.signing</glossterm> <glossdef> - <para>Boolean, default <literal>false</literal>. To turn on signing authentication - requests, set this flag to true.</para> + <para>Boolean, default <literal>false</literal>. To turn on + signing authentication requests, set this flag to true.</para> </glossdef> </glossentry> diff --git a/www/admin/metadata.php b/www/admin/metadata.php index 50634e27f03d28d411c210acd69657429158afb4..1070a3e22e1a22a11fb84cc23e665727866e0757 100644 --- a/www/admin/metadata.php +++ b/www/admin/metadata.php 
@@ -34,7 +34,7 @@ try {
 foreach ($metalist AS $entityid => $mentry) {
 $results[$entityid] = SimpleSAML_Utilities::checkAssocArrayRules($mentry,
 array('entityid', 'host'),
- array('request.signing','certificate','privatekey', 'NameIDFormat', 'ForceAuthn', 'AuthnContextClassRef', 'SPNameQualifier')
+ array('request.signing','certificate','privatekey', 'NameIDFormat', 'ForceAuthn', 'AuthnContextClassRef', 'SPNameQualifier', 'attributemap', 'attributealter', 'attributes')
 );
 }
 $et->data['metadata.saml20-sp-hosted'] = $results;
@@ -44,7 +44,7 @@ try {
 foreach ($metalist AS $entityid => $mentry) {
 $results[$entityid] = SimpleSAML_Utilities::checkAssocArrayRules($mentry,
 array('entityid', 'SingleSignOnService', 'SingleLogoutService', 'certFingerprint'),
- array('name', 'description', 'base64attributes', 'certificate', 'hint.cidr', 'saml2.relaxvalidation', 'SingleLogoutServiceResponse', 'request.signing')
+ array('name', 'description', 'base64attributes', 'certificate', 'hint.cidr', 'saml2.relaxvalidation', 'SingleLogoutServiceResponse', 'request.signing', 'attributemap', 'attributealter')
 );
 }
 $et->data['metadata.saml20-idp-remote'] = $results;
diff --git a/www/saml2/sp/AssertionConsumerService.php b/www/saml2/sp/AssertionConsumerService.php
index 91081ca63673107c5354bc00ebbe56a9ac3d7d6a..e1445896d7be49017ad2b780ed834a2bfa7be100 100644
--- a/www/saml2/sp/AssertionConsumerService.php
+++ b/www/saml2/sp/AssertionConsumerService.php
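Review bot: The optional-key whitelists passed to checkAssocArrayRules are long inline array literals repeated per metadata set (here for saml20-sp-hosted, and again in the second hunk for saml20-idp-remote), and they now also have to stay in step with the glossary entries added to docs/source/simplesamlphp-sp.xml in this same commit; extracting each list into a named variable such as `$sp_hosted_optional = array('request.signing', 'certificate', 'privatekey', 'NameIDFormat', 'ForceAuthn', 'AuthnContextClassRef', 'SPNameQualifier', 'attributemap', 'attributealter', 'attributes');` gives the checker a single place to update. Note also that 'attributes' is accepted for saml20-sp-hosted but is not added to the saml20-idp-remote list in the second hunk; if that asymmetry is intended, a one-line comment on the second list saying so would stop a later change from "fixing" it. As far as the visible call shows, this check only validates which keys are present, not the shape of their values, so an 'attributealter' entry — described in the documentation hunks as a table of custom functions — is not validated here beyond its key name; a comment stating that limitation is worthwhile, since metadata that names callables has to be reviewed like configuration code. The enclosing try block starts and ends outside both hunks.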
@@ -6,6 +6,7 @@ require_once((isset($SIMPLESAML_INCPREFIX)?$SIMPLESAML_INCPREFIX:'') . 'SimpleSA
 require_once((isset($SIMPLESAML_INCPREFIX)?$SIMPLESAML_INCPREFIX:'') . 'SimpleSAML/Utilities.php');
 require_once((isset($SIMPLESAML_INCPREFIX)?$SIMPLESAML_INCPREFIX:'') . 'SimpleSAML/Session.php');
 require_once((isset($SIMPLESAML_INCPREFIX)?$SIMPLESAML_INCPREFIX:'') . 'SimpleSAML/Logger.php');
+require_once((isset($SIMPLESAML_INCPREFIX)?$SIMPLESAML_INCPREFIX:'') . 'SimpleSAML/XML/AttributeFilter.php');
 require_once((isset($SIMPLESAML_INCPREFIX)?$SIMPLESAML_INCPREFIX:'') . 'SimpleSAML/Metadata/MetaDataStorageHandler.php');
 require_once((isset($SIMPLESAML_INCPREFIX)?$SIMPLESAML_INCPREFIX:'') . 'SimpleSAML/XML/SAML20/AuthnRequest.php');
 require_once((isset($SIMPLESAML_INCPREFIX)?$SIMPLESAML_INCPREFIX:'') . 'SimpleSAML/Bindings/SAML20/HTTPPost.php');
@@ -49,6 +50,17 @@ try {
 SimpleSAML_Logger::info('SAML2.0 - SP.AssertionConsumerService: Successfully created local session from Authentication Response');
+ $idpmetadata = $metadata->getMetaData($session->getIdP(), 'saml20-idp-remote');
+ $spmetadata = $metadata->getMetaDataCurrent();
+
+
+ /*
+ * Attribute handling
+ */
+ $attributes = $session->getAttributes();
+ $afilter = new SimpleSAML_XML_AttributeFilter($config, $attributes);
+ $afilter->process($idpmetadata, $spmetadata);
+
 /**
 * Make a log entry in the statistics for this SSO login.
 */
@@ -63,6 +75,15 @@ try {
 }
 }
 SimpleSAML_Logger::stats('saml20-sp-SSO ' . $metadata->getMetaDataCurrentEntityID() . ' ' . $session->getIdP() . ' ' . $realmstr);
+
+
+ $afilter->processFilter($idpmetadata, $spmetadata);
+
+ $session->setAttributes($afilter->getAttributes());
+ SimpleSAML_Logger::info('SAML2.0 - SP.AssertionConsumerService: Completed attribute handling');
+
+
+
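Review bot: The filter is built and `process()` is run on a copy of the session attributes (`$attributes = $session->getAttributes()`), but nothing in the second hunk writes the result back; the write-back (`$session->setAttributes($afilter->getAttributes())`) only happens in the third hunk, after the statistics block and a second `processFilter()` call, so — assuming getAttributes() returns the array by value — any code that runs between the two, including the stats logging, still sees the unmodified session attributes. The split into a `process()` stage here and a `processFilter()` stage later is not explained; a comment such as `/* Stage 1: apply attributemap/attributealter before the stats entry; filtering to the configured 'attributes' list and the session write-back happen after the stats block. */` would record the intent, if that ordering is indeed the reason (I am inferring it from the placement, not from visible code). `$idpmetadata` is looked up from `$session->getIdP()`; if `getMetaData()` can return null or throw for an unknown IdP, the filter is handed incomplete metadata, so a one-line comment on the expected failure mode (or a guard) is worth adding. The enclosing try block starts before the second hunk and continues past the third, which is cut off at the end of the page.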