Added method to generate a persistent user identifier, and an attributealter...

Added method to generate a persistent user identifier, and an attributealter function for generating the eduPersonTargetedID attribute.


git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@535 44740490-163a-0410-bde0-09ae8108e29a

attributealter/alterfunctions.php

@@ -97,3 +97,11 @@ function attributealter_realm(&$attributes, $spentityid = null, $idpentityid = n
 
 }
 
+function attributealter_edupersontargetedid(&$attributes, $spEntityId = null, $idpEntityId = null) {
+	assert('$spEntityId !== NULL');
+	assert('$idpEntityId !== NULL');
+
+	$userid = SimpleSAML_Utilities::generateUserIdentifier($idpEntityId, $spEntityId, $attributes);
+
+	$attributes['eduPersonTargetedID'] = array($userid);
+}

config-templates/config.php

@@ -55,6 +55,16 @@ $config = array (
 	'auth.adminpassword'		=> '123',
 	'admin.protectindexpage'	=> false,
 	'admin.protectmetadata'		=> false,
+
+	/**
+	 * This is a secret salt used by simpleSAMLphp when it needs to generate a secure hash
+	 * of a value. It must be changed from its default value to a secret value. The value of
+	 * 'secretsalt' can be any valid string of any length.
+	 *
+	 * A possible way to generate a random salt is by running the following command from a unix shell:
+	 * tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz' </dev/urandom | dd bs=32 count=1 2>/dev/null;echo
+	 */
+	'secretsalt' => 'defaultsecretsalt',
 	
 	/*
 	 * Some information about the technical persons running this installation.

docs/source/simplesamlphp-idp.xml

@@ -371,6 +371,20 @@ openssl x509 -req -days 60 -in server2.csr -signkey server2.key -out server2.crt
               Features</emphasis> document.</para>
             </glossdef>
           </glossentry>
+
+          <glossentry>
+            <glossterm>userid.attribute</glossterm>
+
+            <glossdef>
+              <para>The attribute name of an attribute which uniquely
+              identifies the user. This attribute is used if simpleSAMLphp
+              needs to generate a persistent unique identifier for the
+              user. This option can be set in both the IdP-hosted and the
+              SP-remote metadata. The value in the sp-remote metadata has the
+              highest priority. The default value is
+              <literal>eduPersonPrincipalName</literal>.</para>
+            </glossdef>
+          </glossentry>
         </glosslist>
       </section>
 
@@ -605,6 +619,20 @@ openssl x509 -req -days 60 -in server2.csr -signkey server2.key -out server2.crt
               not specify a sharedkey.</para>
             </glossdef>
           </glossentry>
+
+          <glossentry>
+            <glossterm>userid.attribute</glossterm>
+
+            <glossdef>
+              <para>The attribute name of an attribute which uniquely
+              identifies the user. This attribute is used if simpleSAMLphp
+              needs to generate a persistent unique identifier for the
+              user. This option can be set in both the IdP-hosted and the
+              SP-remote metadata. The value in the sp-remote metadata has the
+              highest priority. The default value is
+              <literal>eduPersonPrincipalName</literal>.</para>
+            </glossdef>
+          </glossentry>
         </glosslist>
       </section>
     </section>

lib/SimpleSAML/Utilities.php

@@ -3,6 +3,7 @@
 require_once((isset($SIMPLESAML_INCPREFIX)?$SIMPLESAML_INCPREFIX:'') . 'SimpleSAML/Configuration.php');
 require_once((isset($SIMPLESAML_INCPREFIX)?$SIMPLESAML_INCPREFIX:'') . 'SimpleSAML/XHTML/Template.php');
 require_once((isset($SIMPLESAML_INCPREFIX)?$SIMPLESAML_INCPREFIX:'') . 'SimpleSAML/Logger.php');
+require_once((isset($SIMPLESAML_INCPREFIX)?$SIMPLESAML_INCPREFIX:'') . 'SimpleSAML/Metadata/MetaDataStorageHandler.php');
 
 /**
  * Misc static functions that is used several places.in example parsing and id generation.
@@ -806,6 +807,70 @@ class SimpleSAML_Utilities {
 		}
 	}
 
+
+	/**
+	 * This function is used to generate a non-revesible unique identifier for a user.
+	 * The identifier should be persistent (unchanging) for a given SP-IdP federation.
+	 * The identifier can be shared between several different SPs connected to the same IdP, or it
+	 * can be unique for each SP.
+	 *
+	 * @param $idpEntityId  The entity id of the IdP.
+	 * @param $spEntityId   The entity id of the SP.
+	 * @param $attributes   The attributes of the user.
+	 * @return A non-reversible unique identifier for the user.
+	 */
+	public static function generateUserIdentifier($idpEntityId, $spEntityId, $attributes) {
+		$metadataHandler = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
+		$idpMetadata = $metadataHandler->getMetaData($idpEntityId, 'saml20-idp-hosted');
+		$spMetadata = $metadataHandler->getMetaData($spEntityId, 'saml20-sp-remote');
+
+		if(array_key_exists('userid.attribute', $spMetadata)) {
+			$attributeName = $spMetadata['userid.attribute'];
+		} elseif(array_key_exists('userid.attribute', $idpMetadata)) {
+			$attributeName = $idpMetadata['userid.attribute'];
+		} else {
+			$attributeName = 'eduPersonPrincipalName';
+		}
+
+		if(!array_key_exists($attributeName, $attributes)) {
+			throw new Exception('Missing attribute "' . $attributeName . '" for user. Cannot' .
+			                    ' generate user id.');
+		}
+
+		$attributeValue = $attributes[$attributeName];
+		if(count($attributeValue) !== 1) {
+			throw new Exception('Attribute "' . $attributeName . '" for user did not contain exactly' .
+			                    ' one value. Cannot generate user id.');
+		}
+
+		$attributeValue = $attributeValue[0];
+		if(empty($attributeValue)) {
+			throw new Exception('Attribute "' . $attributeName . '" for user was empty. Cannot' .
+			                    ' generate user id.');
+		}
+
+
+		$secretSalt = SimpleSAML_Configuration::getInstance()->getValue('secretsalt');
+		if(empty($secretSalt)) {
+			throw new Exception('The "secretsalt" configuration option must be set before user' .
+			                    ' ids can be generated.');
+		}
+		if($secretSalt === 'defaultsecretsalt') {
+			throw new Exception('The "secretsalt" configuration option must be set to a secret' .
+			                    ' value.');
+		}
+
+		$uidData = 'uidhashbase' . $secretSalt;
+		$uidData .= strlen($idpEntityId) . ':' . $idpEntityId;
+		$uidData .= strlen($spEntityId) . ':' . $spEntityId;
+		$uidData .= strlen($attributeValue) . ':' . $attributeValue;
+		$uidData .= $secretSalt;
+
+		$userid = hash('sha1', $uidData);
+
+		return $userid;
+	}
+
 }
 
 ?>
\ No newline at end of file

metadata-templates/saml20-idp-hosted.php

@@ -12,6 +12,7 @@
  *   - authority
  *
  * Optional Parameters:
+ *   - 'userid.attribute'
  *
  *
  * Request signing (optional paramters)

metadata-templates/saml20-sp-remote.php

@@ -19,6 +19,7 @@
  *   - 'simplesaml.attributes'	=>	true,
  *   - 'attributemap'		=>	'test',
  *   - 'attributes'			=>	array('mail'),
+ *   - 'userid.attribute'
  *
  * Request signing
  *    When request.signing is true the certificate of the sp 

www/admin/metadata.php

@@ -57,7 +57,7 @@ try {
 		foreach ($metalist AS $entityid => $mentry) {
 			$results[$entityid] = SimpleSAML_Utilities::checkAssocArrayRules($mentry,
 				array('entityid', 'host', 'privatekey', 'certificate', 'auth'),
-				array('requireconsent','request.signing', 'authority', 'attributemap', 'attributealter')
+				array('requireconsent','request.signing', 'authority', 'attributemap', 'attributealter', 'userid.attribute')
 			);
 		}
 		$et->data['metadata.saml20-idp-hosted'] = $results;
@@ -67,7 +67,7 @@ try {
 		foreach ($metalist AS $entityid => $mentry) {
 			$results[$entityid] = SimpleSAML_Utilities::checkAssocArrayRules($mentry,
 				array('entityid', 'AssertionConsumerService'),
-				array('SingleLogoutService', 'NameIDFormat', 'SPNameQualifier', 'base64attributes', 'simplesaml.nameidattribute', 'attributemap', 'attributealter', 'simplesaml.attributes', 'attributes', 'name', 'description','request.signing','certificate', 'ForceAuthn', 'sharedkey', 'assertion.encryption')
+				array('SingleLogoutService', 'NameIDFormat', 'SPNameQualifier', 'base64attributes', 'simplesaml.nameidattribute', 'attributemap', 'attributealter', 'simplesaml.attributes', 'attributes', 'name', 'description','request.signing','certificate', 'ForceAuthn', 'sharedkey', 'assertion.encryption', 'userid.attribute')
 			);
 		}
 		$et->data['metadata.saml20-sp-remote'] = $results;