diff --git a/attributealter/alterfunctions.php b/attributealter/alterfunctions.php
index 9f765c2fddef6b7f3ffa94084ff2525b99be5781..3e3ec46b299d3f98e53b06e5e801b1166a98b089 100644
--- a/attributealter/alterfunctions.php
+++ b/attributealter/alterfunctions.php
@@ -97,3 +97,11 @@ function attributealter_realm(&$attributes, $spentityid = null, $idpentityid = n
}
+function attributealter_edupersontargetedid(&$attributes, $spEntityId = null, $idpEntityId = null) {
+ assert('$spEntityId !== NULL');
+ assert('$idpEntityId !== NULL');
+
+ $userid = SimpleSAML_Utilities::generateUserIdentifier($idpEntityId, $spEntityId, $attributes);
+
+ $attributes['eduPersonTargetedID'] = array($userid);
+}
diff --git a/config-templates/config.php b/config-templates/config.php
index a6bfd6a937c60ba7c61da9457e2432b34941acd6..2b80c424db377f1efa7bab315097d9670965eba7 100644
--- a/config-templates/config.php
+++ b/config-templates/config.php
@@ -55,6 +55,16 @@ $config = array (
'auth.adminpassword' => '123',
'admin.protectindexpage' => false,
'admin.protectmetadata' => false,
+
+ /**
+ * This is a secret salt used by simpleSAMLphp when it needs to generate a secure hash
+ * of a value. It must be changed from its default value to a secret value. The value of
+ * 'secretsalt' can be any valid string of any length.
+ *
+ * A possible way to generate a random salt is by running the following command from a unix shell:
+ * tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz' </dev/urandom | dd bs=32 count=1 2>/dev/null;echo
+ */
+ 'secretsalt' => 'defaultsecretsalt',
/*
* Some information about the technical persons running this installation.
diff --git a/docs/source/simplesamlphp-idp.xml b/docs/source/simplesamlphp-idp.xml
index 288d561244644180dcd586513c1be688db9f0339..f62bb7d7e289a569a28bfe893174b59a12cf052e 100644
--- a/docs/source/simplesamlphp-idp.xml
+++ b/docs/source/simplesamlphp-idp.xml
@@ -371,6 +371,20 @@ openssl x509 -req -days 60 -in server2.csr -signkey server2.key -out server2.crt
Features</emphasis> document.</para>
</glossdef>
</glossentry>
+
+ <glossentry>
+ <glossterm>userid.attribute</glossterm>
+
+ <glossdef>
+ <para>The attribute name of an attribute which uniquely
+ identifies the user. This attribute is used if simpleSAMLphp
+ needs to generate a persistent unique identifier for the
+ user. This option can be set in both the IdP-hosted and the
+ SP-remote metadata. The value in the sp-remote metadata has the
+ highest priority. The default value is
+ <literal>eduPersonPrincipalName</literal>.</para>
+ </glossdef>
+ </glossentry>
</glosslist>
</section>
@@ -605,6 +619,20 @@ openssl x509 -req -days 60 -in server2.csr -signkey server2.key -out server2.crt
not specify a sharedkey.</para>
</glossdef>
</glossentry>
+
+ <glossentry>
+ <glossterm>userid.attribute</glossterm>
+
+ <glossdef>
+ <para>The attribute name of an attribute which uniquely
+ identifies the user. This attribute is used if simpleSAMLphp
+ needs to generate a persistent unique identifier for the
+ user. This option can be set in both the IdP-hosted and the
+ SP-remote metadata. The value in the sp-remote metadata has the
+ highest priority. The default value is
+ <literal>eduPersonPrincipalName</literal>.</para>
+ </glossdef>
+ </glossentry>
</glosslist>
</section>
</section>
diff --git a/lib/SimpleSAML/Utilities.php b/lib/SimpleSAML/Utilities.php
index 7b9ec58168d1392d1d24f1682c8aafb0a4287639..3bacd2b58c70e37d2d27bf90caa9e2954eba6c52 100644
--- a/lib/SimpleSAML/Utilities.php
+++ b/lib/SimpleSAML/Utilities.php
@@ -3,6 +3,7 @@
require_once((isset($SIMPLESAML_INCPREFIX)?$SIMPLESAML_INCPREFIX:'') . 'SimpleSAML/Configuration.php');
require_once((isset($SIMPLESAML_INCPREFIX)?$SIMPLESAML_INCPREFIX:'') . 'SimpleSAML/XHTML/Template.php');
require_once((isset($SIMPLESAML_INCPREFIX)?$SIMPLESAML_INCPREFIX:'') . 'SimpleSAML/Logger.php');
+require_once((isset($SIMPLESAML_INCPREFIX)?$SIMPLESAML_INCPREFIX:'') . 'SimpleSAML/Metadata/MetaDataStorageHandler.php');
/**
* Misc static functions that is used several places.in example parsing and id generation.
@@ -806,6 +807,70 @@ class SimpleSAML_Utilities {
}
}
+
+ /**
+ * This function is used to generate a non-revesible unique identifier for a user.
+ * The identifier should be persistent (unchanging) for a given SP-IdP federation.
+ * The identifier can be shared between several different SPs connected to the same IdP, or it
+ * can be unique for each SP.
+ *
+ * @param $idpEntityId The entity id of the IdP.
+ * @param $spEntityId The entity id of the SP.
+ * @param $attributes The attributes of the user.
+ * @return A non-reversible unique identifier for the user.
+ */
+ public static function generateUserIdentifier($idpEntityId, $spEntityId, $attributes) {
+ $metadataHandler = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
+ $idpMetadata = $metadataHandler->getMetaData($idpEntityId, 'saml20-idp-hosted');
+ $spMetadata = $metadataHandler->getMetaData($spEntityId, 'saml20-sp-remote');
+
+ if(array_key_exists('userid.attribute', $spMetadata)) {
+ $attributeName = $spMetadata['userid.attribute'];
+ } elseif(array_key_exists('userid.attribute', $idpMetadata)) {
+ $attributeName = $idpMetadata['userid.attribute'];
+ } else {
+ $attributeName = 'eduPersonPrincipalName';
+ }
+
+ if(!array_key_exists($attributeName, $attributes)) {
+ throw new Exception('Missing attribute "' . $attributeName . '" for user. Cannot' .
+ ' generate user id.');
+ }
+
+ $attributeValue = $attributes[$attributeName];
+ if(count($attributeValue) !== 1) {
+ throw new Exception('Attribute "' . $attributeName . '" for user did not contain exactly' .
+ ' one value. Cannot generate user id.');
+ }
+
+ $attributeValue = $attributeValue[0];
+ if(empty($attributeValue)) {
+ throw new Exception('Attribute "' . $attributeName . '" for user was empty. Cannot' .
+ ' generate user id.');
+ }
+
+
+ $secretSalt = SimpleSAML_Configuration::getInstance()->getValue('secretsalt');
+ if(empty($secretSalt)) {
+ throw new Exception('The "secretsalt" configuration option must be set before user' .
+ ' ids can be generated.');
+ }
+ if($secretSalt === 'defaultsecretsalt') {
+ throw new Exception('The "secretsalt" configuration option must be set to a secret' .
+ ' value.');
+ }
+
+ $uidData = 'uidhashbase' . $secretSalt;
+ $uidData .= strlen($idpEntityId) . ':' . $idpEntityId;
+ $uidData .= strlen($spEntityId) . ':' . $spEntityId;
+ $uidData .= strlen($attributeValue) . ':' . $attributeValue;
+ $uidData .= $secretSalt;
+
+ $userid = hash('sha1', $uidData);
+
+ return $userid;
+ }
+
}
?>
\ No newline at end of file
diff --git a/metadata-templates/saml20-idp-hosted.php b/metadata-templates/saml20-idp-hosted.php
index d87cef831aa9b9c5cd4065a0bec06d6b41a67ad7..73ec7b00fae1afff873d85b8d176abada1d61e36 100644
--- a/metadata-templates/saml20-idp-hosted.php
+++ b/metadata-templates/saml20-idp-hosted.php
@@ -12,6 +12,7 @@
* - authority
*
* Optional Parameters:
+ * - 'userid.attribute'
*
*
* Request signing (optional paramters)
diff --git a/metadata-templates/saml20-sp-remote.php b/metadata-templates/saml20-sp-remote.php
index a3e47e257d0c5652217d02c3f2f110844a9a93c7..c9f6b88aedd23ad1978a162cf16b49d8bf2c5347 100644
--- a/metadata-templates/saml20-sp-remote.php
+++ b/metadata-templates/saml20-sp-remote.php
@@ -19,6 +19,7 @@
* - 'simplesaml.attributes' => true,
* - 'attributemap' => 'test',
* - 'attributes' => array('mail'),
+ * - 'userid.attribute'
*
* Request signing
* When request.signing is true the certificate of the sp
diff --git a/www/admin/metadata.php b/www/admin/metadata.php
index c690214458f5f251a20e286cca54ef2e8ec8b67a..0c7f982f965e49abf33382ae18326ae4c4b6437b 100644
--- a/www/admin/metadata.php
+++ b/www/admin/metadata.php
@@ -57,7 +57,7 @@ try {
foreach ($metalist AS $entityid => $mentry) {
$results[$entityid] = SimpleSAML_Utilities::checkAssocArrayRules($mentry,
array('entityid', 'host', 'privatekey', 'certificate', 'auth'),
- array('requireconsent','request.signing', 'authority', 'attributemap', 'attributealter')
+ array('requireconsent','request.signing', 'authority', 'attributemap', 'attributealter', 'userid.attribute')
);
}
$et->data['metadata.saml20-idp-hosted'] = $results;
@@ -67,7 +67,7 @@ try {
foreach ($metalist AS $entityid => $mentry) {
$results[$entityid] = SimpleSAML_Utilities::checkAssocArrayRules($mentry,
array('entityid', 'AssertionConsumerService'),
- array('SingleLogoutService', 'NameIDFormat', 'SPNameQualifier', 'base64attributes', 'simplesaml.nameidattribute', 'attributemap', 'attributealter', 'simplesaml.attributes', 'attributes', 'name', 'description','request.signing','certificate', 'ForceAuthn', 'sharedkey', 'assertion.encryption')
+ array('SingleLogoutService', 'NameIDFormat', 'SPNameQualifier', 'base64attributes', 'simplesaml.nameidattribute', 'attributemap', 'attributealter', 'simplesaml.attributes', 'attributes', 'name', 'description','request.signing','certificate', 'ForceAuthn', 'sharedkey', 'assertion.encryption', 'userid.attribute')
);
}
$et->data['metadata.saml20-sp-remote'] = $results;