From b4deda71ae43c62b6c6d6a77715f48a09255c029 Mon Sep 17 00:00:00 2001 From: Olav Morken <olav.morken@uninett.no> Date: Fri, 16 Mar 2012 14:59:26 +0000 Subject: [PATCH] Rename SAML 2.0 IdP option AttributeNameFormat to attributes.NameFormat. Add 'attributes.NameFormat' as the preferred name for this option, so that it matches what the metadata parser extracts. Backwards compatibility with 'AttributeNameFormat' is also provided. git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@3049 44740490-163a-0410-bde0-09ae8108e29a --- docs/simplesamlphp-idp.txt | 2 +- docs/simplesamlphp-reference-idp-hosted.txt | 4 ++- docs/simplesamlphp-reference-sp-remote.txt | 4 ++- metadata-templates/saml20-idp-hosted.php | 2 +- modules/authX509/docs/authX509.txt | 2 +- modules/core/docs/authproc_targetedid.txt | 2 +- modules/saml/lib/IdP/SAML2.php | 40 ++++++++++++++++++--- 7 files changed, 45 insertions(+), 11 deletions(-) diff --git a/docs/simplesamlphp-idp.txt b/docs/simplesamlphp-idp.txt index 4be6f07fa..b246dec66 100644 --- a/docs/simplesamlphp-idp.txt +++ b/docs/simplesamlphp-idp.txt @@ -154,7 +154,7 @@ The [interoperable SAML 2 profile](http://saml2int.org/profile/current) specifie We therefore recommended enabling this in new installations. This can be done by adding the following to the saml20-idp-hosted configuration: - 'AttributeNameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri', + 'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri', 'authproc' => array( // Convert LDAP names to oids. 100 => array('class' => 'core:AttributeMap', 'name2oid'), diff --git a/docs/simplesamlphp-reference-idp-hosted.txt b/docs/simplesamlphp-reference-idp-hosted.txt index 08fa994aa..c4490b1a7 100644 --- a/docs/simplesamlphp-reference-idp-hosted.txt +++ b/docs/simplesamlphp-reference-idp-hosted.txt 
@@ -133,7 +133,7 @@ The following SAML 2.0 options are available: : Note that this option can be set for each SP in the SP-remote metadata. -`AttributeNameFormat` +`attributes.NameFormat` : What value will be set in the Format field of attribute statements. This parameter can be configured multiple places, and the actual value used is fetched from metadata by the following @@ -163,6 +163,8 @@ The following SAML 2.0 options are available: any value in the SP-remote metadata overrides the one configured in the IdP metadata. +: (This option was previously named `AttributeNameFormat`.) + `https.certificate` : The certificate used by the webserver when handling connections. This certificate will be added to the generated metadata of the IdP, diff --git a/docs/simplesamlphp-reference-sp-remote.txt b/docs/simplesamlphp-reference-sp-remote.txt index a3d9c68c4..bc1592535 100644 --- a/docs/simplesamlphp-reference-sp-remote.txt +++ b/docs/simplesamlphp-reference-sp-remote.txt @@ -123,7 +123,7 @@ The following SAML 2.0 options are available: : The value of this option is specified in one of several [endpoint formats](./simplesamlphp-metadata-endpoints). -`AttributeNameFormat` +`attributes.NameFormat` : What value will be set in the Format field of attribute statements. This parameter can be configured multiple places, and the actual value used is fetched from metadata by the following @@ -153,6 +153,8 @@ The following SAML 2.0 options are available: entry in the SP-remote metadata overrides the option in the IdP-hosted metadata. +: (This option was previously named `AttributeNameFormat`.) + `ForceAuthn` : Set this `TRUE` to force the user to reauthenticate when the IdP receives authentication requests from this SP. The default is diff --git a/metadata-templates/saml20-idp-hosted.php b/metadata-templates/saml20-idp-hosted.php index a714a7ec2..d470e9805 100644 --- a/metadata-templates/saml20-idp-hosted.php +++ b/metadata-templates/saml20-idp-hosted.php 
@@ -25,7 +25,7 @@ $metadata['__DYNAMIC:1__'] = array( /* Uncomment the following to use the uri NameFormat on attributes. */ /* - 'AttributeNameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri', + 'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri', 'authproc' => array( // Convert LDAP names to oids. 100 => array('class' => 'core:AttributeMap', 'name2oid'), diff --git a/modules/authX509/docs/authX509.txt b/modules/authX509/docs/authX509.txt index 91f21e36d..4992e617f 100644 --- a/modules/authX509/docs/authX509.txt +++ b/modules/authX509/docs/authX509.txt @@ -100,7 +100,7 @@ can hack your metadata/saml20-idp-hosted.php file that way: 'authority' => 'login', 'userid.attribute' => 'uid', 'logouttype' => 'iframe', - 'AttributeNameFormat' => + 'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri', ) diff --git a/modules/core/docs/authproc_targetedid.txt b/modules/core/docs/authproc_targetedid.txt index 72a482599..f6cea7da7 100644 --- a/modules/core/docs/authproc_targetedid.txt +++ b/modules/core/docs/authproc_targetedid.txt @@ -56,7 +56,7 @@ Internet2 compatible `eduPersontargetedID`: 'name2oid', ), ), - 'AttributeNameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri', + 'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri', 'attributeencodings' => array( 'urn:oid:1.3.6.1.4.1.5923.1.1.1.10' => 'raw', /* eduPersonTargetedID with oid NameFormat. */ ), diff --git a/modules/saml/lib/IdP/SAML2.php b/modules/saml/lib/IdP/SAML2.php index 0b64d0c5c..a7d04b384 100644 --- a/modules/saml/lib/IdP/SAML2.php +++ b/modules/saml/lib/IdP/SAML2.php 
@@ -621,6 +621,40 @@ class sspmod_saml_IdP_SAML2 { } + /** + * Determine which NameFormat we should use for attributes. + * + * @param SimpleSAML_Configuration $idpMetadata The metadata of the IdP. + * @param SimpleSAML_Configuration $spMetadata The metadata of the SP. + * @return string The NameFormat. + */ + private static function getAttributeNameFormat(SimpleSAML_Configuration $idpMetadata, SimpleSAML_Configuration $spMetadata) { + + /* Try SP metadata first. */ + $attributeNameFormat = $spMetadata->getString('attributes.NameFormat', NULL); + if ($attributeNameFormat !== NULL) { + return $attributeNameFormat; + } + $attributeNameFormat = $spMetadata->getString('AttributeNameFormat', NULL); + if ($attributeNameFormat !== NULL) { + return $attributeNameFormat; + } + + /* Look in IdP metadata. */ + $attributeNameFormat = $idpMetadata->getString('attributes.NameFormat', NULL); + if ($attributeNameFormat !== NULL) { + return $attributeNameFormat; + } + $attributeNameFormat = $idpMetadata->getString('AttributeNameFormat', NULL); + if ($attributeNameFormat !== NULL) { + return $attributeNameFormat; + } + + /* Default. */ + return 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic'; + } + + /** * Build an assertion based on information in the metadata. * @@ -687,11 +721,7 @@ class sspmod_saml_IdP_SAML2 { /* Add attributes. */ if ($spMetadata->getBoolean('simplesaml.attributes', TRUE)) { - $attributeNameFormat = $spMetadata->getString('AttributeNameFormat', NULL); - if ($attributeNameFormat === NULL) { - $attributeNameFormat = $idpMetadata->getString('AttributeNameFormat', - 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic'); - } + $attributeNameFormat = self::getAttributeNameFormat($idpMetadata, $spMetadata); $a->setAttributeNameFormat($attributeNameFormat); $attributes = self::encodeAttributes($idpMetadata, $spMetadata, $state['Attributes']); $a->setAttributes($attributes); -- GitLab
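Review bot: getAttributeNameFormat returns a value read under the legacy `AttributeNameFormat` key with no signal to the operator, so a deployment that never migrates keeps running on a path the docs now mention only in a parenthetical; the two legacy branches in the new method are the place to emit a deprecation warning through the project's logger (the logger class this file uses is not visible in the hunk — confirm before adding the call). Doing that also makes it natural to collapse the four near-identical lookups into one loop over the SP and IdP metadata in precedence order, which keeps the behaviour the hunk implements (SP-remote over IdP-hosted, new key over old, default `basic`) in one readable statement. The returned string goes straight into `$a->setAttributeNameFormat()` in the second hunk, and since the commit message says the new key matches what the metadata parser extracts, an SP-remote entry populated from parsed metadata can presumably supply it; it may be worth checking it against the three NameFormat URIs SAML 2.0 defines (`attrname-format:unspecified`, `:uri`, `:basic`) and at least logging anything else rather than emitting it unchanged. The new method is complete within the hunk; the assertion builder touched by the second hunk starts and ends outside it.

```php
	private static function getAttributeNameFormat(SimpleSAML_Configuration $idpMetadata, SimpleSAML_Configuration $spMetadata) {

		/* SP-remote metadata wins over IdP-hosted; the new key wins over the legacy one. */
		foreach (array($spMetadata, $idpMetadata) as $metadata) {
			$attributeNameFormat = $metadata->getString('attributes.NameFormat', NULL);
			if ($attributeNameFormat !== NULL) {
				return $attributeNameFormat;
			}
			$attributeNameFormat = $metadata->getString('AttributeNameFormat', NULL);
			if ($attributeNameFormat !== NULL) {
				/* Deprecated option name: warn through the project's logger here so operators migrate. */
				return $attributeNameFormat;
			}
		}

		/* … unchanged: default 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic' … */
	}
```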