This module ensures that scoped attributes (such as eduPersonPrincipalName) have the right scopes defined in the entity metadata.
It removes values
- that should be scoped (see
attributesWithScope
below) but are not; - whose scope does not match shibmd:Scope element in the metadata.
Additionally, it is also capable to handle 'scope attributes' such as schacHomeOrganization that should be equivalent to shibmd:Scope
element in the metadata.
- Regular expressions in
shibmd:Scope
are not supported. - It is recommended to run this filter after oid2name. Please note that attribute names in the module configuration are case sensitive and must match the names in attributemaps.
- 'scope Attributes' must be singled valued, otherwise they are removed.
- Specifying an attribute in multiple configuration options is likely a user configuration issue. A value will only pass if it conforms to the validation rule for each configured option.
You can install the module with composer:
composer require niif/simplesamlphp-module-attributescope
config/config.php
authproc.sp = array(
...
// 49 => array('class' => 'core:AttributeMap', 'oid2name'),
// Verify scoped attributes with the metadata:
50 => array(
'class' => 'attributescope:FilterAttributes',
// Default attributes with scope attributes.
// 'attributesWithScope' => array('eduPersonPrincipalName', 'eduPersonScopedAffiliation'),
// Default scopeAttribute
// 'scopeAttributes' => array('schacHomeOrganization'),
),
attributesWithScope
an array of attributes that should be scoped and should match the scope from the metadataattributesWithScopeSuffix
an array of attributes that have the scope as a suffix. For example,[email protected]
anddepartment.example.com
are both suffixed withexample.com
. Useful when an SP is reliant onmail
attribute to identify users and the IdP users various subdomains for mail.scopeAttributes
an array of attributes that should exactly match the scope from the metadataignoreCheckForEntities
an array of IdP entity IDs to skip scope checking for. Useful when an IdP is a SAML proxy and is trusted to assert any scope.ignoreCase
ignore the case of the scoped attribute. The new 'Subject Identifier Attributes' profile stipulates that comparison should be case insensitive. Default is false, for backwards compatability.
./vendor/phpunit/phpunit/phpunit