NIIF/simplesamlphp-module-attributescope

Attributescope filter module

This module ensures that scoped attributes (such as eduPersonPrincipalName) carry a scope that the asserting IdP is allowed to use, as declared by the shibmd:Scope elements in that IdP's entity metadata. Without such a check, any IdP in a federation could assert identifiers in another organisation's scope.

It removes values

  • that should be scoped (see attributesWithScope below) but are not;
  • whose scope does not match any shibmd:Scope element in the IdP's metadata.

Additionally, it can handle 'scope attributes' such as schacHomeOrganization, whose value must itself be equal to a shibmd:Scope element in the metadata.

Notes and limitations

  • Regular expressions in shibmd:Scope (regexp="true") are not supported.
  • It is recommended to run this filter after oid2name. Note that attribute names in the module configuration are case sensitive and must match the friendly names used in the attribute maps.
  • 'scope attributes' must be single-valued; multi-valued ones are removed.
  • Specifying the same attribute in multiple configuration options is most likely a configuration mistake. A value only passes if it satisfies the validation rule of every option it is listed under.

Installing the module

You can install the module with composer:

composer require niif/simplesamlphp-module-attributescope

Example configuration

config/config.php

    'authproc.sp' => array(
        ...
        // Map OID attribute names to friendly names first; this filter matches on friendly names:
        // 49 => array('class' => 'core:AttributeMap', 'oid2name'),
        // Verify scoped attributes against the IdP metadata:
        50 => array(
            'class' => 'attributescope:FilterAttributes',
            // Default scoped attributes (uncomment to override):
            // 'attributesWithScope' => array('eduPersonPrincipalName', 'eduPersonScopedAffiliation'),
            // Default scope attribute (uncomment to override):
            // 'scopeAttributes' => array('schacHomeOrganization'),
        ),
    ),

Configuration options

  • attributesWithScope: an array of attributes that must be scoped (value of the form local@scope) and whose scope must match a scope from the metadata.
  • attributesWithScopeSuffix: an array of attributes whose values must end with a scope from the metadata. For example, a mail address at example.com and department.example.com are both suffixed with example.com. Useful when an SP relies on the mail attribute to identify users and the IdP uses various subdomains for mail.
  • scopeAttributes: an array of attributes whose single value must exactly match a scope from the metadata.
  • ignoreCheckForEntities: an array of IdP entity IDs for which scope checking is skipped. Useful when an IdP is a SAML proxy and is trusted to assert any scope; every entity listed here is fully trusted, so keep the list short.
  • ignoreCase: ignore the case of the scope when comparing. The new 'Subject Identifier Attributes' profile stipulates that the comparison should be case insensitive. Default is false, for backwards compatibility.
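To make the rules above concrete, here is an added stand-alone re-implementation of the filtering logic described in this README, run against constructed sample data. It is illustration only, not the module's own code. It assumes the IdP's scopes are available as the 'scope' array of the remote IdP metadata (as SimpleSAMLphp's saml20-idp-remote 'scope' option provides them), that the suffix check requires an '@' or '.' boundary in front of the scope so that notexample.com does not pass for example.com, that ignoreCase also applies to scope attributes, and that an attribute left with no values is dropped. The module's exact behaviour on those points may differ; check its source before relying on them.

```php
<?php
declare(strict_types=1);

// Added illustration of the rules in this README, not the module's own code.
// Assumptions (see lead-in): scopes come from $idpMetadata['scope'], the
// suffix rule needs an '@' or '.' boundary, and empty attributes are dropped.

function matchesScope(string $candidate, array $scopes, bool $ignoreCase): bool
{
    foreach ($scopes as $scope) {
        if ($ignoreCase ? strcasecmp($candidate, $scope) === 0 : $candidate === $scope) {
            return true;
        }
    }
    return false;
}

function hasScopeSuffix(string $value, array $scopes, bool $ignoreCase): bool
{
    foreach ($scopes as $scope) {
        $len = strlen($scope);
        if (strlen($value) <= $len) {
            continue;
        }
        $tail   = substr($value, -$len);
        $sep    = $value[strlen($value) - $len - 1];
        $tailOk = $ignoreCase ? strcasecmp($tail, $scope) === 0 : $tail === $scope;
        if ($tailOk && ($sep === '@' || $sep === '.')) {   // assumed boundary rule
            return true;
        }
    }
    return false;
}

function filterScopedAttributes(array $attributes, array $config, array $idpMetadata): array
{
    if (in_array($idpMetadata['entityid'], $config['ignoreCheckForEntities'] ?? [], true)) {
        return $attributes;   // trusted proxy: may assert any scope
    }
    $scopes     = $idpMetadata['scope'] ?? [];
    $ignoreCase = (bool)($config['ignoreCase'] ?? false);

    // 1. attributesWithScope: value must be 'local@scope' with a metadata scope.
    foreach ($config['attributesWithScope'] ?? [] as $name) {
        if (!isset($attributes[$name])) {
            continue;
        }
        $attributes[$name] = array_values(array_filter(
            $attributes[$name],
            function (string $v) use ($scopes, $ignoreCase): bool {
                $at = strrpos($v, '@');
                return $at !== false && matchesScope(substr($v, $at + 1), $scopes, $ignoreCase);
            }
        ));
    }

    // 2. attributesWithScopeSuffix: value must end in a metadata scope.
    foreach ($config['attributesWithScopeSuffix'] ?? [] as $name) {
        if (!isset($attributes[$name])) {
            continue;
        }
        $attributes[$name] = array_values(array_filter(
            $attributes[$name],
            fn(string $v): bool => hasScopeSuffix($v, $scopes, $ignoreCase)
        ));
    }

    // 3. scopeAttributes: exactly one value, equal to a metadata scope.
    foreach ($config['scopeAttributes'] ?? [] as $name) {
        if (!isset($attributes[$name])) {
            continue;
        }
        $vals = $attributes[$name];
        if (count($vals) !== 1 || !matchesScope($vals[0], $scopes, $ignoreCase)) {
            $attributes[$name] = [];
        }
    }

    // Drop attributes that lost all their values (assumed behaviour).
    return array_filter($attributes, fn(array $vals): bool => $vals !== []);
}

// Constructed sample data: one IdP allowed to assert example.com only.
$idpMetadata = ['entityid' => 'https://idp.example.com/saml2/idp', 'scope' => ['example.com']];
$config = [
    'attributesWithScope'       => ['eduPersonPrincipalName', 'eduPersonScopedAffiliation'],
    'attributesWithScopeSuffix' => ['mail'],
    'scopeAttributes'           => ['schacHomeOrganization'],
    'ignoreCheckForEntities'    => ['https://proxy.example.net/saml2/idp'],
    'ignoreCase'                => true,
];
$attributes = [
    'eduPersonPrincipalName'     => ['alice@Example.com', 'alice'],               // 2nd: unscoped
    'eduPersonScopedAffiliation' => ['member@example.com', 'staff@attacker.example'],
    'mail'                       => ['alice@mail.example.com', 'alice@example.org'],
    'schacHomeOrganization'      => ['example.com', 'other.org'],                 // multi-valued
    'displayName'                => ['Alice'],                                    // not configured
];

print_r(filterScopedAttributes($attributes, $config, $idpMetadata));
```

Running this keeps alice@Example.com (case ignored), member@example.com and alice@mail.example.com, leaves displayName untouched, and removes the unscoped 'alice', the foreign-scope affiliation, the example.org mail and the whole multi-valued schacHomeOrganization. Switching ignoreCase to false additionally removes alice@Example.com, which is the backwards-compatible default.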

Development

Running tests

    ./vendor/phpunit/phpunit/phpunit
