AttributeLimit: bugfix + proper documentation for the new functionality.
git-svn-id: http://simplesamlphp.googlecode.com/svn/trunk@3353 44740490-163a-0410-bde0-09ae8108e29a
parent
d90d3061aa
commit
5eba6d7f6d
@ -1,15 +1,18 @@
|
||||||
`core:AttributeLimit`
|
`core:AttributeLimit`
|
||||||
=====================
|
=====================
|
||||||
|
|
||||||
Filter that limits the attributes that is sent to a user.
|
A filter that limits the attributes (and their values) sent to a service provider.
|
||||||
|
|
||||||
If the configuration is empty, the filter will use the attributes configured in the 'attributes' option in the SP metadata.
|
If the configuration is empty, the filter will use the attributes configured in the `attributes` option in the SP
|
||||||
|
metadata. The configuration is a list of attributes that should be allowed. In case you want to limit an attribute to
|
||||||
The configuration is a list of which attributes should be allowed.
|
release some specific values, make the name of the attribute the key of the array, and its value an array with all the
|
||||||
|
different values allowed for it.
|
||||||
|
|
||||||
Examples
|
Examples
|
||||||
--------
|
--------
|
||||||
|
|
||||||
|
Here you will find a few examples on how to use this simple module:
|
||||||
|
|
||||||
Limit to the `cn` and `mail` attribute:
|
Limit to the `cn` and `mail` attribute:
|
||||||
|
|
||||||
'authproc' => array(
|
'authproc' => array(
|
||||||
|
@ -19,35 +22,72 @@ Limit to the `cn` and `mail` attribute:
|
||||||
),
|
),
|
||||||
),
|
),
|
||||||
|
|
||||||
Allow `eduPersonTargetedID` and `eduPersonAffiliation` by default, but allow metadata to override.
|
Allow `eduPersonTargetedID` and `eduPersonAffiliation` by default, but allow the metadata to override the limitation.
|
||||||
|
|
||||||
'authproc' => array(
|
'authproc' => array(
|
||||||
50 => array(
|
50 => array(
|
||||||
'class' => 'core:AttributeLimit',
|
'class' => 'core:AttributeLimit',
|
||||||
'default' => TRUE,
|
'default' => TRUE,
|
||||||
'eduPersonTargetedID', 'eduPersonAffiliation',
|
'eduPersonTargetedID', 'eduPersonAffiliation',
|
||||||
),
|
),
|
||||||
),
|
),
|
||||||
|
|
||||||
Don't allow any attributes by default, but allow metadata to override.
|
Don't allow any attributes by default, but allow the metadata to override it.
|
||||||
|
|
||||||
'authproc' => array(
|
'authproc' => array(
|
||||||
50 => array(
|
50 => array(
|
||||||
'class' => 'core:AttributeLimit',
|
'class' => 'core:AttributeLimit',
|
||||||
'default' => TRUE,
|
'default' => TRUE,
|
||||||
),
|
),
|
||||||
),
|
),
|
||||||
|
|
||||||
An attribute list in metadata:
|
In order to just use the list of attributes defined in the metadata for each service provider, configure the module
|
||||||
|
like this:
|
||||||
|
|
||||||
'authproc' => array(
|
'authproc' => array(
|
||||||
50 => 'core:AttributeLimit',
|
50 => 'core:AttributeLimit',
|
||||||
),
|
),
|
||||||
|
|
||||||
And in saml20-sp-remote.php:
|
Then, add the allowed attributes to each service provider metadata, in the `attributes` option:
|
||||||
|
|
||||||
$metadata['https://saml2sp.example.org'] = array(
|
$metadata['https://saml2sp.example.org'] = array(
|
||||||
'AssertionConsumerService' => 'https://saml2sp.example.org/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
|
'AssertionConsumerService' => 'https://saml2sp.example.org/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
|
||||||
'SingleLogoutService' => 'https://saml2sp.example.org/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp',
|
'SingleLogoutService' => 'https://saml2sp.example.org/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp',
|
||||||
|
...
|
||||||
'attributes' => array('cn', 'mail'),
|
'attributes' => array('cn', 'mail'),
|
||||||
|
...
|
||||||
);
|
);
|
||||||
|
|
||||||
|
Now, let's look to a couple of examples on how to filter out attribute values. First, allow only the entitlements known
|
||||||
|
to be used by a service provider (among other attributes):
|
||||||
|
|
||||||
|
$metadata['https://saml2sp.example.org'] = array(
|
||||||
|
'AssertionConsumerService' => 'https://saml2sp.example.org/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
|
||||||
|
'SingleLogoutService' => 'https://saml2sp.example.org/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp',
|
||||||
|
...
|
||||||
|
'attributes' => array(
|
||||||
|
'uid',
|
||||||
|
'mail',
|
||||||
|
'eduPersonEntitlement' => array(
|
||||||
|
'urn:mace:example.org:admin',
|
||||||
|
'urn:mace:example.org:user',
|
||||||
|
),
|
||||||
|
),
|
||||||
|
...
|
||||||
|
);
|
||||||
|
|
||||||
|
Now, an example on how to normalize the affiliations sent from an identity provider, to make sure that no custom
|
||||||
|
values ever reach the service providers. Bear in mind that this configuration can be overridden by metadata:
|
||||||
|
|
||||||
|
'authproc' => array(
|
||||||
|
50 => 'core:AttributeLimit',
|
||||||
|
'default' => TRUE,
|
||||||
|
'eduPersonAffiliation' => array(
|
||||||
|
'student',
|
||||||
|
'staff',
|
||||||
|
'member',
|
||||||
|
'faculty',
|
||||||
|
'employee',
|
||||||
|
'affiliate',
|
||||||
|
),
|
||||||
|
),
|
||||||
|
|
|
@ -110,7 +110,7 @@ class sspmod_core_Auth_Process_AttributeLimit extends SimpleSAML_Auth_Processing
|
||||||
// the attribute name is not in the array of allowed attributes
|
// the attribute name is not in the array of allowed attributes
|
||||||
if (array_key_exists($name, $allowedAttributes)) {
|
if (array_key_exists($name, $allowedAttributes)) {
|
||||||
// but it is an index of the array
|
// but it is an index of the array
|
||||||
if (!is_array($values)) {
|
if (!is_array($allowedAttributes[$name])) {
|
||||||
throw new SimpleSAML_Error_Exception('AttributeLimit: Values for ' . var_export($name, TRUE) .
|
throw new SimpleSAML_Error_Exception('AttributeLimit: Values for ' . var_export($name, TRUE) .
|
||||||
' must be specified in an array.');
|
' must be specified in an array.');
|
||||||
}
|
}
|
||||||
|
|
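Review bot: The corrected guard `if (!is_array($allowedAttributes[$name]))` now fails closed with an exception when a key-form entry is not an array, which is the right behaviour for a filter that enforces attribute release, but the two comment fragments around it ("the attribute name is not in the array of allowed attributes" / "but it is an index of the array") no longer describe the case as a whole; replace them with one comment such as `// $name is not listed as a plain value but appears as a key: the entry must then be an array holding the only values allowed for this attribute, so a malformed entry aborts rather than releasing everything`. Since these entries can also come from the per-SP `attributes` metadata option documented in this commit, stating that the exception is deliberate (not a bug to be caught and ignored) helps the next maintainer keep the fail-closed behaviour. The enclosing method starts and ends outside the hunk, so the value filtering that presumably follows this check could not be reviewed here; if it uses `array_intersect` or a loose `in_array`, a strict comparison is worth confirming.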