94 lines
3.2 KiB
Plaintext
94 lines
3.2 KiB
Plaintext
`core:AttributeLimit`
|
|
=====================
|
|
|
|
A filter that limits the attributes (and their values) sent to a service provider.
|
|
|
|
If the configuration is empty, the filter will use the attributes configured in the `attributes` option in the SP
|
|
metadata. The configuration is a list of attributes that should be allowed. In case you want to limit an attribute to
|
|
release some specific values, make the name of the attribute the key of the array, and its value an array with all the
|
|
different values allowed for it.
|
|
|
|
Examples
|
|
--------
|
|
|
|
Here you will find a few examples on how to use this simple module:
|
|
|
|
Limit to the `cn` and `mail` attribute:
|
|
|
|
'authproc' => array(
|
|
50 => array(
|
|
'class' => 'core:AttributeLimit',
|
|
'cn', 'mail'
|
|
),
|
|
),
|
|
|
|
Allow `eduPersonTargetedID` and `eduPersonAffiliation` by default, but allow the metadata to override the limitation.
|
|
|
|
'authproc' => array(
|
|
50 => array(
|
|
'class' => 'core:AttributeLimit',
|
|
'default' => TRUE,
|
|
'eduPersonTargetedID', 'eduPersonAffiliation',
|
|
),
|
|
),
|
|
|
|
Don't allow any attributes by default, but allow the metadata to override it.
|
|
|
|
'authproc' => array(
|
|
50 => array(
|
|
'class' => 'core:AttributeLimit',
|
|
'default' => TRUE,
|
|
),
|
|
),
|
|
|
|
In order to just use the list of attributes defined in the metadata for each service provider, configure the module
|
|
like this:
|
|
|
|
'authproc' => array(
|
|
50 => 'core:AttributeLimit',
|
|
),
|
|
|
|
Then, add the allowed attributes to each service provider metadata, in the `attributes` option:
|
|
|
|
$metadata['https://saml2sp.example.org'] = array(
|
|
'AssertionConsumerService' => 'https://saml2sp.example.org/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
|
|
'SingleLogoutService' => 'https://saml2sp.example.org/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp',
|
|
...
|
|
'attributes' => array('cn', 'mail'),
|
|
...
|
|
);
|
|
|
|
Now, let's look to a couple of examples on how to filter out attribute values. First, allow only the entitlements known
|
|
to be used by a service provider (among other attributes):
|
|
|
|
$metadata['https://saml2sp.example.org'] = array(
|
|
'AssertionConsumerService' => 'https://saml2sp.example.org/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
|
|
'SingleLogoutService' => 'https://saml2sp.example.org/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp',
|
|
...
|
|
'attributes' => array(
|
|
'uid',
|
|
'mail',
|
|
'eduPersonEntitlement' => array(
|
|
'urn:mace:example.org:admin',
|
|
'urn:mace:example.org:user',
|
|
),
|
|
),
|
|
...
|
|
);
|
|
|
|
Now, an example on how to normalize the affiliations sent from an identity provider, to make sure that no custom
|
|
values ever reach the service providers. Bear in mind that this configuration can be overridden by metadata:
|
|
|
|
'authproc' => array(
|
|
50 => 'core:AttributeLimit',
|
|
'default' => TRUE,
|
|
'eduPersonAffiliation' => array(
|
|
'student',
|
|
'staff',
|
|
'member',
|
|
'faculty',
|
|
'employee',
|
|
'affiliate',
|
|
),
|
|
),
|