Skip to content

NIIF/simplesamlphp-module-attributescope

master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
1 branch 4 tags
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
lib/Auth/Process
 
 
tests
 
 
.editorconfig
 
 
.gitignore
 
 
.travis.yml
 
 
README.md
 
 
composer.json
 
 
composer.lock
 
 
default-enable
 
 
phpunit.xml
 
 
Attributescope filter module Notes and limitations Installing the module Example configuration Configurations Options Development Runing tests

README.md

Attributescope filter module

Build Status

This module ensures that scoped attributes (such as eduPersonPrincipalName) have the right scopes defined in the entity metadata.

It removes values

  • that should be scoped (see attributesWithScope below) but are not;
  • whose scope does not match shibmd:Scope element in the metadata.

Additionally, it is also capable to handle 'scope attributes' such as schacHomeOrganization that should be equivalent to shibmd:Scope element in the metadata.

Notes and limitations

  • Regular expressions in shibmd:Scope are not supported.
  • It is recommended to run this filter after oid2name. Please note that attribute names in the module configuration are case sensitive and must match the names in attributemaps.
  • 'scope Attributes' must be singled valued, otherwise they are removed.
  • Specifying an attribute in multiple configuration options is likely a user configuration issue. A value will only pass if it conforms to the validation rule for each configured option.

Installing the module

You can install the module with composer:

composer require niif/simplesamlphp-module-attributescope

Example configuration

config/config.php

   authproc.sp = array(
       ...
        // 49 => array('class' => 'core:AttributeMap', 'oid2name'),
        // Verify scoped attributes with the metadata:
        50 => array(
            'class' => 'attributescope:FilterAttributes',
            // Default attributes with scope attributes.
            // 'attributesWithScope' => array('eduPersonPrincipalName', 'eduPersonScopedAffiliation'),
            // Default scopeAttribute
            // 'scopeAttributes' => array('schacHomeOrganization'),
       ),

Configurations Options

  • attributesWithScope an array of attributes that should be scoped and should match the scope from the metadata
  • attributesWithScopeSuffix an array of attributes that have the scope as a suffix. For example, user@department.example.com and department.example.com are both suffixed with example.com. Useful when an SP is reliant on mail attribute to identify users and the IdP users various subdomains for mail.
  • scopeAttributes an array of attributes that should exactly match the scope from the metadata
  • ignoreCheckForEntities an array of IdP entity IDs to skip scope checking for. Useful when an IdP is a SAML proxy and is trusted to assert any scope.
  • ignoreCase ignore the case of the scoped attribute. The new 'Subject Identifier Attributes' profile stipulates that comparison should be case insensitive. Default is false, for backwards compatability.

Development

Runing tests

./vendor/phpunit/phpunit/phpunit

About

Filter to remove attribute values which are not properly scoped.

Resources

Readme

Stars

1 star

Watchers

7 watching

Forks

3 forks
Report repository

Releases 2

option to allow case insensitive scope Latest
Jun 28, 2018
+ 1 release

Packages

No packages published

Contributors 4

  •  
  •  
  •  
  •  

Languages