Support different levels of authentication


Fred Trotter

20 Dec 2008 19:02:15
to simpleSAMLphp
This is as much a question regarding what SAML is capable of as
anything else. Because of the great help found on these forums I have
been able to get my IDP working in the way I want to.

My IDP actually has several different mechanisms in place to determine
whether a person is who they say they are; (assurance).

I would like to be able to pass these "levels of assurance" back to
the service providers.

Ideally I would like to be able to pass a message like:

I am sure that jsmith is John Smith because of
Verification Method A
Verification Method B
Verification Method C

or

I am sure that jdoe is John Doe because of
Verification Method B

I could live with something like
John Smith is verified to level 5
John Doe is verified to level 3

Can someone point me towards information about how to do this with
SAML generally, and advice about how to do it with SimpleSAML
specifically?

-FT

Lasse Birnbaum Jensen

24 Dec 2008 03:23:22
to simple...@googlegroups.com
You could just pass it back as an attribute. Aka eduPersonAssurance

https://spaces.internet2.edu/display/macedir/Draft+-+eduPersonAssurance

/Lasse

Fred Trotter

6 Jan 2009 21:27:56
to simpleSAMLphp
Ok now I have a SimpleSAML question...

What is a good source file for how to set arbitrary extra attributes?

-FT

On Dec 24 2008, 2:23 am, Lasse Birnbaum Jensen <la...@sdu.dk> wrote:
> You could just pass it back as an attribute. Aka eduPersonAssurance
>
> https://spaces.internet2.edu/display/macedir/Draft+-+eduPersonAssurance
>
> /Lasse
>

Lasse Birnbaum Jensen

7 Jan 2009 02:55:14
to simpleSAMLphp
Use the attributefilter mechanism

Kind regards

Lasse Birnbaum Jensen
Network Administrator, IT Service

Tel. 6550 2873
Mobile 6011 2873
Fax 6550 2860
Email la...@sdu.dk
Web http://intern.sdu.dk/enheder/it-service/ansatte/lbj-2881/
Address Campusvej 55, 5230 Odense M

SYDDANSK UNIVERSITET
_______________________________________________________________
Campusvej 55 * 5230 * Odense M * Tel. 6550 1000 * www.sdu.dk


> -----Original message-----
> From: simple...@googlegroups.com
> [mailto:simple...@googlegroups.com] On behalf of Fred Trotter
> Sent: 7 January 2009 03:28
> To: simpleSAMLphp
> Subject: Re: Support different levels of authentication

Fred Trotter

9 Jan 2009 01:17:26
to simpleSAMLphp
Ok. I have no idea what that means; "simplesamlphp attributefilter
mechanism" returns nothing from Google.
Perhaps a link to documentation or into code?

I am willing to read code, but the structure of the code is more than
a little inscrutable. Plus I can see that a critical file in the
process, SSOService.php, gives errors, but since I cannot figure out
how to turn off the redirect before it goes back to the sp, I have no
idea what the errors are. Perhaps the next stage is to try the process
with lynx, which will let me control the redirect.


I will document my continued efforts in the hopes that someone can
explain a little more clearly.

In my authentication module I build attributes like this:

$attributes = array(
    'username' => $qls->user_info['username'],
    'name' => $qls->user_info['username'],
    'email' => $qls->user_info['email']
);


then later.....

$session->setAttributes($attributes);

Ok.. that sounds promising "setAttributes" sounds lovely.

But then I go over to my sp (also simplesaml) and try the following,
in my authentication.php file, which is successfully getting past the
following if statement...

if (!isset($session) || !$session->isValid('saml2') ) {

So it should be working. When I try this...


$attributes = $session->getAttributes();

echo "<br> Attributes <br>";

foreach ($attributes as $key => $value) {
    // simpleSAMLphp stores each attribute value as an array of strings,
    // so join it rather than printing the array directly
    echo "$key = " . implode(', ', (array) $value) . " <br>";
}

I get nothing. Zip, nada.

Why does the session not include information about the attributes? Do
I need to set something to actually retain attributes?
I do not even get username... which would be pretty useful...

What do I need to do to get attributes to persist on the sp side?

-FT

Andreas Åkre Solberg

13 Jan 2009 02:13:10
to simple...@googlegroups.com, fred trotter

On 9. jan.2009, at 07:17, Fred Trotter wrote:

> Plus I can see that a critical file in the
> process gives errors. SSOService.php, but since I cannot figure out
> how to turn off the redirect before it goes back to the sp, I have no
> idea what the errors are. Perhaps the next stage is to try the process
> with lynx, which will let me control the redirect.

Here are some tips:

1) If you want to trace PHP errors, run 'tail -f' on the apache error
log. A standard configuration of PHP will print all errors there.
2) The $attributes array that you pass to setAttributes MUST include
multi-valued attributes. (An array of arrays). A simple way to
approach that is modifying your code:
'username' => array($qls->user_info['username']),
'email' => array($qls->user_info['email'])
etc.
3) In config.php, set 'debug' => TRUE. Doing this will make
simpleSAMLphp show you a debug page in SSOService just before the SAML
message is sent back to the SP. Why is this a good idea? You can look
into the SAML message and see if there are any attributes, then you
know whether your problem is on the SP or on the IdP side.

I hope this helps, let us know how it goes.

kind regards
Andreas.


--
Andreas Åkre Solberg
=andreas
http://rnd.feide.no
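Putting Lasse's and Andreas's advice together, here is an added example (not code from this thread or from the simpleSAMLphp project) that builds the multi-valued attribute array setAttributes() expects, carries the IdP's verification methods as eduPersonAssurance values, and shows how an SP would check them. The method names, the assurance URI prefix and the user record are assumptions constructed for illustration.

```php
<?php
// Added example, not from the thread or simpleSAMLphp itself.
// Assumed: the IdP knows which of its verification methods (A, B, C in the
// thread) succeeded for this login. The URI prefix is a placeholder namespace.
const ASSURANCE_PREFIX = 'urn:example:assurance:';

/**
 * IdP side: build the array for $session->setAttributes().
 * Every attribute value is an array of strings (multi-valued), as Andreas
 * points out; one eduPersonAssurance value is emitted per verification
 * method so the SP can see *why* the user is trusted, not just a level.
 *
 * @param array $userInfo stands in for $qls->user_info
 * @param array $methods  verification methods that succeeded, e.g. array('A','B')
 * @return array attribute name => array of string values
 */
function buildAttributes(array $userInfo, array $methods) {
    $assurance = array();
    foreach ($methods as $m) {
        $assurance[] = ASSURANCE_PREFIX . strtolower(trim($m));
    }
    if (count($assurance) === 0) {
        // Refuse to assert an identity that no method actually verified.
        throw new InvalidArgumentException('no verification method succeeded');
    }
    return array(
        'username'           => array($userInfo['username']),
        'email'              => array($userInfo['email']),
        'eduPersonAssurance' => array_values(array_unique($assurance)),
    );
}

/**
 * SP side: after $session->getAttributes(), decide whether the login was
 * established by a required method. Values arrive as arrays, so the check
 * is a membership test, never a scalar comparison.
 */
function meetsAssurance(array $attributes, $requiredMethod) {
    $values = isset($attributes['eduPersonAssurance'])
        ? (array) $attributes['eduPersonAssurance'] : array();
    return in_array(ASSURANCE_PREFIX . strtolower($requiredMethod), $values, true);
}

// Constructed sample input in place of $qls->user_info and the IdP's records.
$attrs = buildAttributes(
    array('username' => 'jsmith', 'email' => 'jsmith@example.org'),
    array('A', 'B')
);
// $session->setAttributes($attrs);            // what the IdP would do next
var_dump(meetsAssurance($attrs, 'B'));         // required method was used
var_dump(meetsAssurance($attrs, 'C'));         // required method was not used
```

With 'debug' => TRUE in config.php you can confirm the eduPersonAssurance values appear in the SAML assertion before blaming the SP side.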

Fred Trotter

15 Jan 2009 21:39:27
to simpleSAMLphp
Andreas... you are a beautiful man. Do not let anyone tell you
otherwise!!

Thanks!

On Jan 13, 1:13 am, Andreas Åkre Solberg <andreas.solb...@uninett.no>
wrote: