Filter scoped attributes based on metadata


Kristof Bajnok

Nov 13, 2015, 8:35:14 AM
to SimpleSAMLphp
Hi,

in case you want to verify scoped attributes at the SP by using
shibmd:Scope metadata element, you may have a look at:

https://github.com/NIIF/simplesamlphp-module-attributescope

Actually I remembered wrong that the predecessor of this code had ever
been properly published. Thanks to Peter Schober for pointing this out.

Credits to the eduID.hu team:
* Adam Lantos (for writing the fundamentals back in 2010)
* Tamas Frank
* Gyula Szabo

Any feedback is welcome.

Kristof

Jaime Perez Crespo

Nov 13, 2015, 9:01:41 AM
to simple...@googlegroups.com
Hi Kristof,
Thanks for pointing this out!

May I list it on SimpleSAMLphp’s homepage?

--
Jaime Pérez
UNINETT / Feide
mail: jaime...@uninett.no
xmpp: ja...@jabber.uninett.no

"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost

Peter Schober

Nov 13, 2015, 9:05:34 AM
to SimpleSAMLphp
* Kristof Bajnok <baj...@niif.hu> [2015-11-13 14:35]:
> in case you want to verify scoped attributes at the SP by using
> shibmd:Scope metadata element, you may have a look at:
>
> https://github.com/NIIF/simplesamlphp-module-attributescope

Thanks, Kristof (and folks at NIIF), that's great!

Getting that into SSP proper (and maybe even shipping it enabled by
default!) would be great. Then at least going forward SAML SPs
receiving eduPerson attributes could easily protect themselves from
incorrectly/fraudulently scoped attributes.

The default values for the 'attributesWithScope' array can be picked
from the eduPerson spec, http://macedir.org/specs/eduperson/#Scope
I.e., array('eduPersonPrincipalName', 'eduPersonPrincipalNamePrior',
'eduPersonScopedAffiliation', 'eduPersonUniqueId')

Note that oid2name.php (and name2oid and others) are still missing
entries for 'eduPersonPrincipalNamePrior' and 'eduPersonUniqueId'.
(Many of the maps have other issues as well, I'm just pointing these
out here since the 'attributesWithScope' array wouldn't work unless
entries in the oid2name attribute map for those attributes existed.)

The README.md and/or project description could maybe use a link to
SimpleSAMLphp somewhere (though it's clear from the repo name) but
if we're aiming at inclusion within SSP proper then that's all
irrelevant. ;)
-peter
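The check discussed above, as an added stand-alone illustration (not the module's code, nor any SimpleSAMLphp code): it reads the IdP's shibmd:Scope elements from a constructed metadata fragment, then drops every value of a scoped attribute whose scope the IdP is not entitled to assert, using the default attribute list from this message. Case-insensitive comparison of literal scopes and "the scope is whatever follows the last '@'" are assumptions, as are the sample metadata and attribute values.

```python
import re
import xml.etree.ElementTree as ET
# Default list of scoped attributes suggested in the thread (taken from the eduPerson spec).
ATTRIBUTES_WITH_SCOPE = ['eduPersonPrincipalName', 'eduPersonPrincipalNamePrior',
                         'eduPersonScopedAffiliation', 'eduPersonUniqueId']
SHIBMD_NS = 'urn:mace:shibboleth:metadata:1.0'
# Constructed IdP metadata fragment: one literal scope and one regexp scope (regexp="true").
IDP_METADATA = f"""<IDPSSODescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:shibmd="{SHIBMD_NS}"><Extensions>
  <shibmd:Scope regexp="false">example.edu</shibmd:Scope>
  <shibmd:Scope regexp="true">^.+\\.example\\.edu$</shibmd:Scope>
</Extensions></IDPSSODescriptor>"""
# Constructed attribute set as an SP might receive it; the last two affiliation values carry forged scopes.
SAMPLE_ATTRIBUTES = {
    'eduPersonPrincipalName': ['alice@example.edu'],
    'eduPersonScopedAffiliation': ['member@example.edu', 'student@cs.example.edu',
                                   'staff@evil.example', 'staff@example.edu.evil.example'],
    'eduPersonUniqueId': ['no-scope-here'],  # malformed (no '@'): cannot be verified, so dropped
    'mail': ['alice@anything.example'],      # not a scoped attribute: passed through untouched
}

def parse_scopes(metadata_xml):
    """Return [(scope, is_regexp)] for every shibmd:Scope element in the IdP metadata."""
    root = ET.fromstring(metadata_xml)
    return [((el.text or '').strip(), el.get('regexp', 'false').lower() == 'true')
            for el in root.iter(f'{{{SHIBMD_NS}}}Scope')]

def scope_allowed(scope, allowed):
    """Literal scopes compare case-insensitively (an assumption); regexp scopes are matched as patterns."""
    for value, is_regexp in allowed:
        if is_regexp and re.search(value, scope):
            return True
        if not is_regexp and value.lower() == scope.lower():
            return True
    return False

def value_scope_ok(value, allowed):
    """The scope is the part after the last '@'; a missing local part or scope can never be verified."""
    local, _, scope = value.rpartition('@')
    return bool(local and scope) and scope_allowed(scope, allowed)

def filter_scoped_attributes(attributes, allowed, scoped_names=ATTRIBUTES_WITH_SCOPE):
    """Drop every value of a scoped attribute whose scope the IdP may not assert per its metadata."""
    result = {}
    for name, values in attributes.items():
        if name in scoped_names:
            values = [v for v in values if value_scope_ok(v, allowed)]
        if values:  # an attribute with no verifiable value left is removed entirely
            result[name] = list(values)
    return result
```

Running `filter_scoped_attributes(SAMPLE_ATTRIBUTES, parse_scopes(IDP_METADATA))` keeps only the two affiliation values scoped to example.edu or a subdomain of it, and removes eduPersonUniqueId because its value has no verifiable scope.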

Kristof Bajnok

Nov 13, 2015, 9:24:47 AM
to simple...@googlegroups.com
On 2015-11-13 15:01, Jaime Perez Crespo wrote:
> Hi Kristof,
>
>> On 13 Nov 2015, at 14:35 PM, Kristof Bajnok <baj...@niif.hu> wrote:
>> Hi,
>>
>> in case you want to verify scoped attributes at the SP by using
>> shibmd:Scope metadata element, you may have a look at:
>>
>> https://github.com/NIIF/simplesamlphp-module-attributescope
>>
>> Actually I remembered wrong that the predecessor of this code had ever
>> been properly published. Thanks to Peter Schober for pointing this out.
>>
>> Credits to the eduID.hu team:
>> * Adam Lantos (for writing the fundamentals back in 2010)
>> * Tamas Frank
>> * Gyula Szabo
>>
>> Any feedback is welcome.
>
> Thanks for pointing this out!
>
> May I list it on SimpleSAMLphp’s homepage?

Thanks, go ahead.

Some external testing would make me more reassured, so please report if
anything is missing.

Kristof

Jaime Perez Crespo

Nov 18, 2015, 5:24:53 AM
to simple...@googlegroups.com
Hi!

I’ve just added the module to the list:

https://github.com/NIIF/simplesamlphp-module-attributescope

Many thanks again for this contribution!

By the way, while I was adding it I was wondering if this shouldn’t be something done by default in SSP. Maybe include it in the ‘core’ module and add it by default in the configuration templates?

Peter Schober

Nov 18, 2015, 7:33:28 AM
to simple...@googlegroups.com
* Jaime Perez Crespo <jaime...@uninett.no> [2015-11-18 11:24]:
> By the way, while I was adding it I was wondering if this shouldn’t
> be something done by default in SSP. Maybe include it in the ‘core’
> module and add it by default in the configuration templates?

Definitively. Which is why/what I wrote earlier in this thread:

* Peter Schober <peter....@univie.ac.at> [2015-11-13 15:05]:
> Getting that into SSP proper (and maybe even shipping it enabled by
> default!) would be great. Then at least going forward SAML SPs
> receiving eduPerson attributes could easily protect themselves from
> incorrectly/fraudulently scoped attributes.

-peter