Add samlp:extensions to authsources.php | SimpleSamlPHP


andrei...@gmail.com

Mar 14, 2018, 6:29:59 AM3/14/18
to SimpleSAMLphp
What I wish to accomplish is adding the following example to the AuthnRequest:

    <samlp:Extensions>
        <somens:TheExtensionName xmlns:somens="http://uriofextension/">
            <somens:TheExtensionName Name="AttributeName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                isRequired="true"/>
        </somens:TheExtensionName >
    </samlp:Extensions>

By using authsources.php, how am I able to accomplish that?

I've read the documentation at https://simplesamlphp.org/docs/stable/saml:sp, under section 5.8 "Using samlp:Extensions":

    $dom = \SAML2\DOMDocumentFactory::create();
    $ce = $dom->createElementNS('http://www.example.com/XFoo', 'xfoo:test', 'Test data!');
    $ext[] = new \SAML2\XML\Chunk($ce);

    $auth = new \SimpleSAML\Auth\Simple('default-sp');
    $auth->login(array(
        'saml:Extensions' => $ext,
    ));

But where should this code be included? I've added it to authsources.php without luck and can't figure out how to use it; consider also my lack of knowledge regarding PHP, so maybe I'm just messing things up.

This is what I've tried in authsources.php, but this results in a blank page when accessing the test of configured authentication sources.


I should add that I'm using SimpleSAMLphp under a Docker image.

    <?php
    // Build the extension element; $ext must be an array of Chunk objects.
    $dom = \SAML2\DOMDocumentFactory::create();
    $ce = $dom->createElementNS('http://www.example.com/XFoo', 'xfoo:test', 'Test data!');
    $ext = array();
    $ext[] = new \SAML2\XML\Chunk($ce);

    $config = array(
        'sp.name' => array(
            'saml:SP',
            'privatekey'  => '/certs/privkey.pem',
            'certificate' => '/certs/fullchain.pem',
            'entityID' => 'entityID',
            'idp' => 'idpID',
            'saml:Extensions' => $ext,
        ),
    );

Tom Scavo

Mar 14, 2018, 10:22:03 AM3/14/18
to simpleSAMLphp
On Wed, Mar 14, 2018 at 6:29 AM, <andrei...@gmail.com> wrote:
> What I wish to accomplish is adding the following example to Authnrequest
>
> <samlp:Extensions>
> <somens:TheExtensionName xmlns:somens="http://uriofextension/">
> <somens:TheExtensionName Name="AttributeName"
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
> isRequired="true"/>
> </somens:TheExtensionName >
> </samlp:Extensions>

There already is a standard (though little known) extension for
requested attributes in the AuthnRequest:

https://www.oasis-open.org/committees/document.php?document_id=61388&wg_abbrev=security

Please don't try to invent something new.

Thanks,

Tom

andrei...@gmail.com

Mar 14, 2018, 11:09:20 AM3/14/18
to SimpleSAMLphp
Hi Tom, thanks for answering. I'm not trying to reinvent the wheel; this is how the IdP expects the attributes to be requested. I just wanted to know how to use samlp:Extensions directly under authsources.php.

I managed to accomplish it using a request directly in PHP; here is the code I used, based on an example of connecting to SimpleSAMLphp.

<?php
//Load SimpleSAMLphp.
require_once('/var/www/simplesamlphp/lib/_autoload.php');

//Initiate a SimpleSAML_Auth_Simple object.
$as = new SimpleSAML_Auth_Simple('name-of-sp-on-ssp');

$dom = SAML2_DOMDocumentFactory::create();

$attributes_ext = $dom->createElementNS('namespaceuri', 'fa:RequestedAttributes');

$item = $dom->createElementNS('namespaceuri', 'fa:RequestedAttribute');
$attrName = $dom->createAttribute('Name');
$attrName->value = 'nameofattribute';

$attrNameFormat = $dom->createAttribute('NameFormat');
$attrNameFormat->value = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri";

$attrRequirement = $dom->createAttribute('isRequired');
$attrRequirement->value = "true";

$item->appendChild($attrName);
$item->appendChild($attrNameFormat);
$item->appendChild($attrRequirement);

$attributes_ext->appendChild($item);
$ext = array();
$ext[] = new SAML2_XML_Chunk($attributes_ext);

$as->login(array(
'saml:Extensions' => $ext,
));

//If the user is not authenticated, authenticate the user
$as->requireAuth();

//Get the users attributes and print them.
$attributes = $as->getAttributes();
print_r($attributes);

//Output the attributes to a file
$myFile = "/tmp/attributes.log";
$fh = fopen($myFile, 'a') or die("can't open file");
$stringData = print_r($attributes, true);
fwrite($fh, $stringData);
fclose($fh);

//Displays a Login and Logout link
$url_in = $as->getLoginURL();
$url_out = $as->getLogoutURL();
print('<br><a href="' . htmlspecialchars($url_in) . '">Login</a>');
print('<br><a href="' . htmlspecialchars($url_out) . '">Logout</a><br>');

//If using PHP sessions in SimpleSAMLphp cleanup the SimpleSAMLphp session to be able to use $_SESSION
$session = SimpleSAML_Session::getSessionFromRequest();
$session->cleanup();

//Display PHP information
phpinfo();
?>
</body>
</html>

This is related to a previous question I asked; the SP is described in the other question, as well as the IdP, and I was also able to make a valid request as per the IdP's rules.

But the question remains, as I don't want to be dependent on PHP, since I wish to integrate this as an IdP proxy for Keycloak SAML IdP brokering.

How can I achieve the same using only authsources.php?

So far I've used the same DOMElement construction in authsources.php, but without luck.
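Added example (not code from the thread or from the SimpleSAMLphp project): the same requested-attributes extension built by a helper that takes a list of attributes, using the namespaced class names from the documentation quoted above. The namespace URI, the attribute names and the authsource name 'default-sp' are placeholders that must match what the IdP and your own configuration define.

```php
<?php
// Added example: build a samlp:Extensions child listing requested attributes
// and hand it to SimpleSAMLphp's login() as the documented 'saml:Extensions'
// option. Namespace URI, attribute names and 'default-sp' are placeholders.
require_once('/var/www/simplesamlphp/lib/_autoload.php');

/**
 * Build one RequestedAttributes element wrapped as a \SAML2\XML\Chunk.
 *
 * @param string $ns    Namespace URI the IdP expects (placeholder here).
 * @param array  $attrs Map of attribute Name => bool isRequired.
 * @return \SAML2\XML\Chunk[] Value for the 'saml:Extensions' login option.
 */
function buildRequestedAttributesExtension($ns, array $attrs)
{
    $dom  = \SAML2\DOMDocumentFactory::create();
    $root = $dom->createElementNS($ns, 'fa:RequestedAttributes');
    $dom->appendChild($root);

    foreach ($attrs as $name => $required) {
        $item = $dom->createElementNS($ns, 'fa:RequestedAttribute');
        // setAttribute() replaces the createAttribute()/appendChild() pairs.
        $item->setAttribute('Name', $name);
        $item->setAttribute('NameFormat', 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri');
        $item->setAttribute('isRequired', $required ? 'true' : 'false');
        $root->appendChild($item);
    }

    // Chunk carries an arbitrary DOMElement so the SAML2 library can copy it
    // unchanged into <samlp:Extensions> of the outgoing AuthnRequest.
    return array(new \SAML2\XML\Chunk($root));
}

// Constructed sample input: two attributes by OID, one mandatory.
$ext = buildRequestedAttributesExtension(
    'http://uriofextension/',   // placeholder namespace from the thread
    array(
        'urn:oid:0.9.2342.19200300.100.1.3' => true,   // mail
        'urn:oid:2.5.4.42'                  => false,  // givenName
    )
);

$as = new \SimpleSAML\Auth\Simple('default-sp');
if (!$as->isAuthenticated()) {
    // login() redirects to the IdP and does not return.
    $as->login(array('saml:Extensions' => $ext));
}
print_r($as->getAttributes());
```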

Peter Schober

Mar 14, 2018, 3:57:39 PM3/14/18
to SimpleSAMLphp
* andrei...@gmail.com <andrei...@gmail.com> [2018-03-14 16:09]:
> But the question remains, as I don't want to be dependent on PHP

What does that mean when SimpleSAMLphp is written in PHP?

-peter

Andre Ilhicas Santos

Mar 14, 2018, 4:01:22 PM3/14/18
to SimpleSAMLphp
Hello Peter, I mean I wish to connect with SimpleSAMLphp but don't want my apps to be in PHP and live in the same place as SimpleSAMLphp, like the example provided.
