Authproc filters in IdP's authsources?


J Morais

Jun 16, 2017, 8:34:18 AM6/16/17
to SimpleSAMLphp
I have an IdP with LDAP sources and non-LDAP sources.

For the LDAP sources I'm getting an attribute "sAMAccountName" after authentication. I'd like to take that attribute and fetch additional details from a separate database, which would be stored in other attributes.

I was expecting to do this with authproc filters, but for some reason IdPs can't have authsource-specific filters.

I can use config.php or the metadata file (there is only one IdP, so both apply to everything), but I'm afraid this sort of thing would open the possibility of non-LDAP sources bypassing their proper authorization flow by returning sAMAccountName. Is there another, better way to do this?

J Morais

Jun 19, 2017, 10:17:35 AM6/19/17
to SimpleSAMLphp
Ok, even with the insecure implementation (just gobbling up sAMAccountName if present) I can't get this to work.

It would appear that the IdP is not including the new attributes in the SAMLResponse that it posts to the SP's login service.

1. I add the new attributes to the map of attributes using an authproc, for example:

    public function process(&$request) {
        ...
        // assigns a bare integer, not an array of string values
        $request['Attributes']["id_user"] = 1234;
    }

2. I made a login request and examined it using Firefox's developer tools. The generated SAML has the attribute, but no value for it:

        <saml:AttributeStatement>
            <saml:Attribute Name="sAMAccountName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
                <saml:AttributeValue xsi:type="xs:string">myusername</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="id_user" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" />
        </saml:AttributeStatement>

3. SimpleSAML does not handle this with good grace:

Warning: Invalid argument supplied for foreach() in (...)/simplesamlphp/modules/saml/lib/IdP/SAML2.php on line 695

Am I missing something?

J Morais

Jun 19, 2017, 10:26:31 AM6/19/17
to SimpleSAMLphp
Oh, I guess the attribute must always contain a list of values. That wasn't clear to me.
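Added example, not code from the thread or from the SimpleSAMLphp project: a 1.x-style IdP authproc filter that does the database lookup the first post asks for, gates it on the authsource that actually authenticated the user instead of on the mere presence of sAMAccountName, and stores the result as the array of strings the SAML2 encoder expects (the empty AttributeValue and the foreach() warning in the second post come from assigning a scalar). The module name mymodule, the class name, the users table and its columns, the DSN and the authsource ID ldap-corp are all assumptions; the SimpleSAML_Auth_Source.id state key is what the core's initLogin() records in 1.14-era releases, but verify it on your version, and with multiauth it names the wrapper source rather than the delegated one, so the key is made configurable.

```php
<?php
/**
 * Example IdP-side authproc filter for SimpleSAMLphp 1.x (added example, not
 * project code). Install as modules/mymodule/lib/Auth/Process/DbEnrich.php
 * (module name assumed) and enable it in metadata/saml20-idp-hosted.php:
 *
 *   'authproc' => array(
 *       50 => array(
 *           'class'       => 'mymodule:DbEnrich',
 *           'dsn'         => 'sqlite:/var/lib/ssp/users.sqlite',   // assumed
 *           'authsources' => array('ldap-corp'),                     // assumed IDs
 *       ),
 *   ),
 */
class sspmod_mymodule_Auth_Process_DbEnrich extends SimpleSAML_Auth_ProcessingFilter
{
    /** @var string PDO DSN of the secondary database. */
    private $dsn;
    /** @var string[] authsource IDs whose sAMAccountName may trigger a lookup. */
    private $authsources;
    /** @var string state key holding the authenticating source's ID. */
    private $sourceKey;

    public function __construct($config, $reserved)
    {
        parent::__construct($config, $reserved);
        if (!isset($config['dsn'], $config['authsources'])) {
            throw new SimpleSAML_Error_Exception('DbEnrich: "dsn" and "authsources" are required.');
        }
        $this->dsn         = (string) $config['dsn'];
        $this->authsources = array_values((array) $config['authsources']);
        // Default is the key SimpleSAML_Auth_Source::initLogin() sets (assumption:
        // check your release; with multiauth it names the wrapper source).
        $this->sourceKey   = isset($config['source_key'])
            ? (string) $config['source_key'] : 'SimpleSAML_Auth_Source.id';
    }

    public function process(&$request)
    {
        assert(is_array($request));
        assert(array_key_exists('Attributes', $request));

        // Gate on the source that performed the login, so a non-LDAP source that
        // happens to return sAMAccountName does not get rows it is not entitled to.
        $source = isset($request[$this->sourceKey]) ? $request[$this->sourceKey] : null;
        if ($source === null || !in_array($source, $this->authsources, true)) {
            SimpleSAML_Logger::debug('DbEnrich: not enriching login from source ' . var_export($source, true));
            return;
        }

        $attrs =& $request['Attributes'];
        if (empty($attrs['sAMAccountName'][0])) {
            return;
        }
        $account = (string) $attrs['sAMAccountName'][0];

        // Prepared statement: directory data is still untrusted input to SQL.
        $db = new PDO($this->dsn, null, null, array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));
        $stmt = $db->prepare('SELECT id_user, department FROM users WHERE sam_account_name = :sam');
        $stmt->execute(array(':sam' => $account));
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($row === false) {
            SimpleSAML_Logger::warning('DbEnrich: no database row for ' . $account);
            return;
        }

        // Every attribute value must be an array of strings. A bare scalar produces
        // an empty <saml:AttributeValue> and a foreach() warning in the SAML2 encoder.
        $attrs['id_user']    = array((string) $row['id_user']);
        $attrs['department'] = array((string) $row['department']);
    }
}
```

The filter fails closed: no matching source, no sAMAccountName, or no row means no added attributes, and a database error surfaces as an exception rather than a silently half-populated session. Keep the 'authsources' list to the sources that really populate sAMAccountName from the directory; widening it reintroduces the bypass the first post worries about.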