Can anyone tell me if this is the correct way to set required attributes for a service provider? If not, what is the best way? I've been hung up on this for a few days and need to get something ready for testing with my IDP by tomorrow.
    // An authentication source which can authenticate against both SAML 2.0
    // and Shibboleth 1.3 IdPs.
    'default-sp' => array(
        'saml:SP',
        // The entity ID of this SP.
        // Can be NULL/unset, in which case an entity ID is generated based on the metadata URL.
        'entityID' => 'https://dev.secure.mydomain.com',
        // The entity ID of the IdP this SP should contact.
        // Can be NULL/unset, in which case the user will be shown a list of available IdPs.
        'idp' => 'https://this.is.my.id',
        // The URL to the discovery service.
        // Can be NULL/unset, in which case a builtin discovery service will be used.
        'discoURL' => NULL,
        'attributes.required' => array('employeeid', 'clientid', 'dob'),
        'privatekey' => 'saml.pem',
        'certificate' => 'saml.crt',
    ),
I've looked through the Google Groups, but haven't found much that's helping.
Thanks,
SSD
If your goal is to add RequestedAttribute elements to your generated SP
metadata, you must set the 'attributes' option. You must also set the
'name'-option, since the metadata specification requires a name of the
SP to be present when specifying RequestedAttribute elements. You
should probably also set the 'attributes.NameFormat' option. Example:
    'default-sp' => array(
        'saml:SP',
        'name' => array(
            'en' => 'English ServiceName for this SP.',
            'no' => 'Norsk ServiceName for denne tjenesten.',
        ),
        'description' => array(
            'en' => 'English ServiceDescription for this SP.',
            'no' => 'Norsk ServiceDescription for denne tjenesten.',
        ),
        'attributes' => array(
            'urn:oid:1.3.6.1.4.1.5923.1.1.1.6', // eduPersonPrincipalName
            'urn:oid:0.9.2342.19200300.100.1.3', // mail
        ),
        'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
    ),
However, there is no way to set the 'isRequired' attribute on the
RequestedAttribute elements. If you need to set that attribute, you
cannot use the generated metadata from simpleSAMLphp directly. Instead,
download the generated metadata from simpleSAMLphp and edit it manually.
Regards,
Olav Morken
UNINETT / Feide
Thanks! That helped me get past my first big hurdle in this. The attributes are now showing in my metadata. Now I guess the next question is what is the standard method for collecting the data so I can pass it to my authentication module. We're creating a custom authentication module because we're using some odd values to authenticate with. Additionally, we're likely going to configure this SP to connect with multiple IDPs and all of the IDPs will be sending different attributes. I considered writing the gathering code in the 'modules\saml\www\sp\saml2-acs.php', but if there's a better example of this sort of setup somewhere else I'd love to have a look at it.
Thanks,
Shawn
It doesn't work that way, I'm afraid. There is no way to request
attributes on-the-wire via the AuthnRequest. Attributes are requested
by reference, not by value.
The IdP consumes your metadata and sees that you have an
AttributeConsumingService element. Presumably it takes that into
account when resolving attributes to be asserted in the response.
> Additionally, we're likely going to configure this SP to connect with multiple IDPs and all of the IDPs will be sending different attributes.
The AttributeConsumingService element in metadata says what the SP
wants, not what the IdP sends. The IdP sends what it wants. If you
want the IdP to pay attention to what's in your metadata...well,
that's up to the IdP implementation. Some do and some don't.
It's possible to have multiple AttributeConsumingService elements in
metadata, and a way to reference one or the other in the AuthRequest,
but I don't know of a single IdP implementation that consumes multiple
such elements (let alone one).
> I considered writing the gathering code in the 'modules\saml\www\sp\saml2-acs.php', but if there's a better example of this sort of setup somewhere else I'd love to have a look at it.
I think you're looking in the wrong place. You need to talk to your
IdP and see what it supports. I'd be interested in knowing what you
find out.
Tom
I guess it might help if I give the specifics of our implementation. We're defining the elements our IDP sends us. These are clients of ours who wish to use our application. They are authenticating with us using customer data. The IDPs are basically sending customer ids along with a few other pieces of information so that we can call up that customer record. This is a relatively closed system. One IDP might use an agreed upon client id along with the customer social security number, while another client might use a different type of id and a date of birth. These would be two different IDPs attempting to get to the same application basically guarded by the service provider. I'll need to get those attribute values so I can pass them along to the authentication/customer query module. Additionally, we might even want the setup that allows for an IDP to send us customer data. So gathering values is pretty important to the application design.
Thanks,
SSD
-----Original Message-----
From: simple...@googlegroups.com [mailto:simple...@googlegroups.com] On Behalf Of Tom Scavo
Sent: Wednesday, September 14, 2011 6:35 PM
To: simple...@googlegroups.com
Subject: Re: Setting required attributes for an SP
Are you saying that you are reimplementing the saml-module?
> Additionally, we're likely going to configure this SP to connect with
> multiple IDPs and all of the IDPs will be sending different
> attributes. I considered writing the gathering code in the
> 'modules\saml\www\sp\saml2-acs.php', but if there's a better example
> of this sort of setup somewhere else I'd love to have a look at it.
Have you considered whether your problem can be solved by using
authentication processing filters on the SP? Those filters are executed
after authentication with an IdP, and allow you to adjust the
attributes that you have received. In addition, authentication
processing filters can be configured per IdP in
metadata/saml20-idp-remote.php.
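As an added illustration of the per-IdP filter approach described above (this is example code written for this page, not from the thread or from the simpleSAMLphp project), a metadata/saml20-idp-remote.php fragment in which two hypothetical IdPs assert customer-lookup data under different attribute names. Each IdP entry gets its own 'authproc' chain: core:AttributeMap renames the IdP-specific attributes to the common names the custom authentication module expects, and core:AttributeLimit drops everything else so only attributes the application actually needs reach it. Entity IDs, URLs, attribute names and the certificate placeholder are all made up.

```php
<?php
// metadata/saml20-idp-remote.php (added example; all identifiers are hypothetical).
// The application's authentication module only ever sees the normalized names
// 'customerid', 'clientid' and 'dob', whichever IdP the user came from.

$metadata['https://idp.client-a.example/idp'] = array(
    'name' => array('en' => 'Client A IdP (hypothetical)'),
    'SingleSignOnService' => 'https://idp.client-a.example/sso',
    'certData' => 'PLACEHOLDER_BASE64_CERTIFICATE',
    'authproc' => array(
        // Client A sends an agreed 'clientid' plus the customer number as 'ssn'.
        // Keys other than 'class' are treated as old-name => new-name mappings.
        10 => array(
            'class' => 'core:AttributeMap',
            'ssn' => 'customerid',
        ),
        // Integer-indexed entries are the attribute names allowed through;
        // anything else the IdP asserted is discarded here.
        20 => array(
            'class' => 'core:AttributeLimit',
            'clientid',
            'customerid',
        ),
    ),
);

$metadata['https://idp.client-b.example/idp'] = array(
    'name' => array('en' => 'Client B IdP (hypothetical)'),
    'SingleSignOnService' => 'https://idp.client-b.example/sso',
    'certData' => 'PLACEHOLDER_BASE64_CERTIFICATE',
    'authproc' => array(
        // Client B uses a different identifier and a date of birth instead.
        10 => array(
            'class' => 'core:AttributeMap',
            'accountNumber' => 'customerid',
            'birthDate'     => 'dob',
        ),
        20 => array(
            'class' => 'core:AttributeLimit',
            'customerid',
            'dob',
        ),
    ),
);
```

After the chain runs, the application reads the normalized set with $as->getAttributes() on its SimpleSAML_Auth_Simple instance; note that these filters only reshape what an IdP chose to send and cannot make an IdP assert an attribute it omits, so the module should still check that every value it needs is present before using it.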
"Have you considered whether your problem can be solved by using authentication processing filters on the SP? Those filters are executed after authentication with an IdP, and allow you to adjust the attributes that you have received. In addition, authentication processing filters can be configured per IdP in metadata/saml20-idp-remote.php."
Sounds very much like what I want to accomplish. Thanks, I'll research it in the documentation and give it a try.
Thanks,
SSD
-----Original Message-----
From: simple...@googlegroups.com [mailto:simple...@googlegroups.com] On Behalf Of Olav Morken
Sent: Thursday, September 15, 2011 1:20 AM
To: simple...@googlegroups.com
Subject: Re: Setting required attributes for an SP