Returning attributes from different data source


Rafael Hinojosa

Nov 6, 2013, 9:38:12 AM
to simple...@googlegroups.com
Hi, 

I managed to get 2 instances of SimpleSAMLphp installed & talking to each other.  

My IDP is configured to authenticate against a RADIUS server.  The SP is successfully talking to the IDP.  

I'd like to return some attributes that aren't provided by RADIUS.  At the moment, they aren't recorded anywhere.  The specific attributes that I need are the following. 

Attribute                              Format
NAMEID_EMAIL_ADDRESS                   urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
NAMEID_X509_SUBJECT_NAME               urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
NAMEID_WINDOWS_DOMAIN_QUALIFIED_NAME   urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName
NAMEID_KERBEROS                        urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos
NAMEID_ENTITY                          urn:oasis:names:tc:SAML:2.0:nameid-format:entity
NAMEID_TRANSIENT                       urn:oasis:names:tc:SAML:2.0:nameid-format:transient
NAMEID_PERSISTENT                      urn:oasis:names:tc:SAML:2.0:nameid-format:persistent


I've tried placing them in an authproc block in the metadata entry for my SP.

        'authproc' => array(
                61 => array(
                        'class' => 'saml:TransientNameID',
                        ),
                62 => array(
                        'class' => 'saml:PersistentNameID',
                        'attribute' => 'eduPersonPrincipalName',
                        ),
                63 => array(
                        'class' => 'saml:AttributeNameID',
                        'attribute' => 'mail',
                        'Format' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
                        ),
                ),


I've also tried defining them as simple Entity Attributes in the SP metadata entry to no avail. 

Do I have to make these changes in both my saml20-idp-remote.php file on my SP & my saml20-sp-remote.php on the IDP?  

Should it suffice to only have to make these entries in the saml20-sp-remote.php on the IDP?

How can I verify that the attributes are being returned upon login via the SP?  

Thanks, 

--Raf

Tom Scavo

Nov 6, 2013, 9:48:32 AM
to simpleSAMLphp
On Wed, Nov 6, 2013 at 9:38 AM, Rafael Hinojosa <rah322...@gmail.com> wrote:
>
> The specific attributes that I need are the following.

Those aren't attributes, they are name identifiers. Typically only one
is asserted by the IdP, in the <saml:Subject> element.

> I've also tried defining them as simple Entity Attributes in the SP metadata entry to no avail.

Entity attributes have nothing to do with NameIDs.

Tom

Rafael Hinojosa

Nov 6, 2013, 1:59:26 PM
to simple...@googlegroups.com
Ah, 

I think I follow...  I believe I'm sending the following in my metadata. 

  'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',

I also figured out how to add static attributes w/ the following in the file saml20-sp-remote.php on my IDP. 

        'authproc' => array(
                // Add STATIC Attributes here...
                60 => array(
                        'class' => 'core:AttributeAdd',
                        'groups' => array('users', 'members'),
                        'domain' => array('DREXEL'),
                ),
        ),

Is there a way to add attributes gathered from a different data source, say a DB?  

Thanks, 

--Raf

Brook Schofield

Nov 6, 2013, 2:34:06 PM
to simple...@googlegroups.com





--
===================================================
Brook Schofield, TERENA Project Development Officer
TERENA Secretariat, Singel 468 D, 1017 AW Amsterdam, The Netherlands
Tel +31 20 530 4488    Fax +31 20 530 4499    Mob +31 65 155 3991
www.terena.org

Rafael Hinojosa

Nov 14, 2013, 4:15:11 PM
to simple...@googlegroups.com
Thanks, 

I've managed to get the AttributeCollector module & I think I have it to the point where it's no longer tossing any errors.  

I've configured the following in my authproc statement on the saml20-sp-remote.php config file of my IDP. 

$metadata['test_SP'] = array(
...
        'authproc' => array(
                50 => array(
                        'existing' => 'replace',
                        'class' => 'attributecollector:AttributeCollector',
                        'uidfield' => '$attributes["eduPersonPrincipalName"]',
                        'collector' => array(
                                'class' => 'attributecollector:SQLCollector',
                                'dsn' => 'mysql:host=localhost;dbname=test_DB',
                                'username' => 'DB_user',
                                'password' => 'user_passwd',
                                'query' => 'SELECT * from users where uid=:uidfield',
                                'get_all_query' => 'SELECT * from users where uid=:uidfield',
                        ),
                ),
        ),
...
);
 

My first issue is that I'm not seeing any log entry in my mysql query log, which indicates no query is being performed.  MySQL support is enabled, however I have yet to fully test it from a simple testdb.php script to query the DB from apache.  

My second question will depend on making sure I'm able to perform the query, but the question is how will returned values get assigned to attributes?  Will they show up as the attribute name "collector" or will I need to specify some other addAttribute filter?  Hrm, in which case should I try to reference the collector within an addAttribute class filter?  I can easily give that a shot.     

I've enabled debug logging in simpleSAMLphp, however I'm not seeing any db query errors or anything that specific.  

Auth from the SP to the IDP is working & I've got other authproc arrays working.  However I'm not seeing anything returned from the collector...

        <saml:AttributeStatement>
            <saml:Attribute Name="eduPersonPrincipalName"
                            NameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
                            >
                <saml:AttributeValue xsi:type="xs:string">userid</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="domain"
                            NameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
                            >
                <saml:AttributeValue xsi:type="xs:string">DOMAIN</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="emailAddress"
                            NameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
                            >
                <saml:AttributeValue xsi:type="xs:string">use...@hostname.net</saml:AttributeValue>
            </saml:Attribute>
        </saml:AttributeStatement>


Any clue on where I should begin looking? 


TIA, 

--Raf

Brook Schofield

Nov 14, 2013, 6:16:27 PM
to simple...@googlegroups.com
There is an example-sql authsource in config/authsources.php. I'd try getting that working and ensure that you can really talk to your database.

When you return to attributecollector, I think you want 'uidfield' => 'eduPersonPrincipalName' as you want the attribute which contains the value you want to search on - not have the value substitute directly which will then be an empty attribute.

The returned attributes/values from attributecollector will be named after their database column. So if your users table has accountNumber, firstname, lastname, phone, emailAddr - then they will be the attribute names. Clearly you don't want this so either rename them in SQL (SELECT firstname as givenName, lastname as sn, emailAddr as mail FROM users ... ) or use the AttributeMap authproc to rename your attributes.

Is this authproc actually being fired? If other authprocs are - then move this next to one of those.

-Brook


Rafael Hinojosa

Nov 14, 2013, 6:47:49 PM
to simple...@googlegroups.com
Thanks for your response Brook,

The authsource is RADIUS.  That is working correctly, however I'm going to look to see if I can have RADIUS return additional attributes (Full Name & Email Address) since it is only just providing auth for the moment; LDAP would be better but I don't have access to query LDAP directly.  

What I'm trying to do is add additional attributes from a different database.  So, do authentication against RADIUS & then use the returned value of 'eduPersonPrincipalName' to search a DB & assign additional attributes based on the DB search results. 


> When you return to attributecollector, I think you want 'uidfield' => 'eduPersonPrincipalName' as you want the attribute which contains the value you want to search on - not have the value substitute directly which will then be an empty attribute.

Ah, you're right.  Thanks!  Setting 'uidfield' => 'eduPersonPrincipalName' resolved the issue.  It now performs 2 queries because of my added PHP code, I'll mess around w/ it some more as time allows. 

I think I've managed to resolve the situation by using a core:PHP class filter & performing my DB query in it.  The requirements for this thing aren't changing too much, however they did today & this code is what I came up w/ to satisfy them.   

                70 => array(
                        'class' => 'core:PHP',
                        // The value of 'code' is a single-quoted PHP string, so any literal
                        // single quote inside it has to be written as \'.
                        'code' => '
                                if (empty($attributes["eduPersonPrincipalName"])) {
                                        throw new Exception("Missing uid attribute.");
                                }

                                $uid = $attributes["eduPersonPrincipalName"][0];
                                $email = $uid . "@domain.com";
                                $attributes["emailAddress"] = array($email);

                                // Look the user up with a PDO prepared statement: $uid is bound as a
                                // parameter instead of being interpolated into the SQL string, and a
                                // connection or query failure raises an exception rather than die()-ing
                                // inside the IdP.
                                $db = new PDO("mysql:host=localhost;dbname=test_DB", "DB_user", "user_passwd");
                                $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
                                $stmt = $db->prepare("SELECT * FROM users WHERE uid = ?");
                                $stmt->execute(array($uid));
                                $row = $stmt->fetch(PDO::FETCH_NUM);
                                if (!$row) {
                                        $attributes["In Housing"] = array("0");
                                } else {
                                        // second column of the users table holds the full name
                                        $attributes["Full Name"] = array($row[1]);
                                        $attributes["In Housing"] = array("1");
                                }
                        ',
                ),


The above seems to work as I want it to, however I now have to look at the RADIUS config to see if I can return Full Name & Email Address values for their given attributes & not have to compile them in the script.  

The above will return the following if the user is found in the DB, after RADIUS Auth : 

        <saml:AttributeStatement>
            <saml:Attribute Name="eduPersonPrincipalName"
                            NameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
                <saml:AttributeValue xsi:type="xs:string">rah322</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="emailAddress"
                            NameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
                <saml:AttributeValue xsi:type="xs:string">rah...@domain.com</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="Full Name"
                            NameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
               <saml:AttributeValue xsi:type="xs:string">Rafael Hinojosa</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="In Housing"
                            NameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
                <saml:AttributeValue xsi:type="xs:string">1</saml:AttributeValue>
            </saml:Attribute>
        </saml:AttributeStatement>



If the user successfully authenticates but is NOT found in the DB it will return the following : 

        <saml:AttributeStatement>
            <saml:Attribute Name="eduPersonPrincipalName"
                            NameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
                <saml:AttributeValue xsi:type="xs:string">wireless2</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="emailAddress"
                            NameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
                <saml:AttributeValue xsi:type="xs:string">wire...@domain.com</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="In Housing"
                            NameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
                <saml:AttributeValue xsi:type="xs:string">0</saml:AttributeValue>
            </saml:Attribute>
        </saml:AttributeStatement>


Thanks again for responding & solving my issue altogether.  You've been a tremendous help.  Now I have to look at this crazy RADIUS box & see if I can make it return more info. 

Thanks, 

--Raf

Peter Schober

Nov 15, 2013, 7:20:39 AM
to simple...@googlegroups.com
* Rafael Hinojosa <rah322...@gmail.com> [2013-11-15 00:47]:
> <saml:AttributeStatement>
> <saml:Attribute Name="eduPersonPrincipalName"
> NameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
> <saml:AttributeValue xsi:type="xs:string">rah322</saml:AttributeValue>
> </saml:Attribute>

Unrelated to all your problems but note that this is not a valid use
of eduPerson-defined attributes, and no one will be able to understand
those attributes without custom configuration or code.
(The Name is wrong for both SAML1 and SAML2 use, and the NameFormat is
nonsensical as obviously this is not an entity.)
-peter

Rafael Hinojosa

Nov 15, 2013, 8:57:28 AM
to simple...@googlegroups.com, peter....@univie.ac.at
Thanks for the note Peter.  

I've fixed what we return for eduPersonPrincipalName so that it is a domain-qualified string.  As far as the name-format goes, I was only doing that for testing, but you raise a good point.  I'm probably going to change it back to transient, what would you recommend setting it to? 

Thanks, 

--Raf

Peter Schober

Nov 15, 2013, 9:38:57 AM
to simple...@googlegroups.com
* Rafael Hinojosa <rah322...@gmail.com> [2013-11-15 14:57]:
> I've fixed what we return for eduPersonPrincipalName so that it is a
> domain-qualified string. As far as the name-format goes, I was only doing
> that for testing, but you raise a good point. I'm probably going to change
> it back to transient, what would you recommend setting it to?

You should probably leave that to SSP or send it through one of the
available attribute maps.

If you want to follow the eduPerson spec the attribute Name would be
"urn:oid:1.3.6.1.4.1.5923.1.1.1.6" (for SAML2) and the attribute
NameFormat would be "urn:oasis:names:tc:SAML:2.0:attrname-format:uri".

The spec is currently offline (due to an Internet2 web site revamp)
but you're looking for the "MACE-Dir SAML Attribute Profiles", latest
is 200804a, IIRC.

See also http://saml2int.org/profile/current#section7 which simply
mandates (MUST) URI format for all attributes.
-peter
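Putting Brook's two suggestions (look up by the name of the attribute in 'uidfield', alias the SQL columns to standard attribute names) together with Peter's (OID attribute names and the URI NameFormat), here is an added example of a saml20-sp-remote.php entry for the IdP. It is not code from the thread; the entity ID, endpoints, DSN, credentials, table and column names are assumptions, and the ordering keeps the collector ahead of the renaming step so the lookup still finds eduPersonPrincipalName under its friendly name.

```php
<?php
// Added example (not from the thread): one saml20-sp-remote.php entry on the IdP.
// Entity ID, endpoints, DSN, credentials, table and column names are assumptions.
$metadata['https://sp.example.org/simplesaml/module.php/saml/sp/metadata.php/default-sp'] = array(
    'AssertionConsumerService' => 'https://sp.example.org/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
    'SingleLogoutService'      => 'https://sp.example.org/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp',

    // Peter's point: saml2int requires the URI attribute name format for every attribute.
    'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',

    'authproc' => array(
        // Brook's point: 'uidfield' is the NAME of the attribute whose value is
        // searched on, and the columns are aliased in SQL so the results arrive
        // as givenName / sn / mail rather than as raw column names.
        50 => array(
            'class'    => 'attributecollector:AttributeCollector',
            'existing' => 'replace',                  // value as used in the thread
            'uidfield' => 'eduPersonPrincipalName',
            'collector' => array(
                'class'    => 'attributecollector:SQLCollector',
                'dsn'      => 'mysql:host=localhost;dbname=test_DB',
                'username' => 'DB_user',
                'password' => 'user_passwd',
                'query'         => 'SELECT firstname AS givenName, lastname AS sn, emailAddr AS mail '
                                 . 'FROM users WHERE uid = :uidfield',
                'get_all_query' => 'SELECT firstname AS givenName, lastname AS sn, emailAddr AS mail '
                                 . 'FROM users WHERE uid = :uidfield',
            ),
        ),
        // Peter's point: rename the friendly names to their OIDs with the name2oid
        // map shipped with SimpleSAMLphp, e.g. eduPersonPrincipalName becomes
        // urn:oid:1.3.6.1.4.1.5923.1.1.1.6. This runs AFTER the collector (90 > 50),
        // which still needs the attribute under its friendly name.
        90 => array(
            'class' => 'core:AttributeMap',
            'name2oid',
        ),
    ),
);
```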