Mandatory attributes for SP


Leon Stringer

Jul 17, 2014, 5:54:11 AM7/17/14
to simple...@googlegroups.com
Hi,

I'm configuring an SP and want to ensure authenticated users have certain attributes (givenName, sn, mail) and reject any that don't.

I'm assuming that if I set "attributes.required" for my SP then users that don't have these would be turned away.

For test purposes I've got simpleSAMLphp as SP and IdP.

On my SP in config/authsources.php I've got:

       'my-test-sp' => array(
                ⋮
                'attributes.required' => array(
                        'mail',
                ),
                'name' => array('en' => 'Test Service'),
                'attributes' => array(
                        'mail',
                ),
                ⋮
       ),

I then copy the metadata from module.php/saml/sp/metadata.php/my-test-sp?output=xhtml into metadata/saml20-sp-remote.php on my IdP and try to log into the SP using the "Test configured authentication sources" test page (module.php/core/authenticate.php). The login is successful and I get no entries listed under "Your attributes", whereas I'm expecting the user to be rejected.

Surely it's quite common to want to have a mandatory set of user attributes for a service, is setting "attributes.required" the correct approach?

If this is correct what am I doing wrong? I've noticed that if I remove "attributes.required" from the SP then in the generated XML metadata the isRequired="true" attribute is removed but the simpleSAMLphp flat file format metadata doesn't change, is this a bug?

Thanks in advance for any help,

Leon

Peter Schober

Jul 17, 2014, 6:16:46 AM7/17/14
to simple...@googlegroups.com
* Leon Stringer <leon.stringer%ntlwor...@gtempaccount.com> [2014-07-17 11:54]:
> I'm assuming that if I set "attributes.required" for my SP then users that
> don't have these would be turned away.

No, the documentation is not really clear about its use, though.

attributes.required
If you have attributes added you can here specify which should be
marked as required. The attributes should still be present in attributes.

That should probably say "should be marked as required in the
generated SAML metadata describing this SAML SP" (i.e., setting
isRequired="true" on the referenced attributes).

So this is about signalling to the IDP what attributes the SP needs in
order to work. The IDP is free to ignore that and send you something
else, or nothing. That's a fact of distributed systems / federation.

What you're talking about is authorization and enforcing of specific
attributes in your application. Refer to the SSP SP API docs on how to
do that, https://simplesamlphp.org/docs/stable/simplesamlphp-sp-api
(e.g. call requireAuth() or login(), then getAttributes() and perform
any checks yourself in PHP code based on the attributes present.)
-peter
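An added example (not code from this thread, from Peter, or from the SimpleSAMLphp project) of the enforcement step described above: the SP application authenticates via the SP API, reads the released attributes, and refuses access itself when any of the mandatory attributes (givenName, sn, mail from the original post) is absent or empty. It assumes the authsource name `my-test-sp` from the post, a SimpleSAMLphp autoloader at an assumed install path, the `\SimpleSAML\Auth\Simple` class name (older 1.x releases call it `SimpleSAML_Auth_Simple`), and PHP 7.4 or later.

```php
<?php
// Added example, not from the thread or the SimpleSAMLphp project.
// 'attributes.required' in authsources.php only sets isRequired="true" in the
// SP's generated metadata; it is a request to the IdP, not an enforcement point.
// The enforcement has to live here, in the application, as the reply explains.

require_once '/var/simplesamlphp/lib/_autoload.php';   // assumed install path

// The attributes this service cannot work without (names from the original post).
const REQUIRED_ATTRIBUTES = ['givenName', 'sn', 'mail'];

/**
 * Return the names of the required attributes that are absent or empty in the
 * attribute set released by the IdP. SimpleSAMLphp returns attributes as
 * name => array of string values; an attribute that arrives as an empty array
 * or as only blank strings counts as missing, because the IdP is free to send
 * anything or nothing.
 */
function missingAttributes(array $attributes, array $required): array
{
    $missing = [];
    foreach ($required as $name) {
        $values = (array) ($attributes[$name] ?? []);
        // Keep only non-blank string values.
        $present = array_filter($values, fn($v) => is_string($v) && trim($v) !== '');
        if (count($present) === 0) {
            $missing[] = $name;
        }
    }
    return $missing;
}

// ---- Application entry point -----------------------------------------------

$as = new \SimpleSAML\Auth\Simple('my-test-sp');   // authsource from the post
$as->requireAuth();                                 // redirects to the IdP if not yet authenticated

$attributes = $as->getAttributes();                 // exactly what the IdP released, nothing more
$missing    = missingAttributes($attributes, REQUIRED_ATTRIBUTES);

if ($missing !== []) {
    // Record the detail server-side; tell the user only that access is denied.
    error_log('my-test-sp: access denied, IdP did not release: ' . implode(', ', $missing));
    http_response_code(403);
    header('Content-Type: text/plain; charset=utf-8');
    echo "Access denied: your identity provider did not release all attributes required by this service.\n";
    exit;
}

// Every required attribute is present and non-empty; the application may rely on them.
$displayName = $attributes['givenName'][0] . ' ' . $attributes['sn'][0];
header('Content-Type: text/plain; charset=utf-8');
echo "Welcome, {$displayName} <{$attributes['mail'][0]}>\n";
```

In the scenario from the original post, where the IdP releases no attributes at all, `getAttributes()` returns an empty array, `missingAttributes()` reports all three names, and the user receives the 403 instead of the page; keeping `attributes.required` in authsources.php remains useful so that the SP's metadata tells the IdP operator which attributes are needed.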

Leon Stringer

Jul 17, 2014, 7:13:22 AM7/17/14
to simple...@googlegroups.com, peter....@univie.ac.at
On Thursday, 17 July 2014 11:16:46 UTC+1, Peter Schober wrote:
> * Leon Stringer <leon.stringer...@gtempaccount.com> [2014-07-17 11:54]:
> > I'm assuming that if I set "attributes.required" for my SP then users that
> > don't have these would be turned away.
>
> No, the documentation is not really clear about its use, though.
>
> What you're talking about is authorization and enforcing of specific
> attributes in your application. Refer to the SSP SP API docs on how to
> do that, https://simplesamlphp.org/docs/stable/simplesamlphp-sp-api
> (e.g. call requireAuth() or login(), then getAttributes() and perform
> any checks yourself in PHP code based on the attributes present.)
> -peter

Thanks for your reply, I was going nowhere then!

I'll look into the API calls and my application.

Thanks again,

Leon