Attribute urn:oid mapping question


Ivo Jansch

Oct 24, 2010, 4:22:02 AM
to simpleSAMLphp
Hi,

I've done the following:

- set up simplesamlphp as an IdP following the instructions in the
documentation.
- configure an example-userpass authsource for testing purposes
- set up simplesamlphp as an SP following the instructions in the
documentation
- I can successfully authenticate

Great so far. Now I've started to integrate the SP into my
applications. What I'm noticing is that what is defined as 'uid' in
the example source, comes out as 'urn:oid:0.9.2342.19200300.100.1.1'
when on the SP side I call $as->getAttributes();

Of course I can modify my applications to read this urn, or I could
include attributemapper.php and translate them; the thing is however
is that most plugins (such as Feide's simplesamlphp-authentication
plugin for WordPress) assume that it's uid, not the urn. To avoid
having to modify all those plugins, is there a way to either not have
it use urn:oid:* attribute names, or is there a way so that whatever
goes in on the IDP side comes out the same on the SP side?

Greetings,
Ivo

Tom Scavo

Oct 24, 2010, 11:14:10 AM
to simple...@googlegroups.com
On Sun, Oct 24, 2010 at 3:22 AM, Ivo Jansch <i...@egeniq.com> wrote:
>
> What I'm noticing is that what is defined as 'uid' in
> the example source, comes out as 'urn:oid:0.9.2342.19200300.100.1.1'
> when on the SP side I call $as->getAttributes();

This is as it should be, I think.

> Of course I can modify my applications to read this urn, or I could
> include attributemapper.php and translate them; the thing is however
> is that most plugins (such as Feide's simplesamlphp-authentication
> plugin for WordPress) assume that it's uid, not the urn. To avoid
> having to modify all those plugins, is there a way to either not have
> it use urn:oid:* attribute names, or is there a way so that whatever
> goes in on the IDP side comes out the same on the SP side?

Of course you own the IdP and the SP here, so you can do anything you
want :-) but "fixing" this at your IdP will render your SP
incompatible with the majority of the SAML IdPs in the world today.
You know that old saying: "pay me now, or pay me later."

Tom

Olav Morken

Oct 25, 2010, 3:04:25 AM
to simple...@googlegroups.com
On Sun, Oct 24, 2010 at 01:22:02 -0700, Ivo Jansch wrote:
> Hi,
>
> I've done the following:
>
> - set up simplesamlphp as an IdP following the instructions in the
> documentation.
> - configure an example-userpass authsource for testing purposes
> - set up simplesamlphp as an SP following the instructions in the
> documentation
> - I can successfully authenticate
>
> Great so far. Now I've started to integrate the SP into my
> applications. What I'm noticing is that what is defined as 'uid' in
> the example source, comes out as 'urn:oid:0.9.2342.19200300.100.1.1'
> when on the SP side I call $as->getAttributes();
>
> Of course I can modify my applications to read this urn, or I could
> include attributemapper.php and translate them; the thing is however
> is that most plugins (such as Feide's simplesamlphp-authentication
> plugin for WordPress)

Credit for the WordPress plugin should go to its author, David
O’Callaghan. It was not created by Feide.

> assume that it's uid, not the urn. To avoid
> having to modify all those plugins, is there a way to either not have
> it use urn:oid:* attribute names, or is there a way so that whatever
> goes in on the IDP side comes out the same on the SP side?

I'm unsure about what you refer to with attributemapper.php, but is
there a reason why you cannot add the AttributeMap authproc filter[1]
in your SP configuration to convert the oids back to names?

E.g., in authsources.php:

    'default-sp' => array(
        [...],
        'authproc' => array(
            50 => array(
                'class' => 'core:AttributeMap',
                'oid2name',
            ),
        ),
    ),


[1] http://simplesamlphp.org/docs/1.6/core:authproc_attributemap

Regards,
Olav Morken
UNINETT / Feide
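As an added example (not code from this thread or from simpleSAMLphp itself), the PHP script below shows what an oid2name rename does to the attribute array an SP receives, and that the rename is reversible. The map entries other than the uid OID from the thread are the standard LDAP/eduPerson OIDs for those attribute names, and the sample attribute values are constructed.

```php
<?php
// Added example, not simpleSAMLphp's own code: a minimal stand-in for what the
// core:AttributeMap filter does with the bundled 'oid2name' map.

// Constructed subset of the map. The uid OID is the one from the thread; the
// others are the standard LDAP/eduPerson OIDs for the named attributes.
$oid2name = [
    'urn:oid:0.9.2342.19200300.100.1.1' => 'uid',
    'urn:oid:0.9.2342.19200300.100.1.3' => 'mail',
    'urn:oid:2.5.4.3'                   => 'cn',
    'urn:oid:2.5.4.4'                   => 'sn',
    'urn:oid:2.5.4.42'                  => 'givenName',
    'urn:oid:1.3.6.1.4.1.5923.1.1.1.6'  => 'eduPersonPrincipalName',
];

/**
 * Rename attribute keys according to $map. Keys absent from the map pass
 * through unchanged, so the application must still check that the attribute
 * it relies on (e.g. 'uid') is present. If a source and its target name both
 * occur, values are merged and de-duplicated instead of one overwriting the other.
 */
function mapAttributes(array $attributes, array $map): array
{
    $out = [];
    foreach ($attributes as $name => $values) {
        $target = $map[$name] ?? $name;
        $out[$target] = array_values(array_unique(
            array_merge($out[$target] ?? [], (array) $values)
        ));
    }
    return $out;
}

// Constructed sample of what $as->getAttributes() returns at the SP before
// the filter runs: OID names from the IdP plus one attribute not in the map.
$fromIdp = [
    'urn:oid:0.9.2342.19200300.100.1.1' => ['ivo'],
    'urn:oid:0.9.2342.19200300.100.1.3' => ['ivo@example.org'],
    'urn:oid:2.5.4.42'                  => ['Ivo'],
    'localRole'                         => ['editor'],
];

$mapped = mapAttributes($fromIdp, $oid2name);
print_r($mapped);

// The inverse map is what an IdP applies when sending to OID-speaking SPs.
// Mapping there and back is lossless, so renaming at the SP (Olav's advice)
// keeps the IdP interoperable, which is the concern Tom raises.
$name2oid = array_flip($oid2name);
$roundTrip = mapAttributes(mapAttributes($mapped, $name2oid), $oid2name);
echo ($roundTrip === $mapped) ? "round trip lossless\n" : "round trip lost data\n";
```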

Ivo Jansch

Oct 25, 2010, 3:10:46 AM
to simple...@googlegroups.com
Hi,

On Oct 25, 2010, at 9:04 AM, Olav Morken wrote:

> > Of course I can modify my applications to read this urn, or I could
> > include attributemapper.php and translate them; the thing is however
> > is that most plugins (such as Feide's simplesamlphp-authentication
> > plugin for WordPress)
>
> Credit for the WordPress plugin should go to its author, David
> O’Callaghan. It was not created by Feide.

Correct, my mistake.


> I'm unsure about what you refer to with attributemapper.php, but is
> there a reason why you cannot add the AttributeMap authproc filter[1]
> in your SP configuration to convert the oids back to names?
>
> E.g., in authsources.php:
>
>    'default-sp' => array(
>        [...],
>        'authproc' => array(
>            50 => array(
>                'class' => 'core:AttributeMap',
>                'oid2name',
>            ),
>        ),
>    ),


No, there isn't; in the meantime I found out about this functionality (my first fix was to call the attributemapper manually). I was just confused that this wasn't the default in the config (following the IDP/SP tutorials I ended up with asymmetric behaviour, as I was putting uid in on the IDP side and getting urn:oid out on the SP side). But indeed, with the filter this is now fixed.

Greetings,
Ivo

--
Ivo Jansch
Egeniq
CEO / Co-founder
