SAML V2.0 Metadata Extension for Entity Attributes


Tim Ace

Apr 6, 2012, 4:30:02 PM
to simpleSAMLphp
I've generated a patch that allows the saml2/idp/metadata.php to
output arbitrary attribute data as part of the metadata feed through
use of the SAML V2.0 Metadata Extension for Entity Attributes
specification (http://docs.oasis-open.org/security/saml/Post2.0/sstc-metadata-attr-cs-01.pdf).

The way the patch operates is that it looks for a key named
"entityattributes" within the metadata. This key needs to be an
associative array of data. If present, it adds an "EntityAttributes"
to Extensions that contains a saml:Attribute and saml:AttributeValue
element for each key / value pair.

For example in saml20-idp-hosted:

'https://www.example.com/saml/saml2/idp/metadata.php' => array(
    'name'             => array('en' => 'Test Attributes'),
    'host'             => 'www.example.com',
    'certificate'      => 'integrations.synacor.com.crt',
    'privatekey'       => 'integrations.synacor.com.key',
    'entityid'         => 'https://www.example.com/saml/saml2/idp/metadata.php',
    'entityattributes' => array(
        'simplesaml' => 'iscool',
        'foo'        => 'bar',
    ),
),

Accessing https://www.example.com/saml/saml2/idp/metadata.php will
generate:

<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://www.example.com/saml/saml2/idp/metadata.php">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
        <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Name="simplesaml">
          <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">iscool</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Name="foo">
          <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">bar</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
...

The patch to do this is relatively small/simple and I'd like to
contribute it back to the community. However, I'm first requesting a
review of the key name that I used in the metadata to define the
attributes. Currently I used "entityattributes" to follow the naming
convention already used for other keys. Is this sufficient or would
another key name be appropriate?

-Tim

Identity Management Architect
Synacor, Inc.

Tim Ace

Apr 6, 2012, 4:52:12 PM
to simpleSAMLphp
I realized there was an error shortly after posting this. The
"mdattr:EntityAttributes" block should be a part of the "Extensions"
block of the md:EntityDescriptor and not the md:IDPSSODescriptor.
Consequently, if I fix that and have SimpleSAML re-ingest the generated
XML, I see that I should have named the key "EntityAttributes" so that
the generated metadata is consistent with ingested metadata.

-Tim

On Apr 6, 4:30 pm, Tim Ace <ecam...@gmail.com> wrote:
> I've generated a patch that allows the saml2/idp/metadata.php to
> output arbitrary attribute data as part of the metadata feed though
> use of the SAML V2.0 Metadata Extension for Entity Attributes
> specification (http://docs.oasis-open.org/security/saml/Post2.0/sstc-
> metadata-attr-cs-01.pdf).
>
> The way the patch operates is that it looks for a key named
> "entityattributes" within the metadata. This key needs to be an
> associative array of data. If present, it adds an "EntityAttributes"
> to Extensions that contains a saml:Attribute and saml:AttributeValue
> element for each key / value pair.
>
> For example in saml20-idp-hosted:
>
> 'https://www.example.com/saml/saml2/idp/metadata.php'=> array(
>         'name'              => array('en' => 'Test Attributes'),
>         'host'              => 'www.example.com',
>         'certificate'       => 'integrations.synacor.com.crt',
>         'privatekey'        => 'integrations.synacor.com.key',
>         'entityid'          => 'https://www.example.com/saml/saml2/idp/
> metadata.php',
>         'entityattributes'  => array(
>                 'simplesaml' => 'iscool',
>                 'foo'        => 'bar',
>         ),
> ),
>
> When accessing https://www.example.com/saml/saml2/idp/metadata.php
> will generate:
>
> <?xml version="1.0"?>
> <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
> xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:ds="http://www.w3.org/

Tom Scavo

Apr 6, 2012, 6:03:32 PM
to simple...@googlegroups.com
On Fri, Apr 6, 2012 at 4:52 PM, Tim Ace <eca...@gmail.com> wrote:
> I realized there was an error shortly after posting this. The
> "mdattr:EntityAttributes" block should be a part of the "Extensions"
> block of the md:EntityDescriptor and not the md:IDPSSODescriptor.

Good catch. Two additional comments: first, the saml:Attribute
elements need NameFormat XML attributes in addition to Name, and
second, multi-valued entity attributes are a must.

Other than that, good work! :-)

Tom

Tim Ace

Apr 7, 2012, 7:15:38 PM
to simpleSAMLphp
I'll fix those items and get a final patch ready. Thank you for the
input!

On Apr 6, 6:03 pm, Tom Scavo <trsc...@gmail.com> wrote:

Tim Ace

Apr 9, 2012, 11:30:33 AM
to simpleSAMLphp
I patched it now so that it supports both NameFormat and multi-valued
entity attributes. The key naming is all completely based upon the
code already committed in lib/SimpleSAML/Metadata/SAMLParser.php. In
saml20-idp-hosted you add a key named "EntityAttributes". This is an
associative array containing the Attribute name as the key and an
array of corresponding AttributeValue items for that Attribute. ex:

'https://www.example.com/saml/saml2/idp/metadata.php' => array(
    'name'             => array('en' => 'Test Attributes'),
    'host'             => 'www.example.com',
    'entityid'         => 'https://www.example.com/saml/saml2/idp/metadata.php',
    'EntityAttributes' => array(
        'simplesaml' => array('is', 'really', 'cool'),
        'foo'        => array('bar'),
    ),
),

This will generate Attributes with a NameFormat of
"urn:oasis:names:tc:SAML:2.0:attrname-format:uri".

<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://www.example.com/saml/saml2/idp/metadata.php">
  <md:Extensions>
    <mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
      <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Name="simplesaml" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">is</saml:AttributeValue>
        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">really</saml:AttributeValue>
        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">cool</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Name="foo" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">bar</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </md:Extensions>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
...

In order to generate attributes with a different NameFormat, the key
name for the Attribute will need to be prefaced with the alternate
NameFormat enclosed within curly braces:

{nameFormat}attributeName

ex.

'https://www.example.com/saml/saml2/idp/metadata.php' => array(
    'name'             => array('en' => 'Test Attributes'),
    'host'             => 'www.example.com',
    'entityid'         => 'https://www.example.com/saml/saml2/idp/metadata.php',
    'EntityAttributes' => array(
        '{urn:foo}simplesaml' => array('is', 'really', 'cool'),
        '{urn:foo}foo'        => array('bar'),
    ),
),

...will produce...

<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://www.example.com/saml/saml2/idp/metadata.php">
  <md:Extensions>
    <mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
      <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Name="simplesaml" NameFormat="urn:foo">
        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">is</saml:AttributeValue>
        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">really</saml:AttributeValue>
        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">cool</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Name="foo" NameFormat="urn:foo">
        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">bar</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </md:Extensions>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>

Again, this directly follows the conventions and naming already
present in lib/SimpleSAML/Metadata/SAMLParser.php, so you can
literally take the generated output and feed it back into
SimpleSAMLphp and get the same result as what you started with:

$metaXML = file_get_contents('http://www.example.com/saml/saml2/idp/metadata.php');
$a = SimpleSAML_Metadata_SAMLParser::parseDescriptorsString($metaXML);
foreach ($a as $k => $v) {
    print_r($v->getMetadata20IdP());
}

My patch is included below. I will email it directly to whomever would
like a patch file attachment.


Index: www/saml2/idp/metadata.php
===================================================================
--- www/saml2/idp/metadata.php (revision 3064)
+++ www/saml2/idp/metadata.php (working copy)
@@ -105,6 +105,10 @@
$metaArray['scope'] = $idpmeta->getArray('scope');
}

+ if ($idpmeta->hasValue('EntityAttributes')) {
+ $metaArray['EntityAttributes'] = $idpmeta-
>getArray('EntityAttributes');
+ }
+
$metaflat = '$metadata[' . var_export($idpentityid, TRUE) . '] = ' .
var_export($metaArray, TRUE) . ';';

$metaBuilder = new SimpleSAML_Metadata_SAMLBuilder($idpentityid);
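Review bot: the value copied at `$metaArray['EntityAttributes'] = $idpmeta->getArray('EntityAttributes');` carries an implied structure (attribute name, optionally prefixed `{nameFormat}`, mapping to an array of values) that nothing in this hunk documents or checks before it reaches the flat metadata export and SAMLBuilder. A one-line comment pointing at the SAMLParser convention it mirrors, or an entry in the saml20-idp-hosted example config, would tell operators what shape is expected.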
Index: lib/SimpleSAML/Metadata/SAMLBuilder.php
===================================================================
--- lib/SimpleSAML/Metadata/SAMLBuilder.php (revision 3064)
+++ lib/SimpleSAML/Metadata/SAMLBuilder.php (working copy)
@@ -118,6 +118,29 @@
$e->Extensions[] = $s;
}
}
+
+ if ($metadata->hasValue('EntityAttributes')) {
+ $ea = new SAML2_XML_mdattr_EntityAttributes();
+ foreach ($metadata->getArray('EntityAttributes') as $attributeName
=> $attributeValues) {
+ $a = new SAML2_XML_saml_Attribute();
+ $a->Name = $attributeName;
+ $a->NameFormat = 'urn:oasis:names:tc:SAML:2.0:attrname-
format:uri';
+
+ // Attribute names that is not URI is prefixed as this:
'{nameformat}name'
+ if (preg_match('/^\{(.*?)\}(.*)$/', $attributeName, $matches)) {
+ $a->Name = $matches[2];
+ $nameFormat = $matches[1];
+ if ($nameFormat !== SAML2_Const::NAMEFORMAT_UNSPECIFIED) {
+ $a->NameFormat = $nameFormat;
+ }
+ }
+ foreach ($attributeValues as $attributeValue) {
+ $a->AttributeValue[] = new
SAML2_XML_saml_AttributeValue($attributeValue);
+ }
+ $ea->children[] = $a;
+ }
+ $this->entityDescriptor->Extensions[] = $ea;
+ }
}
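Review bot: the inner loop `foreach ($attributeValues as $attributeValue)` assumes every entry of the `EntityAttributes` array is itself an array; a scalar such as `'foo' => 'bar'` (the shape used in the first message of this thread) would make PHP emit a warning and silently emit an Attribute with no values, so either cast with `(array) $attributeValues` or throw an explicit exception naming the attribute. Also, when the `{nameFormat}` prefix equals `SAML2_Const::NAMEFORMAT_UNSPECIFIED`, `$a->NameFormat` keeps the URI default assigned a few lines earlier, so an attribute declared with the unspecified format is emitted as URI format; if that intentionally mirrors the SAMLParser convention, a comment saying so would help, otherwise leave `NameFormat` unset in that branch.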


Tim Ace

Apr 9, 2012, 5:22:46 PM
to simple...@googlegroups.com
The new Google Groups allows me to attach and upload files. Patch is attached.
saml_metadata_attributes.patch

Tom Scavo

Apr 9, 2012, 7:15:02 PM
to simple...@googlegroups.com
Awesome! You just resolved issue 278:

http://code.google.com/p/simplesamlphp/issues/detail?id=278

This is very timely since we've started using entity attributes in the
InCommon Federation in a big way. I know some people who will be able
to use this.

Thanks,
Tom


Jacob Christiansen

Apr 10, 2012, 3:25:13 AM
to simple...@googlegroups.com
And issue 376 http://code.google.com/p/simplesamlphp/issues/detail?id=376

Looking forward to an official release containing this patch. This is much needed in JANUS (http://code.google.com/p/janus-ssp/).

Regards/Venlig Hilsen

Jacob Christiansen
System Developer
Mobil (+45) 31 31 36 31

WAYF - Where Are You From
C/O Kulturstyrelsen
H. C. Andersens Boulevard 2
DK-1553 København V

Tim Ace

Apr 10, 2012, 7:28:09 PM
to simple...@googlegroups.com
I wasn't satisfied with just adding support for http://docs.oasis-open.org/security/saml/Post2.0/sstc-metadata-attr-cs-01.pdf, so I also added support for http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-metadata-ui/v1.0/sstc-saml-metadata-ui-v1.0.pdf.

The new metadata configuration items look like this:

'EntityAttributes' => array(
    'urn:simplesamlphp:v1:simplesamlphp' => array('is', 'really', 'cool'),
    '{urn:simplesamlphp:v1}foo'          => array('bar'),
),
'UIInfo' => array(
    'DisplayName' => array(
        'en' => 'English name',
        'es' => 'Nombre en Español',
    ),
    'Description' => array(
        'en' => 'English description',
        'es' => 'Descripción en Español',
    ),
    'InformationURL' => array(
        'en' => 'http://example.com/info/en',
        'es' => 'http://example.com/info/es',
    ),
    'PrivacyStatementURL' => array(
        'en' => 'http://example.com/privacy/en',
        'es' => 'http://example.com/privacy/es',
    ),
    'Keywords' => array(
        'en' => array('communication', 'federated session'),
        'es' => array('comunicación', 'sesión federated'),
    ),
    'Logo' => array(
        array(
            'url'    => 'http://example.com/logo1.png',
            'height' => 200,
            'width'  => 400,
        ),
        array(
            'url'    => 'http://example.com/logo2.png',
            'height' => 201,
            'width'  => 401,
        ),
    ),
),
'DiscoHints' => array(
    'IPHint'          => array('10.0.0.0/8', '192.168.0.0/16'),
    'DomainHint'      => array('example.com', 'www.example.com'),
    'GeolocationHint' => array('geo:47.37328,8.531126', 'geo:19.34343,12.342514'),
),

With this configuration, the generated XML for the metadata looks like this:

<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://www.example.com/saml/saml2/idp/metadata.php">
  <md:Extensions>
    <mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
      <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Name="urn:simplesamlphp:v1:simplesamlphp" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">is</saml:AttributeValue>
        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">really</saml:AttributeValue>
        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">cool</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Name="foo" NameFormat="urn:simplesamlphp:v1">
        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">bar</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </md:Extensions>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <mdui:UIInfo xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
        <mdui:DisplayName xml:lang="en">English name</mdui:DisplayName>
        <mdui:DisplayName xml:lang="es">Nombre en Espa&#xF1;ol</mdui:DisplayName>
        <mdui:Description xml:lang="en">English description</mdui:Description>
        <mdui:Description xml:lang="es">Descripci&#xF3;n en Espa&#xF1;ol</mdui:Description>
        <mdui:InformationURL xml:lang="en">http://example.com/info/en</mdui:InformationURL>
        <mdui:InformationURL xml:lang="es">http://example.com/info/es</mdui:InformationURL>
        <mdui:PrivacyStatementURL xml:lang="en">http://example.com/privacy/en</mdui:PrivacyStatementURL>
        <mdui:PrivacyStatementURL xml:lang="es">http://example.com/privacy/es</mdui:PrivacyStatementURL>
        <mdui:Keywords xml:lang="en">communication federated+session</mdui:Keywords>
        <mdui:Keywords xml:lang="es">comunicaci&#xF3;n sesi&#xF3;n+federated</mdui:Keywords>
        <mdui:Logo width="400" height="200" xml:lang="en">http://example.com/logo1.png</mdui:Logo>
        <mdui:Logo width="401" height="201">http://example.com/logo2.png</mdui:Logo>
      </mdui:UIInfo>
      <mdui:DiscoHints xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
        <mdui:IPHint>10.0.0.0/8</mdui:IPHint>
        <mdui:IPHint>192.168.0.0/16</mdui:IPHint>
        <mdui:DomainHint>example.com</mdui:DomainHint>
        <mdui:DomainHint>www.example.com</mdui:DomainHint>
        <mdui:GeolocationHint>geo:47.37328,8.531126</mdui:GeolocationHint>
        <mdui:GeolocationHint>geo:19.34343,12.342514</mdui:GeolocationHint>
      </mdui:DiscoHints>
    </md:Extensions>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
...

The patch for this is attached. Any comments are appreciated.
simplesaml.svn.patch

Tim Ace

Apr 10, 2012, 7:45:05 PM
to simple...@googlegroups.com
Slight issue with that last patch in parsing the optional xml:lang attribute of the Logos. This one is better. The UIInfo => Logo element can have an optional language:

'Logo' => array(
    array(
        'url'    => 'http://example.com/logo1.png',
        'height' => 200,
        'width'  => 400,
        'lang'   => 'en',
    ),
    array(
        'url'    => 'http://example.com/logo2.png',
        'height' => 201,
        'width'  => 401,
    ),
),

That is already reflected in the last XML I sent:

        <mdui:Logo width="400" height="200" xml:lang="en">http://example.com/logo1.png</mdui:Logo>
        <mdui:Logo width="401" height="201">http://example.com/logo2.png</mdui:Logo>

-Tim
simplesaml.svn.patch

Tom Scavo

Apr 10, 2012, 8:17:28 PM
to simple...@googlegroups.com
Whoa! You are on a roll. I think you just resolved my favorite issue:

http://code.google.com/p/simplesamlphp/issues/detail?id=394

Thanks! :-)

Tom


Tom Scavo

Apr 10, 2012, 8:18:14 PM
to simple...@googlegroups.com
Well, it's not an issue as long as xml:lang is optional on the Logo element.

Cheers,
Tom


Tom Scavo

Apr 10, 2012, 8:39:04 PM
to simple...@googlegroups.com
Okay, now we have metadata support for entity attributes and user
interface elements in SSP...thanks Tim!

Now let's pop up a level. As a consumer of metadata, what should SSP
do with entity attributes and user interface elements? I'll just list
a few of my favorites and then let others chime in.

- User interface elements in IdP metadata are used for the discovery
and error pages at the SP

- User interface elements in SP metadata are used for the login,
consent, and error pages at the IdP

- Entity attributes in IdP metadata are used for identity assurance
qualifiers (http://wiki.oasis-open.org/security/SAML2IDAssuranceProfile)

The latter overlaps with support for AuthnContext at the SP.
Basically, the SP checks metadata to see if the IdP is authorized to
assert the qualifier in the SAML response.

Tom
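The consumer-side check Tom sketches above (the SP consults the IdP's metadata before trusting an assurance qualifier), together with the `{nameFormat}attributeName` key convention and metadata round trip Tim describes in his Apr 9 message, as an added Python example. This is not SimpleSAMLphp code and not the patch from this thread: it builds the mdattr:EntityAttributes extension from a dict shaped like the PHP 'EntityAttributes' array, parses it back, and then answers "may this IdP assert this qualifier?" from the parsed metadata. Assumptions: the assurance-certification attribute name is taken from the SAML V2.0 Identity Assurance Profiles specification Tom links to, not from the thread; the sample config, entity ID and qualifier value are constructed; only the Python standard library is used.

```python
# Added example (Python, not SimpleSAMLphp's code or the patch in this thread):
# builds mdattr:EntityAttributes from a PHP-style 'EntityAttributes' dict using
# the '{nameFormat}name' key convention, parses it back, and applies Tom's
# consumer-side check for assurance qualifiers.
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

NAMEFORMAT_URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
NAMEFORMAT_UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
# Entity attribute name from the SAML V2.0 Identity Assurance Profiles spec
# (an assumption taken from that profile, not from this thread).
ASSURANCE_ATTR = "urn:oasis:names:tc:SAML:attribute:assurance-certification"
PREFIXED = re.compile(r"^\{(.*?)\}(.*)$")


def tag(prefix, local):
    return "{%s}%s" % (NS[prefix], local)


def split_name(key):
    """'{urn:foo}foo' -> ('foo', 'urn:foo'); a bare key means the URI format."""
    m = PREFIXED.match(key)
    if m:
        return m.group(2), m.group(1)
    return key, NAMEFORMAT_URI


def join_name(name, name_format):
    """Inverse of split_name: only non-URI formats get the '{nameFormat}' prefix."""
    return name if name_format == NAMEFORMAT_URI else "{%s}%s" % (name_format, name)


def build_entity_attributes(config):
    """config is {key: [values]} in the shape of the PHP 'EntityAttributes' array."""
    ea = ET.Element(tag("mdattr", "EntityAttributes"))
    for key, values in config.items():
        if isinstance(values, str):       # tolerate the single-string shape
            values = [values]
        name, fmt = split_name(key)
        attr = ET.SubElement(ea, tag("saml", "Attribute"), Name=name, NameFormat=fmt)
        for value in values:
            ET.SubElement(attr, tag("saml", "AttributeValue")).text = value
    return ea


def build_entity_descriptor(entity_id, config):
    """Serialize an IdP EntityDescriptor with the extension under the
    EntityDescriptor's own Extensions (Tim's correction), not the role's."""
    ed = ET.Element(tag("md", "EntityDescriptor"), entityID=entity_id)
    ET.SubElement(ed, tag("md", "Extensions")).append(build_entity_attributes(config))
    ET.SubElement(ed, tag("md", "IDPSSODescriptor"), protocolSupportEnumeration=PROTOCOL)
    return ET.tostring(ed, encoding="unicode")


def parse_entity_attributes(xml_text):
    """Read the extension back into the PHP-style dict. Only the
    EntityDescriptor-level Extensions are consulted, so an EntityAttributes
    misplaced under IDPSSODescriptor (the first post's mistake) is not seen."""
    root = ET.fromstring(xml_text)
    result = {}
    for attr in root.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        fmt = attr.get("NameFormat", NAMEFORMAT_UNSPECIFIED)  # SAML core default
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        result[join_name(attr.get("Name"), fmt)] = values
    return result


def idp_may_assert(xml_text, qualifier):
    """Tom's check: accept an assurance qualifier from this IdP only if the
    metadata lists it under the assurance-certification entity attribute."""
    return qualifier in parse_entity_attributes(xml_text).get(ASSURANCE_ATTR, [])


# Constructed sample in the shape of Tim's saml20-idp-hosted example; the
# assurance value is a made-up placeholder.
ENTITY_ID = "https://www.example.com/saml/saml2/idp/metadata.php"
SAMPLE_CONFIG = {
    "simplesaml": ["is", "really", "cool"],
    "{urn:foo}foo": ["bar"],
    ASSURANCE_ATTR: ["https://assurance.example.org/silver"],
}


def round_trip(config=SAMPLE_CONFIG):
    return parse_entity_attributes(build_entity_descriptor(ENTITY_ID, config))


if __name__ == "__main__":
    xml_text = build_entity_descriptor(ENTITY_ID, SAMPLE_CONFIG)
    print(xml_text)
    print(round_trip() == SAMPLE_CONFIG)                                     # True
    print(idp_may_assert(xml_text, "https://assurance.example.org/silver"))  # True
    print(idp_may_assert(xml_text, "https://assurance.example.org/gold"))    # False
```

The point of `idp_may_assert` is that the qualifier an IdP places in a response is only a claim; what makes it trustworthy is the federation's registered metadata saying that this entity is certified for it, which is why the SP looks the value up in the EntityAttributes rather than taking the AuthnContext at face value.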

Jacob Christiansen

Apr 11, 2012, 5:25:06 AM
to simple...@googlegroups.com
You just saved me a ton of work!!! Thank you so much for doing this work.

Regards/Venlig Hilsen

Jacob Christiansen
System Developer
Mobil (+45) 31 31 36 31

WAYF - Where Are You From
C/O Kulturstyrelsen
H. C. Andersens Boulevard 2
DK-1553 København V


Olav Morken

Apr 12, 2012, 7:11:38 AM
to simple...@googlegroups.com
On Tue, Apr 10, 2012 at 16:45:05 -0700, Tim Ace wrote:
> Slight issue with that last patch in parsing the optional xml:lang
> attribute of the Logos. This one is better. The UIInfo =>Logo element can
> have an optional language:
>
> 'Logo' => array(
> array(
> 'url' => 'http://example.com/logo1.png',
> 'height' => 200,
> 'width' => 400,
> 'lang' => 'en',
> ),
> array(
> 'url' => 'http://example.com/logo2.png',
> 'height' => 201,
> 'width' => 401,
> ),
>
> That is already reflected in the last XML I sent:
>
> <mdui:Logo width="400" height="200" xml:lang="en">
> http://example.com/logo1.png</mdui:Logo>
> <mdui:Logo width="401" height="201">http://example.com/logo2.png
> </mdui:Logo>

Thank you for working on this!

I haven't had a chance to look at the patch in detail yet, but there is
one change I'd like to see. For "simple" elements (i.e. those that are
just strings/urls or a list of language=>string), we don't usually add
separate classes. Just store them as a string (for single-valued
elements), an array of strings (for multi-valued elements) or an array
of language=>string for localized strings.

The extractLocalizedStrings(), extractStrings() and addStrings()
functions from SAML2_Utils may be useful for this.

This should reduce the amount of code needed to work with those
elements, as well as make it easier to read.


Best regards,
Olav Morken
UNINETT / Feide

Tim Ace

Apr 12, 2012, 4:23:36 PM
to simple...@googlegroups.com
I consolidated most of the logic using extractLocalizedStrings, etc. New patch is attached.

Logo is still a separate class because it is a complex structure.
Keywords is also a separate class because although it may be an array of localized strings, each string is actually a bunch of keywords. The spec requires that each Keyword term is concatenated with a single space in-between to form a single localized string in the XML. Spaces occurring within each term must be transposed to a "+" character. The use of a literal "+" character within a term is forbidden. I felt that SimpleSAMLphp should handle all this for the developer so that it remains an array of terms in the PHP metadata. The class then converts the array of terms into a single, properly encoded, localized string for inclusion in the XML.

ex.
The developer gets to deal with an array of terms...

'Keywords' => array(
'en' => array('communication', 'federated session'),
'es' => array('comunicación', 'sesión federated'),
),

...as opposed to having to handle the encoding themselves:

'Keywords' => array(
'en' => 'communication federated+session',
'es' => 'comunicación sesión+federated',
),

-Tim


Identity Management Architect
Synacor, Inc.

simplesaml.svn.patch
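The mdui:Keywords encoding rules Tim lays out above, as an added Python example (not the SimpleSAMLphp class from his patch): terms are joined by single spaces, a space inside a term becomes "+", and a term containing a literal "+" is rejected rather than emitted. The sample terms are the thread's own; the function names and the `xml:lang` element builder are mine, and only the Python standard library is used.

```python
# Added example (Python, not SimpleSAMLphp's Keywords class): encode and
# decode mdui:Keywords per the rules Tim describes in the thread.
import xml.etree.ElementTree as ET

MDUI_NS = "urn:oasis:names:tc:SAML:metadata:ui"
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"
ET.register_namespace("mdui", MDUI_NS)


def is_valid_term(term):
    """A term must be a non-empty string and must not contain a literal '+'."""
    return isinstance(term, str) and term.strip() != "" and "+" not in term


def encode_keywords(terms):
    """['communication', 'federated session'] -> 'communication federated+session'."""
    encoded = []
    for term in terms:
        if not is_valid_term(term):
            raise ValueError("invalid keyword term: %r" % (term,))
        # collapse runs of whitespace first, so the encoded term carries
        # exactly one '+' per word boundary and never a leading/trailing one
        encoded.append("+".join(term.split()))
    return " ".join(encoded)


def decode_keywords(text):
    """Inverse of encode_keywords: one term per space-separated token."""
    return [token.replace("+", " ") for token in text.split()]


def keywords_elements(localized):
    """{lang: [terms]} (the PHP config shape) -> <mdui:Keywords xml:lang="..."> elements."""
    elements = []
    for lang, terms in localized.items():
        e = ET.Element("{%s}Keywords" % MDUI_NS, {XML_LANG: lang})
        e.text = encode_keywords(terms)
        elements.append(e)
    return elements


def keywords_xml(localized):
    return "".join(ET.tostring(e, encoding="unicode") for e in keywords_elements(localized))


# Constructed sample matching the thread's 'Keywords' config.
SAMPLE_KEYWORDS = {
    "en": ["communication", "federated session"],
    "es": ["comunicación", "sesión federated"],
}

if __name__ == "__main__":
    print(keywords_xml(SAMPLE_KEYWORDS))
    print(decode_keywords(encode_keywords(SAMPLE_KEYWORDS["en"])))  # ['communication', 'federated session']
```

Rejecting a "+" inside a term, instead of escaping it, is the behaviour the specification's prohibition calls for; letting it through would make the encoded string ambiguous for every consumer that splits on "+" when displaying keywords.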

Olav Morken

Apr 13, 2012, 2:29:47 AM
to simple...@googlegroups.com
On Thu, Apr 12, 2012 at 13:23:36 -0700, Tim Ace wrote:
> I consolidated most of the logic using extractLocalizedStrings, etc. New
> patch is attached.
>
> Logo is still a separate class because it is a complex structure.
> Keywords is also a separate class because although it may be an array of
> localized strings, each string is actually a bunch of keywords. The spec
> requires that each Keyword term is concatenated with a single space
> in-between to form a single localized string in the XML.
> Spaces occurring within each term must be transposed to a "+" character.
> The use of a litteral "+" character within a term is forbidden. I felt that
> SimpleSAMLphp should handle all this for the developer so that it remains
> an array of terms in the PHP metadata. The class then converts the array of
> terms into a single, properly encoded, localize string for inclusion in the
> XML.

I agree with both of these.

I have now looked at the patch in more detail, and noticed some more
changes I'd like to see:

- The patch should be against the latest code in subversion. This is
noticeable where you call extract(Localized)Strings, since the
parameters of these functions have been changed. (It now accepts a
localname and namespace URI, instead of an XPath expression.)

- The names of attributes in the SAML2_XML_*-classes should match the
names and upper/lowercase letters used in the specification. E.g.
"Width" in SAML2_XML_mdui_Logo should be "width".

- I'd also like to see some short documentation (preferably with
examples :) for these new structures. This should probably be a
separate document that we can link to from the locations where we add
support for metadata extensions. (I see that you have added support
for it in saml20-idp-hosted. At some point we should probably also
add support for it in the SP.)

Other than that, this patch looks good.

Tim Ace

Apr 16, 2012, 2:04:16 PM
to simple...@googlegroups.com
Olav,

Can you make sure the patch you are referring to with "extract(Localized)Strings" no longer accepting xpath strings is committed to SVN? The latest revision (r3067) does not have this change. I'll include that change in my patch, but I have to know what the new function prototype looks like to do that.

As for the other two items, I fixed the attribute name cases and I wrote documentation for the /docs folder using the appropriate Markdown syntax engine you guys use.

-Tim

Olav Morken

Apr 17, 2012, 1:56:13 AM
to simple...@googlegroups.com
On Mon, Apr 16, 2012 at 11:04:16 -0700, Tim Ace wrote:
> Olav,
>
> Can you make sure the patch you are referring to with
> "extract(Locallized)Strings" no longer accepting xpath strings is committed
> to SVN? The latest revision (r3067) does not have this change. I'll include
> that change in my patch, but I have to know what the new function prototype
> looks like to do that.

Are you sure that you are at the right branch? It should be committed
to trunk:

http://code.google.com/p/simplesamlphp/source/browse/trunk/lib/SAML2/Utils.php#502

Dick Visser

Apr 19, 2012, 8:09:18 AM
to simple...@googlegroups.com
Hi all

I am trying to switch from SURFfederatie to SURFconext.

Old: https://wayf.surfnet.nl/federate/metadata/saml20
New: https://engine.surfconext.nl/authentication/proxy/idps-metadata

The SURFconext metadata only seems to contain mdui elements, and no
OrganizationDisplayName etc. any more.
The metadata as processed by lib/SimpleSAML/Metadata/SAMLParser.php
doesn't contain any mdui elements.

So, is there any progress on this patch? ;-)


Dick


--
Dick Visser
System & Networking Engineer
TERENA Secretariat
Singel 468 D, 1017 AW Amsterdam
The Netherlands

Ian Young

Apr 19, 2012, 9:49:04 AM
to simple...@googlegroups.com

On 19 Apr 2012, at 13:09, Dick Visser wrote:

> The metadata as processed by lib/SimpleSAML/Metadata/SAMLParser.php
> doesn't contains no mdui elements.

There are probably a couple of reasons this might not be parsed as you would expect:

The mdui elements are almost all intended to appear within an mdui:UIInfo container element, which isn't being done in that new file.

More importantly, the wrong namespace is being used (urn:oasis:names:tc:SAML:2.0:metadata:ui instead of urn:oasis:names:tc:SAML:metadata:ui).

-- Ian

Tim Ace

Apr 27, 2012, 1:05:20 PM
to simple...@googlegroups.com
Final patch was delivered to Olav. 

Dick Visser

Nov 12, 2012, 4:04:49 PM
to simple...@googlegroups.com
I'm looking for a way to add mdui elements to my SP metadata... this
code seems to be for IdP only.
Any ideas?

thanks

On 27 April 2012 19:05, Tim Ace <eca...@gmail.com> wrote:
> Final patch was delivered to Olav.
>



Tim Ace

Nov 12, 2012, 6:50:47 PM
to simple...@googlegroups.com
Write the SP support and submit a patch, or submit a feature request to the core developers. I have no need for it, so I'm not going to spend time writing and submitting a patch for it...