1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
|
`core:AttributeLimit`
=====================
A filter that limits the attributes (and their values) sent to a service provider.
If the configuration is empty, the filter will use the attributes configured in the `attributes` option in the SP
metadata. The configuration is a list of attributes that should be allowed. In case you want to limit an attribute to
release some specific values, make the name of the attribute the key of the array, and its value an array with all the
different values allowed for it.
Examples
--------
Here you will find a few examples on how to use this simple module:
Limit to the `cn` and `mail` attribute:
'authproc' => array(
50 => array(
'class' => 'core:AttributeLimit',
'cn', 'mail'
),
),
Allow `eduPersonTargetedID` and `eduPersonAffiliation` by default, but allow the metadata to override the limitation.
'authproc' => array(
50 => array(
'class' => 'core:AttributeLimit',
'default' => TRUE,
'eduPersonTargetedID', 'eduPersonAffiliation',
),
),
Only allow specific values for an attribute.
'authproc' => array(
50 => array(
'class' => 'core:AttributeLimit',
'eduPersonEntitlement' => array('urn:x-surfnet:surf.nl:surfdrive:quota:100')
),
),
Only allow specific values for an attribute ignoring case.
'authproc' => array(
50 => array(
'class' => 'core:AttributeLimit',
'eduPersonEntitlement' => array(
'ignoreCase' => true,
'URN:x-surfnet:surf.nl:SURFDRIVE:quota:100'
)
),
),
Only allow specific values for an attribute that match a regex pattern
'authproc' => array(
50 => array(
'class' => 'core:AttributeLimit',
'eduPersonEntitlement' => array(
'regex' => true,
'/^urn:x-surfnet:surf/',
'/^urn:x-IGNORE_Case/i',
)
),
),
Don't allow any attributes by default, but allow the metadata to override it.
'authproc' => array(
50 => array(
'class' => 'core:AttributeLimit',
'default' => TRUE,
),
),
In order to just use the list of attributes defined in the metadata for each service provider, configure the module
like this:
'authproc' => array(
50 => 'core:AttributeLimit',
),
Then, add the allowed attributes to each service provider metadata, in the `attributes` option:
$metadata['https://saml2sp.example.org'] = array(
'AssertionConsumerService' => 'https://saml2sp.example.org/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
'SingleLogoutService' => 'https://saml2sp.example.org/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp',
...
'attributes' => array('cn', 'mail'),
...
);
Now, let's look to a couple of examples on how to filter out attribute values. First, allow only the entitlements known
to be used by a service provider (among other attributes):
$metadata['https://saml2sp.example.org'] = array(
'AssertionConsumerService' => 'https://saml2sp.example.org/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
'SingleLogoutService' => 'https://saml2sp.example.org/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp',
...
'attributes' => array(
'uid',
'mail',
'eduPersonEntitlement' => array(
'urn:mace:example.org:admin',
'urn:mace:example.org:user',
),
),
...
);
Now, an example on how to normalize the affiliations sent from an identity provider, to make sure that no custom
values ever reach the service providers. Bear in mind that this configuration can be overridden by metadata:
'authproc' => array(
50 => 'core:AttributeLimit',
'default' => TRUE,
'eduPersonAffiliation' => array(
'student',
'staff',
'member',
'faculty',
'employee',
'affiliate',
),
),
|
