mimaen/simplesamlphp-module-hubandspoke

SimpleSAMLphp utilities for Hub & Spoke federations

Installs: 1 828

Dependents: 1

Suggesters: 0

Security: 0

Stars: 0

Watchers: 2

Forks: 2

Type:simplesamlphp-module

dev-master 2016-04-13 14:11 UTC

This package is not auto-updated.

Last update: 2024-11-21 00:53:20 UTC


README

#Hub & Spoke utilities for SimpleSAMLphp

##TargetedID

A flexible way for generate one or more values for the eduPersonTargetedId attribute.

hubandspoke:TargetedID is an Authentication Processing Filter for SimpleSAMLphp, based on core:TargetedID by Olav Morken, UNINETT AS.

This filter generates one or more values for the eduPersonTargetedID attribute, using:

  • an attribute identifying the authenticated user
  • (optionally) a value identifying the SP requesting authentication
  • (optionally) a value identifying the IdP
  • (optionally) a fixed random value for salting the result
  • a hash algorithm

Configuration allows:

  • set alternative attributes (in order of preference) to identify the user
  • set alternative attributes (in order of preference) to identify the target
  • set alternative attributes (in order of preference) to identify the IdP
  • transform the target identifier
  • filter SP and/or users (send a value only for matching entities)

Read the docs to see all the options.

###Configuration samples

  • eduPersonTargetedId with one unique standard value:
    'authproc' => array(
        50 => 'hubandspoke:TargetedID',
    ),
sha256(userID + '@@' + targetID + '@@' + sourceID)
  • eduPersonTargetedId obfuscated with a salt:
    'authproc' => array(
        50 => array(
            'class' => 'hubandspoke:TargetedID',
            'salt'  => 'randomString',
        ),
    ),
sha256(salt + '@@' + userID + '@@' + targetID + '@@' + sourceID + '@@' + salt)
  • eduPersonTargetedId with a different formula:
    'authproc' => array(
        50 => array(
            'class'  => 'hubandspoke:TargetedID',
            'userID' => 'Attributes/mail',
            'fields' => array('salt', 'userID', 'targetID'),
            'salt'   => 'randomString',
        ),
    ),
sha256(salt + '@@' + mail + '@@' + targetID)
  • eduPersonTargetedId with two values:
    'authproc' => array(
        50 => array(
            'class'  => 'hubandspoke:TargetedID',
            'salt'   => 'randomString',
            'values' => array(
                'new' => array(
                    'fieldSeparator' => '//',
                ),
                'old' => array(
                    'hashFunction' => 'md5',
                    'fields'       => array('userID'),
                ),
            ),
        ),
    ),
sha256(salt + '//' + userID + '//' + targetID + '//' + sourceID + '//' + salt)
md5(userID)
  • eduPersonTargetedId with two values prefixed:
    • one of them only for a specific SP (http://*.example.com)
    • the other one for all SP, but considering the same SP all URL https://*.blogs.example.com (same eduPersonTargetedId)
    'authproc' => array(
        50 => array(
            'class'  => 'hubandspoke:TargetedID',
            'salt'   => 'randomString',
            'values' => array(
                'new' => array(
                    'prefix'          => '{new}',
                    'targetTransform' => array(
                        '#^(https?://)[^./]+\.(blogs\.example\.com)(/|$).*$#' => '$1$2/',
                    ),
                ),
                'old' => array(
                    'prefix'       => '{old}',
                    'hashFunction' => 'md5',
                    'userID'       => array('Attributes/mail', 'UserID'),
                    'fields'       => 'userID',
                    'ifTarget'     => '#^https?://([^./]+\.)*example\.com(/|$)#',
                ),
            ),
        ),
    ),
'{new}' + sha256(salt + '@@' + userID + '@@' + targetID* + '@@' + sourceID + '@@' + salt)
'{old}' + md5(userID) 						  only for *.example.com