Question
I have successfully configured simpleSAMLphp so that it authenticates via the Test Shib IDP (https://www.testshib.org/).
Test Shib returns the following attributes:
- urn:oid:0.9.2342.19200300.100.1.1
- urn:oid:1.3.6.1.4.1.5923.1.1.1.1
- urn:oid:1.3.6.1.4.1.5923.1.1.1.6
- urn:oid:2.5.4.4
- urn:oid:1.3.6.1.4.1.5923.1.1.1.9
- urn:oid:2.5.4.42
- urn:oid:1.3.6.1.4.1.5923.1.1.1.7
- urn:oid:2.5.4.3
- urn:oid:1.3.6.1.4.1.5923.1.1.1.10
- urn:oid:2.5.4.20
I would like to map these attributes to friendly names. Can anyone give me some pointers as to how to do that?
The default-sp example in authsources.php has the following:
```php
/*
 * The attributes parameter must contain an array of desired attributes by the SP.
 * The attributes can be expressed as an array of names or as an associative array
 * in the form of 'friendlyName' => 'name'.
 * The metadata will then be created as follows:
 * <md:RequestedAttribute FriendlyName="friendlyName" Name="name" />
 */
/*'attributes' => array(
    'attrname' => 'urn:oid:x.x.x.x',
),*/
```
But setting
```php
'attributes' => array('myTestValue' => 'urn:oid:0.9.2342.19200300.100.1.1'),
```
has no effect.
Any help will be very gratefully received!
Answer 1:
Assuming SimpleSAMLphp 1.6 and higher, you can simply use the built-in oid2name attributemap to do the mapping for you.
```php
'authproc' => array(
    50 => array(
        'class' => 'core:AttributeMap',
        'oid2name',
    ),
),
```
To add to Luke's answer, you can simply add an authproc filter in the following places:
- Globally in config.php
- On the SP: Specific for only the SP in authsources.php
- On the SP: Specific for only one remote IdP in saml20-idp-remote or shib13-idp-remote
- On the IdP: Specific for only one hosted IdP in saml20-idp-hosted or shib13-idp-hosted
- On the IdP: Specific for only one remote SP in saml20-sp-remote or shib13-sp-remote
Taken from https://simplesamlphp.org/docs/stable/simplesamlphp-authproc
You can see additional AttributeMaps such as oid2urn and oid2feide in the source found here:
https://github.com/simplesamlphp/simplesamlphp/tree/master/attributemap
Answer 2:
According to https://simplesamlphp.org/docs/stable/simplesamlphp-authproc, the correct way to manipulate attributes is via the "authproc" functionality.
In my case, I added the following to the configuration array for https://idp.testshib.org/idp/shibboleth in config/saml20-idp-remote.php:
```php
'authproc' => array(
    50 => array(
        'class' => 'core:AttributeCopy',
        'urn:oid:0.9.2342.19200300.100.1.1' => 'uid',
    ),
),
```
The documentation suggests that this configuration array can be added in the following places:
- Globally in config.php
- On the SP: Specific for only the SP in authsources.php
- On the SP: Specific for only one remote IdP in saml20-idp-remote or shib13-idp-remote
- On the IdP: Specific for only one hosted IdP in saml20-idp-hosted or shib13-idp-hosted
- On the IdP: Specific for only one remote SP in saml20-sp-remote or shib13-sp-remote
Please note that you may need to clear any sessions (close and reopen your browser) for the changes to work.
Top tip for future reference - always read the most current version of the documentation!
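
The difference between the filters in the two answers, as an added example that is not part of the original posts or of SimpleSAMLphp's own code: `core:AttributeMap` renames attributes, while `core:AttributeCopy` keeps the OID-named attribute and adds a copy. The functions `renameAttributes` and `copyAttributes`, the sample values and the last sample OID are assumptions made for illustration.

```php
<?php
// Added illustration: plain PHP that mimics the two filters; it does not load SimpleSAMLphp.

// OID => name pairs for the ten attributes listed in the question.
const OID_TO_NAME = [
    'urn:oid:0.9.2342.19200300.100.1.1'  => 'uid',
    'urn:oid:1.3.6.1.4.1.5923.1.1.1.1'   => 'eduPersonAffiliation',
    'urn:oid:1.3.6.1.4.1.5923.1.1.1.6'   => 'eduPersonPrincipalName',
    'urn:oid:2.5.4.4'                    => 'sn',
    'urn:oid:1.3.6.1.4.1.5923.1.1.1.9'   => 'eduPersonScopedAffiliation',
    'urn:oid:2.5.4.42'                   => 'givenName',
    'urn:oid:1.3.6.1.4.1.5923.1.1.1.7'   => 'eduPersonEntitlement',
    'urn:oid:2.5.4.3'                    => 'cn',
    'urn:oid:1.3.6.1.4.1.5923.1.1.1.10'  => 'eduPersonTargetedID',
    'urn:oid:2.5.4.20'                   => 'telephoneNumber',
];

// Rename (core:AttributeMap default): mapped keys are replaced,
// unmapped keys pass through unchanged. Name collisions are not handled here.
function renameAttributes(array $attributes, array $map): array
{
    $out = [];
    foreach ($attributes as $name => $values) {
        $out[$map[$name] ?? $name] = $values;
    }
    return $out;
}

// Copy (core:AttributeCopy): the original key stays and a copy is added.
function copyAttributes(array $attributes, array $map): array
{
    foreach ($map as $from => $to) {
        if (isset($attributes[$from])) {
            $attributes[$to] = $attributes[$from];
        }
    }
    return $attributes;
}

// Constructed sample of received attributes (values and the last OID are made up).
$received = [
    'urn:oid:0.9.2342.19200300.100.1.1' => ['alice'],
    'urn:oid:2.5.4.4'                   => ['Example'],
    'urn:oid:1.3.6.1.4.1.99999.1'       => ['x'],
];
$renamed = renameAttributes($received, OID_TO_NAME);
$copied  = copyAttributes($received, ['urn:oid:0.9.2342.19200300.100.1.1' => 'uid']);
echo 'AttributeMap-style:  ', implode(', ', array_keys($renamed)), PHP_EOL;
echo 'AttributeCopy-style: ', implode(', ', array_keys($copied)), PHP_EOL;
```

Attributes that are not in the map keep their raw names, so code that makes access decisions should read only the friendly names it expects.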
Source: https://stackoverflow.com/questions/35224143/how-do-i-map-attributes-returned-by-an-idp-to-friendly-names-insimplesamlphp