diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000000000000000000000000000000000000..36c0c249afd222a5a68ab19e3f2614ef8503aca5
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,36 @@
+composer.json
+composer.lock
+CONTRIBUTING.md
+COPYING
+LICENSE
+package-lock.json
+package.json
+README.org
+SECURITY.md
+TESTING.md
+webpack.config.js
+attributemap/
+bin/
+cert/
+config-templates/
+config/
+dictionaries/
+docs/
+extra/
+lib/
+locales/
+log/
+metadata-templates/
+metadata/
+modules/
+phpcs.xml
+phpunit.xml
+routing/
+schemas/
+src/
+templates/
+tests/
+vendor/
+www/
+
+
diff --git a/config/attributes.json b/config/attributes.json
index 0525ebf7aa43f5fc75e7e57b6a8adaa54485af48..bc6f4b97d41e6f39b5ba0d4073d29f1295ac65c5 100644
--- a/config/attributes.json
+++ b/config/attributes.json
@@ -1,14 +1,17 @@ { - "uid": "The 'UID' is an identifier associated with the user. It may be the users login name. It may be multi-valued.<br/>Examples: 's9709015', 'admin', and 'Administrator'.", - "schacHomeOrganization": "A person's home organization using the domain name of the organization.<br/>Example: 'universityofharderwijk.nl'.", - "cn": "The 'cn' ('commonName') attribute contains names of an person. Each name is one value of this multi-valued attribute. It is typically the person's full name.<br/>Example: 'Carl' 'von Linné'.", - "givenName": "The 'givenName' attribute contains name strings that are the part of a person's name that is not their surname. Each string is one value of this multi-valued attribute.<br/>Example: 'Carl'", - "sn": "Surname or family name. This attribute contains name strings for the family names of a person. Each string is one value of this multi-valued attribute. If the surname contains hypens, each component of the name may also be stored seperately. Example: 'von Linné'", - "displayName": "The preferred name(s) that should appear when when displaying entries for this person.<br/>Example: 'Carolus Linnaeus'", - "mail": "The internet email addresses for this user, may be multi-valued.<br/>Example: c.vonlinne@universityofharderwijk.nl'", - "eduPersonAffiliation": "Specifies the person's relationship(s) to the institution in broad categories. Only permissable values are: faculty, student, staff, alum, member, affiliate, employee, library-walk-in.<br/>Example: 'member', 'faculty'", - "eduPersonScopedAffiliation": "Specifies the person's affiliation within a particular security domain in broad categories. The values consist of a left and right component separated by an '@' sign, The left component is one of the values from the eduPersonAffiliation controlled vocabulary.This right-hand side syntax of eduPersonScopedAffiliation intentionally matches that used for the right-hand side values for eduPersonPrincipalName. 
The 'scope' portion MUST be the administrative domain to which the affiliation applies.<br/>Example: 'member@@universityofharderwijk.nl', 'faculty@@universityofharderwijk.nl'", - "eduPersonEntitlement": "A URI (either URN or URL) that indicates a set of roles or rights to specific resources.<br/>Example: 'urn:mace:washington.edu:confocalMicroscope' 'http://xstor.com/contracts/HEd123'", - "isMemberOf": "The values of isMemberOf are identifiers for groups to which the containing person belongs.<br/>Example: 'https://toolbox.switch.ch/sig-mobile-wg', 'Stanford:faculty:emeritus', 'admin'", - "eduPersonPrincipalName": "A scoped identifier for a person. It is represented in the form 'user@scope' where 'user' is a name-based identifier for the person and where the 'scope' portion MUST be the administrative domain of the identity system where the identifier was created and assigned. Note this idenitfier might be reassigend over time. Values of eduPersonPrincipalName are often, but not required to be, human-friendly, and may change as a result of various business processes. Possibilities of changes and reassignments make this identifier unsuitable for many purposes. As a result, eduPersonPrincipalName is NOT RECOMMENDED for use by applications that provide separation between low-level identification and more presentation-oriented data such as name and email address. Common identity protocols provide for a standardized and more stable identifier for such applications, and these protocol-specific identifiers should be used whenever possible; where using a protocol-specific identifier is not possible, the eduPersonUniqueId attribute may be an appropriate neutral form. Syntactically, ePPN looks like an email address but is not intended to be a person’s published email address, or to be used as an email address. Consumers must not assume this is a valid email address for the individual. 
<br/>Examples: 'niels@surf.nl', 's4928467@student.universityofharderwijk.nl'" + "uid": "The 'UID' is an identifier associated with the user. It may be the users login name. It may be multi-valued.\\n\\nExamples: 's9709015', 'admin', and 'Administrator'.", + "schacHomeOrganization": "A person's home organization using the domain name of the organization.\\n\\nExample: 'universityofharderwijk.nl'.", + "cn": "The 'cn' ('commonName') attribute contains names of an person. Each name is one value of this multi-valued attribute. It is typically the person's full name.\\n\\nExample: 'Carl' 'von Linné'.", + "givenName": "The 'givenName' attribute contains name strings that are the part of a person's name that is not their surname. Each string is one value of this multi-valued attribute.\\n\\nExample: 'Carl'", + "sn": "Surname or family name. This attribute contains name strings for the family names of a person. Each string is one value of this multi-valued attribute. If the surname contains hypens, each component of the name may also be stored seperately.\\n\\nExample: 'von Linné'", + "displayName": "The preferred name(s) that should appear when when displaying entries for this person.\\n\\nExample: 'Carolus Linnaeus'", + "mail": "The internet email addresses for this user, may be multi-valued.\\n\\nExample: c.vonlinne@universityofharderwijk.nl'", + "eduPersonAffiliation": "Specifies the person's relationship(s) to the institution in broad categories. Only permissable values are: faculty, student, staff, alum, member, affiliate, employee, library-walk-in.\\n\\nExample: 'member', 'faculty'", + "eduPersonScopedAffiliation": "Specifies the person's affiliation within a particular security domain in broad categories. 
The values consist of a left and right component separated by an '@' sign, The left component is one of the values from the eduPersonAffiliation controlled vocabulary.This right-hand side syntax of eduPersonScopedAffiliation intentionally matches that used for the right-hand side values for eduPersonPrincipalName. The 'scope' portion MUST be the administrative domain to which the affiliation applies.\\n\\nExample: 'member@@universityofharderwijk.nl', 'faculty@@universityofharderwijk.nl'", + "eduPersonEntitlement": "A URI (either URN or URL) that indicates a set of roles or rights to specific resources.\\n\\nExample: 'urn:mace:washington.edu:confocalMicroscope' 'http://xstor.com/contracts/HEd123'", + "isMemberOf": "The values of isMemberOf are identifiers for groups to which the containing person belongs.\\n\\nExample: 'https://toolbox.switch.ch/sig-mobile-wg', 'Stanford:faculty:emeritus', 'admin'", + "eduPersonPrincipalName": "A scoped identifier for a person. It is represented in the form 'user@scope' where 'user' is a name-based identifier for the person and where the 'scope' portion MUST be the administrative domain of the identity system where the identifier was created and assigned. Note this idenitfier might be reassigend over time. Values of eduPersonPrincipalName are often, but not required to be, human-friendly, and may change as a result of various business processes. Possibilities of changes and reassignments make this identifier unsuitable for many purposes. As a result, eduPersonPrincipalName is NOT RECOMMENDED for use by applications that provide separation between low-level identification and more presentation-oriented data such as name and email address. 
Common identity protocols provide for a standardized and more stable identifier for such applications, and these protocol-specific identifiers should be used whenever possible; where using a protocol-specific identifier is not possible, the eduPersonUniqueId attribute may be an appropriate neutral form. Syntactically, ePPN looks like an email address but is not intended to be a person’s published email address, or to be used as an email address. Consumers must not assume this is a valid email address for the individual.i\\n\\nExamples: 'niels@surf.nl', 's4928467@student.universityofharderwijk.nl'", + "eduPersonTargetedID": "TODO", + "homePhone": "TODO", + "eduPersonOrcid": "TODO" } diff --git a/config/logins.json b/config/logins.json index 3321b36923619312ffc1524784e84284cd35df37..8328f11d24f2894eabbec1f39b4ca26fb0a857a0 100644 --- a/config/logins.json +++ b/config/logins.json @@ -8,6 +8,8 @@ "uid": [ "jstiglitz" ], + "pairwise-id": "jstiglitz", + "subject-id": "jstiglitz", "eduPersonTargetedID": "bd0916qef0c2e675b2def4ahe6w50b7d4bb4aae", "schacHomeOrganization": "harvard-example.edu", "eduPersonPrincipalName": "stiglitz@harvard-example.edu", diff --git a/metadata/saml20-idp-hosted.php b/metadata/saml20-idp-hosted.php index a2a373ef7b6f821e7d897879d88d3d7878e20cea..0b2afb2b72484f6728dfac24a395f55fdd31c87e 100644 --- a/metadata/saml20-idp-hosted.php +++ b/metadata/saml20-idp-hosted.php 
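Review bot: The new description strings replace `<br/>` with the JSON escape `\\n\\n`, which `json_decode` turns into a literal backslash followed by `n`, not a line break; if a blank line was intended, the JSON source needs `\n\n` (one backslash each), unless a later rendering step is known to interpret the two-character sequence. The eduPersonPrincipalName entry also picked up a stray `i` (`individual.i\\n\\n`), and since every string is being rewritten anyway, the spellings carried over from the old text (`hypens`, `seperately`, `permissable`, `idenitfier`, `reassigend`, `when when`) could be fixed in the same pass. The three new `"TODO"` descriptions will be shown to users verbatim unless the consumer filters them.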
@@ -94,14 +94,27 @@ $metadata['__DYNAMIC:1__'] = [ 'identifyingAttribute' => 'eduPersonTargetedId', 'nameId' => TRUE, ], - 8 => [ + 8 => [ + 'class' => 'subjectidattrs:PairwiseID', + 'identifyingAttribute' => 'pairwise-id', + 'scopeAttribute' => 'scope', + ], + 9 => [ + 'class' => 'subjectidattrs:SubjectID', + 'identifyingAttribute' => 'subject-id', + 'scopeAttribute' => 'scope', + ], + 15 => [ 'class' => 'core:PHP', 'code' => ' unset($attributes["eduPersonTargetedId"]); + unset($attributes["pairwise-id"]); + unset($attributes["subject-id"]); + unset($attributes["scope"]); ', - ], + ], // Convert LDAP names to urn. - 10 => [ + 20 => [ 'class' => 'core:AttributeMap', 'name2oid' ], diff --git a/modules/customauth/www/authpage.php b/modules/customauth/www/authpage.php index e73f543d162105bc49fe4315867166c853d8e96c..d81d71f5bf43d382ef0e3b87e1779ae7c27a79a3 100644 --- a/modules/customauth/www/authpage.php +++ b/modules/customauth/www/authpage.php @@ -37,7 +37,10 @@ if (!preg_match('@State=(.*)@', $returnTo, $matches)) { // our list of users. $raw_users = json_decode(file_get_contents('/opt/simplesamlphp/config/logins.json'), true); -$attributes = json_decode(file_get_contents('/opt/simplesamlphp/config/attributes.json'), true); +$attr_raw = json_decode(file_get_contents('/opt/simplesamlphp/config/attributes.json'), true); +foreach($attr_raw as $attribute => $value) { + $attributes[$attribute] = htmlentities($value, ENT_QUOTES); +} $users = []; $explanations = []; 
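Review bot: The authproc chain now depends on key order — 8 and 9 build `pairwise-id`/`subject-id` from the `scope` attribute, 15 has to run after them to strip those inputs, and 20 maps attribute names to OIDs — but nothing in the array says so, and the jump from 9 to 15 to 20 reads as accidental. A comment above the `8 => [` entry such as `// 8/9 derive pairwise-id/subject-id (scope is supplied by the authsource); 15 strips the raw inputs after use; keep the name2oid map at 20 last` would make the ordering constraint explicit. The `$metadata['__DYNAMIC:1__']` array starts and ends outside the hunk.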
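Review bot: `$attributes` is no longer assigned before use in the second hunk of authpage.php: it only comes into existence through `$attributes[$attribute] = ...` inside the `foreach`, so when `json_decode` returns `null` for a missing or malformed attributes.json the loop emits a warning and `$attributes` stays undefined for the code that follows. Initialise it and tolerate a null decode, e.g. `$attributes = [];` before the loop and `foreach ((array) $attr_raw as $attribute => $value) {`. Escaping with `htmlentities($value, ENT_QUOTES)` at load time is a sound choice for text that ends up in HTML, but it presumably means the rendering side must not escape these strings a second time, or the `&#039;` it produces for the many quoted examples will itself be encoded; worth confirming against the template. Note too that the descriptions decode with literal `\n` sequences (backslash, n), which `htmlentities` leaves as-is, so no line breaks will appear unless a later step converts them.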
@@ -65,6 +68,18 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') { $attributes = @$_POST['keys'] or []; + // Fix subject scope + $scope = "dummy.org"; + if (isset($attributes['schacHomeOrganization'])) { + $scope = $attributes['schacHomeOrganization']; + } elseif (isset($attributes['eduPersonScopedAffiliation'])) { + $scope = explode("@", explode(",", $attributes['eduPersonScopedAffiliation'])[0])[1]; + } elseif (isset($attributes['eduPersonPrincipalName'])) { + $scope = explode("@", $attributes['eduPersonPrincipalName'])[1]; + } + $attributes['scope'] = $scope; + //SimpleSAML\Logger::warning("Attributes: " . print_r($attributes, true)); + foreach ($attributes as $key => $value) { $_SESSION['attributes'][$key] = $value; }
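Review bot: The scope fed to the PairwiseID/SubjectID filters is taken straight from the POSTed attributes (`$attributes = @$_POST['keys']` on the first context line) without validation: `explode("@", ...)[1]` raises an undefined-offset notice and yields `null` when the value has no `@`, and `isset` accepts an empty `schacHomeOrganization`, so `$attributes['scope']` can end up empty or null. Keep the `dummy.org` default unless the candidate looks like a domain, and treat the three sources as an ordered list of candidates rather than an isset chain, so a malformed first value does not shadow a usable second one (the sketch below uses PHP 7 `??`). The commented-out `SimpleSAML\Logger::warning(... print_r($attributes, true))` line dumps the whole attribute set into the log at warning level; delete it rather than leave it to be re-enabled. The assumption that multi-valued fields arrive comma-joined (`explode(",", ...)`) presumably mirrors the form, but deserves a comment.
```php
// … unchanged: $attributes = @$_POST['keys'] or []; …
// Fix subject scope: the first candidate that looks like a domain wins;
// otherwise keep the default so the subject-id filters never see an
// empty or null scope. Multi-valued fields are assumed comma-joined.
$scope = "dummy.org";
$scope_candidates = [
    $attributes['schacHomeOrganization'] ?? '',
    explode("@", explode(",", $attributes['eduPersonScopedAffiliation'] ?? '')[0])[1] ?? '',
    explode("@", $attributes['eduPersonPrincipalName'] ?? '')[1] ?? '',
];
foreach ($scope_candidates as $candidate) {
    if (preg_match('/^[A-Za-z0-9.-]+$/', $candidate)) {
        $scope = $candidate;
        break;
    }
}
$attributes['scope'] = $scope;
// … unchanged: copy of $attributes into $_SESSION …
```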