diff --git a/config/logins.json b/config/logins.json
new file mode 100644
index 0000000000000000000000000000000000000000..4101c35d3b6b8908e0eeb73c27b006394baa2f93
--- /dev/null
+++ b/config/logins.json
@@ -0,0 +1,264 @@
+{
+ "account1" : {
+ "type" : "Research and Scholarship",
+ "explanation": "This profile provides a R&S compatible attribute bundle with the name of the user name being provided in the 'displayname' attribute",
+ "display": "Account One (R&S)",
+ "eduPersonPrincipalName" : "account1@idp.example.org",
+ "displayName" : "Account One",
+ "mail" : "account1@idp.example.org"
+ },
+ "account2" : {
+ "type" : "Research and Scholarship",
+ "explanation": "This profile provides a R&S compatible attribute bundle with the name of the user name being provided in both a 'displayname' attribute as well as seperate 'surname' and 'givenname' attributes",
+ "display": "Account Two (R&S)",
+ "eduPersonPrincipalName" : "account2@idp.example.org",
+ "displayName" : "Account Two",
+ "givenName" : "Account",
+ "sn" : "Two",
+ "mail" : "account2@idp.example.org"
+ },
+ "account3" : {
+ "type" : "Research and Scholarship",
+ "explanation": "This profile provides a R&S compatible attribute bundle with the name of the user name being provided as seperate 'surname' and 'givenname' attributes. In addition the users affiliations are provided in the 'eduPersonScopedAffiliation' attribute",
+ "display": "Account Three (R&S)",
+ "eduPersonPrincipalName" : "account3@idp.example.org",
+ "givenName" : "Account",
+ "sn" : "Three",
+ "mail" : "account3@idp.example.org",
+ "eduPersonScopedAffiliation" : ["member@idp.example.org", "student@idp.example.org"]
+ },
+ "account4" : {
+ "type" : "Research and Scholarship",
+ "explanation": "This profile provides a R&S compatible attribute bundle with the name of the user name being provided as seperate 'surname' and 'givenname' attributes. Please note the usage of both 'eduPersonPrincipalName' as well as 'eduPersonTargetedID' which suggest the 'eduPersonPrincipalName' may not be a stable identifier, but may be reassigned at some point",
+ "display": "Account Four (R&S)",
+ "eduPersonPrincipalName" : "account4@idp.example.org",
+ "eduPersonTargetedID" : "bd09168cf0c2e675b2def0ade6f50b7d4bb4aae",
+ "givenName" : "Account4",
+ "sn" : "Four",
+ "mail" : "account4@idp.example.org",
+ "eduPersonScopedAffiliation" : ["member@idp.example.org", "employee@idp.example.org", "faculty@idp.example.org"]
+ },
+ "account5" : {
+ "type" : "Research and Scholarship",
+ "explanation": "This profile provides a R&S compatible attribute bundle with the name of the user name being provided in the displayname attribute. Please note the usage of both 'eduPersonPrincipalName' as well as 'eduPersonTargetedID' which suggest the 'eduPersonPrincipalName' may not be a stable identifier, but may be reassigned at some point",
+ "display": "Account Five (R&S)",
+ "eduPersonPrincipalName" : "account5@idp.example.org",
+ "eduPersonTargetedId" : "account5@idp.example.org",
+ "displayName" : "Account Five",
+ "mail" : "account5@idp.example.org"
+ },
+ "account6" : {
+ "type" : "Research and Scholarship",
+ "explanation": "This profile provides a R&S compatible attribute bundle with the name of the user name being provided as seperate 'surname' and 'givenname' attributes. Please note the usage of both 'eduPersonPrincipalName' as well as 'eduPersonTargetedID' which suggest the 'eduPersonPrincipalName' may not be a stable identifier, but may be reassigned at some point",
+ "display": "Account Six (R&S)",
+ "eduPersonPrincipalName" : "account6@idp.example.org",
+ "eduPersonTargetedId" : "account6@idp.example.org",
+ "givenName" : "Account6",
+ "sn" : "Six",
+ "mail" : "account6@idp.example.org"
+ },
+ "account7" : {
+ "type" : "Research and Scholarship",
+ "explanation": "This profile provides a R&S compatible attribute bundle with the name of the user name being provided in the displayname attribute. Please note the usage of both 'eduPersonPrincipalName' as well as 'eduPersonTargetedID' which suggest the 'eduPersonPrincipalName' may not be a stable identifier, but may be reassigned at some point. In addition the users affiliations are provided in the 'eduPersonScopedAffiliation' attribute",
+ "display": "Account Seven (R&S)",
+ "eduPersonPrincipalName" : "account7@idp.example.org",
+ "eduPersonTargetedId" : "account7@idp.example.org",
+ "displayName" : "Account Seven",
+ "mail" : "account7@idp.example.org",
+ "eduPersonScopedAffiliation" : ["employee@idp.example.org", "staff@idp.example.org", "member@idp.example.org", "student@idp.example.org"]
+ },
+ "account8" : {
+ "type" : "Research and Scholarship",
+ "explanation": "This profile provides a R&S compatible attribute bundle with the name of the user name being provided as seperate 'surname' and 'givenname' attributes.Please note the usage of both 'eduPersonPrincipalName' as well as 'eduPersonTargetedID' which suggest the 'eduPersonPrincipalName' may not be a stable identifier, but may be reassigned at some point. In addition the users affiliations are provided in the 'eduPersonScopedAffiliation' attribute",
+ "display": "Account Eight (R&S)",
+ "eduPersonPrincipalName" : "account8@idp.example.org",
+ "eduPersonTargetedId" : "account8@idp.example.org",
+ "givenName" : "Account8",
+ "sn" : "Eight",
+ "mail" : "account8@idp.example.org",
+ "eduPersonScopedAffiliation" : ["employee@idp.example.org", "staff@idp.example.org", "member@idp.example.org", "student@idp.example.org"]
+ },
+ "account9" : {
+ "type": "Behaviour tests",
+ "explanation": "Test - multi-valued mail attribute",
+ "display": "Jordan R. Belfort",
+ "uid" : ["belfort"],
+ "schacHomeOrganization" : "harvard-example.edu",
+ "eduPersonPrincipalName" : "belfort@harvard-example.edu",
+ "cn" : "Jordan Ross Belfort",
+ "givenName" : "Jordan",
+ "sn" : "Belfort",
+ "displayName" : "Jordan R. Belfort",
+ "mail" : ["Jordan.Belfort@harvard-example.edu", "jordan@harvard-example.edu"],
+ "eduPersonAffiliation" : ["employee", "faculty", "member"],
+ "eduPersonScopedAffiliation" : ["employee@harvard-example.edu", "faculty@harvard-example.edu", "member@harvard-example.edu"],
+ "eduPersonEntitlement" : "urn:mace:dir:entitlement:common-lib-terms-example",
+ "isMemberOf" : "urn:collab:org:aarc-project.eu"
+ },
+ "account10" : {
+ "type": "Behaviour tests",
+ "explanation": "Test - No member affiliation ind eduPersonAffiliation",
+ "display": "Steve Wynn",
+ "uid" : ["wynn"],
+ "schacHomeOrganization" : "harvard-example.edu",
+ "eduPersonPrincipalName" : "wynn@harvard-example.edu",
+ "cn" : "Steve Alen Wynn",
+ "givenName" : "Steve",
+ "sn" : "Wynn",
+ "displayName" : "Steve Wynn",
+ "mail" : ["S.Wynn@harvard-example.edu", "Steve.Wynn@example-casino.com", "steve.Wynn@las.vegas.com"],
+ "eduPersonAffiliation" : ["employee", "faculty"],
+ "eduPersonScopedAffiliation" : ["employee@harvard-example.edu", "faculty@harvard-example.edu", "member@harvard-example.edu"],
+ "eduPersonEntitlement" : "urn:mace:dir:entitlement:common-lib-terms-example",
+ "isMemberOf" : "urn:collab:org:aarc-project.eu"
+ },
+ "account11" : {
+ "type": "Behaviour tests",
+ "explanation": "Test - Incorrect domain scope for Home organisation",
+ "display": "Isaac Newton",
+ "uid" : ["isaac"],
+ "schacHomeOrganization" : "university-example.org",
+ "eduPersonPrincipalName" : "isaac@university-example.edu",
+ "cn" : "Sir Isaac Newton",
+ "givenName" : "Isaac",
+ "sn" : "Newton",
+ "displayName" : "Isaac Newton",
+ "mail" : ["isaacnewton@university-example.org", "newton@university-example.org"],
+ "eduPersonScopedAffiliation" : ["employee@huniversity-example.org", "faculty@university-example.org", "member@university-example.org"],
+ "eduPersonEntitlement" : "urn:mace:dir:entitlement:common-lib-terms-example",
+ "isMemberOf" : "urn:collab:org:aarc-project.eu"
+ },
+ "account12" : {
+ "type": "Behaviour tests",
+ "explanation": "Test - Invalid email address, note that ePPN is NOT an email adress, so having multiple @ signs is allowed",
+ "display": "Oscar Burton",
+ "uid" : ["oburton"],
+ "schacHomeOrganization" : "university-example.org",
+ "eduPersonPrincipalName" : "o@burton@university-example.org",
+ "cn" : "Oscar Burton",
+ "givenName" : "Oscar",
+ "sn" : "Burton",
+ "displayName" : "Oscar Burton",
+ "mail" : "o@burton@university-example.edu",
+ "eduPersonAffiliation" : ["employee", "member", "staff"],
+ "eduPersonScopedAffiliation" : ["employee@huniversity-example.org", "staff@university-example.org", "member@university-example.org"],
+ "isMemberOf" : "urn:collab:org:aarc-project.eu"
+ },
+
+ "account13" : {
+ "type": "Behaviour tests",
+ "explanation": "Test - Invalid ePPN",
+ "display": "Oscar Burton",
+ "uid" : ["oburton"],
+ "schacHomeOrganization" : "university-example.org",
+ "eduPersonPrincipalName" : "oburton@university-example.edu",
+ "cn" : "Oscar Burton",
+ "givenName" : "Oscar",
+ "sn" : "Burton",
+ "displayName" : "Oscar Burton",
+ "mail" : "OscarBurton@university-example.org",
+ "eduPersonAffiliation" : ["employee", "member", "staff"],
+ "eduPersonScopedAffiliation" : ["employee@huniversity-example.org", "staff@university-example.org", "member@university-example.org"],
+ "isMemberOf" : "urn:collab:org:aarc-project.eu"
+ },
+
+ "account14" : {
+ "type": "Behaviour tests",
+ "explanation": "Test - Member only",
+ "display": "Student One",
+ "uid" : ["student1"],
+ "schacHomeOrganization" : "idp.example.org",
+ "eduPersonPrincipalName" : "student1@idp.example.org",
+ "cn" : "Student One",
+ "givenName" : "Student",
+ "sn" : "One",
+ "displayName" : "Student One",
+ "mail" : "student1@idp.example.org",
+ "eduPersonAffiliation" : ["member"],
+ "eduPersonScopedAffiliation" : ["member@idp.example.org"],
+ "isMemberOf" : "urn:collab:org:aarc-project.eu"
+ },
+ "account15" : {
+ "type": "Behaviour tests",
+ "explanation": "Test - Non human-friendly ePPN",
+ "display": "Student Two",
+ "uid" : ["FyHah7$J"],
+ "schacHomeOrganization" : "idp.example.org",
+ "eduPersonPrincipalName" : "FyHah7$J@idp.example.org",
+ "cn" : "Student Two",
+ "givenName" : "Student",
+ "sn" : "Two",
+ "displayName" : "Student Two",
+ "mail" : "s1869831907@example.org",
+ "eduPersonAffiliation" : ["student", "member"],
+ "eduPersonScopedAffiliation" : ["member@idp.example.org", "student@idp.example.org"],
+ "isMemberOf" : "urn:collab:org:aarc-project.eu"
+ },
+ "account16" : {
+ "type": "Behaviour tests",
+ "explanation": "Test - Blank attribute values",
+ "display": "Student Three",
+ "uid" : ["student3"],
+ "schacHomeOrganization" : "idp.example.org",
+ "eduPersonPrincipalName" : "student3@idp.example.org",
+ "cn" : "",
+ "givenName" : "",
+ "sn" : "Three",
+ "displayName" : "Student Three",
+ "mail" : "student3@idp.example.org",
+ "eduPersonAffiliation" : ["member", "student"],
+ "eduPersonScopedAffiliation" : ["member@idp.example.org", "student@idp.example.org"],
+ "isMemberOf" : "urn:collab:org:aarc-project.eu"
+ },
+ "account17" : {
+ "type": "Behaviour tests",
+ "explanation": "Test - Inconsistant user name",
+ "display": "Godfried Viggo",
+ "uid" : ["viggo7"],
+ "schacHomeOrganization" : "unidenmark-example.dk",
+ "eduPersonPrincipalName" : "viggo7@unidenmark-example.dk",
+ "cn" : "Christian Godfried Viggo Lind",
+ "givenName" : "Godfried",
+ "sn" : "Viggo",
+ "displayName" : "Godfried Viggo",
+ "mail" : "Godfried.Viggo@unidenmark-example.dk",
+ "eduPersonAffiliation" : "student",
+ "eduPersonScopedAffiliation" : ["student@unidenmark-example.dk"],
+ "isMemberOf" : "urn:collab:org:aarc-project.eu"
+ },
+ "account18" : {
+ "type": "Behaviour tests",
+ "explanation": "Test - non-ASCII UTF-8 common name ",
+ "display": "Daisuke Takahashi",
+ "uid" : ["U3342109"],
+ "schacHomeOrganization" : "exchange-example.edu",
+ "eduPersonPrincipalName" : "U3342109@exchange-example.edu",
+ "cn" : "Daisuke Takahashi, 髙橋 大輔",
+ "givenName" : "Daisuke",
+ "sn" : "Takahashi",
+ "displayName" : "Daisuke Takahashi",
+ "mail" : "U3342109@exchange-example.edu",
+ "eduPersonAffiliation" : ["member", "student"],
+ "eduPersonScopedAffiliation" : ["member@exchange-example.edu", "student@exchange-example.edu"],
+ "isMemberOf" : ["urn:collab:org:exchange-university.org", "urn:collab:org:home-university.org"]
+ },
+
+ "account19" : {
+ "type": "Behaviour tests",
+ "explanation": "Test - Diacritical marks",
+ "display": "Martin N. Jørgensen",
+ "uid" : ["student14"],
+ "schacHomeOrganization" : "stockholmuni-example.se",
+ "eduPersonPrincipalName" : "student14@stockholmuni-example.se",
+ "cn" : "Martin Nikolaus Jørgensen",
+ "givenName" : "Martin",
+ "sn" : "Jørgensen",
+ "displayName" : "Martin N. Jørgensen",
+ "mail" : "jorgensen07@stockholmuni-example.se",
+ "eduPersonAffiliation" : ["member", "student"],
+ "eduPersonScopedAffiliation" : ["member@stockholmuni-example.se", "student@stockholmuni-example.se"],
+ "isMemberOf" : "urn:collab:org:sunet-example.se"
+ }
+
+}
+
diff --git a/metadata/saml20-idp-hosted.php b/metadata/saml20-idp-hosted.php
index fa724699dd7acff52827e19815063ebf6fbc215e..a2a373ef7b6f821e7d897879d88d3d7878e20cea 100644
--- a/metadata/saml20-idp-hosted.php
+++ b/metadata/saml20-idp-hosted.php
@@ -22,6 +22,16 @@
 $vserver = $_SERVER['SERVER_NAME'];
 $vparts = explode('.', $vserver);
 $vhost = $vparts[0];
+$raw_users = json_decode(file_get_contents('/opt/simplesamlphp/config/logins.json'), true);
+$domains = [];
+if (is_array($raw_users)) {
+ foreach($raw_users as $user => $values) {
+ $sho = @$values['schacHomeOrganization'];
+ if ($sho) $domains[] = $sho;
+ }
+}
+$domains = array_unique($domains);
+
 $metadata['__DYNAMIC:1__'] = [
 /*
 * The hostname of the server (VHOST) that will use this SAML entity.
@@ -62,6 +72,8 @@ $metadata['__DYNAMIC:1__'] = [
 ],
 ],
 
+ 'scope' => $domains,
+
 // X.509 key and certificate. Relative to the cert directory.
 'privatekey' => 'server.key',
 'certificate' => 'server.crt',
diff --git a/modules/customauth/www/authpage.php b/modules/customauth/www/authpage.php
index 09f045f5ba569b64694c3eb1824c1f07d62c59af..7ec652eb102b4d22ccda6f8967e8eb864202ab20 100644
--- a/modules/customauth/www/authpage.php
+++ b/modules/customauth/www/authpage.php
@@ -45,8 +45,10 @@
 $displays = [];
 foreach ($raw_users as $user => $values) {
 $explanations[$user] = $values['explanation'];
 $displays[$user] = $values['display'];
+ $type[$user] = $values['type'];
 unset($values['explanation']);
 unset($values['display']);
+ unset($values['type']);
 $users[$user] = $values;
 }
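Review bot: The scope-collection loop hides errors with `@$values['schacHomeOrganization']` and appends the raw value, so a missing key is swallowed while a multi-valued entry (the other attributes in logins.json are arrays) would push an array into `$domains` and trip `array_unique`; `?? []` with a nested loop handles both. Failures of `file_get_contents` and `json_decode` are equally silent: an unreadable or malformed file leaves `$domains` empty and the IdP then advertises no `shibmd:Scope` at all through the `'scope' => $domains` line in the second hunk, a misconfiguration that should fail loudly at metadata load rather than pass quietly. `array_unique` also preserves keys, so `$domains` is no longer a list; wrap it in `array_values`. The unused `$user` key can be dropped from the `foreach`.
```php
$logins_file = '/opt/simplesamlphp/config/logins.json';
$raw_json = file_get_contents($logins_file);
$raw_users = $raw_json === false ? null : json_decode($raw_json, true);
if (!is_array($raw_users)) {
    throw new \RuntimeException('Unable to load accounts from ' . $logins_file . ': ' . json_last_error_msg());
}
$domains = [];
foreach ($raw_users as $values) {
    // schacHomeOrganization may be single- or multi-valued like the other attributes
    foreach ((array) ($values['schacHomeOrganization'] ?? []) as $sho) {
        if (is_string($sho) && $sho !== '') {
            $domains[] = $sho;
        }
    }
}
$domains = array_values(array_unique($domains));
// … unchanged: $metadata['__DYNAMIC:1__'] definition …
```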
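Review bot: `$type[$user] = $values['type'];` writes into `$type` without the `$type = [];` initialisation that `$displays = [];` receives in the visible context, so it relies on PHP implicitly creating the array; add `$type = [];` beside the other initialisers just before the hunk for consistency. The new line also assumes every account has a `type` key, as the existing `explanation`/`display` lines do; `$type[$user] = $values['type'] ?? '';` avoids an undefined-key warning for an account that omits it. Since `type` presumably ends up on the rendered login page alongside `display` and `explanation`, it should pass through the same HTML escaping as those fields at output time — that rendering code is outside this hunk. The `foreach` block itself is fully contained in the hunk.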