From 48d1eadd58214132d0d7ed89dbfce345b53550b6 Mon Sep 17 00:00:00 2001
From: Martin <martin.vanes@surf.nl>
Date: Tue, 29 Jun 2021 15:13:12 +0200
Subject: [PATCH] WIP

---
 config/logins.json                  | 264 ++++++++++++++++++++++++++++
 metadata/saml20-idp-hosted.php      |  12 ++
 modules/customauth/www/authpage.php |   2 +
 3 files changed, 278 insertions(+)
 create mode 100644 config/logins.json

diff --git a/config/logins.json b/config/logins.json
new file mode 100644
index 0000000..4101c35
--- /dev/null
+++ b/config/logins.json
@@ -0,0 +1,264 @@
+{
+    "account1" : {
+            "type" : "Research and Scholarship",
+            "explanation": "This profile provides a R&S compatible attribute bundle with the name of the user name being provided in the 'displayname' attribute",
+            "display": "Account One (R&S)",
+            "eduPersonPrincipalName" : "account1@idp.example.org",
+            "displayName" : "Account One",
+            "mail" : "account1@idp.example.org"
+        },
+    "account2" : {
+            "type" : "Research and Scholarship",		
+            "explanation": "This profile provides a R&S compatible attribute bundle with the name of the user name being provided in both a 'displayname' attribute as well as seperate 'surname' and 'givenname' attributes",
+            "display": "Account Two (R&S)",
+            "eduPersonPrincipalName" : "account2@idp.example.org",
+            "displayName" : "Account Two",
+            "givenName" : "Account",
+            "sn" : "Two",
+            "mail" : "account2@idp.example.org"
+        },
+    "account3" : {
+            "type" : "Research and Scholarship",		
+            "explanation": "This profile provides a R&S compatible attribute bundle with the name of the user name being provided as seperate 'surname' and 'givenname' attributes. In addition the users affiliations are provided in the 'eduPersonScopedAffiliation' attribute",
+            "display": "Account Three (R&S)",
+            "eduPersonPrincipalName" : "account3@idp.example.org",
+            "givenName" : "Account",
+            "sn" : "Three",
+			"mail" : "account3@idp.example.org",
+            "eduPersonScopedAffiliation" : ["member@idp.example.org", "student@idp.example.org"]
+        },
+    "account4" : {
+            "type" : "Research and Scholarship",		
+            "explanation": "This profile provides a R&S compatible attribute bundle with the name of the user name being provided as seperate 'surname' and 'givenname' attributes. Please note the usage of both 'eduPersonPrincipalName' as well as 'eduPersonTargetedID' which suggest the 'eduPersonPrincipalName' may not be a stable identifier, but may be reassigned at some point",
+            "display": "Account Four (R&S)",
+            "eduPersonPrincipalName" : "account4@idp.example.org",
+            "eduPersonTargetedID" : "bd09168cf0c2e675b2def0ade6f50b7d4bb4aae",
+            "givenName" : "Account4",
+            "sn" : "Four",
+            "mail" : "account4@idp.example.org",
+            "eduPersonScopedAffiliation" : ["member@idp.example.org", "employee@idp.example.org", "faculty@idp.example.org"]
+        },
+    "account5" : {
+            "type" : "Research and Scholarship",		
+            "explanation": "This profile provides a R&S compatible attribute bundle with the name of the user name being provided in the displayname attribute. Please note the usage of both 'eduPersonPrincipalName' as well as 'eduPersonTargetedID' which suggest the 'eduPersonPrincipalName' may not be a stable identifier, but may be reassigned at some point",
+            "display": "Account Five (R&S)",
+            "eduPersonPrincipalName" : "account5@idp.example.org",
+            "eduPersonTargetedId" : "account5@idp.example.org",
+            "displayName" : "Account Five",
+            "mail" : "account5@idp.example.org"
+        },
+    "account6" : {
+            "type" : "Research and Scholarship",		
+            "explanation": "This profile provides a R&S compatible attribute bundle with the name of the user name being provided as seperate 'surname' and 'givenname' attributes. Please note the usage of both 'eduPersonPrincipalName' as well as 'eduPersonTargetedID' which suggest the 'eduPersonPrincipalName' may not be a stable identifier, but may be reassigned at some point",
+            "display": "Account Six (R&S)",
+            "eduPersonPrincipalName" : "account6@idp.example.org",
+            "eduPersonTargetedId" : "account6@idp.example.org",
+            "givenName" : "Account6",
+            "sn" : "Six",
+            "mail" : "account6@idp.example.org"
+        },
+    "account7" : {
+            "type" : "Research and Scholarship",		
+            "explanation": "This profile provides a R&S compatible attribute bundle with the name of the user name being provided in the displayname attribute. Please note the usage of both 'eduPersonPrincipalName' as well as 'eduPersonTargetedID' which suggest the 'eduPersonPrincipalName' may not be a stable identifier, but may be reassigned at some point. In addition the users affiliations are provided in the 'eduPersonScopedAffiliation' attribute",
+            "display": "Account Seven (R&S)",
+            "eduPersonPrincipalName" : "account7@idp.example.org",
+            "eduPersonTargetedId" : "account7@idp.example.org",
+            "displayName" : "Account Seven",
+            "mail" : "account7@idp.example.org",
+            "eduPersonScopedAffiliation" : ["employee@idp.example.org", "staff@idp.example.org", "member@idp.example.org", "student@idp.example.org"]
+        },
+    "account8" : {
+            "type" : "Research and Scholarship",		
+            "explanation": "This profile provides a R&S compatible attribute bundle with the name of the user name being provided as seperate 'surname' and 'givenname' attributes.Please note the usage of both 'eduPersonPrincipalName' as well as 'eduPersonTargetedID' which suggest the 'eduPersonPrincipalName' may not be a stable identifier, but may be reassigned at some point. In addition the users affiliations are provided in the 'eduPersonScopedAffiliation' attribute",
+            "display": "Account Eight (R&S)",
+            "eduPersonPrincipalName" : "account8@idp.example.org",
+            "eduPersonTargetedId" : "account8@idp.example.org",
+            "givenName" : "Account8",
+            "sn" : "Eight",
+            "mail" : "account8@idp.example.org",
+            "eduPersonScopedAffiliation" : ["employee@idp.example.org", "staff@idp.example.org", "member@idp.example.org", "student@idp.example.org"]
+        },
+    "account9" : {
+            "type": "Behaviour tests",
+			"explanation": "Test - multi-valued mail attribute",
+            "display": "Jordan R. Belfort",
+            "uid" : ["belfort"],
+            "schacHomeOrganization" : "harvard-example.edu",
+            "eduPersonPrincipalName" : "belfort@harvard-example.edu",
+            "cn" : "Jordan Ross Belfort",
+            "givenName" : "Jordan",
+            "sn" : "Belfort",
+            "displayName" : "Jordan R. Belfort",
+            "mail" : ["Jordan.Belfort@harvard-example.edu", "jordan@harvard-example.edu"],
+            "eduPersonAffiliation" : ["employee", "faculty", "member"],
+            "eduPersonScopedAffiliation" : ["employee@harvard-example.edu", "faculty@harvard-example.edu", "member@harvard-example.edu"],
+            "eduPersonEntitlement" : "urn:mace:dir:entitlement:common-lib-terms-example",
+            "isMemberOf" : "urn:collab:org:aarc-project.eu"
+        },
+    "account10" : {
+            "type": "Behaviour tests",
+			"explanation": "Test - No member affiliation ind eduPersonAffiliation",
+            "display": "Steve Wynn",
+            "uid" : ["wynn"],
+            "schacHomeOrganization" : "harvard-example.edu",
+            "eduPersonPrincipalName" : "wynn@harvard-example.edu",
+            "cn" : "Steve Alen Wynn",
+            "givenName" : "Steve",
+            "sn" : "Wynn",
+            "displayName" : "Steve Wynn",
+            "mail" : ["S.Wynn@harvard-example.edu", "Steve.Wynn@example-casino.com", "steve.Wynn@las.vegas.com"],
+            "eduPersonAffiliation" : ["employee", "faculty"],
+            "eduPersonScopedAffiliation" : ["employee@harvard-example.edu", "faculty@harvard-example.edu", "member@harvard-example.edu"],
+            "eduPersonEntitlement" : "urn:mace:dir:entitlement:common-lib-terms-example",
+            "isMemberOf" : "urn:collab:org:aarc-project.eu"
+        },
+    "account11" : {
+           	"type": "Behaviour tests",
+			"explanation": "Test - Incorrect domain scope for Home organisation",
+            "display": "Isaac Newton",
+            "uid" : ["isaac"],
+            "schacHomeOrganization" : "university-example.org",
+            "eduPersonPrincipalName" : "isaac@university-example.edu",
+            "cn" : "Sir Isaac Newton",
+            "givenName" : "Isaac",
+            "sn" : "Newton",
+            "displayName" : "Isaac Newton",
+            "mail" : ["isaacnewton@university-example.org", "newton@university-example.org"],
+            "eduPersonScopedAffiliation" : ["employee@huniversity-example.org", "faculty@university-example.org", "member@university-example.org"],
+            "eduPersonEntitlement" : "urn:mace:dir:entitlement:common-lib-terms-example",
+            "isMemberOf" : "urn:collab:org:aarc-project.eu"
+        },
+    "account12" : {
+            "type": "Behaviour tests",
+			"explanation": "Test - Invalid email address, note that ePPN is NOT an email adress, so having multiple @ signs is allowed",
+            "display": "Oscar Burton",
+            "uid" : ["oburton"],
+            "schacHomeOrganization" : "university-example.org",
+            "eduPersonPrincipalName" : "o@burton@university-example.org",
+            "cn" : "Oscar Burton",
+            "givenName" : "Oscar",
+            "sn" : "Burton",
+            "displayName" : "Oscar Burton",
+            "mail" : "o@burton@university-example.edu",
+            "eduPersonAffiliation" : ["employee", "member", "staff"],
+            "eduPersonScopedAffiliation" : ["employee@huniversity-example.org", "staff@university-example.org", "member@university-example.org"],
+            "isMemberOf" : "urn:collab:org:aarc-project.eu"
+        },
+	
+    "account13" : {
+            "type": "Behaviour tests",
+			"explanation": "Test - Invalid ePPN",
+            "display": "Oscar Burton",
+            "uid" : ["oburton"],
+            "schacHomeOrganization" : "university-example.org",
+            "eduPersonPrincipalName" : "oburton@university-example.edu",
+            "cn" : "Oscar Burton",
+            "givenName" : "Oscar",
+            "sn" : "Burton",
+            "displayName" : "Oscar Burton",
+            "mail" : "OscarBurton@university-example.org",
+            "eduPersonAffiliation" : ["employee", "member", "staff"],
+            "eduPersonScopedAffiliation" : ["employee@huniversity-example.org", "staff@university-example.org", "member@university-example.org"],
+            "isMemberOf" : "urn:collab:org:aarc-project.eu"
+        },
+	
+    "account14" : {
+            "type": "Behaviour tests",
+			"explanation": "Test - Member only",
+            "display": "Student One",
+            "uid" : ["student1"],
+            "schacHomeOrganization" : "idp.example.org",
+            "eduPersonPrincipalName" : "student1@idp.example.org",
+            "cn" : "Student One",
+            "givenName" : "Student",
+            "sn" : "One",
+            "displayName" : "Student One",
+            "mail" : "student1@idp.example.org",
+            "eduPersonAffiliation" : ["member"],
+            "eduPersonScopedAffiliation" : ["member@idp.example.org"],
+            "isMemberOf" : "urn:collab:org:aarc-project.eu"
+        },
+    "account15" : {
+            "type": "Behaviour tests",
+			"explanation": "Test - Non human-friendly ePPN",
+            "display": "Student Two",
+            "uid" : ["FyHah7$J"],
+            "schacHomeOrganization" : "idp.example.org",
+            "eduPersonPrincipalName" : "FyHah7$J@idp.example.org",
+            "cn" : "Student Two",
+            "givenName" : "Student",
+            "sn" : "Two",
+            "displayName" : "Student Two",
+            "mail" : "s1869831907@example.org",
+            "eduPersonAffiliation" : ["student", "member"],
+            "eduPersonScopedAffiliation" : ["member@idp.example.org", "student@idp.example.org"],
+            "isMemberOf" : "urn:collab:org:aarc-project.eu"
+        },
+    "account16" : {
+            "type": "Behaviour tests",
+			"explanation": "Test - Blank attribute values",
+            "display": "Student Three",
+            "uid" : ["student3"],
+            "schacHomeOrganization" : "idp.example.org",
+            "eduPersonPrincipalName" : "student3@idp.example.org",
+            "cn" : "",
+            "givenName" : "",
+            "sn" : "Three",
+            "displayName" : "Student Three",
+            "mail" : "student3@idp.example.org",
+            "eduPersonAffiliation" : ["member", "student"],
+            "eduPersonScopedAffiliation" : ["member@idp.example.org", "student@idp.example.org"],
+            "isMemberOf" : "urn:collab:org:aarc-project.eu"
+        },
+    "account17" : {
+            "type": "Behaviour tests",
+			"explanation": "Test - Inconsistant user name",
+            "display": "Godfried Viggo",
+            "uid" : ["viggo7"],
+            "schacHomeOrganization" : "unidenmark-example.dk",
+            "eduPersonPrincipalName" : "viggo7@unidenmark-example.dk",
+            "cn" : "Christian Godfried Viggo Lind",
+            "givenName" : "Godfried",
+            "sn" : "Viggo",
+            "displayName" : "Godfried Viggo",
+            "mail" : "Godfried.Viggo@unidenmark-example.dk",
+            "eduPersonAffiliation" : "student",
+            "eduPersonScopedAffiliation" : ["student@unidenmark-example.dk"],
+            "isMemberOf" : "urn:collab:org:aarc-project.eu"
+        },
+    "account18" : {
+            "type": "Behaviour tests",
+			"explanation": "Test - non-ASCII UTF-8 common name ",
+            "display": "Daisuke Takahashi",
+            "uid" : ["U3342109"],
+            "schacHomeOrganization" : "exchange-example.edu",
+            "eduPersonPrincipalName" : "U3342109@exchange-example.edu",
+            "cn" : "Daisuke Takahashi, 髙橋 大輔",
+            "givenName" : "Daisuke",
+            "sn" : "Takahashi",
+            "displayName" : "Daisuke Takahashi",
+            "mail" : "U3342109@exchange-example.edu",
+            "eduPersonAffiliation" : ["member", "student"],
+            "eduPersonScopedAffiliation" : ["member@exchange-example.edu", "student@exchange-example.edu"],
+            "isMemberOf" : ["urn:collab:org:exchange-university.org", "urn:collab:org:home-university.org"]
+        },
+    
+    "account19" : {
+            "type": "Behaviour tests",
+			"explanation": "Test - Diacritical marks",
+            "display": "Martin N. Jørgensen",
+            "uid" : ["student14"],
+            "schacHomeOrganization" : "stockholmuni-example.se",
+            "eduPersonPrincipalName" : "student14@stockholmuni-example.se",
+            "cn" : "Martin Nikolaus Jørgensen",
+            "givenName" : "Martin",
+            "sn" : "Jørgensen",
+            "displayName" : "Martin N. Jørgensen",
+            "mail" : "jorgensen07@stockholmuni-example.se",
+            "eduPersonAffiliation" : ["member", "student"],
+            "eduPersonScopedAffiliation" : ["member@stockholmuni-example.se", "student@stockholmuni-example.se"],
+            "isMemberOf" : "urn:collab:org:sunet-example.se"
+        }
+   
+}
+
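Review bot: The targeted-identifier attribute is spelled two ways in this file — `"eduPersonTargetedID"` on account4 (L53) but `"eduPersonTargetedId"` on accounts 5–8 (L64, L73, L83, L93) — and if the attribute map that turns these keys into SAML attribute names is name-based, only one of the two spellings will be released under the expected name; use `"eduPersonTargetedID"` throughout. On those same accounts the value is a copy of the ePPN (e.g. `"account5@idp.example.org"`), which contradicts each entry's own explanation that targetedID is the stable opaque identifier distinct from a reassignable ePPN; an opaque string like account4's `"bd09168c…"` would make the test honest. The scoped affiliation `employee@huniversity-example.org` appears on accounts 11, 12 and 13; account11 is the "incorrect domain scope" test so it may be intentional there, but on 12 and 13 it reads as a copy-paste error that would make those entries fail scope checks for the wrong reason. Minor: lines 29, 39, 45, 101 and others mix tabs and trailing whitespace with the four-space indentation used elsewhere.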
diff --git a/metadata/saml20-idp-hosted.php b/metadata/saml20-idp-hosted.php
index fa72469..a2a373e 100644
--- a/metadata/saml20-idp-hosted.php
+++ b/metadata/saml20-idp-hosted.php
@@ -22,6 +22,16 @@ $vserver = $_SERVER['SERVER_NAME'];
 $vparts = explode('.', $vserver);
 $vhost = $vparts[0];
 
+$raw_users = json_decode(file_get_contents('/opt/simplesamlphp/config/logins.json'), true);
+$domains = [];
+if (is_array($raw_users)) {
+  foreach($raw_users as $user => $values) {
+    $sho = @$values['schacHomeOrganization'];
+    if ($sho) $domains[] = $sho;
+  }
+}
+$domains = array_unique($domains);
+
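Review bot: A missing or unreadable logins.json is swallowed silently at the top of this hunk: file_get_contents() returns false with a warning, json_decode() of that yields null, the is_array() guard skips the loop, and the IdP is published with an empty 'scope' list instead of failing. Because the published scope is what relying SPs use to validate scoped attributes such as eduPersonPrincipalName and eduPersonScopedAffiliation, a load failure here should abort metadata generation rather than degrade quietly — check the read result and decode with JSON_THROW_ON_ERROR instead of the @-suppressed lookup. Separately, array_unique() preserves keys, so after a repeated schacHomeOrganization (accounts 12 and 13 both use university-example.org) $domains is a sparse array rather than a list; wrap it in array_values() so the value handed to 'scope' is a plain list. The loop variable $user is never used and can be dropped.
```php
$raw = file_get_contents('/opt/simplesamlphp/config/logins.json');
if ($raw === false) {
    throw new \RuntimeException('Cannot read logins.json; refusing to publish IdP metadata without a scope list');
}
$raw_users = json_decode($raw, true, 512, JSON_THROW_ON_ERROR);
$domains = [];
foreach ($raw_users as $values) {
    $sho = $values['schacHomeOrganization'] ?? '';
    if (is_string($sho) && $sho !== '') {
        $domains[] = $sho;
    }
}
// array_unique() keeps the original keys; re-index so 'scope' is a plain list.
$domains = array_values(array_unique($domains));
```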
 $metadata['__DYNAMIC:1__'] = [
     /*
      * The hostname of the server (VHOST) that will use this SAML entity.
@@ -62,6 +72,8 @@ $metadata['__DYNAMIC:1__'] = [
         ],
     ],
 
+    'scope' => $domains,
+
     // X.509 key and certificate. Relative to the cert directory.
     'privatekey' => 'server.key',
     'certificate' => 'server.crt',
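Review bot: The 'scope' entry is built from schacHomeOrganization values only, so domains that occur solely inside eduPersonPrincipalName or eduPersonScopedAffiliation in logins.json (university-example.edu on accounts 11 and 13, huniversity-example.org on 11–13) are not published in the hosted IdP's scope, and an SP that enforces shibmd:Scope will drop or reject those attributes. If that is the intended way to exercise SP-side scope validation it deserves saying so next to the key, since a later maintainer may "fix" it by adding the ePPN domains; suggested comment: `// Scopes published for this IdP, taken from schacHomeOrganization in logins.json only. Scopes that appear solely in ePPN/eduPersonScopedAffiliation (the bad-scope test accounts) are intentionally left out so SPs can be seen to reject them.` The enclosing $metadata['__DYNAMIC:1__'] array starts and ends outside this hunk, so I cannot see whether scope is consumed elsewhere in it.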
diff --git a/modules/customauth/www/authpage.php b/modules/customauth/www/authpage.php
index 09f045f..7ec652e 100644
--- a/modules/customauth/www/authpage.php
+++ b/modules/customauth/www/authpage.php
@@ -45,8 +45,10 @@ $displays = [];
 foreach ($raw_users as $user => $values) {
     $explanations[$user] = $values['explanation'];
     $displays[$user] = $values['display'];
+    $type[$user] = $values['type'];
     unset($values['explanation']);
     unset($values['display']);
+    unset($values['type']);
     $users[$user] = $values;
 }
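Review bot: `$type[$user] = $values['type'];` writes into a variable that is never initialised, while the hunk's context line shows `$displays = [];` being set up for the parallel array; PHP will auto-create the array, but for consistency (and so a later `count($type)` or `foreach` does not trip on an undefined variable when $raw_users is empty) add `$type = [];` beside `$displays = [];` and read the key as `$type[$user] = $values['type'] ?? '';`, since an entry without "type" otherwise raises an undefined-index warning on an authentication page. Note that the three unset() calls are what keep the display metadata out of `$users[$user]`, which — if this array is what becomes the released SAML attributes, as the file name suggests — is a denylist: any new descriptive key added to logins.json later will be released as an attribute unless it is also unset here, so either switch to an allowlist of attribute names or leave a comment stating that rule. Where $raw_users is loaded is outside this hunk, so I cannot confirm it is validated before this loop.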
 
-- 
GitLab