mimaen / simplesamlphp-module-hubandspoke
SimpleSAMLphp utilities for Hub & Spoke federations
Installs: 1 828
Dependents: 1
Suggesters: 0
Security: 0
Stars: 0
Watchers: 2
Forks: 2
Type: simplesamlphp-module
This package is not auto-updated.
Last update: 2025-01-16 01:28:26 UTC
README
# Hub & Spoke utilities for SimpleSAMLphp
## TargetedID
A flexible way to generate one or more values for the eduPersonTargetedId attribute.
hubandspoke:TargetedID is an Authentication Processing Filter for SimpleSAMLphp, based on core:TargetedID by Olav Morken, UNINETT AS.
This filter generates one or more values for the eduPersonTargetedID attribute, using:
- an attribute identifying the authenticated user
- (optionally) a value identifying the SP requesting authentication
- (optionally) a value identifying the IdP
- (optionally) a fixed random value for salting the result
- a hash algorithm
The configuration lets you:
- set alternative attributes (in order of preference) to identify the user
- set alternative attributes (in order of preference) to identify the target SP
- set alternative attributes (in order of preference) to identify the IdP
- transform the target identifier (for example, with a regular expression)
- filter SPs and/or users (send a value only for matching entities)
Read the docs to see all the options.
### Configuration samples
- eduPersonTargetedId with one unique standard value:

  ```php
  'authproc' => array(
      50 => 'hubandspoke:TargetedID',
  ),
  ```

  Value: `sha256(userID + '@@' + targetID + '@@' + sourceID)`

- eduPersonTargetedId obfuscated with a salt:

  ```php
  'authproc' => array(
      50 => array(
          'class' => 'hubandspoke:TargetedID',
          'salt' => 'randomString',
      ),
  ),
  ```

  Value: `sha256(salt + '@@' + userID + '@@' + targetID + '@@' + sourceID + '@@' + salt)`

- eduPersonTargetedId with a different formula:

  ```php
  'authproc' => array(
      50 => array(
          'class' => 'hubandspoke:TargetedID',
          'userID' => 'Attributes/mail',
          'fields' => array('salt', 'userID', 'targetID'),
          'salt' => 'randomString',
      ),
  ),
  ```

  Value: `sha256(salt + '@@' + mail + '@@' + targetID)`

- eduPersonTargetedId with two values:

  ```php
  'authproc' => array(
      50 => array(
          'class' => 'hubandspoke:TargetedID',
          'salt' => 'randomString',
          'values' => array(
              'new' => array(
                  'fieldSeparator' => '//',
              ),
              'old' => array(
                  'hashFunction' => 'md5',
                  'fields' => array('userID'),
              ),
          ),
      ),
  ),
  ```

  Values: `sha256(salt + '//' + userID + '//' + targetID + '//' + sourceID + '//' + salt)` and `md5(userID)`
- eduPersonTargetedId with two prefixed values:
  - one of them only for a specific SP (http://*.example.com)
  - the other one for all SPs, but treating every URL under https://*.blogs.example.com as the same SP (same eduPersonTargetedId)

  ```php
  'authproc' => array(
      50 => array(
          'class' => 'hubandspoke:TargetedID',
          'salt' => 'randomString',
          'values' => array(
              'new' => array(
                  'prefix' => '{new}',
                  'targetTransform' => array(
                      '#^(https?://)[^./]+\.(blogs\.example\.com)(/|$).*$#' => '$1$2/',
                  ),
              ),
              'old' => array(
                  'prefix' => '{old}',
                  'hashFunction' => 'md5',
                  'userID' => array('Attributes/mail', 'UserID'),
                  'fields' => 'userID',
                  'ifTarget' => '#^https?://([^./]+\.)*example\.com(/|$)#',
              ),
          ),
      ),
  ),
  ```

  Values: `'{new}' + sha256(salt + '@@' + userID + '@@' + targetID* + '@@' + sourceID + '@@' + salt)` (targetID* is the target after `targetTransform`) and `'{old}' + md5(userID)`, the latter only for *.example.com