Download the PHP package cirrusidentity/simplesamlphp-module-cirrusgeneral without Composer
Information about the package simplesamlphp-module-cirrusgeneral
Table of Contents generated with DocToc
- Installation
- ModifyingMetadataSource
- Strategies
- AdfsMetadataStrategy
- OverridingMetadataStrategy
- PhpMetadtaStrategy
- AttributeSplitter
- AttributeValueMapper
- CSV file format
- PromptAttributeRelease
- ConditionalSetAuthnContext
- AttributeRemove
- ObjectSidConverter
- Conditional AuthProc Insertion
- PhpConditionalAuthProcInserter
- Development
- Exploring with Docker
- Things to try
- Attribute prompt/picker
Installation
For SSP 2, use version 3 of the module
composer require cirrusidentity/simplesamlphp-module-cirrusgeneral:v3.0.0-alpha.1
For SSP 1.X use version 2 of the module
ModifyingMetadataSource
There is often a need to adjust the metadata for an entityId to fix certain values, or to add
SSP-specific config items. This is difficult to achieve if metadata is loaded from a remote source.
The ModifyingMetadataSource allows you to configure different strategies to change the metadata that is loaded.
The source delegates to other sources (like mdq or the serialize source) and then
edits the metadata before returning it.
Strategies
AdfsMetadataStrategy
Add disable_scoping to any metadata that looks like ADFS.
OverridingMetadataStrategy
Load additional metadata from a source and combine it with the main metadata using +.
A flatfile override strategy for saml20-sp-remote would look in the file saml20-sp-remote-override.php
and then return the metadata as $overrideMetadata + $unalteredMetadata, which keeps the
override's value whenever the same key also exists in the regular metadata.
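The PHP `+` operator is a shallow array union, which matters when an override touches a nested value. The following is an added example, not code from the module; the two arrays are constructed samples assumed to be the per-entity metadata arrays, and combineMetadata() and remoteControlledKeys() are hypothetical helper names.

```php
<?php
declare(strict_types=1);

// Constructed sample: an SP entry as it might arrive from a remote source.
$unalteredMetadata = [
    'entityid' => 'https://sp.example.org/metadata',
    'attributes' => ['uid', 'mail', 'eduPersonAffiliation'],
    'contacts' => [['contactType' => 'technical', 'emailAddress' => 'ops@sp.example.org']],
    'sign.logout' => false,
];

// Constructed sample: a local override entry for the same entityId.
$overrideMetadata = [
    'attributes' => ['uid'],   // replaces the remote list, is not merged with it
    'sign.logout' => true,     // local value wins over the remote one
];

/** Combine the way the text describes: the left operand wins on duplicate keys. */
function combineMetadata(array $override, array $unaltered): array
{
    return $override + $unaltered;
}

/** Top-level keys whose values still come from the remote source after combining. */
function remoteControlledKeys(array $override, array $unaltered): array
{
    return array_keys(array_diff_key($unaltered, $override));
}

$combined = combineMetadata($overrideMetadata, $unalteredMetadata);

// The union is shallow: 'attributes' is the override's array as a whole, so 'mail'
// and 'eduPersonAffiliation' are no longer listed for this SP.
var_export($combined['attributes']);
echo PHP_EOL;

// array_merge_recursive would instead append to nested lists, widening the
// attribute list rather than narrowing it.
var_export(array_merge_recursive($overrideMetadata, $unalteredMetadata)['attributes']);
echo PHP_EOL;

// Keys the override file does not mention are still whatever the remote source sent.
var_export(remoteControlledKeys($overrideMetadata, $unalteredMetadata));
echo PHP_EOL;
```

An override can replace or add a top-level key but cannot delete one, so any security-relevant key you care about should be set explicitly in the override file.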
PhpMetadtaStrategy
This strategy allows you to run PHP code snippets to adjust metadata. Your code will have 3 variables available: array $metadata, string $set, and string $entityId. $metadata will contain the current metadata for the entity and your code can make changes to this array.
If you have complex code logic you are better off creating your own strategy with unit tests.
AttributeSplitter
This AuthProc filter will split an attribute's values on a delimiter and turn them into an array.
Some systems store multi-valued attributes, such as eduPersonAffiliation, as a comma-delimited list: student,member.
This filter will split that into multiple values.
Usage:
AttributeValueMapper
Maps a source attribute name and value to a new attribute name and value(s) based on a CSV file
or on PHP config. Useful when a datasource (for groups, entitlements, etc.) contains names and values that need
to be mapped to something new.
CSV file format
Each line contains a source attribute and value, and if a user has an attribute of that value
then they get the resulting destinationAttribute populated with the destinationValue.
Duplicates are removed.
PromptAttributeRelease
If a user has a multi-valued attribute and the SP can only use (or expects) one value, then the PromptAttributeRelease
filter can prompt the user to pick which value should be released to the SP.
For example, an SP may have different functionality depending on the eduPersonAffiliation value. This filter
would allow the user to select which of their affiliations to release.
ConditionalSetAuthnContext
This AuthProc filter allows you to assert a specific authnContextClassRef if a value in
the user's state equals some expected value. For example, some upstream systems may indicate
the user was required to perform MFA by setting an attribute on the user. This filter will allow
you to assert https://refeds.org/profile/mfa if that attribute is present.
Usage:
AttributeRemove
This AuthProc filter allows you to define attributes that should always be removed. We use it with AzureAD since it always returns certain extra attributes (such as tenantId) that we want removed from the user's attributes.
Usage:
ObjectSidConverter
Active Directory's objectSid can be in a binary format or a formatted string. Sometimes you'll receive one and expect the other.
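The two forms hold the same fields, so the conversion is mechanical in both directions. The following is an added example, not the module's ObjectSidConverter code; sidBinaryToString() and sidStringToBinary() are hypothetical function names, the sample value is constructed, and 64-bit PHP is assumed.

```php
<?php
declare(strict_types=1);

/** Binary objectSid -> string form. Assumes 64-bit PHP so 32-bit values stay unsigned. */
function sidBinaryToString(string $bin): string
{
    $len = strlen($bin);
    // Layout: revision (1 byte), sub-authority count (1), authority (6, big-endian),
    // then count x 32-bit little-endian sub-authorities.
    if ($len < 8 || ord($bin[0]) !== 1) {
        throw new InvalidArgumentException('Not a revision 1 binary SID');
    }
    $count = ord($bin[1]);
    if ($count > 15 || $len !== 8 + 4 * $count) {
        throw new InvalidArgumentException('SID length does not match its sub-authority count');
    }
    $authority = 0;
    for ($i = 2; $i < 8; $i++) {
        $authority = ($authority << 8) | ord($bin[$i]);
    }
    $subs = $count > 0 ? array_values(unpack('V*', substr($bin, 8))) : [];
    return 'S-1-' . implode('-', array_merge([$authority], $subs));
}

/** String form -> binary objectSid. */
function sidStringToBinary(string $sid): string
{
    if (!preg_match('/^S-1-(\d{1,15})((?:-\d{1,10}){0,15})$/', $sid, $m)) {
        throw new InvalidArgumentException('Not a revision 1 SID string');
    }
    $authority = (int) $m[1];
    $subs = $m[2] === '' ? [] : array_map('intval', explode('-', substr($m[2], 1)));
    if ($authority > 0xFFFFFFFFFFFF || ($subs !== [] && max($subs) > 0xFFFFFFFF)) {
        throw new InvalidArgumentException('SID component out of range');
    }
    // 48-bit authority written as a 16-bit high part and a 32-bit low part, both big-endian.
    $bin = pack('CCnN', 1, count($subs), $authority >> 32, $authority & 0xFFFFFFFF);
    return $bin . ($subs === [] ? '' : pack('V*', ...$subs));
}

// Constructed sample: the well-known SID S-1-5-32-544 (BUILTIN\Administrators) in binary.
$binary = hex2bin('01020000000000052000000020020000');
$string = sidBinaryToString($binary);
echo $string, PHP_EOL;
echo bin2hex(sidStringToBinary($string)), PHP_EOL;
var_dump(sidStringToBinary($string) === $binary);
```

Both functions reject malformed input instead of returning a truncated value, which matters when the SID is later compared in an authorization decision.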
Conditional AuthProc Insertion
There are use cases where you want to run a set of authproc filters, but only if a certain condition is met when a user is
logging in. Not all authproc filters support conditional use. Subclasses of BaseConditionalAuthProcInserter
allow you to insert an arbitrary number of authproc filters at the BaseConditionalAuthProcInserter priority during
authproc processing. This allows you to check things in the user's state prior to creating the filters.
PhpConditionalAuthProcInserter
PhpConditionalAuthProcInserter is an example of defining a boolean expression that determines if the authproc filters
are created. Two variables are available: array $attributes and array $state.
Development
Run phpcs to check code style
./vendor/bin/phpcs
Run phpunit to test
./vendor/bin/phpunit
You can auto-correct some findings from phpcs. It is recommended you do this after you stage your changes (or maybe even commit) since there is a non-trivial chance it will just mess up your code.
./vendor/bin/phpcbf
Run psalm to find issues
./vendor/bin/psalm --no-cache
Exploring with Docker
You can explore these features with Docker.
Then log in as admin:secret to https://cirrusgeneral.local.stack-dev.cirrusidentity.com/simplesaml/module.php/core/frontpage_welcome.php to confirm things work.
Things to try
Attribute prompt/picker
The IdP has the PromptAttributeRelease authproc filter enabled for the eduPersonAffiliation attribute.
If a user has more than one value they will need to pick which value to release. See authsources.php
for the available users.
To make the IdP run its authproc filters you need to send a login from an SP, and the sp-auth source
will do that login.
All versions of simplesamlphp-module-cirrusgeneral with dependencies
simplesamlphp/composer-module-installer Version ^1.1
simplesamlphp/simplesamlphp Version >=1.18