Hub & Spoke utilities for SimpleSAMLphp

TargetedID

A flexible way for generate one or more values for the eduPersonTargetedId attribute., _(*1)

hubandspoke:TargetedID is an Authentication Processing Filter for SimpleSAMLphp, based on core:TargetedID by Olav Morken, UNINETT AS., _(*2)

This filter generates one or more values for the eduPersonTargetedID attribute, using:, _(*3)

an attribute identifying the authenticated user
(optionally) a value identifying the SP requesting authentication
(optionally) a value identifying the IdP
(optionally) a fixed random value for salting the result
a hash algorithm

Configuration allows:, _(*4)

set alternative attributes (in order of preference) to identify the user
set alternative attributes (in order of preference) to identify the target
set alternative attributes (in order of preference) to identify the IdP
transform the target identifier
filter SP and/or users (send a value only for matching entities)

Read the docs to see all the options., _(*5)

Configuration samples

eduPersonTargetedId with one unique standard value:

    'authproc' => array(
        50 => 'hubandspoke:TargetedID',
    ),

sha256(userID + '@@' + targetID + '@@' + sourceID)

eduPersonTargetedId obfuscated with a salt:

    'authproc' => array(
        50 => array(
            'class' => 'hubandspoke:TargetedID',
            'salt'  => 'randomString',
        ),
    ),

sha256(salt + '@@' + userID + '@@' + targetID + '@@' + sourceID + '@@' + salt)

eduPersonTargetedId with a different formula:

    'authproc' => array(
        50 => array(
            'class'  => 'hubandspoke:TargetedID',
            'userID' => 'Attributes/mail',
            'fields' => array('salt', 'userID', 'targetID'),
            'salt'   => 'randomString',
        ),
    ),

sha256(salt + '@@' + mail + '@@' + targetID)

eduPersonTargetedId with two values:

    'authproc' => array(
        50 => array(
            'class'  => 'hubandspoke:TargetedID',
            'salt'   => 'randomString',
            'values' => array(
                'new' => array(
                    'fieldSeparator' => '//',
                ),
                'old' => array(
                    'hashFunction' => 'md5',
                    'fields'       => array('userID'),
                ),
            ),
        ),
    ),

sha256(salt + '//' + userID + '//' + targetID + '//' + sourceID + '//' + salt)
md5(userID)

eduPersonTargetedId with two values prefixed:
- one of them only for a specific SP (http://*.example.com)
- the other one for all SP, but considering the same SP all URL https://*.blogs.example.com (same eduPersonTargetedId)

    'authproc' => array(
        50 => array(
            'class'  => 'hubandspoke:TargetedID',
            'salt'   => 'randomString',
            'values' => array(
                'new' => array(
                    'prefix'          => '{new}',
                    'targetTransform' => array(
                        '#^(https?://)[^./]+\.(blogs\.example\.com)(/|$).*$#' => '$1$2/',
                    ),
                ),
                'old' => array(
                    'prefix'       => '{old}',
                    'hashFunction' => 'md5',
                    'userID'       => array('Attributes/mail', 'UserID'),
                    'fields'       => 'userID',
                    'ifTarget'     => '#^https?://([^./]+\.)*example\.com(/|$)#',
                ),
            ),
        ),
    ),

'{new}' + sha256(salt + '@@' + userID + '@@' + targetID* + '@@' + sourceID + '@@' + salt)
'{old}' + md5(userID)                         only for *.example.com

13/04 2016

dev-master

9999999-dev

SimpleSAMLphp utilities for Hub & Spoke federations

Sources Download

LGPL-2.1

The Requires

simplesamlphp/composer-module-installer ~1.0

by Miguel Macías Enguídanos

saml simplesamlphp idp sp hub-and-spoke edupersontargetedid

simplesamlphp-module simplesamlphp-module-hubandspoke