first commit

2025-07-18 16:20:14 +07:00
commit 98af45c018
16382 changed files with 3148096 additions and 0 deletions


@@ -0,0 +1,48 @@
`core:AttributeAdd`
===================
Filter that adds attributes to the user.
If the attribute already exists, the values added will be merged into a multi-valued attribute.
If you instead want to replace the existing attribute, you may add the `%replace` option.
Examples
--------
Add a single-valued attributes:
'authproc' => [
50 => [
'class' => 'core:AttributeAdd',
'source' => ['myidp'],
],
],
Add a multi-valued attribute:
'authproc' => [
50 => [
'class' => 'core:AttributeAdd',
'groups' => ['users', 'members'],
],
],
Add multiple attributes:
'authproc' => [
50 => [
'class' => 'core:AttributeAdd',
'eduPersonPrimaryAffiliation' => 'student',
'eduPersonAffiliation' => ['student', 'employee', 'members'],
],
],
Replace an existing attributes:
'authproc' => [
50 => [
'class' => 'core:AttributeAdd',
'%replace',
'uid' => ['guest'],
],
],
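Review bot: the description never says which value forms are accepted, yet the examples mix a bare string (`'eduPersonPrimaryAffiliation' => 'student'`) with arrays (`'groups' => ['users', 'members']`); add a sentence stating that a string is shorthand for a single value and what shape the attribute ends up in, since later filters (the core:PHP example on this page writes `[$mail]`) expect an array of strings. Two heading typos as well: 'Add a single-valued attributes:' and 'Replace an existing attributes:' should both use the singular 'attribute'.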


@@ -0,0 +1,138 @@
`core:AttributeAlter`
=====================
This filter can be used to substitute and replace different parts of the attribute values based on regular expressions.
It can also be used to create new attributes based on existing values, or even to remove blacklisted values from
attributes.
Parameters
----------
`class`
: This is the name of the filter.
It must be `core:AttributeAlter`.
`subject` (required)
: The attribute in which the search is performed.
The filter will stop quietly if the attribute specified here is empty or not found.
`pattern` (required)
: The pattern to look for inside the subject. Supports full Perl Compatible Regular Expressions (PCRE).
`replacement`
: The value used to replace the match. Back references are not supported.
This parameter is *required*, except when using the `%replace` or `%remove` options. If `%replace` is used and
`replacement` is not set, then the match is used as a replacement.
`target`
: The attribute where the replaced value will be placed.
This parameter is *optional*, and if not set, `subject` is used as `target`.
`%replace`
: Indicates that the whole value of the attribute should be replaced if there is a match,
instead of just the match. If there's no match, the value will not be changed. This parameter is *optional*.
`%remove`
: Indicates that the whole value of the attribute should be removed completely if there is a match.
If no other values exist, the attribute will be removed completely.
This parameter is *optional*.
`%merge`
: Indicates whether the altered values must be merged with the target attribute values. The default
behaviour is to overwrite the target attribute completely.
This parameter is *optional*.
Examples
--------
Change the domain on the `mail` attribute (when both the new and old domain are known):
10 => [
'class' => 'core:AttributeAlter',
'subject' => 'mail',
'pattern' => '/olddomain.com/',
'replacement' => 'newdomain.com',
],
Change the domain on the `mail` attribute (when new domain is known):
10 => [
'class' => 'core:AttributeAlter',
'subject' => 'mail',
'pattern' => '/(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,6}$/',
'replacement' => 'newdomain.com',
],
Set the eduPersonPrimaryAffiliation based on users' distinguishedName:
10 => [
'class' => 'core:AttributeAlter',
'subject' => 'dn',
'pattern' => '/OU=Staff/',
'replacement' => 'staff',
'target' => 'eduPersonPrimaryAffiliation',
],
Normalize the eduPersonPrimaryAffiliation:
10 => [
'class' => 'core:AttributeAlter',
'subject' => 'eduPersonPrimaryAffiliation',
'pattern' => '/Student in school/',
'replacement' => 'student',
'%replace',
],
Get the domain of the emailaddress and put it in a separate attribute:
10 => [
'class' => 'core:AttributeAlter',
'subject' => 'mail',
'pattern' => '/(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,6}$/',
'target' => 'domain',
'%replace',
],
Defaulting an attribute to one value (add it with the default before altering)
unless another attribute meets a condition:
10 => [
'class' => 'core:AttributeAdd',
'myAttribute' => 'default-value'
],
11 => [
'class' => 'core:AttributeAlter',
'subject' => 'entitlement',
'pattern' => '/faculty/',
'target' => 'myAttribute',
'%replace',
],
Remove internal, private values from eduPersonEntitlement:
10 => [
'class' => 'core:AttributeAlter',
'subject' => 'eduPersonEntitlement',
'pattern' => '/ldap-admin/',
'%remove',
],
Set a value to be blank (which will be sent as an empty string):
10 => [
'class' => 'core:AttributeAlter',
'subject' => 'cn',
'pattern' => '/No name/',
'replacement' => '',
'%replace',
],
Set a value to be NULL (which will be sent as a NULL value):
10 => [
'class' => 'core:AttributeAlter',
'subject' => 'telephone',
'pattern' => '/NULL/',
'replacement' => null,
'%replace',
],
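Review bot: in the first example the pattern `'/olddomain.com/'` leaves the dot unescaped, so it also matches `olddomainXcom`, and being unanchored it rewrites that substring wherever it occurs in the value, not only in the domain part; `'/@olddomain\.com$/'` with `'replacement' => '@newdomain.com'` says what is meant. Related nit in the second and fifth examples: `[A-Za-z]{2,6}$` rejects top-level domains longer than six letters, so `{2,}` is the safer bound. The `%remove` example is right as written (a substring match is what you want for a denylist), but the `subject` entry should spell out that 'stop quietly' means a missing attribute is not an error, so a filter meant to strip private values such as `ldap-admin` gives no signal when the attribute was renamed upstream.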


@@ -0,0 +1,25 @@
`core:AttributeCopy`
====================
Filter that copies attributes.
Examples
--------
Copy a single attribute (user's `uid` will be copied to the user's `username`):
'authproc' => [
50 => [
'class' => 'core:AttributeCopy',
'uid' => 'username',
],
],
Copy a single attribute to more than one attribute (user's `uid` will be copied to the user's `username` and to `urn:mace:dir:attribute-def:uid`)
'authproc' => [
50 => [
'class' => 'core:AttributeCopy',
'uid' => ['username', 'urn:mace:dir:attribute-def:uid'],
],
],
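Review bot: nothing here says what happens when the target attribute already exists, whether the copy overwrites it or merges into it; core:AttributeAdd and core:ScopeAttribute on this page both state their merge behaviour, and 'copy `uid` to `username`' over an existing `username` is exactly the case an operator hits. Minor: the second example heading is missing its trailing colon.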


@@ -0,0 +1,137 @@
`core:AttributeLimit`
=====================
A filter that limits the attributes (and their values) sent to a service provider.
If the configuration is empty, the filter will use the attributes configured in the `attributes` option in the SP
metadata. The configuration is a list of attributes that should be allowed. In case you want to limit an attribute to
release some specific values, make the name of the attribute the key of the array, and its value an array with all the
different values allowed for it.
Examples
--------
Here you will find a few examples on how to use this simple module:
Limit to the `cn` and `mail` attribute:
'authproc' => [
50 => [
'class' => 'core:AttributeLimit',
'cn', 'mail'
],
],
Allow `eduPersonTargetedID` and `eduPersonAffiliation` by default, but allow the metadata to override the limitation.
'authproc' => [
50 => [
'class' => 'core:AttributeLimit',
'default' => true,
'eduPersonTargetedID', 'eduPersonAffiliation',
],
],
Only allow specific values for an attribute.
'authproc' => [
50 => [
'class' => 'core:AttributeLimit',
'eduPersonEntitlement' => ['urn:mace:surf.nl:surfdrive:quota:100']
],
],
Only allow specific values for an attribute ignoring case.
'authproc' => [
50 => [
'class' => 'core:AttributeLimit',
'eduPersonEntitlement' => [
'ignoreCase' => true,
'URN:mace:surf.nl:SURFDRIVE:quota:100'
]
],
],
Only allow attributes that match a regex pattern
'authproc' => [
50 => [
'class' => 'core:AttributeLimit',
'/^eduPerson' => [ 'nameIsRegex' => true ]
],
],
Only allow specific values for an attribute that match a regex pattern
'authproc' => [
50 => [
'class' => 'core:AttributeLimit',
'eduPersonEntitlement' => [
'regex' => true,
'/^urn:mace:surf/',
'/^urn:x-IGNORE_Case/i',
]
],
],
Don't allow any attributes by default, but allow the metadata to override it.
'authproc' => [
50 => [
'class' => 'core:AttributeLimit',
'default' => true,
],
],
In order to just use the list of attributes defined in the metadata for each service provider, configure the module
like this:
'authproc' => [
50 => 'core:AttributeLimit',
],
Then, add the allowed attributes to each service provider metadata, in the `attributes` option (for exact matches) or `attributesRegex` (for regular expression matches):
$metadata['https://saml2sp.example.org'] = [
'AssertionConsumerService' => 'https://saml2sp.example.org/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
'SingleLogoutService' => 'https://saml2sp.example.org/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp',
...
'attributes' => ['cn', ... ],
'attributesRegex' => [ '/^mail$/', ... ],
...
];
Now, let's look to a couple of examples on how to filter out attribute values. First, allow only the entitlements known
to be used by a service provider (among other attributes):
$metadata['https://saml2sp.example.org'] = [
'AssertionConsumerService' => 'https://saml2sp.example.org/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
'SingleLogoutService' => 'https://saml2sp.example.org/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp',
...
'attributes' => [
'uid',
'mail',
'eduPersonEntitlement' => [
'urn:mace:example.org:admin',
'urn:mace:example.org:user',
],
],
...
];
Now, an example on how to normalize the affiliations sent from an identity provider, to make sure that no custom
values ever reach the service providers. Bear in mind that this configuration can be overridden by metadata:
'authproc' => [
50 => 'core:AttributeLimit',
'default' => true,
'eduPersonAffiliation' => [
'student',
'staff',
'member',
'faculty',
'employee',
'affiliate',
],
],
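Review bot: the last example is mis-nested: `50 => 'core:AttributeLimit',` is a bare string entry, while `'default' => true` and the `eduPersonAffiliation` list sit at the `authproc` level instead of inside the filter's own array, so the filter receives no allow-list and the stated goal ('no custom values ever reach the service providers') is not enforced; it needs the `50 => ['class' => 'core:AttributeLimit', 'default' => true, 'eduPersonAffiliation' => [...]]` shape the other examples use. Also the regex example `'/^eduPerson' => [ 'nameIsRegex' => true ]` lacks the closing `/` delimiter; as written it is not a valid PCRE pattern.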


@@ -0,0 +1,57 @@
`core:AttributeMap`
===================
Filter to change attribute names.
This filter can either contain the name of a map file or a set of name => value pairs describing the transformation.
If configuration references a map file, the file must be located in the `attributemap/` directory in the root of
SimpleSAMLphp's installation. Attribute map files located in the `attributemap/` directory in the root of a module can
also be used by specifying the file with the `module:file` syntax.
It can also create multiple attributes from a single attribute by specifying multiple target attributes as an array.
Examples
--------
Attribute maps embedded as parameters:
'authproc' => [
50 => [
'class' => 'core:AttributeMap',
'mail' => 'email',
'uid' => 'user'
'cn' => ['name', 'displayName'],
],
],
Attribute map in separate file:
'authproc' => [
50 => [
'class' => 'core:AttributeMap',
'name2oid',
],
],
This filter will use the map file from `simplesamlphp/attributemap/name2oid.php`.
Attribute map in a file contained in a module:
'authproc' => [
50 => [
'class' => 'core:AttributeMap',
'module:src2dst'
],
],
This filter will use the map file from `simplesamlphp/modules/module/attributemap/src2dst.php`.
Duplicate attributes based on a map file:
'authproc' => [
50 => [
'class' => 'core:AttributeMap',
'name2urn', 'name2oid',
'%duplicate',
],
],
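Review bot: the inline-map example is missing a comma after `'uid' => 'user'`, so the snippet is a PHP parse error as pasted. The `%duplicate` flag in the last example is never described in the text above; add a line stating what it does (the heading implies the original attribute is kept alongside the mapped name, which matters for a later core:AttributeLimit that keys on one name or the other).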


@@ -0,0 +1,86 @@
# `core:AttributeValueMap`
Filter that creates a target attribute based on one or more value(s) in source attribute.
Besides the mapping of source values to target values, the filter has the following options:
* `%replace` can be used to replace all existing values in target with new ones (any existing values will be lost)
* `%keep` can be used to keep the source attribute, otherwise it will be removed.
**Examples**:
## Add student affiliation based on LDAP groupmembership
Will add eduPersonAffiliation containing value `student` if the `memberOf` attribute contains
either `cn=student,o=some,o=organization,dc=org` or `cn=student,o=other,o=organization,dc=org`.
The `memberOf` attribute will be removed (use `%keep`, to keep it) and existing values in
`eduPersonAffiliation` will be merged (use `%replace` to replace them).
'authproc' => [
50 => [
'class' => 'core:AttributeValueMap',
'sourceattribute' => 'memberOf',
'targetattribute' => 'eduPersonAffiliation',
'values' => [
'student' => [
'cn=student,o=some,o=organization,dc=org',
'cn=student,o=other,o=organization,dc=org',
],
],
],
],
## Multiple assignments
Add `student`, `employee` and `both` affiliation based on LDAP groupmembership in the `memberOf` attribute.
'authproc' => [
50 => [
'class' => 'core:AttributeValueMap',
'sourceattribute' => 'memberOf',
'targetattribute' => 'eduPersonAffiliation',
'values' => [
'student' => [
'cn=student,o=some,o=organization,dc=org',
'cn=student,o=other,o=organization,dc=org',
],
'employee' => [
'cn=employees,o=some,o=organization,dc=org',
'cn=employee,o=other,o=organization,dc=org',
'cn=workers,o=any,o=organization,dc=org',
],
'both' => [
'cn=student,o=some,o=organization,dc=org',
'cn=student,o=other,o=organization,dc=org',
'cn=employees,o=some,o=organization,dc=org',
'cn=employee,o=other,o=organization,dc=org',
'cn=workers,o=any,o=organization,dc=org',
],
],
],
],
## Replace and Keep
Replace any existing `affiliation` attribute values and keep the `groups` attribute.
'authproc' => [
50 => [
'class' => 'core:AttributeValueMap',
'sourceattribute' => 'groups',
'targetattribute' => 'affiliation',
'%replace',
'%keep',
'values' => [
'student' => [
'cn=student,o=some,o=organization,dc=org',
'cn=student,o=other,o=organization,dc=org',
],
'employee' => [
'cn=employees,o=some,o=organization,dc=org',
'cn=employee,o=other,o=organization,dc=org',
'cn=workers,o=any,o=organization,dc=org',
],
],
],
],
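Review bot: in the 'Multiple assignments' example the `both` entry lists the union of the student and employee DNs, and the filter adds a target value when any listed source value matches (the first section describes it as 'either ... or'), so a user who is only in a student group also receives `both`; that is an over-grant, and the example should either drop `both` or state that the `values` map cannot express an AND condition. Style: this file uses `#` headings and a bold 'Examples' line where the other core:* files use underlined headings; 'groupmembership' should be 'group membership'.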


@@ -0,0 +1,49 @@
`core:Cardinality`
==================
Ensure the number of attribute values is within the specified multiplicity.
This filter should contain a set of attribute name => rule pairs describing the multiplicity rules for an attribute.
The special parameter `%ignoreEntities` can be used to give an array of entity IDs that should be ignored for testing, etc purposes.
A separate [`core:CardinalitySingle`](./core:authproc_cardinalitysingle) authproc filter provides additional functionality for the special case where attributes are single valued.
Specifying Rules
----------------
Multiplicity rules are specified as an associative array containing one or more of the following parameters:
`min`
: The minimum number of values (participation) this attribute should have. Defaults to `zero`.
`max`
: The maximum number of values (cardinality) this attribute should have. Defaults to no upper bound.
`warn`
: Log a warning rather than generating an error. Defaults to `false`.
For convenience, minimum and maximum values can also be specified using a shorthand list notation.
Examples
--------
Require at least one `givenName`, no more than two email addresses, and between two and four values for `eduPersonScopedAffiliation`.
'authproc' => [
50 => [
'class' => 'core:Cardinality',
'givenName' => ['min' => 1],
'mail' => ['max' => 2],
'eduPersonScopedAffiliation' => ['min' => 2, 'max' => 4],
],
],
Use the shorthand notation for min, max:
'authproc' => [
50 => [
'class' => 'core:Cardinality',
'mail' => [0, 2],
],
],
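Review bot: the parameter list does not say what happens when a rule is violated and `warn` is false (the sibling core:CardinalitySingle file says a 403 error is generated), nor whether a warned violation still releases the attribute; both belong here because this is a release-policy filter. Also the option is spelled `%ignoreEntities` here but `ignoreEntities` (no `%`) in core:CardinalitySingle; if both spellings are intended, say so, otherwise a reader copying between the two files will pick the wrong one. 'Defaults to `zero`' should be 'Defaults to `0`'.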


@@ -0,0 +1,88 @@
`core:CardinalitySingle`
========================
Ensure the correct cardinality of single-valued attributes. This filter is a special case
of the more generic [`core:Cardinality`](./core:authproc_cardinality) filter that allows for optional corrective measures
when multi-valued attributes are received where single-valued ones are expected.
Parameters
----------
This filter implements a number of optional parameters:
`singleValued`
: array of attribute names that *must* be single-valued, or a 403 error is generated.
`firstValue`
: array of attribute names where only the first value of a multi-valued assertion should be returned.
`flatten`
: array of attribute names where a multi-valued assertion is flattened into a single delimited string.
`flattenWith`
: the delimiter for `flatten`. Defaults to ";".
`ignoreEntities`
: array of entity IDs that should be ignored for testing, etc purposes.
When the same attribute name appears in multiple stanzas, they are processed in the order above.
Examples
--------
Abort with an error if any attribute defined as single-valued in the eduPerson or SCHAC schemas exists and has more than one value:
'authproc' => [
50 => [
'class' => 'core:CardinalitySingle',
'singleValued' => [
/* from eduPerson (internet2-mace-dir-eduperson-201602) */
'eduPersonOrgDN', 'eduPersonPrimaryAffiliation', 'eduPersonPrimaryOrgUnitDN',
'eduPersonPrincipalName', 'eduPersonUniqueId',
/* from inetOrgPerson (RFC2798), referenced by internet2-mace-dir-eduperson-201602 */
'displayName', 'preferredLanguage',
/* from SCHAC-IAD Version 1.3.0 */
'schacMotherTongue', 'schacGender', 'schacDateOfBirth', 'schacPlaceOfBirth',
'schacPersonalTitle', 'schacHomeOrganization', 'schacHomeOrganizationType',
'schacExpiryDate',
],
],
],
Abort if multiple values are received for `eduPersonPrincipalName`, but take the first value for `eduPersonPrimaryAffiliation`:
'authproc' => [
50 => [
'class' => 'core:CardinalitySingle',
'singleValued' => ['eduPersonPrincipalName'],
'firstValue' => ['eduPersonPrimaryAffiliation'],
],
],
],
Construct `eduPersonPrimaryAffiliation` using the first value in `eduPersonAffiliation`:
'authproc' => [
50 => [
'class' => 'core:AttributeCopy',
'eduPersonAffiliation' => 'eduPersonPrimaryAffiliation',
],
51 => [
'class' => 'core:CardinalitySingle',
'firstValue' => ['eduPersonPrimaryAffiliation'],
],
],
Construct a single, comma-separated value version of `eduPersonAffiliation`:
'authproc' => [
50 => [
'class' => 'core:AttributeCopy',
'eduPersonAffiliation' => 'eduPersonAffiliationWithCommas',
],
51 => [
'class' => 'core:CardinalitySingle',
'flatten' => ['eduPersonAffiliationWithCommas'],
'flattenWith' => ',',
],
],
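Review bot: the second example has one `],` too many (three closing lines follow `'firstValue' => ['eduPersonPrimaryAffiliation'],` for two open arrays), so it fails to parse as pasted. Worth one more sentence under `firstValue` and `flatten`: they are corrective rather than enforcing, so an SP that relies on `eduPersonPrincipalName` being unique should keep it under `singleValued`, as the second example does, and never under `firstValue`.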


@@ -0,0 +1,49 @@
`core:GenerateGroups`
=====================
This filter creates a `group` attribute based on the contents of the other attributes of the user.
By default this filter will generate groups from the following set of attributes:
* `eduPersonAffiliation`
* `eduPersonOrgUnitDN`
* `eduPersonEntitlement`
This can be overridden by specifying the names of the attributes in the configuration.
It will attempt to determine a realm the user belongs to based on the `eduPersonPrincipalName`
attribute, if it is present.
The groups this filter generates are on the form `<attribute name>-<attributevalue>` and `<attributename>-<realm>-<attributevalue>`.
For example, if the user has the following attributes:
* `eduPersonPrincipalName`: `user@example.org`
* `eduPersonAffiliation`: `student`, `member`
The following groups will be created:
* `eduPersonAffiliation-student`
* `eduPersonAffiliation-member`
* `eduPersonAffiliation-example.org-student`
* `eduPersonAffiliation-example.org-member`
Examples
--------
Default attributes:
'authproc' => [
50 => [
'class' => 'core:GenerateGroups',
],
],
Custom attributes:
'authproc' => [
50 => [
'class' => 'core:GenerateGroups',
'someAttribute',
'someOtherAttribute',
],
],
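Review bot: the first sentence says the filter creates a `group` attribute while the rest of the file speaks of groups in the plural; state the exact output attribute name, because a following core:AttributeLimit has to allow-list it by that name. Also 'on the form' should be 'of the form', and `<attribute name>-<attributevalue>` versus `<attributename>-<realm>-<attributevalue>` should use one spelling. The realm handling needs a line on what happens when `eduPersonPrincipalName` is absent or has no `@` (presumably only the unscoped groups are generated); a reader keying access on the scoped form needs to know that.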


@@ -0,0 +1,41 @@
`core:LanguageAdaptor`
======================
SimpleSAMLphp has built in language support, and stores the preferred language in a cookie.
Identity systems also often has a specific attribute that indicates what language is understood by the user.
MACE defines an attribute with preferred language: `preferredLanguage`.
[Read more about the preferredLanguage attribute defined by MACE](https://tools.ietf.org/html/rfc2798#section-2.7).
The LanguageAdaptor brings these two concepts together.
If executed early at the IdP it will check if the `preferredLanguage` attribute is among the user's attributes, and if it is, SimpleSAMLphp will use that language in the user interface.
**Note:** the login page itself is too early to be influenced by the user attributes, because the IdP does not know any user attributes before the user logs in.
In contrast, the consent module will be presented in the correct language based on the user attribute.
The LanguageAdaptor also works the other way around.
If the user does not have the `preferredLanguage` attribute, the user interface for the user will be set to the default for the installation.
If this language is not correct for the user, the user may click to switch language on the login page (or any other UI page in SimpleSAMLphp).
SimpleSAMLphp then stores the preferred language in a cookie.
Now, the LanguageAdaptor will read the preferred language from the cookie and add a user attribute with the preferred language, that is sent to the service provider.
The name of the attribute can be changed from the default by adding the `attributename` option.
Examples
--------
Default attribute (`preferredLanguage`):
'authproc' => [
50 => [
'class' => 'core:LanguageAdaptor',
],
],
Custom attribute:
'authproc' => [
50 => [
'class' => 'core:LanguageAdaptor',
'attributename' => 'lang',
],
],
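Review bot: the link text says `preferredLanguage` is 'defined by MACE' but the URL is RFC 2798, the IETF inetOrgPerson schema; say 'defined in inetOrgPerson (RFC 2798)' so the attribution matches the reference. The cookie-to-attribute direction also deserves one sentence stating that the released `preferredLanguage` value is then whatever the user clicked, so an SP should treat it as a UI hint and not as an authoritative attribute. Grammar: 'Identity systems also often has' should be 'have'.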


@@ -0,0 +1,57 @@
`core:PHP`
==========
This is a filter which makes it possible to run arbitrary PHP code to modify the attributes or state of an user.
Parameters
----------
`class`
: This is the name of the filter.
It must be `core:PHP`.
`code`
: The PHP code that should be run. This code will have two variables available:
* `$attributes`.
This is an associative array of attributes, and can be modified to add or remove attributes.
* `$state`.
This is an associative array of request state. It can be modified to adjust data related to the authentication
such as desired NameId, requested Attributes, authnContextRef and many more.
Examples
--------
Add the `mail` attribute based on the user's `uid` attribute:
10 => [
'class' => 'core:PHP',
'code' => '
if (empty($attributes["uid"])) {
throw new Exception("Missing uid attribute.");
}
$uid = $attributes["uid"][0];
$mail = $uid . "@example.net";
$attributes["mail"] = [$mail];
',
],
Create a random number variable:
10 => [
'class' => 'core:PHP',
'code' => '
$attributes["random"] = [
(string)rand(),
];
',
],
Force a specific NameIdFormat. Useful if an SP misbehaves and requests (or publishes) an incorrect NameId
90 => [
'class' => 'core:PHP',
'code' => '$state["saml:NameIDFormat"] = ["Format" => "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", "AllowCreate" => true];'
],
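Review bot: the 'random number' example uses `rand()`, which is not a cryptographic generator; if the attribute is meant for anything beyond a demo, `random_int()` or `bin2hex(random_bytes(16))` is the right call, and the example should say which use it has in mind. The `code` description should also state the value shape in `$attributes`, an array of strings per attribute, which the first example shows with `[$mail]` but the text never says. Since the filter runs arbitrary PHP taken from the config file, a note that the config must be writable only by the administrator belongs in the introduction.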


@@ -0,0 +1,49 @@
`core:ScopeAttribute`
=====================
A filter which combines two attributes into a scoped attribute.
That is, the value will be `something@scope`, usually to make it globally unique.
Parameters
----------
`scopeAttribute`
: The attribute that contains the scope.
: If the attribute contains a '@', we will take the scope from the part following the '@'.
Otherwise, we will use the entire value.
: If the attribute is multi-valued, we will add all the scopes to the target.
`sourceAttribute`
: The attribute that contains the values we shall add the scope to.
: This attribute can be multi-valued, in which case we will add all the values.
`targetAttribute`
: The attribute we shall add the scoped attributes to.
: If the attribute already exists, the new values will be merged into the existing attribute.
`onlyIfEmpty`
: Only replace the targetAttribute if it is empty to begin with.
: If `true`, then the targetAttribute will only be created if it didn't already contain values. Defaults to `false`.
: This is useful if, for instance, you want to create eduPersonScopedAffiliation from eduPersonAffiliation _only_ if eduPersonScopedAffiliation was not returned by the authenticaton source.
Example
-------
Add eduPersonScopedAffiliation based on eduPersonAffiliation and eduPersonPrincipalName.
10 => [
'class' => 'core:ScopeAttribute',
'scopeAttribute' => 'eduPersonPrincipalName',
'sourceAttribute' => 'eduPersonAffiliation',
'targetAttribute' => 'eduPersonScopedAffiliation',
],
With values being `eduPersonPrincipalName`: `jdoe@example.edu` and
`eduPersonAffiliation`: `faculty`, this will result in the attribute
`eduPersonScopedAffiliation` with value `faculty@example.edu`.
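Review bot: `onlyIfEmpty` is described as 'Only replace the targetAttribute if it is empty', but `targetAttribute` two entries above says new values are merged into an existing attribute; one of the two is wrong, and the difference matters exactly when an upstream source already returned `eduPersonScopedAffiliation`. The `scopeAttribute` entry says a multi-valued scope attribute adds all scopes to the target; an example of that cross product (two scopes and two affiliations giving four values) would make the behaviour clear. Typo: 'authenticaton'.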


@@ -0,0 +1,28 @@
`core:ScopeFromAttribute`
=========================
This filter creates a new attribute based on the scope from a different attribute.
Parameters
----------
This filter has two parameters, where both parameters are mandatory.
`sourceAttribute`
: The attribute we should extract the scope from.
`targetAttribute`
: The name of the new attribute.
Example
-------
Set the `scope` attribute to the scope from the `eduPersonPrincipalName` attribute:
'authproc' => [
50 => [
'class' => 'core:ScopeFromAttribute',
'sourceAttribute' => 'eduPersonPrincipalName',
'targetAttribute' => 'scope',
],
],
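Review bot: the text never defines 'scope' (the part after `@`, per core:ScopeAttribute on this page), nor what the filter does when `sourceAttribute` has no `@`, is missing, or is multi-valued; since `scope` is the kind of attribute an SP uses for authorization decisions, those cases need stating.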


@@ -0,0 +1,54 @@
`core:TargetedID`
=================
This filter generates the `eduPersonTargetedID` attribute for the user.
This filter will use the contents of the attribute set by the `identifyingAttribute` option as the unique user ID.
Parameters
----------
`identifyingAttribute`
: The name of the attribute we should use for the unique user identifier.
Note: only the first value of the specified attribute is being used for the generation of the identifier.
`nameId`
: Set this option to `true` to generate the attribute as in SAML 2 NameID format.
This can be used to generate an Internet2 compatible `eduPersonTargetedID` attribute.
Optional, defaults to `false`.
Examples
--------
A custom attribute:
'authproc' => [
50 => [
'class' => 'core:TargetedID',
'identifyingAttribute' => 'eduPersonPrincipalName'
],
],
Internet2 compatible `eduPersontargetedID`:
/* In saml20-idp-hosted.php. */
$metadata['urn:x-simplesamlphp:example-idp'] = [
'host' => '__DEFAULT__',
'auth' => 'example-static',
'authproc' => [
60 => [
'class' => 'core:TargetedID',
'nameId' => true,
],
90 => [
'class' => 'core:AttributeMap',
'name2oid',
],
],
'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
'attributeencodings' => [
'urn:oid:1.3.6.1.4.1.5923.1.1.1.10' => 'raw', /* eduPersonTargetedID with oid NameFormat. */
],
];
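Review bot: `identifyingAttribute` is presented as the source of the user ID, but the Internet2 example omits it entirely; say whether the option is required and, if not, what the default is. The description also does not state what the generated value is derived from beyond the identifying attribute (whether it is bound to the SP's entity ID and to an IdP-side secret), which is what a reader needs in order to judge whether the result is a safe pairwise identifier. Casing: 'eduPersontargetedID' in the second example heading.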


@@ -0,0 +1,14 @@
`core:WarnShortSSOInterval`
===========================
Give a warning to the user when authenticating twice in a short time.
This is mainly intended to prevent redirect loops between the IdP and the SP.
Example
-------
'authproc' => [
50 => [
'class' => 'core:WarnShortSSOInterval',
],
],
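Review bot: 'a short time' is never quantified and the example shows no option for it; state the interval the filter uses and whether it is configurable.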


@@ -0,0 +1,90 @@
# Authentication source selector
The Authentication source selector is a special kind of Authentication Source
that delegates the actual authentication to a secondary Authentication Source
based on some form of policy decision.
## AbstractSourceSelector
The AbstractSourceSelector extends from `\SimpleSAML\Auth\Source` and as such
act as an Authentication Source. Any derivative classes must implement the
abstract `selectAuthSource` method. This method must return the name of the
Authentication Source to use, based on whatever logic is necessary.
## SourceIPSelector
The SourceIPSelector is an implementation of the `AbstractSourceSelector` that
uses the client IP to decide what Authentication Source is called.
It works by defining zones with corresponding IP-ranges and Authentication
Sources. The 'default' zone is optional and acts as a fallback when none
of the zones match a client's IP-address. When set to `null` a NotFound-
exception will be thrown.
An example configuration would look like this:
```php
'selector' => [
'core:SourceIPSelector',
'zones' => [
'internal' => [
'source' => 'ldap',
'subnet' => [
'10.0.0.0/8',
'2001:0DB8::/108',
],
],
'other' => [
'source' => 'radius',
'subnet' => [
'172.16.0.0/12',
'2002:1234::/108',
],
],
'default' => 'yubikey',
],
],
```
## RequestedAuthnContextSelector
The RequestedAuthnContextSelector is an implementation of the `AbstractSourceSelector` that
uses the RequestedAuthnContext to decide what Authentication Source is called.
It works by defining AuthnContexts with their corresponding Authentication
Sources. The 'default' key will be used as a default when no RequestedAuthnContext
is passed in the request.
An example configuration would look like this:
```php
'selector' => [
'core:RequestedAuthnContextSelector',
'contexts' => [
10 => [
'identifier' => 'urn:x-simplesamlphp:loa1',
'source' => 'ldap',
],
20 => [
'identifier' => 'urn:x-simplesamlphp:loa2',
'source' => 'radius',
],
'default' => [
'identifier' => 'urn:x-simplesamlphp:loa0',
'source' => 'sql',
],
],
],
```
## YourCustomSourceSelector
If you have a use-case for a custom Authentication source selector, all you
have to do is to create your own class, make it extend `AbstractSourceSelector`
and make it implement the abstract `selectAuthSource` method containing
your own logic. The method should return the name of the Authentication
source to use.
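Review bot: SourceIPSelector should state how the client IP is determined, in particular whether any forwarded-for header is honoured when SimpleSAMLphp sits behind a proxy; if the address can be influenced by the client, an external user could land in the `internal` zone and be sent to the `ldap` source, which is the one decision this selector exists to make safely. For RequestedAuthnContextSelector, only the no-context case is covered by `default`; say what happens when a RequestedAuthnContext is present but matches none of the configured identifiers (an error or the default), since falling back silently would let a request for an unknown, higher context be served by the `loa0` source.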