Skip to content

New 'identifyingAttribute option for SAML Attribute NameID filter#2260

Merged
monkeyiq merged 8 commits intosimplesamlphp:masterfrom
kwessel:feature/saml-nameid-attribute-identifyingattributes
Dec 15, 2024
Merged

New 'identifyingAttribute option for SAML Attribute NameID filter#2260
monkeyiq merged 8 commits intosimplesamlphp:masterfrom
kwessel:feature/saml-nameid-attribute-identifyingattributes

Conversation

@kwessel
Copy link
Copy Markdown
Contributor

@kwessel kwessel commented Sep 25, 2024

Allow a new option in place of identifyingAttribute called identifyingAttributes. This option expects an array of attribute names. The first one in the list that's available in the attributes being released to the SP will be used. This is particularly useful in the hosted IdP configuration. One can specify multiple attribute names in order of precedence, and the IdP will release the first one from that list to the SP that's in the SP's 'attributes' array. This avoids having to define a new authproc filter for each SP that needs a different value than the single one that was previously specified using 'identifyingAttribute'.

The change still supports identifyingAttribute option which will be used instead of the new option if both are set.

@kwessel
New 'identifyingAttribute option for SAML Attribute NameID filter
10c1544 
Allow a new option in place of identifyingAttribute called
identifyingAttributes. This option expects an array of attribute
names. The first one in the list that's available in the attributes being
released to the SP will be used. This is particularly useful in the hosted
IdP configuration. One can specify multiple attribute names in order of
precedence, and the IdP will release the first one from that list to the
SP that's in the SP's 'attributes' array. This avoids having to define
a new authproc filter for each SP that needs a different value than the
single one that was previously specified using 'identifyingAttribute'.

The change still supports identifyingAttribute option which will be used
instead of the new option if both are set.
@kwessel
Copy link
Copy Markdown
Contributor Author

kwessel commented Sep 25, 2024

@tvdijen , I was getting tired of having to define an authproc filter for every SP that didn't want to use our default value for the emailaddress nameID format and decided I'd implement things the way Shibboleth does with a list of attributes. Please let me know if you have questions or concerns about this feature. And I completely understand if you don'twant to use it.

@thijskh
Copy link
Copy Markdown
Member

thijskh commented Sep 26, 2024

I like the idea, it's simple enough and I understand how it will be useful.

Maybe I'm beeing too defensive if I'd also add a check if you've set both and log a warning or even error?

There's quite some more if/looping now than before. This does in my opinion really beg for unit tests if we want to keep this maintainable, with all the possible combinations now.

@kwessel
Copy link
Copy Markdown
Contributor Author

kwessel commented Sep 26, 2024

Maybe I'm beeing too defensive if I'd also add a check if you've set both and log a warning or even error?

Done: if both are specified, an exception is now thrown. This was an excellent suggestion.

There's quite some more if/looping now than before. This does in my opinion really beg for unit tests if we want to keep this maintainable, with all the possible combinations now.

I'm not expert on writing test cases for SSP, but if you point me to something similar that's already in there, I'd be willing to try my hand at it.

@kwessel kwessel force-pushed the feature/saml-nameid-attribute-identifyingattributes branch 2 times, most recently from efd1f9a to 054c37d Compare September 26, 2024 16:24
@kwessel kwessel force-pushed the feature/saml-nameid-attribute-identifyingattributes branch from 054c37d to 5e90c6e Compare September 26, 2024 16:34
monkeyiq
monkeyiq reviewed Oct 2, 2024
View reviewed changes
@monkeyiq
Copy link
Copy Markdown
Contributor

monkeyiq commented Oct 2, 2024

As far as tests go, we might make a new class like NameIDAttributeTest with some new tests. I have put them in the bottom of that class while I was playing around... I guess a deeper test would have an SP and IdP that returns the data but these tests check for expected results at a basic level..

https://github.com/monkeyiq/simplesamlphp/blob/f3646d6e26bda6f16084172c95ce34ec656dbebf/tests/modules/saml/src/Auth/Process/NameIDAttributeTest.php#L245

I should probably clean up the attribute and format that is in the config copied from above cases as it shouldn't be needed in these.

kwessel and others added 3 commits November 9, 2024 16:03
@kwessel
identifyingAttributes clean-up per PR comments
8ca7fe5 
* Cleaned up logic for finding a value for the nameID
* Corrected bug when $value was empty at end of loop
@monkeyiq
add a test for the AttributeNameID using an array of attributes
496687e
@monkeyiq
lint
6343334
@monkeyiq
Copy link
Copy Markdown
Contributor

monkeyiq commented Dec 11, 2024

Thank you for the PR! I have added a small number of test cases to the PR today

@monkeyiq
Update AttributeNameIDTest.php
1ba8403 
These entity ids were copied from the test that I then updated which lead to much better values for test idp and sp entities. I am updating these entities here inline with the comment at simplesamlphp#2349 (review)
@monkeyiq
Update nameid.md
c6f5dfd 
Mention that these are mutex options.
@monkeyiq
Update nameid.md
0d3840a 
lint
@monkeyiq monkeyiq merged commit da02c3c into simplesamlphp:master Dec 15, 2024
monkeyiq added a commit that referenced this pull request Dec 15, 2024
@kwessel @monkeyiq
New 'identifyingAttribute option for SAML Attribute NameID filter (#2260
6b71492 
)

* New 'identifyingAttribute option for SAML Attribute NameID filter

Allow a new option in place of identifyingAttribute called
identifyingAttributes. This option expects an array of attribute
names. The first one in the list that's available in the attributes being
released to the SP will be used. This is particularly useful in the hosted
IdP configuration. One can specify multiple attribute names in order of
precedence, and the IdP will release the first one from that list to the
SP that's in the SP's 'attributes' array. This avoids having to define
a new authproc filter for each SP that needs a different value than the
single one that was previously specified using 'identifyingAttribute'.

The change still supports identifyingAttribute option which will be used
instead of the new option if both are set.

* Throw error when AttributeNameID filter has both identifyingAttribute and identifyingAttributes set

* identifyingAttributes clean-up per PR comments

* Cleaned up logic for finding a value for the nameID
* Corrected bug when $value was empty at end of loop

* add a test for the AttributeNameID using an array of attributes

* lint

* Update AttributeNameIDTest.php

These entity ids were copied from the test that I then updated which lead to much better values for test idp and sp entities. I am updating these entities here inline with the comment at #2349 (review)

* Update nameid.md

Mention that these are mutex options.

* Update nameid.md

lint

---------

Co-authored-by: Ben Martin <monkeyiq@users.sourceforge.net>
Co-authored-by: monkeyiq <monkeyiq@gmail.com>
@monkeyiq
Copy link
Copy Markdown
Contributor

monkeyiq commented Dec 15, 2024

I have also cherry picked this back to 2.4.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 16, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@monkeyiq monkeyiq monkeyiq left review comments

Assignees

No one assigned

Labels

feedback needed

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@kwessel @thijskh @monkeyiq