This module ensures that scoped attributes (such as eduPersonPrincipalName) have the right scopes defined in the entity metadata.
It removes values that should be scoped (see attributesWithScope below) but are not;

Additionally, it is also capable of handling 'scope attributes' such as schacHomeOrganization, which should be equivalent to the shibmd:Scope element in the metadata.

shibmd:Scope
are not supported.

You can install the module with composer:
composer require niif/simplesamlphp-module-attributescope
config/config.php
'authproc.sp' => array(
    // ...
    // 49 => array('class' => 'core:AttributeMap', 'oid2name'),
    // Verify scoped attributes with the metadata:
    50 => array(
        'class' => 'attributescope:FilterAttributes',
        // Default attributes with scope attributes.
        // 'attributesWithScope' => array('eduPersonPrincipalName', 'eduPersonScopedAffiliation'),
        // Default scopeAttribute
        // 'scopeAttributes' => array('schacHomeOrganization'),
    ),
),
attributesWithScope
an array of attributes that should be scoped and should match the scope from the metadata

attributesWithScopeSuffix
an array of attributes that have the scope as a suffix. For example, user@department.example.com and department.example.com are both suffixed with example.com. Useful when an SP relies on the mail attribute to identify users and the IdP uses various subdomains for mail.

scopeAttributes
an array of attributes that should exactly match the scope from the metadata

ignoreCheckForEntities
an array of IdP entity IDs to skip scope checking for. Useful when an IdP is a SAML proxy and is trusted to assert any scope.

ignoreCase
ignore the case of the scoped attribute. The new 'Subject Identifier Attributes' profile stipulates that comparison should be case insensitive. Default is false, for backwards compatibility.

./vendor/phpunit/phpunit/phpunit
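
The three kinds of check that the options above describe (exact scope, scope as suffix, whole-value scope attribute), shown as an added example in PHP; it is not the module's own code. The function name, the mode names, the dot-boundary rule used for suffix matching and the sample values are assumptions made for illustration.

```php
<?php
// Added illustration, not the module's source. filterScopedValues() and all
// sample values are hypothetical/constructed. Requires PHP 8 (str_ends_with).

/**
 * Return only the values whose scope is covered by the IdP's metadata scopes.
 * $mode 'exact'  : text after the last '@' must equal a scope (attributesWithScope)
 * $mode 'suffix' : value or its scope part must equal a scope or end in
 *                  ".<scope>" (attributesWithScopeSuffix; boundary rule assumed)
 * $mode 'whole'  : the entire value must equal a scope (scopeAttributes)
 */
function filterScopedValues(array $values, array $scopes, string $mode, bool $ignoreCase = false): array
{
    $norm = fn(string $s): string => $ignoreCase ? strtolower($s) : $s;
    $scopes = array_map($norm, $scopes);
    $kept = [];
    foreach ($values as $value) {
        $at = strrpos($value, '@');
        if ($mode === 'exact' && $at === false) {
            continue; // should be scoped but is not: drop the value
        }
        // 'whole' compares the full value; the other modes compare the scope part.
        $candidate = ($mode === 'whole' || $at === false) ? $value : substr($value, $at + 1);
        $candidate = $norm($candidate);
        foreach ($scopes as $scope) {
            if ($candidate === $scope
                || ($mode === 'suffix' && str_ends_with($candidate, '.' . $scope))) {
                $kept[] = $value;
                break;
            }
        }
    }
    return $kept;
}

// Constructed input: $scopes stands for the IdP's shibmd:Scope values.
$scopes = ['example.com'];
// Foreign scope and unscoped value alongside a valid one.
print_r(filterScopedValues(['alice@example.com', 'bob@example.org', 'carol'], $scopes, 'exact'));
// Subdomain forms from the option description, plus a look-alike domain without a dot boundary.
print_r(filterScopedValues(['user@department.example.com', 'department.example.com', 'user@notexample.com'], $scopes, 'suffix'));
// Case differences only pass when ignoreCase is enabled.
print_r(filterScopedValues(['Example.COM'], $scopes, 'whole', true));
```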