SAML-Toolkits / php-saml

Simple SAML toolkit for PHP
MIT License

Proper attributeConsumingService usage? #552

Closed nbyloff closed 1 year ago

nbyloff commented 1 year ago

I have authentication set up with my company's Azure AD, however I cannot tell AD to return user data in the 'FriendlyName' format. All attribute keys look like this:

# this method returns an empty array
$userData = $auth->getAttributesWithFriendlyName();
# so I have to call this method to get the raw data with the URLs listed below as attribute keys
$userData = $auth->getAttributes();

https://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
https://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
https://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname

attributeConsumingService is used in my XML to give AD instructions on how to return user data, correct? If so, I am obviously using it incorrectly. How do I alter the settings config object below to tell AD to stop returning the full URLs as keys and just give me emailaddress, givenname and surname as the keys? I am struggling to find something that outlines this for me.

'attributeConsumingService' => [
    'serviceName' => 'Company SSO',
    'serviceDescription' => 'SSO authentication for use with Company web applications',
    'requestedAttributes' => [
        [
            'nameFormat' => Constants::ATTRNAME_FORMAT_URI,
            'isRequired' => true,
            'name' => 'emailaddress',
            'friendlyName' => 'Email'
        ],
        [
            'nameFormat' => Constants::ATTRNAME_FORMAT_URI,
            'isRequired' => true,
            'name' => 'givenname',
            'friendlyName' => 'FirstName'
        ],
        [
            'nameFormat' => Constants::ATTRNAME_FORMAT_URI,
            'isRequired' => true,
            'name' => 'surname',
            'friendlyName' => 'LastName'
        ],
    ]
],

pitbulk commented 1 year ago

You need to configure Azure AD properly.

The attributeConsumingService is used to specify what attributes are expected by the Service Provider and how to name them, but as you don't set up Azure based on the SP metadata, and instead you need to configure Azure AD manually and specify the attributes that are going to be released and their names, what you define on attributeConsumingService is not used at all.
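Since the IdP in this thread keeps releasing attributes under the full claim URIs, an SP-side alternative is to apply the requestedAttributes mapping yourself after `$auth->getAttributes()`: pick out only the configured attributes, rename them to their friendlyName, and fail if a required one is absent. This is an added example, not php-saml code; it assumes a match on the configured name or on the last path segment of the claim URI, and the sample attribute array is constructed.

```php
<?php
// Added example (not php-saml code). Maps the array returned by
// $auth->getAttributes() (keyed by full claim URI) onto the friendlyName
// values of the SP's own requestedAttributes config, and enforces isRequired.
// Matching on the last path segment of the claim URI is an assumption here.

function mapAttributesByFriendlyName(array $requestedAttributes, array $rawAttributes): array
{
    $result = [];
    foreach ($requestedAttributes as $requested) {
        $found = null;
        foreach ($rawAttributes as $key => $values) {
            // Exact match on the configured name, or on the URI's last segment.
            if ($key === $requested['name'] || basename($key) === $requested['name']) {
                $found = $values;
                break;
            }
        }
        if ($found === null) {
            if (!empty($requested['isRequired'])) {
                // A missing required attribute is a hard failure, not an empty value.
                throw new RuntimeException('Required attribute missing: ' . $requested['name']);
            }
            continue;
        }
        // Attributes the SP never asked for are dropped; only configured ones survive.
        $result[$requested['friendlyName']] = $found;
    }
    return $result;
}

// Constructed sample of what getAttributes() returns for the setup in this issue.
$rawAttributes = [
    'https://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress' => ['user@example.com'],
    'https://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname'    => ['Jane'],
    'https://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname'      => ['Doe'],
];

// The requestedAttributes entries from the poster's settings, without nameFormat.
$requestedAttributes = [
    ['name' => 'emailaddress', 'friendlyName' => 'Email',     'isRequired' => true],
    ['name' => 'givenname',    'friendlyName' => 'FirstName', 'isRequired' => true],
    ['name' => 'surname',      'friendlyName' => 'LastName',  'isRequired' => true],
];

print_r(mapAttributesByFriendlyName($requestedAttributes, $rawAttributes));
```

Values stay as arrays, as php-saml returns them, so multi-valued attributes are preserved.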