simplesamlphp / simplesamlphp-module-oidc

A SimpleSAMLphp module for OIDC OP support.

Attribute mapping and logging #217

Closed luandalmazo closed 3 months ago

luandalmazo commented 5 months ago

Hey!

I have two questions:

  1. Is attribute mapping done automatically? I just configured the module, but I can't retrieve all available attributes. It gives the following error: "Attribute useridattr does not exist in claims. Available attributes are: urn:oid:1.3.6.1.4.1.5923.1.1.1.7, urn:oid:1.3.6.1.4.1.5923.1.1.1.6, urn:oid:2.16.840.1.113730.3.1.241, urn:oid:2.5.4.3, urn:oid:2.5.4.4, urn:oid:2.5.4.42, urn:oid:0.9.2342.19200300.100.1.3, urn:oid:1.3.6.1.4.1.5923.1.1.1.10"

Part of my module configuration file:

    ModuleConfig::OPTION_AUTH_USER_IDENTIFIER_ATTRIBUTE => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.7', //'urn:oid:1.3.6.1.4.1.5923.1.1.1.6',

    // The default translation table from SAML attributes to OIDC claims.
    ModuleConfig::OPTION_AUTH_SAML_TO_OIDC_TRANSLATE_TABLE => [
    //    'sub' => [
    //        //'attribute-defined-in-useridattr',
    //        'uid', // added
    //        'eduPersonPrincipalName',
    //        'eduPersonTargetedID',
    //        'eduPersonUniqueId',
    //        'urn:oid:1.3.6.1.4.1.5923.1.1.1.6',
    //        //'urn:oid:2.5.4.3',
    //    ],
    //    // Remove default translation
    //    //'name' => [
    //    //    'name' => [ 'type' => 'string', 'attributes' => ['urn:oid:2.5.4.3']]
    //    //],
    ],

Do you have any suggestions on how I can retrieve all these attributes?

  2. How can I view a log from the module? Is there a way to do that?

cicnavi commented 5 months ago

As per error, it seems that something is not right with your configuration related to identifier attribute (useridattr), although you note that you have actually configured it. I think you should double check this.

As you can see in the description for config options, you are provided with default attribute translation. However, you will probably want to provide your own configuration related to that. I think you misconfigured it / left it commented out.

The module writes log using SimpleSAMLphp (SSP) logger, so any SSP logging configuration / location also applies to it.
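
A complete configuration for the attribute set listed in the error message above, as an added example (it is not from the issue thread and not the module's shipped defaults). It assumes the `$config` array form of config/module_oidc.php and the `ModuleConfig` option constants used in the thread; the OID-to-name pairings are the standard eduPerson / inetOrgPerson assignments.

```php
<?php
// config/module_oidc.php (added example, not from the issue or the module's defaults).
// Assumes the module exposes these option constants and reads a $config array.
use SimpleSAML\Module\oidc\ModuleConfig;

$config = [
    // Source of the OIDC 'sub' claim. urn:oid:1.3.6.1.4.1.5923.1.1.1.6 is
    // eduPersonPrincipalName. The attribute used in the first config of the
    // thread, urn:oid:1.3.6.1.4.1.5923.1.1.1.7, is eduPersonEntitlement, a
    // multi-valued authorization attribute rather than a user identifier.
    ModuleConfig::OPTION_AUTH_USER_IDENTIFIER_ATTRIBUTE => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.6',

    // Explicit SAML attribute -> OIDC claim table. Attribute names must match
    // what the IdP actually releases (here the OID form, since that is what the
    // error message shows). Claims not listed here are never emitted.
    ModuleConfig::OPTION_AUTH_SAML_TO_OIDC_TRANSLATE_TABLE => [
        'sub' => [
            'urn:oid:1.3.6.1.4.1.5923.1.1.1.6', // eduPersonPrincipalName
        ],
        'name' => [
            'urn:oid:2.16.840.1.113730.3.1.241', // displayName
            'urn:oid:2.5.4.3',                   // cn, used if displayName is absent
        ],
        'given_name'         => ['urn:oid:2.5.4.42'],                 // givenName
        'family_name'        => ['urn:oid:2.5.4.4'],                  // sn
        'preferred_username' => ['urn:oid:1.3.6.1.4.1.5923.1.1.1.6'], // eduPersonPrincipalName
        'email'              => ['urn:oid:0.9.2342.19200300.100.1.3'], // mail
    ],
];
```

Two practitioner caveats. First, OIDC releases claims per scope: `name`, `given_name`, `family_name` and `preferred_username` belong to the `profile` scope and `email` to the `email` scope, so the RP (or the playground) must request those scopes or the mapped attributes will not appear in the ID token or UserInfo response even though the table is correct. Second, for the logging question: because the module logs through the SimpleSAMLphp logger, setting `'logging.level' => SimpleSAML\Logger::DEBUG` together with `'logging.handler'` and `'logging.logfile'` in config/config.php is what surfaces the module's own entries.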

luandalmazo commented 5 months ago

Thank you for your response! So, when I configure the user identifier as below, the application works (I'm using the OIDC playground to test the complete flow):

ModuleConfig::OPTION_AUTH_USER_IDENTIFIER_ATTRIBUTE => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.6',

However, the attributes still aren't being delivered. Also, in this test, I used a specific translation and a specific sub defined:

    ModuleConfig::OPTION_AUTH_SAML_TO_OIDC_TRANSLATE_TABLE => [
        'sub' => [
            urn:oid:1.3.6.1.4.1.5923.1.1.1.6',
        ],

        'email' => ['mail', 'urn:oid:0.9.2342.19200300.100.1.3'],
    ],

The log doesn't give me an error, only this message:

    Filter config for https://IDP-FQDN/idp/shibboleth->https://OP-MODULE-INSTANCE/: array ( 0 => SimpleSAML\Module\core\Auth\Process\LanguageAdaptor::__set_state(array( 'priority' => 90, 'precondition' => 'return true;', 'langattr' => 'preferredLanguage', )),)

Do you think there is a problem with the default translation built-in SSP?

Thanks in advance!

cicnavi commented 5 months ago

Not sure if this will solve it for you, but did you notice that you are missing a quote?

          urn:oid:1.3.6.1.4.1.5923.1.1.1.6',
luandalmazo commented 5 months ago

Oh, yes! Actually, in my code the quote exists; it just disappeared when I pasted that part of the code.

cicnavi commented 5 months ago

Hm, ok. I don't believe that there is a problem with default translation table. I think you only have to configure it properly.

cicnavi commented 3 months ago

Any news on this?

luandalmazo commented 3 months ago

Hello, sorry for the delay.

In general, I focused on configuring the authsources from the beginning. I also changed the protocol that the application was using; previously, it was set to auth2, and in the most recent test, I switched it to OpenID (my application will communicate with a SimpleSAMLphp RP). The module is working correctly!