Open vidiecan opened 9 years ago
Action points: a) proof of concept; b) ask e.g., Mikael L. about the privacy/protection issues; c) implement the SessionHook page as simply as possible so everyone (even non-programmers) can understand it; d) talk to other inter-federation SPs about deployment.
a) proof of concept;
With the sessionHook and AssertionExports it's possible to acquire the IDP's entityID and the attribute names (before any mapping or filtering). Sending these elsewhere to some statistics engine should be straightforward.
```php
<html>
...
<body>
...
<?php
// Attribute names collected from all exported assertions.
$seen_names = array();
$assertion_count = 0;
$assertion_count_name = "Shib-Assertion-Count";
// Header-style variant of the same name (HTTP_SHIB_ASSERTION_COUNT).
$assertion_count_name_upper = str_replace('-', '_', strtoupper("http_" . $assertion_count_name));

if (getenv($assertion_count_name)) {
    $assertion_count = (int)getenv($assertion_count_name);
} else if (getenv($assertion_count_name_upper)) {
    $assertion_count = (int)getenv($assertion_count_name_upper);
}
$assertion_link_attr_name = "Shib-Assertion-";
$assertion_link_attr_name_upper = str_replace('-', '_', strtoupper("http_" . "Shib-Assertion-"));
//echo "<li>assertion_count " . $assertion_count;
for ($i = $assertion_count; $i > 0; $i--) {
    //why would there be more than one assertion?
    // The export variables are numbered with two digits: Shib-Assertion-01, -02, ...
    $n = sprintf('%02d', $i);
    $assertion_link = "";
    if (getenv($assertion_link_attr_name . $n)) {
        $assertion_link = getenv($assertion_link_attr_name . $n);
    } else if (getenv($assertion_link_attr_name_upper . $n)) {
        $assertion_link = getenv($assertion_link_attr_name_upper . $n);
    }
    //echo "<li>assertion_link " . $assertion_link;
    if (!empty($assertion_link)) {
        // Fetch the assertion over localhost instead of the public host name.
        $assertion_link = str_replace("https://" . getenv("SERVER_NAME"), "https://localhost", $assertion_link);
        $xml = simplexml_load_file($assertion_link);
        if ($xml === false) {
            continue; // assertion could not be fetched or parsed
        }
        $issuers = $xml->xpath('//*[local-name()="Issuer"]');
        $idp = empty($issuers) ? "" : (string)$issuers[0];
        // Escape the entityID before writing it into the page.
        echo "<h2>" . htmlspecialchars($idp, ENT_QUOTES, 'UTF-8') . "</h2>";
        foreach ($xml->xpath('//*[local-name()="Attribute"]/@Name') as $name) {
            array_push($seen_names, (string)$name);
        }
    }
}
var_dump($seen_names);
// The return URL comes from the query string, so escape it before output.
$return_url = htmlspecialchars(isset($_GET['return']) ? $_GET['return'] : '', ENT_QUOTES, 'UTF-8');
?>
<p><a id="return_link" href="<?php echo $return_url ?>">return</a>
<script type="text/javascript">
// Pass a function to setTimeout so the click happens after 3 seconds, not immediately.
window.setTimeout(function () {
    document.getElementById("return_link").click();
}, 3000);
</script>
</body>
</html>
```
Test a simple sessionhook web page which would gather information about attributes
The aim is to have a unified and simple way of gathering attribute release statistics. Note: the problem can still be in the mapping/checking inside Shibboleth before the session is even created...
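
An added example (not part of the original issue or the project's code): building the statistics record described above from one exported assertion, keeping only the IdP entityID and the attribute names and never reading attribute values, which bears on the privacy question in action point b). The function name, the record layout and the sample assertion are assumptions constructed for illustration.

```php
<?php
const SAML_NS = 'urn:oasis:names:tc:SAML:2.0:assertion';

/**
 * Hypothetical helper: turn one exported assertion into a statistics record.
 * Returns null when the XML cannot be parsed or carries no Issuer.
 */
function attribute_release_record(string $assertionXml): ?array
{
    $doc = new DOMDocument();
    // LIBXML_NONET: the XML parser itself must not fetch anything over the network.
    if ($assertionXml === '' || !@$doc->loadXML($assertionXml, LIBXML_NONET)) {
        return null;
    }
    $xp = new DOMXPath($doc);
    $xp->registerNamespace('saml', SAML_NS);

    $issuer = $xp->query('/saml:Assertion/saml:Issuer')->item(0);
    if ($issuer === null) {
        return null;
    }
    $names = [];
    // Select the Name attribute only; AttributeValue elements are never touched.
    foreach ($xp->query('/saml:Assertion/saml:AttributeStatement/saml:Attribute/@Name') as $attr) {
        $names[] = $attr->nodeValue;
    }
    $names = array_values(array_unique($names));
    sort($names);
    return ['idp' => trim($issuer->textContent), 'attributes' => $names];
}

// Constructed sample assertion (not real data).
$sample = <<<XML
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" Version="2.0">
  <saml2:Issuer>https://idp.example.org/idp/shibboleth</saml2:Issuer>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" FriendlyName="eduPersonPrincipalName">
      <saml2:AttributeValue>user@example.org</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail">
      <saml2:AttributeValue>user@example.org</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>
XML;

// JSON payload that would be sent to the statistics engine.
echo json_encode(attribute_release_record($sample), JSON_UNESCAPED_SLASHES), "\n";
```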