
I have successfully configured simpleSAMLphp so that it authenticates via the Test Shib IDP (https://www.testshib.org/).

Test Shib returns the following attributes:


  • urn:oid:0.9.2342.19200300.100.1.1
  • urn:oid:1.3.6.1.4.1.5923.1.1.1.1
  • urn:oid:1.3.6.1.4.1.5923.1.1.1.6
  • urn:oid:2.5.4.4
  • urn:oid:1.3.6.1.4.1.5923.1.1.1.9
  • urn:oid:2.5.4.42
  • urn:oid:1.3.6.1.4.1.5923.1.1.1.7
  • urn:oid:2.5.4.3
  • urn:oid:1.3.6.1.4.1.5923.1.1.1.10
  • urn:oid:2.5.4.20

I would like to map these attributes to friendly names. Can anyone give me some pointers as to how to do that?

The default-sp example in authsources.php has the following:

/*
 * The attributes parameter must contain an array of desired attributes by the SP.
 * The attributes can be expressed as an array of names or as an associative array
 * in the form of 'friendlyName' => 'name'.
 * The metadata will then be created as follows:
 * <md:RequestedAttribute FriendlyName="friendlyName" Name="name" />
 */
 /*'attributes' => array(
   'attrname' => 'urn:oid:x.x.x.x',
 ),*/

But setting

'attributes' => array('myTestValue' => 'urn:oid:0.9.2342.19200300.100.1.1'),

has no effect.

Any help will be very gratefully received!

Luke O'Sullivan

2 Answers


Assuming SimpleSAMLPHP 1.6 and higher, you can simply use the built-in oid2name attributemap to do the mapping for you.

'authproc' => array(
    50 => array(
        'class' => 'core:AttributeMap',
        'oid2name',
    ),
),

To add to Luke's answer, you can simply add an authproc filter in the following places:

  • Globally in config.php
  • On the SP: Specific for only the SP in authsources.php
  • On the SP: Specific for only one remote IdP in saml20-idp-remote or shib13-idp-remote
  • On the IdP: Specific for only one hosted IdP in saml20-idp-hosted or shib13-idp-hosted
  • On the IdP: Specific for only one remote SP in saml20-sp-remote or shib13-sp-remote

Taken from https://simplesamlphp.org/docs/stable/simplesamlphp-authproc


You can see additional AttributeMaps such as oid2urn and oid2feide in the source found here:

https://github.com/simplesamlphp/simplesamlphp/tree/master/attributemap

ObjectiveTruth

Comment: Note, not sure if it changed but it looks like the key is authproc.sp (or .idp) in the global configuration, according to the section "1.1 Filters in config.php" on that documentation page. Just in case someone else is confused when this isn't working. – Berdir Nov 12 '18 at 16:12

According to https://simplesamlphp.org/docs/stable/simplesamlphp-authproc, the correct way to manipulate attributes is via the "authproc" functionality.

In my case, I added the following to the configuration array for https://idp.testshib.org/idp/shibboleth in config/saml20-idp-remote.php:

'authproc' => array(
    50 => array(
        'class' => 'core:AttributeCopy',
        'urn:oid:0.9.2342.19200300.100.1.1' => 'uid',
    ),
),

The documentation suggests that this configuration array can be added in the following places:

  • Globally in config.php
  • On the SP: Specific for only the SP in authsources.php
  • On the SP: Specific for only one remote IdP in saml20-idp-remote or shib13-idp-remote
  • On the IdP: Specific for only one hosted IdP in saml20-idp-hosted or shib13-idp-hosted
  • On the IdP: Specific for only one remote SP in saml20-sp-remote or shib13-sp-remote

Please note that you may need to clear any sessions (close and reopen your browser) for the changes to work.

Top tip for future reference - always read the most current version of the documentation!

Luke O'Sullivan
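The following is an added example, not code from either answer or from simpleSAMLphp itself: it emulates in plain PHP what the core:AttributeMap filter with oid2name (first answer) and the core:AttributeCopy filter (second answer) each do to the attribute names TestShib returns, so the difference can be seen without a round trip through the IdP. The OID-to-name table is a hand-copied subset of simpleSAMLphp's attributemap/oid2name.php for the OIDs listed in the question; the attribute values, the made-up OID urn:oid:1.2.3.4.5.6, the value-merging behaviour, and the optional include of a real checkout's oid2name.php (assumed to set $attributemap) are all my assumptions.

```php
<?php
// Added example (not code from the answers or from simpleSAMLphp): a small
// stand-alone emulation of what the two filters discussed on this page do to
// the attribute set TestShib returns.
declare(strict_types=1);

// Hand-copied subset of simpleSAMLphp's attributemap/oid2name.php covering the
// OIDs listed in the question (standard LDAP and eduPerson attribute names).
const OID2NAME = [
    'urn:oid:0.9.2342.19200300.100.1.1' => 'uid',
    'urn:oid:1.3.6.1.4.1.5923.1.1.1.1'  => 'eduPersonAffiliation',
    'urn:oid:1.3.6.1.4.1.5923.1.1.1.6'  => 'eduPersonPrincipalName',
    'urn:oid:2.5.4.4'                   => 'sn',
    'urn:oid:1.3.6.1.4.1.5923.1.1.1.9'  => 'eduPersonScopedAffiliation',
    'urn:oid:2.5.4.42'                  => 'givenName',
    'urn:oid:1.3.6.1.4.1.5923.1.1.1.7'  => 'eduPersonEntitlement',
    'urn:oid:2.5.4.3'                   => 'cn',
    'urn:oid:1.3.6.1.4.1.5923.1.1.1.10' => 'eduPersonTargetedID',
    'urn:oid:2.5.4.20'                  => 'telephoneNumber',
];

/**
 * Emulates core:AttributeMap: names found in $map are renamed, names not in
 * the map pass through unchanged, and values landing on an already-present
 * target name are merged. With $duplicate (the filter's '%duplicate' option)
 * the original attribute is kept alongside the renamed one. The merge
 * semantics are an approximation, not copied from the real filter.
 */
function attributeMap(array $attributes, array $map, bool $duplicate = false): array
{
    $out = [];
    foreach ($attributes as $name => $values) {
        if (!isset($map[$name])) {
            $out[$name] = $values;
            continue;
        }
        $target = $map[$name];
        $out[$target] = array_values(array_unique(array_merge($out[$target] ?? [], $values)));
        if ($duplicate) {
            $out[$name] = $values;
        }
    }
    return $out;
}

/**
 * Emulates core:AttributeCopy: every source in $copies that is present gets its
 * values written under the target name as well; the source attribute stays.
 */
function attributeCopy(array $attributes, array $copies): array
{
    foreach ($copies as $source => $target) {
        if (isset($attributes[$source])) {
            $attributes[$target] = $attributes[$source];
        }
    }
    return $attributes;
}

/** Names still in urn:oid form after filtering, i.e. what the map did not cover. */
function remainingOids(array $attributes): array
{
    return array_values(array_filter(array_keys($attributes), function (string $name): bool {
        return strncmp($name, 'urn:oid:', 8) === 0;
    }));
}

// Constructed sample assertion: real TestShib attribute names, made-up values,
// plus one made-up OID that is deliberately absent from the map.
$assertion = [
    'urn:oid:0.9.2342.19200300.100.1.1' => ['myself'],
    'urn:oid:1.3.6.1.4.1.5923.1.1.1.6'  => ['myself@testshib.org'],
    'urn:oid:1.3.6.1.4.1.5923.1.1.1.1'  => ['Member', 'Staff'],
    'urn:oid:2.5.4.42'                  => ['Me'],
    'urn:oid:2.5.4.4'                   => ['Myself'],
    'urn:oid:1.2.3.4.5.6'               => ['unmapped'],
];

// Optional: pass the path of a simpleSAMLphp checkout to use its full map
// (assumes attributemap/oid2name.php sets $attributemap).
$map = OID2NAME;
if ($argc > 1 && is_file($argv[1] . '/attributemap/oid2name.php')) {
    $attributemap = [];
    include $argv[1] . '/attributemap/oid2name.php';
    $map = $attributemap;
}

$mapped = attributeMap($assertion, $map);
echo "core:AttributeMap oid2name -> keys: " . implode(', ', array_keys($mapped)) . "\n";
echo "  still OID-named: " . implode(', ', remainingOids($mapped)) . "\n";

$copied = attributeCopy($assertion, ['urn:oid:0.9.2342.19200300.100.1.1' => 'uid']);
echo "core:AttributeCopy uid     -> keys: " . implode(', ', array_keys($copied)) . "\n";
echo "  still OID-named: " . implode(', ', remainingOids($copied)) . "\n";
```

Run it as `php attrmap_demo.php` or `php attrmap_demo.php /path/to/simplesamlphp`. The point to take from the two outputs: AttributeMap renames the attributes, so the urn:oid names disappear from the session (except for anything the map does not know, which remainingOids() lists so you can spot it), while AttributeCopy from the second answer leaves the urn:oid attribute in place next to the new uid attribute, so an application that consumes the whole attribute set will see both names. Either way the filter runs at login time, which is why the second answer's note about clearing existing sessions applies.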