TIDO-508 Add extracted test SAML Attributes to proxy (#4)
dmartinez committed Sep 23, 2024
1 parent c7212de commit 71bd534
Showing 5 changed files with 38 additions and 51 deletions.
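--- a/README.md
+++ b/README.md
@@ -47,14 +47,22 @@ Now, there are two ways to do testing:
 `user1pass` for the password.
 
 4. After logging in, you should see a PHP information page. Under the
-"Headers" heading, yous should see the following, letting you know you successsfully authenticated using the proxy:
+"Headers" heading, you should see the following information, letting you know you successsfully authenticated using the proxy:
 
 | Header | Value |
 |--------------------|--------------------------------|
-| Referer | "http://idp.example.edu:8080/" |
-| X-Forwarded-Host | "sptest.example.edu" |
+| Referer | "http://idp.example.edu:8080/" |
+| X-Forwarded-Host | "sptest.example.edu" |
 
-5. When finished, shut down the services from `docker compose.yml`:
+5. You should also see on the PHP information page the following Headers and Values, letting you know you successsfully extracted the specified attributes from the SAML assertion in the response:
+
+| Header | Value |
+|--------------------------|------------------------|
+| Shib-Proxy-displayName | "User One" |
+| Shib-Proxy-eppn | "user1@example.edu" |
+| Shib-Proxy-mail | "user1@example.edu" |
+
+6. When finished, shut down the services from `docker compose.yml`:
 ```
 docker compose down
 ```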
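--- a/container_files/httpd/proxy.conf
+++ b/container_files/httpd/proxy.conf
@@ -6,15 +6,17 @@ PassEnv FRONT_HTTPS_PORT
 # Configure behavior for all proxied requests
 <Proxy "*">
 # Prevent these headers from being set by the client
-RequestHeader unset X-Forwarded-Groups
-RequestHeader unset X-Forwarded-User
+RequestHeader unset Shib-Proxy-displayName
+RequestHeader unset Shib-Proxy-eppn
+RequestHeader unset Shib-Proxy-mail
 
 # Provide headers to help the back-end application construct URLs correctly
 RequestHeader set X-Forwarded-Proto "https"
 RequestHeader set X-Forwarded-Port "%{FRONT_HTTPS_PORT}e"
 
 # Set auth headers if corresponding environment variables have been set
 # by the Shibboleth SP
-RequestHeader set "X-Forwarded-Groups" "%{isMemberOf}e" env=isMemberOf
-RequestHeader set "X-Forwarded-User" "%{eppn}e" env=eppn
+RequestHeader set "Shib-Proxy-displayName" "%{displayName}e" env=displayName
+RequestHeader set "Shib-Proxy-eppn" "%{eppn}e" env=eppn
+RequestHeader set "Shib-Proxy-mail" "%{mail}e" env=mail
 </Proxy>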
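Review bot: Removing `RequestHeader unset X-Forwarded-Groups` and `RequestHeader unset X-Forwarded-User` means those two header names are no longer stripped from incoming requests, so any backend that still reads them would now receive whatever the client sends. Unless nothing behind the proxy consumes them any more, keep both unset lines next to the new `Shib-Proxy-*` ones; stripping a header that is never set costs nothing. Note also that when an SP attribute is absent the `env=` condition skips the `set`, so the `unset` block is the only thing preventing a client-supplied `Shib-Proxy-*` value from passing through in that case; a comment above the unset block such as `# Every header set below from SP attributes must also be unset here` would help keep the two lists in sync.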
4 changes: 4 additions & 0 deletions docker-compose.yml
@@ -31,6 +31,7 @@ services:
test: ["CMD", "curl", "-f", "--insecure", "http://localhost:8080/simplesaml/module.php/core/frontpage_welcome.php"]
volumes:
- "./tests/containers/idp/users.php:/var/www/simplesamlphp/config/authsources.php"
- "./tests/containers/idp/saml20-sp-remote.php:/var/www/simplesamlphp/metadata/saml20-sp-remote.php"

proxy:
build:
@@ -123,6 +124,9 @@ services:
SAML_IDP_METADATA: |
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://idp.example.edu:8080/simplesaml/saml2/idp/metadata.php">
<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:Extensions>
<shibmd:Scope xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" regexp="false">example.edu</shibmd:Scope>
</md:Extensions>
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
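Review bot: The `<shibmd:Scope>` value `example.edu` inside `SAML_IDP_METADATA` has to agree with the domain used in the scoped attribute values in tests/containers/idp/users.php, and nothing in the compose file records that coupling; presumably the SP's scope check would otherwise drop the scoped eppn/mail attributes, which is the behaviour the README now tests for. A YAML comment above `SAML_IDP_METADATA`, e.g. `# Scope must match the domain of the eppn/mail values in tests/containers/idp/users.php`, would keep the two files from drifting. The new volume mount of saml20-sp-remote.php in the first hunk in turn depends on the `SIMPLESAMLPHP_SP_*` variables being set on the idp service; they are not visible in these hunks, so I cannot confirm they are defined.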
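--- a/tests/containers/idp/saml20-sp-remote.php
+++ b/tests/containers/idp/saml20-sp-remote.php
@@ -0,0 +1,12 @@
+<?php
+/**
+* SAML 2.0 remote SP metadata for SimpleSAMLphp.
+*
+* See: https://simplesamlphp.org/docs/stable/simplesamlphp-reference-sp-remote
+*/
+
+$metadata[getenv('SIMPLESAMLPHP_SP_ENTITY_ID')] = array(
+'AssertionConsumerService' => getenv('SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE'),
+'SingleLogoutService' => getenv('SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE'),
+'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
+);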
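Review bot: `getenv()` returns `false` when a variable is unset, so a missing `SIMPLESAMLPHP_SP_ENTITY_ID` silently registers the SP under array key `0` and a missing ACS or SLO URL becomes `false` in the metadata, which would surface later as a confusing SimpleSAMLphp error rather than at container start. Failing fast with a small helper that rejects unset or empty values makes a misconfigured test IdP obvious, and the array can use short `[]` syntax while it is touched. Since this is an IdP-side trust declaration, a one-line comment noting that the ACS URL is where assertions will be posted and must be kept consistent with the proxy's SP configuration would also be worthwhile.
```php
/** Reads a required environment variable, failing fast when it is unset or empty. */
$requireEnv = static function (string $name): string {
    $value = getenv($name);
    if ($value === false || $value === '') {
        throw new RuntimeException("Missing required environment variable: {$name}");
    }
    return $value;
};

$metadata[$requireEnv('SIMPLESAMLPHP_SP_ENTITY_ID')] = [
    'AssertionConsumerService' => $requireEnv('SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE'),
    'SingleLogoutService' => $requireEnv('SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE'),
    'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
];
```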
47 changes: 4 additions & 43 deletions tests/containers/idp/users.php
@@ -11,54 +11,15 @@
'uid' => array('1'),
'first_name' => 'User',
'last_name' => 'One',
'email' => 'user_1@example.com',
'urn:oid:0.9.2342.19200300.100.1.3' => 'user_1@example.edu',
'urn:oid:1.3.6.1.4.1.5923.1.1.1.6' => 'user_1@example.edu',
'urn:oid:2.16.840.1.113730.3.1.241' => 'User One',
),
'user2:user2pass' => array(
'uid' => array('2'),
'first_name' => 'User',
'last_name' => 'Two',
'email' => 'user_2@example.com',
),
'user3:user3pass' => array(
'uid' => array('3'),
'first_name' => 'User',
'last_name' => 'Three',
'email' => 'user_3@example.com',
),
'user4:user4pass' => array(
'uid' => array('4'),
'name' => 'User Four',
'email' => 'user_4@example.com',
),
'unauthorizeduser:unauthorizedpass' => [
'uid' => ['unauthorized.user@id.example.org'],
'name' => 'Unauthorized User',
'email' => 'unauthorized@example.org',
'groups' => [],
],
'authorizeduser:authorizedpass' => [
'uid' => ['authorized.user@id.example.org'],
'name' => 'Authorized User',
'email' => 'authorized@example.org',
'groups' => ['users'],
],
'externaluser:externalpass' => [
'uid' => ['external.user@id.example.org'],
'name' => 'External User',
'email' => 'external@example.org',
'mail' => 'external@example.org',
'groups' => ['external'],
],
'adminuser:adminpass' => [
'uid' => ['admin.user@id.example.org'],
'name' => 'Admin User',
'email' => 'adminuser@example.org',
'groups' => ['admins'],
],
'auditoruser:auditorpass' => [
'uid' => ['auditor.user@id.example.org'],
'name' => 'Auditor User',
'email' => 'auditor@example.org',
'groups' => ['auditors'],
],
),
);
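Review bot: The new attribute values for user1 are `user_1@example.edu` (with an underscore), while the README table added in this same commit expects `Shib-Proxy-eppn` and `Shib-Proxy-mail` to show `user1@example.edu`; one of the two is wrong, and if the README is the intended contract the documented check will not match what the IdP releases. The three OID keys would also read much better with a trailing comment naming the attribute each one carries, e.g. `'urn:oid:0.9.2342.19200300.100.1.3' => 'user_1@example.edu', // mail`, `'urn:oid:1.3.6.1.4.1.5923.1.1.1.6' => 'user_1@example.edu', // eduPersonPrincipalName`, `'urn:oid:2.16.840.1.113730.3.1.241' => 'User One', // displayName`. The enclosing authsource array starts before this hunk, so I cannot tell from here whether user2 keeps its `email` key while user1 loses it; if the old/new sides are as they appear, that asymmetry is worth a sentence in the file header.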
