diff --git a/README.md b/README.md
index c16f9e4..9356608 100644
--- a/README.md
+++ b/README.md
@@ -47,14 +47,22 @@ Now, there are two ways to do testing:
`user1pass` for the password.
4. After logging in, you should see a PHP information page. Under the
- "Headers" heading, yous should see the following, letting you know you successsfully authenticated using the proxy:
+ "Headers" heading, you should see the following information, letting you know you successsfully authenticated using the proxy:
| Header | Value |
|--------------------|--------------------------------|
- | Referer | "http://idp.example.edu:8080/" |
- | X-Forwarded-Host | "sptest.example.edu" |
+ | Referer | "http://idp.example.edu:8080/" |
+ | X-Forwarded-Host | "sptest.example.edu" |
- 5. When finished, shut down the services from `docker compose.yml`:
+ 5. You should also see on the PHP information page the following Headers and Values, letting you know you successsfully extracted the specified attributes from the SAML assertion in the response:
+
+ | Header | Value |
+ |--------------------------|------------------------|
+ | Shib-Proxy-displayName | "User One" |
+ | Shib-Proxy-eppn | "user1@example.edu" |
+ | Shib-Proxy-mail | "user1@example.edu" |
+
+ 6. When finished, shut down the services from `docker compose.yml`:
```
docker compose down
```
diff --git a/container_files/httpd/proxy.conf b/container_files/httpd/proxy.conf
index 9b2a3c9..0613307 100644
--- a/container_files/httpd/proxy.conf
+++ b/container_files/httpd/proxy.conf
@@ -6,8 +6,9 @@ PassEnv FRONT_HTTPS_PORT
# Configure behavior for all proxied requests
# Prevent these headers from being set by the client
- RequestHeader unset X-Forwarded-Groups
- RequestHeader unset X-Forwarded-User
+ RequestHeader unset Shib-Proxy-displayName
+ RequestHeader unset Shib-Proxy-eppn
+ RequestHeader unset Shib-Proxy-mail
# Provide headers to help the back-end application construct URLs correctly
RequestHeader set X-Forwarded-Proto "https"
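Review bot: Removing `RequestHeader unset X-Forwarded-User` and `RequestHeader unset X-Forwarded-Groups` means a client-supplied value for either header now passes through to the back-end untouched; the proxy no longer sets them, but if anything behind the proxy still reads them that is a spoofable identity path. Keeping the two old unset lines next to the three new `Shib-Proxy-*` ones costs nothing and makes the stripping independent of what the back-end happens to consult. The unset list here and the set list in the next hunk must stay in step; a comment such as `# Every header set from SP attributes below must also be unset here` would make that coupling visible.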
@@ -15,6 +16,7 @@ PassEnv FRONT_HTTPS_PORT
# Set auth headers if corresponding environment variables have been set
# by the Shibboleth SP
- RequestHeader set "X-Forwarded-Groups" "%{isMemberOf}e" env=isMemberOf
- RequestHeader set "X-Forwarded-User" "%{eppn}e" env=eppn
+ RequestHeader set "Shib-Proxy-displayName" "%{displayName}e" env=displayName
+ RequestHeader set "Shib-Proxy-eppn" "%{eppn}e" env=eppn
+ RequestHeader set "Shib-Proxy-mail" "%{mail}e" env=mail
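Review bot: The three `env=displayName` / `env=eppn` / `env=mail` conditions presumably rely on the SP's attribute map exposing the released OID attributes under those ids, but nothing in this file says so, and the IdP test data in this commit keys the attributes by OID rather than by these names. A comment above the block, `# Variable names must match the ids in the SP attribute map (displayName, eppn, mail); see attribute-map.xml`, would tell the next maintainer where to look when a header goes missing. I would also confirm that the back-end treats these headers as trusted only because the client copies are stripped in the hunk above.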
diff --git a/docker-compose.yml b/docker-compose.yml
index 3c9c526..f93c5aa 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -31,6 +31,7 @@ services:
test: ["CMD", "curl", "-f", "--insecure", "http://localhost:8080/simplesaml/module.php/core/frontpage_welcome.php"]
volumes:
- "./tests/containers/idp/users.php:/var/www/simplesamlphp/config/authsources.php"
+ - "./tests/containers/idp/saml20-sp-remote.php:/var/www/simplesamlphp/metadata/saml20-sp-remote.php"
proxy:
build:
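Review bot: The newly mounted saml20-sp-remote.php reads `SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE` and `SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE` via getenv(), so the idp service's environment must define both; that part of the service definition is outside this hunk, so I cannot confirm it here. A short comment on the volume line, `# reads SIMPLESAMLPHP_SP_* from the idp environment`, would make the dependency visible. Since the file is a fixture the container never writes, mounting it with a `:ro` suffix would also be reasonable.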
@@ -123,6 +124,9 @@ services:
SAML_IDP_METADATA: |
+
+ example.edu
+
diff --git a/tests/containers/idp/saml20-sp-remote.php b/tests/containers/idp/saml20-sp-remote.php
new file mode 100644
index 0000000..bcadd77
--- /dev/null
+++ b/tests/containers/idp/saml20-sp-remote.php
@@ -0,0 +1,12 @@
+ getenv('SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE'),
+ 'SingleLogoutService' => getenv('SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE'),
+ 'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
+);
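Review bot: `getenv()` returns `false` when the variable is unset, so a missing `SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE` silently yields a metadata entry whose endpoint is `false` instead of failing at startup; `getenv('SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE') ?: throw new RuntimeException('SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE is not set'),` (and the same for the logout service) would surface the misconfiguration immediately. The hunk header announces 12 lines but only the last four are visible here, so I cannot see whether the entry restricts the released attributes; if it does not, the user1 entry in users.php also carries uid, first_name and last_name, which would then be released to the SP beyond the three OIDs the proxy actually uses. Worth confirming and, if absent, adding an attribute release list limited to the three OIDs.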
diff --git a/tests/containers/idp/users.php b/tests/containers/idp/users.php
index e65744a..4881c0b 100644
--- a/tests/containers/idp/users.php
+++ b/tests/containers/idp/users.php
@@ -11,54 +11,15 @@
'uid' => array('1'),
'first_name' => 'User',
'last_name' => 'One',
- 'email' => 'user_1@example.com',
+ 'urn:oid:0.9.2342.19200300.100.1.3' => 'user_1@example.edu',
+ 'urn:oid:1.3.6.1.4.1.5923.1.1.1.6' => 'user_1@example.edu',
+ 'urn:oid:2.16.840.1.113730.3.1.241' => 'User One',
),
- 'user2:user2pass' => array(
- 'uid' => array('2'),
- 'first_name' => 'User',
- 'last_name' => 'Two',
- 'email' => 'user_2@example.com',
- ),
- 'user3:user3pass' => array(
- 'uid' => array('3'),
- 'first_name' => 'User',
- 'last_name' => 'Three',
- 'email' => 'user_3@example.com',
- ),
- 'user4:user4pass' => array(
- 'uid' => array('4'),
- 'name' => 'User Four',
- 'email' => 'user_4@example.com',
- ),
- 'unauthorizeduser:unauthorizedpass' => [
- 'uid' => ['unauthorized.user@id.example.org'],
- 'name' => 'Unauthorized User',
- 'email' => 'unauthorized@example.org',
- 'groups' => [],
- ],
- 'authorizeduser:authorizedpass' => [
- 'uid' => ['authorized.user@id.example.org'],
- 'name' => 'Authorized User',
- 'email' => 'authorized@example.org',
- 'groups' => ['users'],
- ],
'externaluser:externalpass' => [
'uid' => ['external.user@id.example.org'],
'name' => 'External User',
- 'email' => 'external@example.org',
+ 'mail' => 'external@example.org',
'groups' => ['external'],
],
- 'adminuser:adminpass' => [
- 'uid' => ['admin.user@id.example.org'],
- 'name' => 'Admin User',
- 'email' => 'adminuser@example.org',
- 'groups' => ['admins'],
- ],
- 'auditoruser:auditorpass' => [
- 'uid' => ['auditor.user@id.example.org'],
- 'name' => 'Auditor User',
- 'email' => 'auditor@example.org',
- 'groups' => ['auditors'],
- ],
),
);
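Review bot: The new user1 values are `user_1@example.edu` for both the mail and eppn OIDs, while the README table added in this same commit expects `Shib-Proxy-eppn` and `Shib-Proxy-mail` to read `"user1@example.edu"`; one of the two is wrong, and the documented verification step will not match what the proxy emits. Either change these two entries to `'user1@example.edu'` or fix the README table. Separately, the externaluser entry keys its address as `mail` while user1 uses the OID key, so whether externaluser's address is released under the same name depends on mapping that is not visible here; keying both the same way (OID) would remove the ambiguity.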