From 61632632e040a013d9137668093b0971aa3c84e1 Mon Sep 17 00:00:00 2001
From: dmartinez
Date: Tue, 27 Aug 2024 16:20:28 -0700
Subject: [PATCH 1/6] Add attributes to be extracted by proxy
---
 README.md | 14 ++++++++++----
 container_files/httpd/proxy.conf | 4 ++--
 container_files/shibboleth/attribute-map.xml | 12 ++++++++++--
 tests/containers/idp/users.php | 8 ++++----
 4 files changed, 26 insertions(+), 12 deletions(-)
diff --git a/README.md b/README.md
index c16f9e4..772b572 100644
--- a/README.md
+++ b/README.md
@@ -47,14 +47,20 @@ Now, there are two ways to do testing:
 `user1pass` for the password.
 4. After logging in, you should see a PHP information page. Under the
- "Headers" heading, yous should see the following, letting you know you successsfully authenticated using the proxy:
+ "Headers" heading, you should see the following information, letting you know you successsfully authenticated using the proxy:
 | Header | Value |
 |--------------------|--------------------------------|
- | Referer | "http://idp.example.edu:8080/" |
- | X-Forwarded-Host | "sptest.example.edu" |
+ | Referer | "http://idp.example.edu:8080/" |
+ | X-Forwarded-Host | "sptest.example.edu" |
- 5. When finished, shut down the services from `docker compose.yml`:
+ 5. You should also see on the PHP information page the following Headers and Values, letting you know you successsfully extracted the specified attributes from the SAML assertion in the response:
+
+ | Header | Value |
+ |--------------------|--------------------------------|
+ | X-Forwarded-Email | "user1@example.edu" |
+
+ 6. When finished, shut down the services from `docker compose.yml`:
 ```
 docker compose down
 ```
diff --git a/container_files/httpd/proxy.conf b/container_files/httpd/proxy.conf
index 9b2a3c9..6fd46bc 100644
--- a/container_files/httpd/proxy.conf
+++ b/container_files/httpd/proxy.conf
@@ -7,7 +7,7 @@ PassEnv FRONT_HTTPS_PORT
 # Prevent these headers from being set by the client
 RequestHeader unset X-Forwarded-Groups
- RequestHeader unset X-Forwarded-User
+ RequestHeader unset X-Forwarded-Email
 # Provide headers to help the back-end application construct URLs correctly
 RequestHeader set X-Forwarded-Proto "https"
@@ -16,5 +16,5 @@ PassEnv FRONT_HTTPS_PORT
 # Set auth headers if corresponding environment variables have been set
 # by the Shibboleth SP
 RequestHeader set "X-Forwarded-Groups" "%{isMemberOf}e" env=isMemberOf
- RequestHeader set "X-Forwarded-User" "%{eppn}e" env=eppn
+ RequestHeader set "X-Forwarded-Email" "%{email}e" env=email
diff --git a/container_files/shibboleth/attribute-map.xml b/container_files/shibboleth/attribute-map.xml
index 9538676..b37ffce 100644
--- a/container_files/shibboleth/attribute-map.xml
+++ b/container_files/shibboleth/attribute-map.xml
@@ -6,13 +6,18 @@ few exceptions for newer attributes where the name is the same for both versions. You will usually want to uncomment or map the names for both SAML versions as a unit. --> - + + + + + + - +
@@ -22,6 +27,7 @@ +
@@ -29,10 +35,12 @@ + +
diff --git a/tests/containers/idp/users.php b/tests/containers/idp/users.php
index e65744a..40b7edc 100644
--- a/tests/containers/idp/users.php
+++ b/tests/containers/idp/users.php
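Review bot: The first hunk (`@@ -7,7`) drops `RequestHeader unset X-Forwarded-User`, so a client-supplied X-Forwarded-User header is no longer stripped before the request is proxied, while the second hunk (`@@ -16,5`) only removes the SP-driven `set` for it; if the application behind this proxy still honours that header, it would now trust whatever the client sends. The same pattern recurs in PATCH 5/6 (`@@ -6,8 +6,9`), where `RequestHeader unset X-Forwarded-Groups` is removed together with its `set` line. An `unset` is free, so the strip list should stay a superset of every identity header a backend has ever consumed rather than being kept in lockstep with the `set` list: keep `RequestHeader unset X-Forwarded-User` here and `RequestHeader unset X-Forwarded-Groups` in PATCH 5/6. A comment above the block such as `# Keep this list a superset of the headers set below; retired names must still be stripped` would make that intent explicit.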
@@ -11,24 +11,24 @@
 'uid' => array('1'),
 'first_name' => 'User',
 'last_name' => 'One',
- 'email' => 'user_1@example.com',
+ 'email' => 'user_1@example.edu',
 ),
 'user2:user2pass' => array(
 'uid' => array('2'),
 'first_name' => 'User',
 'last_name' => 'Two',
- 'email' => 'user_2@example.com',
+ 'email' => 'user_2@example.edu',
 ),
 'user3:user3pass' => array(
 'uid' => array('3'),
 'first_name' => 'User',
 'last_name' => 'Three',
- 'email' => 'user_3@example.com',
+ 'email' => 'user_3@example.edu',
 ),
 'user4:user4pass' => array(
 'uid' => array('4'),
 'name' => 'User Four',
- 'email' => 'user_4@example.com',
+ 'email' => 'user_4@example.edu',
 ),
 'unauthorizeduser:unauthorizedpass' => [
 'uid' => ['unauthorized.user@id.example.org'],
From 7a0a727954eb51e0131d7ff0894cd3283c82cfbd Mon Sep 17 00:00:00 2001
From: dmartinez
Date: Wed, 28 Aug 2024 10:36:01 -0700
Subject: [PATCH 2/6] Add two different test attribute methods
---
 README.md | 7 ++++---
 container_files/shibboleth/attribute-map.xml | 6 +++++-
 tests/containers/idp/users.php | 1 +
 3 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index 772b572..45cf418 100644
--- a/README.md
+++ b/README.md
@@ -56,9 +56,10 @@ Now, there are two ways to do testing:
 5. You should also see on the PHP information page the following Headers and Values, letting you know you successsfully extracted the specified attributes from the SAML assertion in the response:
- | Header | Value |
- |--------------------|--------------------------------|
- | X-Forwarded-Email | "user1@example.edu" |
+ | Header | Value |
+ |--------------------|------------------------------------------------|
+ | X-Forwarded-Email | "user1@example.edu" |
+ | X-Forwarded-Groups | "cn=developers,ou=Groups,dc=internet2,dc=edu" |
 6. When finished, shut down the services from `docker compose.yml`:
 ```
diff --git a/container_files/shibboleth/attribute-map.xml b/container_files/shibboleth/attribute-map.xml
index b37ffce..87cd552 100644
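Review bot: The README table added in this same patch (PATCH 1/6) documents X-Forwarded-Email as `"user1@example.edu"`, but the fixture value changed here is `'email' => 'user_1@example.edu'` (with an underscore), so a tester following the README will not see the documented value. Either change the fixture to `'email' => 'user1@example.edu'` or correct the README row. The same mismatch carries through the PATCH 5/6 users.php hunk and the PATCH 6/6 README table. The enclosing array literal begins before this hunk.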
--- a/container_files/shibboleth/attribute-map.xml
+++ b/container_files/shibboleth/attribute-map.xml
@@ -10,7 +10,11 @@ - + + + + +
diff --git a/tests/containers/idp/users.php b/tests/containers/idp/users.php
index 40b7edc..4ffa455 100644
--- a/tests/containers/idp/users.php
+++ b/tests/containers/idp/users.php
@@ -12,6 +12,7 @@
 'first_name' => 'User',
 'last_name' => 'One',
 'email' => 'user_1@example.edu',
+ 'isMemberOf' => 'cn=developers,ou=Groups,dc=internet2,dc=edu',
 ),
 'user2:user2pass' => array(
 'uid' => array('2'),
From 0b6d8d7d6bb0dc9919e95c774e6662f21531314d Mon Sep 17 00:00:00 2001
From: dmartinez
Date: Wed, 28 Aug 2024 10:43:17 -0700
Subject: [PATCH 3/6] Rename test attributes
---
 container_files/httpd/proxy.conf | 4 ++--
 container_files/shibboleth/attribute-map.xml | 4 ++--
 tests/containers/idp/users.php | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/container_files/httpd/proxy.conf b/container_files/httpd/proxy.conf
index 6fd46bc..604b0bf 100644
--- a/container_files/httpd/proxy.conf
+++ b/container_files/httpd/proxy.conf
@@ -15,6 +15,6 @@ PassEnv FRONT_HTTPS_PORT
 # Set auth headers if corresponding environment variables have been set
 # by the Shibboleth SP
- RequestHeader set "X-Forwarded-Groups" "%{isMemberOf}e" env=isMemberOf
- RequestHeader set "X-Forwarded-Email" "%{email}e" env=email
+ RequestHeader set "X-Forwarded-Groups" "%{isMemberOfTest}e" env=isMemberOfTest
+ RequestHeader set "X-Forwarded-Email" "%{emailTest}e" env=emailTest
diff --git a/container_files/shibboleth/attribute-map.xml b/container_files/shibboleth/attribute-map.xml
index 87cd552..4d3b2f9 100644
--- a/container_files/shibboleth/attribute-map.xml
+++ b/container_files/shibboleth/attribute-map.xml
@@ -10,9 +10,9 @@ - + - +
diff --git a/tests/containers/idp/users.php b/tests/containers/idp/users.php
index 4ffa455..cacadc6 100644
--- a/tests/containers/idp/users.php
+++ b/tests/containers/idp/users.php
@@ -11,8 +11,8 @@
 'uid' => array('1'),
 'first_name' => 'User',
 'last_name' => 'One',
- 'email' => 'user_1@example.edu',
- 'isMemberOf' => 'cn=developers,ou=Groups,dc=internet2,dc=edu',
+ 'emailTest' => 'user_1@example.edu',
+ 'isMemberOfTest' => 'cn=developers,ou=Groups,dc=internet2,dc=edu',
 ),
 'user2:user2pass' => array(
 'uid' => array('2'),
From f62a60ecdcfa3ec2d95087bf403bb84b4de2d885 Mon Sep 17 00:00:00 2001
From: dmartinez
Date: Fri, 30 Aug 2024 14:09:17 -0700
Subject: [PATCH 4/6] Reduce number of example users in IdP test env
---
 tests/containers/idp/users.php | 41 ----------------------------------
 1 file changed, 41 deletions(-)
diff --git a/tests/containers/idp/users.php b/tests/containers/idp/users.php
index cacadc6..55f6a43 100644
--- a/tests/containers/idp/users.php
+++ b/tests/containers/idp/users.php
@@ -14,52 +14,11 @@
 'emailTest' => 'user_1@example.edu',
 'isMemberOfTest' => 'cn=developers,ou=Groups,dc=internet2,dc=edu',
 ),
- 'user2:user2pass' => array(
- 'uid' => array('2'),
- 'first_name' => 'User',
- 'last_name' => 'Two',
- 'email' => 'user_2@example.edu',
- ),
- 'user3:user3pass' => array(
- 'uid' => array('3'),
- 'first_name' => 'User',
- 'last_name' => 'Three',
- 'email' => 'user_3@example.edu',
- ),
- 'user4:user4pass' => array(
- 'uid' => array('4'),
- 'name' => 'User Four',
- 'email' => 'user_4@example.edu',
- ),
- 'unauthorizeduser:unauthorizedpass' => [
- 'uid' => ['unauthorized.user@id.example.org'],
- 'name' => 'Unauthorized User',
- 'email' => 'unauthorized@example.org',
- 'groups' => [],
- ],
- 'authorizeduser:authorizedpass' => [
- 'uid' => ['authorized.user@id.example.org'],
- 'name' => 'Authorized User',
- 'email' => 'authorized@example.org',
- 'groups' => ['users'],
- ],
 'externaluser:externalpass' => [
 'uid' => ['external.user@id.example.org'],
 'name' => 'External User',
 'email' => 'external@example.org',
 'groups' => ['external'],
 ],
- 'adminuser:adminpass' => [
- 'uid' => ['admin.user@id.example.org'],
- 'name' => 'Admin User',
- 'email' => 'adminuser@example.org',
- 'groups' => ['admins'],
- ],
- 'auditoruser:auditorpass' => [
- 'uid' => ['auditor.user@id.example.org'],
- 'name' => 'Auditor User',
- 'email' => 'auditor@example.org',
- 'groups' => ['auditors'],
- ],
 ),
 );
From e1b278f94802ed9231631d49c1d595625811e102 Mon Sep 17 00:00:00 2001
From: dmartinez
Date: Tue, 3 Sep 2024 10:18:58 -0700
Subject: [PATCH 5/6] Add SAML2 names, IdP scope, attributes NameFormat change
---
 container_files/httpd/proxy.conf | 8 +++++---
 container_files/shibboleth/attribute-map.xml | 9 ---------
 docker-compose.yml | 4 ++++
 tests/containers/idp/saml20-sp-remote.php | 12 ++++++++++++
 tests/containers/idp/users.php | 7 ++++---
 5 files changed, 25 insertions(+), 15 deletions(-)
 create mode 100644 tests/containers/idp/saml20-sp-remote.php
diff --git a/container_files/httpd/proxy.conf b/container_files/httpd/proxy.conf
index 604b0bf..6c4dd82 100644
--- a/container_files/httpd/proxy.conf
+++ b/container_files/httpd/proxy.conf
@@ -6,8 +6,9 @@ PassEnv FRONT_HTTPS_PORT
 # Configure behavior for all proxied requests
 # Prevent these headers from being set by the client
- RequestHeader unset X-Forwarded-Groups
+ RequestHeader unset X-Forwarded-DisplayName
 RequestHeader unset X-Forwarded-Email
+ RequestHeader unset X-Forwarded-User
 # Provide headers to help the back-end application construct URLs correctly
 RequestHeader set X-Forwarded-Proto "https"
@@ -15,6 +16,7 @@ PassEnv FRONT_HTTPS_PORT
 # Set auth headers if corresponding environment variables have been set
 # by the Shibboleth SP
- RequestHeader set "X-Forwarded-Groups" "%{isMemberOfTest}e" env=isMemberOfTest
- RequestHeader set "X-Forwarded-Email" "%{emailTest}e" env=emailTest
+ RequestHeader set "X-Forwarded-DisplayName" "%{displayName}e" env=displayName
+ RequestHeader set "X-Forwarded-Email" "%{mail}e" env=mail
+ RequestHeader set "X-Forwarded-User" "%{eppn}e" env=eppn
diff --git a/container_files/shibboleth/attribute-map.xml b/container_files/shibboleth/attribute-map.xml
index 4d3b2f9..4386e78 100644
--- a/container_files/shibboleth/attribute-map.xml
+++ b/container_files/shibboleth/attribute-map.xml
@@ -7,15 +7,6 @@ usually want to uncomment or map the names for both SAML versions as a unit. --> - - - - - - - - -
diff --git a/docker-compose.yml b/docker-compose.yml
index 3c9c526..f93c5aa 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -31,6 +31,7 @@ services:
 test: ["CMD", "curl", "-f", "--insecure", "http://localhost:8080/simplesaml/module.php/core/frontpage_welcome.php"]
 volumes:
 - "./tests/containers/idp/users.php:/var/www/simplesamlphp/config/authsources.php"
+ - "./tests/containers/idp/saml20-sp-remote.php:/var/www/simplesamlphp/metadata/saml20-sp-remote.php"
 proxy:
 build:
@@ -123,6 +124,9 @@ services:
 SAML_IDP_METADATA: | + + example.edu +
diff --git a/tests/containers/idp/saml20-sp-remote.php b/tests/containers/idp/saml20-sp-remote.php
new file mode 100644
index 0000000..bcadd77
--- /dev/null
+++ b/tests/containers/idp/saml20-sp-remote.php
@@ -0,0 +1,12 @@
+ getenv('SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE'),
+ 'SingleLogoutService' => getenv('SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE'),
+ 'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri', );
diff --git a/tests/containers/idp/users.php b/tests/containers/idp/users.php
index 55f6a43..4881c0b 100644
--- a/tests/containers/idp/users.php
+++ b/tests/containers/idp/users.php
@@ -11,13 +11,14 @@
 'uid' => array('1'),
 'first_name' => 'User',
 'last_name' => 'One',
- 'emailTest' => 'user_1@example.edu',
- 'isMemberOfTest' => 'cn=developers,ou=Groups,dc=internet2,dc=edu',
+ 'urn:oid:0.9.2342.19200300.100.1.3' => 'user_1@example.edu',
+ 'urn:oid:1.3.6.1.4.1.5923.1.1.1.6' => 'user_1@example.edu',
+ 'urn:oid:2.16.840.1.113730.3.1.241' => 'User One',
 ),
 'externaluser:externalpass' => [
 'uid' => ['external.user@id.example.org'],
 'name' => 'External User',
- 'email' => 'external@example.org',
+ 'mail' => 'external@example.org',
 'groups' => ['external'],
 ],
 ),
From 3b324fff9f0fa850cfe8dc598a48ebda1a9fef9f Mon Sep 17 00:00:00 2001
From: dmartinez
Date: Tue, 3 Sep 2024 13:32:56 -0700
Subject: [PATCH 6/6] Update README
---
 README.md | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index 45cf418..6f4b346 100644
--- a/README.md
+++ b/README.md
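Review bot: `getenv()` returns false when the variable is unset, so `'AssertionConsumerService' => getenv('SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE')` and the SingleLogoutService entry below it silently write false into the SP's remote metadata instead of refusing to start; a missing or mistyped variable then only surfaces as an opaque SAML failure at login time, and the ACS is the one endpoint the IdP must never get wrong. Failing fast is a one-line change per entry, e.g. `'AssertionConsumerService' => getenv('SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE') ?: throw new RuntimeException('SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE is not set'),` (PHP 8 throw expression; an `if` guard at the top of the file does the same on older PHP). Only three of the hunk's twelve added lines are legible here, so the opening of the file — presumably the `$metadata[...]` key naming the SP this entry applies to — could not be checked; a header comment stating which SP entityID and which compose environment variables this file expects would help the next reader.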
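Review bot: The user1 entries are now keyed by OID (`'urn:oid:0.9.2342.19200300.100.1.3'`, `'urn:oid:1.3.6.1.4.1.5923.1.1.1.6'`, `'urn:oid:2.16.840.1.113730.3.1.241'`), but externaluser's renamed `'mail' => 'external@example.org'` still uses a friendly name; with the `attributes.NameFormat` URI setting introduced in the same patch, the IdP would presumably emit it as an attribute literally named `mail` in URI format, which an OID-based SP mapping would not recognise, so the rename is likely ineffective. Use `'urn:oid:0.9.2342.19200300.100.1.3' => 'external@example.org'` for consistency, or add a comment stating that externaluser is intentionally left without a mapped mail attribute. A one-line comment above each user1 OID naming the attribute it stands for (mail, eduPersonPrincipalName, displayName) would also spare the next reader a lookup and tie the fixture to the header mappings in proxy.conf. The enclosing array literal begins before this hunk.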
@@ -56,10 +56,11 @@ Now, there are two ways to do testing:
 5. You should also see on the PHP information page the following Headers and Values, letting you know you successsfully extracted the specified attributes from the SAML assertion in the response:
- | Header | Value |
- |--------------------|------------------------------------------------|
- | X-Forwarded-Email | "user1@example.edu" |
- | X-Forwarded-Groups | "cn=developers,ou=Groups,dc=internet2,dc=edu" |
+ | Header | Value |
+ |--------------------------|------------------------|
+ | X-Forwarded-DisplayName | "User One" |
+ | X-Forwarded-Email | "user1@example.edu" |
+ | X-Forwarded-User | "user1@example.edu" |
 6. When finished, shut down the services from `docker compose.yml`:
 ```