TIDO-508 Add extracted test SAML Attributes to proxy

README.md

@@ -47,14 +47,22 @@ Now, there are two ways to do testing:
    `user1pass` for the password.
 
   4. After logging in, you should see a PHP information page. Under the
-      "Headers" heading, yous should see the following, letting you know you successsfully authenticated using the proxy:
+      "Headers" heading, you should see the following information, letting you know you successsfully authenticated using the proxy:
 
       | Header             | Value                          |
       |--------------------|--------------------------------|
-      | Referer   | "http://idp.example.edu:8080/"          |
-      | X-Forwarded-Host | "sptest.example.edu" |
+      | Referer            | "http://idp.example.edu:8080/" |
+      | X-Forwarded-Host   | "sptest.example.edu"           |
 
-  5. When finished, shut down the services from `docker compose.yml`:
+  5. You should also see on the PHP information page the following Headers and Values, letting you know you successsfully extracted the specified attributes from the SAML assertion in the response:
+
+      | Header                   | Value                  |
+      |--------------------------|------------------------|
+      | X-Forwarded-DisplayName  | "User One"             |
+      | X-Forwarded-Email        | "user1@example.edu"    |
+      | X-Forwarded-User         | "user1@example.edu"    |
+
+  6. When finished, shut down the services from `docker compose.yml`:
       ```
       docker compose down
       ```

container_files/httpd/proxy.conf

@@ -6,7 +6,8 @@ PassEnv FRONT_HTTPS_PORT
 # Configure behavior for all proxied requests
 <Proxy "*">
   # Prevent these headers from being set by the client
-  RequestHeader unset X-Forwarded-Groups
+  RequestHeader unset X-Forwarded-DisplayName
+  RequestHeader unset X-Forwarded-Email
   RequestHeader unset X-Forwarded-User
 
   # Provide headers to help the back-end application construct URLs correctly
@@ -15,6 +16,7 @@ PassEnv FRONT_HTTPS_PORT
 
   # Set auth headers if corresponding environment variables have been set
   # by the Shibboleth SP
-  RequestHeader set "X-Forwarded-Groups" "%{isMemberOf}e" env=isMemberOf
+  RequestHeader set "X-Forwarded-DisplayName" "%{displayName}e" env=displayName
+  RequestHeader set "X-Forwarded-Email" "%{mail}e" env=mail
   RequestHeader set "X-Forwarded-User" "%{eppn}e" env=eppn
 </Proxy>

container_files/shibboleth/attribute-map.xml

@@ -6,13 +6,13 @@
     few exceptions for newer attributes where the name is the same for both versions. You will
     usually want to uncomment or map the names for both SAML versions as a unit.
     -->
-  
+
     <!-- New standard identifier attributes for SAML. -->
 
     <Attribute name="urn:oasis:names:tc:SAML:attribute:subject-id" id="subject-id">
         <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
     </Attribute>
-  
+
     <Attribute name="urn:oasis:names:tc:SAML:attribute:pairwise-id" id="pairwise-id">
         <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
     </Attribute>
@@ -22,17 +22,20 @@
     <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
         <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
     </Attribute>
+
     <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="eppn">
         <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
     </Attribute>
 
     <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" id="affiliation">
         <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
     </Attribute>
+
     <Attribute name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" id="affiliation">
         <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
     </Attribute>
 
+
     <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" id="entitlement"/>
     <Attribute name="urn:mace:dir:attribute-def:eduPersonEntitlement" id="entitlement"/>
 

docker-compose.yml

@@ -31,6 +31,7 @@ services:
       test: ["CMD", "curl", "-f", "--insecure", "http://localhost:8080/simplesaml/module.php/core/frontpage_welcome.php"]
     volumes:
       - "./tests/containers/idp/users.php:/var/www/simplesamlphp/config/authsources.php"
+      - "./tests/containers/idp/saml20-sp-remote.php:/var/www/simplesamlphp/metadata/saml20-sp-remote.php"
 
   proxy:
     build:
@@ -123,6 +124,9 @@ services:
       SAML_IDP_METADATA: |
         <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://idp.example.edu:8080/simplesaml/saml2/idp/metadata.php">
           <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+            <md:Extensions>
+              <shibmd:Scope xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" regexp="false">example.edu</shibmd:Scope>
+            </md:Extensions>
             <md:KeyDescriptor use="signing">
               <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                 <ds:X509Data>

tests/containers/idp/saml20-sp-remote.php

@@ -0,0 +1,12 @@
+<?php
+/**
+ * SAML 2.0 remote SP metadata for SimpleSAMLphp.
+ *
+ * See: https://simplesamlphp.org/docs/stable/simplesamlphp-reference-sp-remote
+ */
+
+$metadata[getenv('SIMPLESAMLPHP_SP_ENTITY_ID')] = array(
+    'AssertionConsumerService' => getenv('SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE'),
+    'SingleLogoutService' => getenv('SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE'),
+    'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
+);

tests/containers/idp/users.php

@@ -11,54 +11,15 @@
             'uid' => array('1'),
             'first_name' => 'User',
             'last_name' => 'One',
-            'email' => 'user_1@example.com',
+            'urn:oid:0.9.2342.19200300.100.1.3' => 'user_1@example.edu',
+            'urn:oid:1.3.6.1.4.1.5923.1.1.1.6' => 'user_1@example.edu',
+            'urn:oid:2.16.840.1.113730.3.1.241' => 'User One',
         ),
-        'user2:user2pass' => array(
-            'uid' => array('2'),
-            'first_name' => 'User',
-            'last_name' => 'Two',
-            'email' => 'user_2@example.com',
-        ),
-        'user3:user3pass' => array(
-            'uid' => array('3'),
-            'first_name' => 'User',
-            'last_name' => 'Three',
-            'email' => 'user_3@example.com',
-        ),
-        'user4:user4pass' => array(
-            'uid' => array('4'),
-            'name' => 'User Four',
-            'email' => 'user_4@example.com',
-        ),
-        'unauthorizeduser:unauthorizedpass' => [
-            'uid' => ['unauthorized.user@id.example.org'],
-            'name' => 'Unauthorized User',
-            'email' => 'unauthorized@example.org',
-            'groups' => [],
-        ],
-        'authorizeduser:authorizedpass' => [
-            'uid' => ['authorized.user@id.example.org'],
-            'name' => 'Authorized User',
-            'email' => 'authorized@example.org',
-            'groups' => ['users'],
-        ],
         'externaluser:externalpass' => [
             'uid' => ['external.user@id.example.org'],
             'name' => 'External User',
-            'email' => 'external@example.org',
+            'mail' => 'external@example.org',
             'groups' => ['external'],
         ],
-        'adminuser:adminpass' => [
-            'uid' => ['admin.user@id.example.org'],
-            'name' => 'Admin User',
-            'email' => 'adminuser@example.org',
-            'groups' => ['admins'],
-        ],
-        'auditoruser:auditorpass' => [
-            'uid' => ['auditor.user@id.example.org'],
-            'name' => 'Auditor User',
-            'email' => 'auditor@example.org',
-            'groups' => ['auditors'],
-        ],
     ),
 );