如何在基于SimpleSAMLphp的IdP中用属性替换NameId的值？ [英] How to replace a value of NameId with attribute in SimpleSAMLphp-based IdP?

问题描述

我正在尝试设置SimpleSAMLphp IdP以将SAML响应发送到本地开发服务器（在这种情况下为SP启动的流程）。此IdP基于来自 https：//hub.docker的Docker映像。 com / r / kristophjunge / test-saml-idp / （我相信是1.15版）。

I'm trying to setup SimpleSAMLphp IdP to send a SAML response to my local dev server (SP-initiated flow in this case) . This IdP is based on a Docker image from https://hub.docker.com/r/kristophjunge/test-saml-idp/ (ver. 1.15 I believe).

整个设置是为了模拟我所拥有的类似环境，从而针对同一本地dev SP使用G Suite IdP-试图最终消除本地的云依赖性开发环境，并用等效的SimpleSAMLphp替换它。

The whole setup is to emulate a similar environment that I have whereby G Suite IdP is used against the same local dev SP - trying to eventually eliminate the cloud dependency from my local dev environment and replace it with an equivalent SimpleSAMLphp one.

我遇到的问题是Google在其SAML响应中发送NameId如下：

The problem I'm experiencing is Google sends NameId in its SAML response as this:

<saml2:Subject> 
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">a.b@c.com</saml2:NameID> 
                  <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> 
                     <saml2:SubjectConfirmationData InResponseTo="ONELOGIN_88ebd953f02c07d01b19714cd70133827ff1228e" NotOnOrAfter="2018-05-07T20:21:25.433Z" .                         Recipient="https://ee0138c4.ngrok.io/saml/?acs" /> 
</saml2:SubjectConfirmation>
</saml2:Subject>

但是SimpleSAMLphp却以这种格式发送它：

but SimpleSAMLphp one instead sends it in this format:

<saml:Subject> 
<saml:NameID SPNameQualifier="https://ee0138c4.ngrok.io/saml/metadata" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_69d05500bd6e797de3674df0165facbfa0af699589</saml:NameID> 
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> <saml:SubjectConfirmationData NotOnOrAfter="2018-05-09T17:47:57Z" Recipient="https://ee0138c4.ngrok.io/saml/?acs" InResponseTo="ONELOGIN_170bb7a0ff82100318ba498583e8e59cdae8607b" /> 
</saml:SubjectConfirmation> 
</saml:Subject>

我需要将其作为属性值

（ ab@c.com 而不是 _69d05500bd6e797de3674df0165facbfa0af699589 ）

然后我可以掌握我SP的逻辑，而是发送一些随机数，我假设它是一个transientId。

which I can then grab in my SP's logic, instead it sends some random number, I'm assuming it's a transientId.

这是我的配置：

要启动Docker容器：

To start the Docker container:

docker run --name=testsamlidp_idp \
-p 8080:8080 \
-p 8443:8443 \
-e SIMPLESAMLPHP_SP_ENTITY_ID=https://ee0138c4.ngrok.io/saml/metadata \
-e SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE=https://ee0138c4.ngrok.io/saml/?acs  \
-e SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE=http://localhost/simplesaml/module.php/saml/sp/saml2-logout.php/test-sp \
-v $(pwd)/users.php:/var/www/simplesamlphp/config/authsources.php \
-v $(pwd)/_saml20-sp-remote.php:/var/www/simplesamlphp/config/saml20-sp-remote.php \
-d kristophjunge/test-saml-idp

其中 users.php 包含：

<?php
$config = array(
    'admin' => array(
        'core:AdminPassword',
    ),
    'example-userpass' => array(
        'exampleauth:UserPass',
        'user1:user1pass' => array(
            'uid' => array('1'),
            'Groups' => array('group1','group2', 'group3'),
            'email' => 'user1@example.com',
        ),
        'user2:user2pass' => array(
            'uid' => array('2'),
            'Groups' => array('group2', 'group4', 'group5'),
            'email' => 'user2@example.com',
        ),
    ),
);

和 _saml20-sp-remote.php 是：

<?php
/**
 * SAML 2.0 remote SP metadata for SimpleSAMLphp.
 *
 * See: https://simplesamlphp.org/docs/stable/simplesamlphp-reference-sp-remote
 */
$metadata[getenv('SIMPLESAMLPHP_SP_ENTITY_ID')] = array(

    'AssertionConsumerService' => getenv('SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE'),
    'SingleLogoutService' => getenv('SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE'),

    #'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:persistent',
      #'simplesaml.nameidattribute' => 'email',
      #'simplesaml.attributes' => FALSE,

    'authproc.idp' => array(
            /* Filter to create a NameID with the "unspecified" format. */
            3 => array(
                'class' => 'saml:AtrributeNameID',
                'attribute' => 'email',
                'Format' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
            ),
        ),
        /* Select the unspecified NameID format by default. */
        'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',

);

我假设在后者文件中存在某种配置错误，也许有人可以借给我尽一切努力。

I'm assuming it's some kind of a misconfiguration in the latter file, perhaps someone could lend me a hand in getting to the bottom of it.

预先感谢您。

推荐答案

以下设置适用于我：

docker run --name=testsamlidp_idp \
-p 8080:8080 \
-p 8443:8443 \
-e SIMPLESAMLPHP_SP_ENTITY_ID=https://ee0138c4.ngrok.io/saml/metadata \
-e SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE=https://ee0138c4.ngrok.io/saml/?acs  \
-e SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE=http://localhost/simplesaml/module.php/saml/sp/saml2-logout.php/test-sp \
-v $(pwd)/users.php:/var/www/simplesamlphp/config/authsources.php \
-v $(pwd)/saml20-idp-hosted.php:/var/www/simplesamlphp/metadata/saml20-idp-hosted.php \
-d kristophjunge/test-saml-idp

saml20-idp-hosted.php 在 / var / www / simplesamlphp / Docker容器中的metadata / saml20-idp-hosted.php

saml20-idp-hosted.php in /var/www/simplesamlphp/metadata/saml20-idp-hosted.php in Docker container

<?php

$metadata['__DYNAMIC:1__'] = array(
    /*
     * The hostname of the server (VHOST) that will use this SAML entity.
     *
     * Can be '__DEFAULT__', to use this entry by default.
     */
    'host' => '__DEFAULT__',
    // X.509 key and certificate. Relative to the cert directory.
    'privatekey' => 'server.pem',
    'certificate' => 'server.crt',
    /*
     * Authentication source to use. Must be one that is configured in
     * 'config/authsources.php'.
     */
    'auth' => 'example-userpass',

  'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',


// refer to https://simplesamlphp.org/docs/stable/saml:nameid
'authproc' => array(
  3 => array(
          'class' => 'saml:AttributeNameID',
          'attribute' => 'email',
          'Format' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
      ),
  ),

);

NameIDFormat 和 Format 是必需的。 电子邮件应该对应于

Both NameIDFormat and Format are necessary. email should correspond to the attribute specified in

<?php
$config = array(
    'admin' => array(
        'core:AdminPassword',
    ),
    'example-userpass' => array(
        'exampleauth:UserPass',
        'user1:user1pass' => array(
            'uid' => array('1'),
            'Groups' => array('group1','group2', 'group3'),
            'email' => 'user1@example.com',
        ),
        'user2:user2pass' => array(
            'uid' => array('2'),
            'Groups' => array('group2', 'group4', 'group5'),
            'email' => 'user2@example.com',
        ),
    ),
);

关于如何到达它的一般想法是有点已记录
，但该文档并不适合胆小者，当然也欢迎有关基本原理的部分为什么事情就是这样。

The general idea on how to get to it is somewhat documented but the documentation is not for the faint of heart and certainly welcomes sections on rationale of why things are the way they are.

这篇关于如何在基于SimpleSAMLphp的IdP中用属性替换NameId的值？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！