A SimpleSAMLphp authentication processing filter for generating long-lived, non-reassignable, non-targeted, opaque and globally unique user identifiers based on the attributes received from the Identity Provider (IdP). The identifier is generated using the first non-empty attribute from a given list of attributes. At least one non-empty attribute is required, otherwise authentication fails with an exception.
This filter is based on the smartattributes:SmartID
authentication
processing filter included in the SimpleSAMLphp distribution. As such,
it can be used to provide consistent user identifiers when there are
multiple SAML IdPs releasing different identifier attributes.
The functionality of the original filter has been extended to support the
following identifier properties:
- Global uniqueness: This can be ensured by specifying a scope for the generated user identifier.
- Opaqueness: The generated user identifier (excluding the "@scope" portion) is based on the SHA-256 hash of the attributes received by the IdP, resulting in an opaque 64-character long string that by itself provides no information about the identified user.
The following configuration options are available:
candidates
: An array of attributes names to consider as the user identifier attribute. Defaults to:eduPersonUniqueId
eduPersonPrincipalName
eduPersonTargetedID
openid
linkedin_targetedID
facebook_targetedID
windowslive_targetedID
twitter_targetedID
id_attribute
. A string to use as the name of the newly added attribute. Defaults tosmart_id
.add_authority
: A boolean to indicate whether or not to append the SAML AuthenticatingAuthority to the resulting identifier. This can be useful to indicate what SAML IdP was used, in case the original identifier is not scoped. Defaults totrue
.add_candidate
: A boolean to indicate whether or not to prepend the candidate attribute name to the resulting identifier. This can be useful to indicate the attribute from which the identifier comes from. Defaults totrue
.scope
: A string to use as the scope portion of the generated user identifier. There is no default scope value; however, you should consider scoping the generated attribute for creating globally unique identifiers that can be used across infrastructures.set_userid_attribute
: A boolean to indicate whether or not to assign the generated user identifier to theUserID
state parameter. Defaults totrue
. If this is set tofalse
, SSP will attempt to use the value of theeduPersonPrincipalName
attribute, leading to errors when the latter is not available.
The generated identifiers have the following form:
SHA-256(AttributeName:AttributeValue!AuthenticatingAuthority!SecretSalt)
or, if a scope has been specified:
SHA-256(AttributeName:AttributeValue!AuthenticatingAuthority!SecretSalt)@scope
authproc = array(
...
'60' => array(
'class' => 'uid:OpaqueSmartID',
'candidates' => array(
'eduPersonUniqueId',
'eduPersonPrincipalName',
'eduPersonTargetedID',
),
'id_attribute' => 'eduPersonUniqueId',
'add_candidate' => false,
'add_authority' => true,
'scope' => 'example.org',
),
Licensed under the Apache 2.0 license, for details see LICENSE
.