simplesamlphp-module-oidc
Attribute mapping and logging
Hey!
I have two questions:
- Is attribute mapping done automatically? I just configured the module, but I can't retrieve all available attributes. It gives the following error: "Attribute useridattr does not exist in claims. Available attributes are: urn:oid:1.3.6.1.4.1.5923.1.1.1.7, urn:oid:1.3.6.1.4.1.5923.1.1.1.6, urn:oid:2.16.840.1.113730.3.1.241, urn:oid:2.5.4.3, urn:oid:2.5.4.4, urn:oid:2.5.4.42, urn:oid:0.9.2342.19200300.100.1.3, urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
Part of my module configuration file:

ModuleConfig::OPTION_AUTH_USER_IDENTIFIER_ATTRIBUTE => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.7', //'urn:oid:1.3.6.1.4.1.5923.1.1.1.6',

// The default translation table from SAML attributes to OIDC claims.
ModuleConfig::OPTION_AUTH_SAML_TO_OIDC_TRANSLATE_TABLE => [
    // 'sub' => [
    //     'attribute-defined-in-useridattr',
    //     'uid', // added
    //     'eduPersonPrincipalName',
    //     'eduPersonTargetedID',
    //     'eduPersonUniqueId',
    //     'urn:oid:1.3.6.1.4.1.5923.1.1.1.6',
    //     'urn:oid:2.5.4.3',
    // ],
    // Remove default translation
    //'name' => [
    //    'name' => [ 'type' => 'string', 'attributes' => ['urn:oid:2.5.4.3']]
    //],
],
Do you have any suggestions on how I can retrieve all these attributes?
- How can I view a log from the module? Is there a way to do that?
As per the error, it seems that something is not right with your configuration related to the identifier attribute (useridattr), although you note that you have actually configured it. I think you should double check this.
As you can see in the description of the config options, you are provided with a default attribute translation. However, you will probably want to provide your own configuration for that. I think you misconfigured it / left it commented out.
The module writes logs using the SimpleSAMLphp (SSP) logger, so any SSP logging configuration / location also applies to it.
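Added example (not from this thread and not the module's own configuration file): a translation table written against the attribute names the IdP actually releases, taken from the error message in the question. The `use` line and the file name `config/module_oidc.php` are assumptions about the module's layout; the option names are the ones used in this thread, and the two entry forms (plain list, and `type`/`attributes`) are the ones shown in the question.

```php
<?php
// Assumed location: config/module_oidc.php (not shown in the thread).
// Assumed namespace of the ModuleConfig class used in the thread.
use SimpleSAML\Module\oidc\ModuleConfig;

return [
    // The identifier attribute must be one the IdP actually releases, i.e.
    // one of the names listed in the "Available attributes are: ..." error.
    // urn:oid:1.3.6.1.4.1.5923.1.1.1.6 is eduPersonPrincipalName.
    ModuleConfig::OPTION_AUTH_USER_IDENTIFIER_ATTRIBUTE => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.6',

    // Explicit SAML-to-OIDC translation. Keys are OIDC claim names; values
    // name the SAML attributes (OID form, because that is what the IdP sends)
    // that feed each claim. Every attribute name must be a quoted string.
    ModuleConfig::OPTION_AUTH_SAML_TO_OIDC_TRANSLATE_TABLE => [
        'sub' => [
            'urn:oid:1.3.6.1.4.1.5923.1.1.1.6', // eduPersonPrincipalName
        ],
        'name' => [
            'type' => 'string',
            'attributes' => [
                'urn:oid:2.16.840.1.113730.3.1.241', // displayName
                'urn:oid:2.5.4.3',                   // cn
            ],
        ],
        'given_name'  => ['urn:oid:2.5.4.42'],               // givenName
        'family_name' => ['urn:oid:2.5.4.4'],                // sn
        'email'       => ['urn:oid:0.9.2342.19200300.100.1.3'], // mail
    ],
];
```

Per OIDC Core, `name`, `given_name` and `family_name` are released under the `profile` scope and `email` under the `email` scope, so the RP must request those scopes before the mapped attributes appear in the ID token or userinfo response.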
Thank you for your response! So, when I configure the user identifier as below, the application works (I'm using the OIDC playground to test the complete flow):
ModuleConfig::OPTION_AUTH_USER_IDENTIFIER_ATTRIBUTE => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.6',
However, the attributes still aren't being delivered. Also, in this test, I used a specific translation and a specific sub defined:
ModuleConfig::OPTION_AUTH_SAML_TO_OIDC_TRANSLATE_TABLE => [
'sub' => [
urn:oid:1.3.6.1.4.1.5923.1.1.1.6',
],
'email' => ['mail','urn:oid:0.9.2342.19200300.100.1.3'],
],
The log doesn't give me an error, only this message:
Filter config for https://IDP-FQDN/idp/shibboleth->https://OP-MODULE-INSTANCE/: array ( 0 => SimpleSAML\Module\core\Auth\Process\LanguageAdaptor::__set_state(array( 'priority' => 90, 'precondition' => 'return true;', 'langattr' => 'preferredLanguage', )),)
Do you think there is a problem with the default translation built-in SSP?
Thanks in advance!
Not sure if this will solve it for you, but did you notice that you are missing a quote?
urn:oid:1.3.6.1.4.1.5923.1.1.1.6',
Oh, yes! Actually, in my code the quote exists; it just disappeared when I pasted that part of the code.
Hm, ok. I don't believe that there is a problem with default translation table. I think you only have to configure it properly.
Any news on this?
Hello, sorry for the delay.
In general, I focused on configuring the authsources from the beginning. I also changed the protocol that the application was using; previously, it was set to auth2, and in the most recent test, I switched it to OpenID (my application will communicate with a SimpleSAMLphp RP). The module is working correctly!