1 260
szerkesztés
Módosítások
nincs szerkesztési összefoglaló
== EduGAIN Introduction ==This library is intented to be configuration-compatible with the [http://edugain.org eduGAIN] uses Bridging Elements for interconnecting federations. To provide attribute translation and filtering services, an [[Attribute_Conversion_for_eduGAIN| attribute 'mangling' library]] was developed for the Java library-based bridging elements. As [http://rnd.feide. The module no/simplesamlphp/ simpleSAMLphp] can read also be used as an eduGAIN bridging element, the eduGAIN converter conversion and filter engine XML configuration and should operate the same way as the Java onefiltering library was ported to PHP.
== Enabling Compatibility ===== eduGAIN ===This library is intended to be configuration-compatible with the simpleSAMLphp [http://edugain.org eduGAIN] [[Attribute_Conversion_for_eduGAIN]] Java library. The module can read the eduGAIN converter and filter engine XML configuration files and should operate the same way as the Java one.=== Configuration files ===This The eduGAIN attribute converter and filter module depends on defines its own XML schema for attribute conversion and attribute filtering purposes. See the ''xsl'' php extensions ([[Attribute_Conversion_for_eduGAIN]] page for more specifically, the ''XSLTProcessor'' class), so make sure it is properly configuredinformation on attribute rules.
The module can be enabled by creating an empty file named <code>modules/edugain/default-enable</code>.=== simpleSAMLphp module configuration ===
EduGAIN is available for simpleSAMLphp as an authentication processing filter: ''edugain:Attributes''. The Attributes processing filter takes the following configuration properties:
)
</source>
;Configuration parameters for the module
* '''class''' (required): defines the eduGAIN filter for simpleSAMLphp.
* '''mode''' (required): configures the way this module operates (<code>idp</code> or <code>sp</code>). See [[#Operating_modes | below for more information on operating modes]]
* '''converterconfig''' (optional): configures the path of the attribute converter configuration xml file.
* '''filterconfig''' (optional): configures the path of the attribute filter configuration xml file.
* '''cache''' (optional, default: true): enables or disables the internal configuration cache. See the [[#Configuration_cache]] section below for more.
== Operating modes ==
EduGAIN module can operate in two modes, '''idp''' or '''sp'''. This mode affects two behaviors: the conversion-filtering order, and the provider matching.
* in '''idp''' mode, attribute filter is ran run '''after ''' conversion, and the RemoteProvider match is done against the SP (or R-BE in eduGAIN bridged environment) which initiated the SSO session.* in '''sp''' mode, attribute filter is ran run '''before ''' conversion, and the RemoteProvider match is done against the IdP (or H-BE in eduGAIN bridged environment) which released the attributes to our simpleSAMLphp SP.
The simpleSAMLphp eduGAIN module reads the eduGAIN XML configuration format and transforms it into php arrays using XSL transformation. The submodules (''edugain:SplitMerge'' and ''edugain:Filter') are configured automatically by the edugain:Attributes class.
== Differences between the Java and the PHP implementations ==
* '''LocalProvider''' matching is unsupported in simpleSAMLphp. Unfortunately when simpleSAMLphp is in bridging mode (using the SP module to protect and an IdP), the IdP processing filters do not see the peer entity of the SP module. However, you can archieve achieve the correct behavior by putting one ''edugain:Attributes'' processing filter in the SP configuration and use '''RemoteProvider''' matches to filter and convert attributes there.* You don't need to use a separate attribute name mapper, because simpleSAMLphp contains built-in '''name2oid''','''oid2name''', '''name2urn''' and '''urn2name''' methods, which provide the same functionality.
* Regular expressions are somewhat different in PHP. The eduGAIN module uses perl-compatible regular expressions (see [http://hu.php.net/manual/en/function.preg-match.php preg_match documentation] for details). Plus, the reading of the configuration involves ''eval'', and thus it swallows the escaping characters. So if one wants to escape something in their regular expressions, double-escaping is needed (eg. 'foo\\.bar' instead of 'foo\.bar').
{{TODO_EN|Double escaping sucks. We are looking for solutions to circumvent this limitation}}