Changes

Attribute Conversion for simpleSAMLphp

1,590 bytes added, 12 May 2009, 17:34
no edit summary
= This page describes the features of Attribute Conversion and Filtering library for simpleSAMLphp =
== Introduction ==
[http://edugain.org eduGAIN] uses Bridging Elements for interconnecting federations. To provide attribute translation and filtering services, an [[Attribute_Conversion_for_eduGAIN| attribute 'mangling' library]] was developed for the Java-based bridging elements. As [http://rnd.feide.no/simplesamlphp/ simpleSAMLphp] can also be used as an eduGAIN bridging element, the conversion and filtering library was ported to PHP.

'''Beyond eduGAIN, you can use this module for every IdP or SP operating mode (shib13 SP/IdP, saml2 SP/IdP) of simpleSAMLphp in order to provide more powerful attribute conversion and filtering capabilities.'''
== Compatibility ==
=== eduGAIN ===
This library is intended to be configuration-compatible with the [http://edugain.org eduGAIN] [[Attribute_Conversion_for_eduGAIN]] Java library. The module can read the eduGAIN converter and filter engine XML configuration files and should operate the same way as the Java one.
=== Configuration files ===
The eduGAIN attribute converter and filter module defines its own XML schema for attribute conversion and attribute filtering purposes. See the [[Attribute_Conversion_for_eduGAIN]] page for more information on attribute rules.
== Using the module ==
This module has a working name <code>edugain</code>. As this module only addresses the attribute translation part of the 'eduGAIN-problem', it might be renamed later.
=== Enabling the simpleSAMLphp module ===
This module depends on the ''xsl'' php extensions (more specifically, the ''XSLTProcessor'' class), so make sure it is properly configured.

The module can be enabled by creating an empty file named <code>modules/edugain/default-enable</code>.
=== simpleSAMLphp module configuration ===
EduGAIN is available for simpleSAMLphp as an authentication processing filter: ''edugain:Attributes''. The Attributes processing filter takes the following configuration properties:
)
</source>
;Configuration parameters for the module
* '''class''' (required): defines the eduGAIN filter for simpleSAMLphp.
* '''mode''' (required): configures the way this module operates (<code>idp</code> or <code>sp</code>). See [[#Operating_modes | below for more information on operating modes]]
* '''converterconfig''' (optional): configures the path of the attribute converter configuration xml file.
* '''filterconfig''' (optional): configures the path of the attribute filter configuration xml file.
* '''cache''' (optional, default: true): enables or disables the internal configuration cache. See the [[#Configuration_cache]] section below for more.
{{INFO_EN|If either <code>converterconfig</code> or <code>filterconfig</code> is omitted, then the relevant part (conversion or filtering respectively) is disabled. Note that disabling the filter means you let all the attributes through.}}
== Operating modes ==
The eduGAIN module can operate in two modes, '''idp''' or '''sp'''. The mode affects two behaviors: the conversion-filtering order, and the provider matching.
* in '''idp''' mode, attribute filter is run '''after''' conversion, and the RemoteProvider match is done against the SP (or R-BE in eduGAIN bridged environment) which initiated the SSO session.
* in '''sp''' mode, attribute filter is run '''before''' conversion, and the RemoteProvider match is done against the IdP (or H-BE in eduGAIN bridged environment) which released the attributes to our simpleSAMLphp SP.
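The effect of the conversion-filtering order and of an omitted <code>filterconfig</code>, as an added example that is not the module's code. <code>convertAttributes()</code> and <code>filterAttributes()</code> are hypothetical stand-ins (a plain rename map and a name allow-list), and the attribute data is constructed.

```php
<?php
// Added illustration: simplified stand-ins, not edugain:SplitMerge / edugain:Filter.

/** Rename attributes by a name => new-name map (stand-in for conversion). */
function convertAttributes(array $attrs, array $renameMap): array {
    $out = [];
    foreach ($attrs as $name => $values) {
        $out[$renameMap[$name] ?? $name] = $values;
    }
    return $out;
}

/** Keep only allow-listed names; null models an omitted filterconfig. */
function filterAttributes(array $attrs, ?array $allowed): array {
    if ($allowed === null) {
        return $attrs; // filtering disabled: every attribute passes through
    }
    return array_intersect_key($attrs, array_flip($allowed));
}

/** Apply both steps in the order described for each operating mode. */
function process(string $mode, array $attrs, array $renameMap, ?array $allowed): array {
    if ($mode === 'idp') { // filter runs after conversion
        return filterAttributes(convertAttributes($attrs, $renameMap), $allowed);
    }
    if ($mode === 'sp') {  // filter runs before conversion
        return convertAttributes(filterAttributes($attrs, $allowed), $renameMap);
    }
    throw new InvalidArgumentException("mode must be 'idp' or 'sp'");
}

// Constructed sample data.
$attrs     = ['uid' => ['jdoe'], 'mail' => ['jdoe@example.org'], 'nationalId' => ['X123']];
$renameMap = ['uid' => 'eduPersonPrincipalName'];
$allowed   = ['eduPersonPrincipalName', 'mail'];

foreach (['idp', 'sp'] as $mode) {
    foreach (['with filter' => $allowed, 'without filter' => null] as $label => $list) {
        $released = array_keys(process($mode, $attrs, $renameMap, $list));
        printf("%-3s %-14s -> %s\n", $mode, $label, implode(', ', $released));
    }
}
```

With the same allow-list, <code>idp</code> mode releases the renamed identifier and <code>mail</code>, while <code>sp</code> mode releases only <code>mail</code>, because the filter there sees the unconverted names. Without a filter, <code>nationalId</code> is released in both modes.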
In eduGAIN terms, the ''idp'' mode is often referred to as ''home bridging element'', and ''sp'' is referred to as ''remote bridging element''.
== Configuration file ==
The simpleSAMLphp eduGAIN module reads the eduGAIN XML configuration format and transforms it into PHP arrays using XSL transformation. The submodules (''edugain:SplitMerge'' and ''edugain:Filter'') are configured automatically by the ''edugain:Attributes'' class.
The ''edugain:SplitMerge'' implements the ''BasicRule'', ''MergeRule'', and ''SplitRule'' rules, the ''edugain:Filter'' implements the ''FilterRule''. The PHP configuration interface for these filters is not supported at the moment and may be subject to change, so please use the XML configuration.
=== Configuration cache ===
The XML reading is very time-consuming but conversion and filtering rules should be evaluated on every request. Because of that, the eduGAIN module can cache the XML configuration into a serialized PHP array, which is stored locally in a directory named <code>cache</code>. If the XML file has not been updated since the last cache generation, then the cache is used and the XML parsing part is skipped.

Cache file name is computed according to the following:
 md5(full_configuration_file_path).cache.php
{{INFO_EN|Enabling the cache is strongly recommended in production environments.}}
== Differences between the Java and the PHP implementations ==
* '''LocalProvider''' matching is unsupported in simpleSAMLphp. Unfortunately when simpleSAMLphp is in bridging mode (using the SP module to protect an IdP), the IdP processing filters do not see the peer entity of the SP module. However, you can achieve the correct behavior by putting one ''edugain:Attributes'' processing filter in the SP configuration and use '''RemoteProvider''' matches to filter and convert attributes there.
* You don't need to use a separate attribute name mapper, because simpleSAMLphp contains built-in '''name2oid''', '''oid2name''', '''name2urn''' and '''urn2name''' methods, which provide the same functionality.
* Regular expressions are somewhat different in PHP. The eduGAIN module uses Perl-compatible regular expressions (see [http://hu.php.net/manual/en/function.preg-match.php preg_match documentation] for details). In addition, reading the configuration involves ''eval'', which swallows the escaping characters. So if one wants to escape something in their regular expressions, double-escaping is needed (e.g. 'foo\\.bar' instead of 'foo\.bar').
{{TODO_EN|Double escaping sucks. We are looking for solutions to circumvent this limitation}}
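Why the double escaping matters for a rule that is meant to match a literal value, as an added example that is not part of the module. <code>stripslashes()</code> is an assumed stand-in for the escaping level lost while the configuration is read, the whole-value anchoring is a choice of this example, and the patterns and test values are constructed.

```php
<?php
// Added illustration: models the loss of one escaping level, not the module's code.

/** Pattern as the matcher would see it once one escaping level is consumed. */
function effectivePattern(string $asWritten): string {
    return stripslashes($asWritten); // assumption: one backslash level is swallowed
}

/** Match a whole value against the effective pattern using preg_match (PCRE). */
function matchesValue(string $asWritten, string $value): bool {
    // '~' is used as delimiter; the sample patterns do not contain it.
    $regex  = '~^(?:' . effectivePattern($asWritten) . ')$~';
    $result = preg_match($regex, $value);
    if ($result === false) {
        throw new RuntimeException("invalid pattern: $asWritten");
    }
    return $result === 1;
}

// Constructed patterns, written exactly as they would be typed in the XML file
// (nowdoc syntax keeps every backslash as-is).
$single = <<<'PATTERN'
foo\.bar
PATTERN;
$double = <<<'PATTERN'
foo\\.bar
PATTERN;

foreach (['single-escaped' => $single, 'double-escaped' => $double] as $label => $pattern) {
    printf("%s: written %s, effective %s\n", $label, $pattern, effectivePattern($pattern));
    foreach (['foo.bar', 'fooXbar'] as $value) {
        printf("    %-8s %s\n", $value, matchesValue($pattern, $value) ? 'match' : 'no match');
    }
}
```

The single-escaped pattern ends up with an unescaped dot and also matches <code>fooXbar</code>, so a rule written that way accepts more values than intended; the double-escaped pattern matches only <code>foo.bar</code>.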
