Difference between revisions of "Attribute Conversion for simpleSAMLphp"

From: KIFÜ Wiki

Revision of the page as of 15:29, 12 May 2009

Attribute Conversion library for simpleSAMLphp

EduGAIN

This library is intended to be configuration-compatible with the eduGAIN Attribute_Conversion_for_eduGAIN Java library. The module can read the eduGAIN converter and filter engine XML configuration and should operate the same way as the Java one.

Configuration files

The eduGAIN attribute converter and filter module defines its own XML schema for attribute conversion and attribute filtering purposes. See the Attribute_Conversion_for_eduGAIN page for configuration reference.

Enabling the simpleSAMLphp module

This module depends on the xsl PHP extension (more specifically, the XSLTProcessor class), so make sure it is properly configured.

The module can be enabled by creating an empty file named modules/edugain/default-enable.

simpleSAMLphp module configuration

EduGAIN is available for simpleSAMLphp as an authentication processing filter: edugain:Attributes. The Attributes processing filter takes the following configuration properties:

 'authproc' => array(
   50 => array(
    'class' => 'edugain:Attributes',
    'mode' => 'idp',
    'converterconfig' => '/path/to/AttributeConverter.xml',
    'filterconfig' => '/path/to/AttributeFilter.xml',
    'cache' => true
   )
 )
  • class: defines the eduGAIN filter for simpleSAMLphp.
  • mode: configures the way this module operates (idp or sp). See the #Operating_modes section below for more.
  • converterconfig: configures the path of the attribute converter configuration XML file.
  • filterconfig: configures the path of the attribute filter configuration XML file.
  • cache: enables (default) or disables the internal configuration cache. See the #Configuration_cache section below for more.

Operating modes

The eduGAIN module can operate in two modes, idp or sp. This mode affects two behaviors: the conversion-filtering order, and the provider matching.

  • in idp mode, the attribute filter is run after conversion, and the RemoteProvider match is done against the SP which initiated the SSO session.
  • in sp mode, the attribute filter is run before conversion, and the RemoteProvider match is done against the IdP which released the attributes to our simpleSAMLphp SP.

In eduGAIN terms, the idp mode is often referred to as the home bridging element, and sp is referred to as the remote bridging element.

Configuration reading

The simpleSAMLphp eduGAIN module reads the eduGAIN XML configuration format and transforms it into PHP arrays using an XSL transformation. The submodules (edugain:SplitMerge and edugain:Filter) are configured automatically by the edugain:Attributes class.

edugain:SplitMerge implements the BasicRule, MergeRule and SplitRule rules; edugain:Filter implements the FilterRule.

The PHP configuration interface for these filters is not public and may be subject to change, so please use the XML configuration.

Configuration cache

The XML reading is very time-consuming as every request triggers it. Because of that, the eduGAIN module can cache the XML configuration locally in a directory named cache.

If cache is enabled, the parsed configuration is serialized into a file (named md5(full_configuration_file_path).cache.php). If the XML file modification time is older than the cache file, then the cache is used.

Please note that enabling the cache is strongly recommended in production environment.
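The cache lookup described above, as an added illustration rather than the module's own code. It assumes a "cache" directory passed as $cacheDir and a hypothetical $loadXml callable that performs the expensive XSLT-based parse of the eduGAIN XML into the PHP array the module uses.

```php
<?php
// Added illustration (not the module's own code) of the configuration cache:
// the parsed configuration is serialized into <cache dir>/md5(full XML path).cache.php
// and reused as long as the XML file is not newer than the cache file.

function edugainCacheFile(string $cacheDir, string $xmlPath): string {
    // Cache file name is md5(full configuration file path).cache.php
    $full = realpath($xmlPath) ?: $xmlPath;
    return rtrim($cacheDir, '/') . '/' . md5($full) . '.cache.php';
}

function edugainLoadConfig(string $xmlPath, string $cacheDir, callable $loadXml, bool $cache = true): array {
    if (!is_file($xmlPath)) {
        throw new RuntimeException("configuration file not found: $xmlPath");
    }
    $cacheFile = edugainCacheFile($cacheDir, $xmlPath);

    // Use the cache only when it is enabled and the XML has not been modified
    // since the cache file was written.
    if ($cache && is_file($cacheFile) && filemtime($xmlPath) <= filemtime($cacheFile)) {
        $data = unserialize(file_get_contents($cacheFile), ['allowed_classes' => false]);
        if (is_array($data)) {
            return $data;
        }
        // An unreadable or corrupt cache file falls through to a full parse.
    }

    // Without a usable cache every request pays for the XSLT-based parse ($loadXml is hypothetical).
    $config = $loadXml($xmlPath);

    if ($cache) {
        if (!is_dir($cacheDir)) {
            // Keep the cache directory private to the web server user.
            mkdir($cacheDir, 0750, true);
        }
        // Write to a temporary file and rename so a concurrent request never reads a half-written cache.
        $tmp = $cacheFile . '.' . getmypid() . '.tmp';
        file_put_contents($tmp, serialize($config), LOCK_EX);
        rename($tmp, $cacheFile);
    }
    return $config;
}
```

Because the cached file is trusted as the effective filter and converter configuration, the cache directory should be writable only by the account that runs simpleSAMLphp.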

Differences between the Java and the PHP implementations

  • LocalProvider matching is unsupported in simpleSAMLphp. Unfortunately, when simpleSAMLphp is in bridging mode (using the SP module to protect an IdP), the IdP processing filters do not see the peer entity of the SP module. However, you can achieve the correct behavior by putting one edugain:Attributes processing filter in the SP configuration and using RemoteProvider matches to filter and convert attributes there.
  • Regular expressions are somewhat different in PHP. The eduGAIN module uses Perl-compatible regular expressions (see the preg_match documentation for details). Moreover, the reading of the configuration involves eval, and thus it swallows the escaping characters. So if one wants to escape something in their regular expressions, double-escaping is needed (e.g. 'foo\\.bar' instead of 'foo\.bar').
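An added illustration (not code from the module) of why the double escaping matters: the page states that the eval-based configuration reading swallows one level of backslash escaping; that step is modelled here with stripslashes(), which is an assumption about the mechanism, not the module's actual reader.

```php
<?php
// Added illustration, not the module's own code: the effect of single versus double
// escaping in regular expressions written in the eduGAIN XML configuration.

// Modelled: one level of backslash escaping is lost when the configuration is read.
function edugainReadPattern(string $asWrittenInXml): string {
    return stripslashes($asWrittenInXml);
}

// Returns the attribute values that the effective (post-reading) pattern matches.
function edugainMatches(string $asWrittenInXml, array $values): array {
    $pattern = '/^' . edugainReadPattern($asWrittenInXml) . '$/';
    return array_values(array_filter($values, fn($v) => preg_match($pattern, $v) === 1));
}

// Constructed sample attribute values: one is the intended literal, one differs at the dot.
$values = ['foo.bar', 'fooXbar'];

// Nowdoc keeps the backslashes exactly as they would appear in the XML file.
$singleEscaped = <<<'XML'
foo\.bar
XML;
$doubleEscaped = <<<'XML'
foo\\.bar
XML;

// Single escaping: the backslash is swallowed, '.' turns into a wildcard and the
// rule matches fooXbar as well, so a filter written this way is broader than it looks.
var_dump(edugainMatches($singleEscaped, $values));

// Double escaping: the effective pattern is foo\.bar and only the literal value matches.
var_dump(edugainMatches($doubleEscaped, $values));
```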