Tags: php, saml-2.0, simplesamlphp

How to send other parameters from the IdP to the SP in the POST request?


I have configured an identification provider (IdP) part of a SSO system, using SimpleSAMLphp.

The main sections of my configuration files:

config/config.php

$config = array(
    [...]
    'enable.saml20-idp' => true,
    'enable.shib13-idp' => true,
    [...]
);

config/authsources.php

$config = array(
    [...]
    '*-sql' => array(
        'sqlauth:SQL',
        'dsn' => 'mysql:host=*.*.*.*;port=*;dbname=*',
        'username' => '*',
        'password' => '*',
        'query' => 'SELECT *
                    FROM users
                    WHERE username = *
                    AND password = *',
    ),
    [...]
);

metadata/saml20-idp-hosted.php

$metadata['__DYNAMIC:1__'] = array(
    'host' => '__DEFAULT__',
    'privatekey' => '../cert/*.key',
    'certificate' => '../cert/*.pem',
    'auth' => '*-sql',
    'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
    'authproc' => array(
            3 => array(
                    'class' => 'saml:AttributeNameID',
                    'attribute' => 'uid',
                    'Format' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
            ),
    ),
);

metadata/saml20-idp-remote.php

$metadata['https://www.video2brain.com/shibboleth'] = array(
    'AssertionConsumerService' => 'http://*/Shibboleth.sso/SAML2/POST',
    'SingleSignOnService'      => 'http://*/Shibboleth.sso/SAML2/POST',
    'SingleLogoutService'      => 'http://*/Shibboleth.sso/SLO/POST',
);

The certificates and metadata were successfully configured. The SSO works fine.

But the service provider (SP) has requested that the IdP has to pass more info about the logged-in user. The authentication passes when the query returns a row, but I can't access the fields in the SELECT.

Currently, the final POST request that my IdP sent to their SP has the following parameters:

HTTP_SHIB_IDENTITY_PROVIDER=https://*/metadata.php,
HTTP_SHIB_AUTHENTICATION_INSTANT=2015-10-20T09:04:42Z,
HTTP_SHIB_AUTHENTICATION_METHOD=urn:oasis:names:tc:SAML:2.0:ac:classes:Password,
HTTP_SHIB_AUTHNCONTEXT_CLASS=urn:oasis:names:tc:SAML:2.0:ac:classes:Password,
HTTP_EMAIL=*@*.*,
HTTP_PERSISTENT_ID=!https://*/shibboleth-sp!6faa919dda0e40e5e42088bcd9beb639ed4dfa5e

And they want the full name of the user in a new parameter. Something like this:

[...]
HTTP_USER_NAME=FooUserName

I have tried using the "Adding attributes (core:AttributeAdd)" method, but it doesn't work. Is it possible to do that? Any doc, resource or example for this will be helpful.

Thanks.


Solution

  • I set the parameter as "givenName" instead of "name", and it works!

    1. In the auth query, I put an alias for the user "name" as "givenName".
    2. In the idp-hosted, in the "authproc" key I used the AttributeMap method to add the "givenName".

    I did these things before, but I was trying to use "name" as the final parameter "name", and it didn't work until I used "givenName".

    Could someone tell me why? Is the parameter name not configurable? Maybe the SP and the IdP have to configure the same name on both sides?
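As an added example (not the poster's own configuration), here is how the two steps of the solution fit together in SimpleSAMLphp: the sqlauth:SQL query aliases the column to the attribute name, and the idp-hosted authproc chain renames, adds and limits attributes before the assertion is built. The authsource name, DB host, key paths and the `users` table columns (`username`, `password`, `email`, `full_name`) are assumed placeholders. One caveat on the poster's last question: a Shibboleth SP only exposes attributes that its attribute-map.xml decodes, so an attribute the IdP sends under a name (and name format) the SP does not map is silently dropped, which is why the name has to agree on both sides.

```php
<?php
// Added example, not the poster's config. Hosts, paths, column names and the
// authsource name 'example-sql' are assumed placeholders.

// config/authsources.php
// sqlauth:SQL turns every column of the returned row(s) into an attribute,
// so the SQL alias chosen here decides the SAML attribute name.
$config['example-sql'] = array(
    'sqlauth:SQL',
    'dsn'      => 'mysql:host=DB_HOST;port=3306;dbname=DB_NAME',
    'username' => 'DB_USER',
    'password' => 'DB_PASSWORD',
    // :username and :password are bound by the module; the password
    // comparison is kept as in the question (hash on the DB side).
    'query'    => 'SELECT username  AS uid,
                          email     AS mail,
                          full_name AS givenName
                   FROM users
                   WHERE username = :username
                     AND password = :password',
);

// metadata/saml20-idp-hosted.php
// authproc filters run in ascending numeric order.
$metadata['__DYNAMIC:1__'] = array(
    'host'         => '__DEFAULT__',
    'privatekey'   => 'idp.key',
    'certificate'  => 'idp.pem',
    'auth'         => 'example-sql',
    'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
    'authproc'     => array(
        // Persistent NameID derived from uid, as in the question.
        3 => array(
            'class'     => 'saml:AttributeNameID',
            'attribute' => 'uid',
            'Format'    => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
        ),
        // Rename an attribute when the query could not alias it:
        // inline 'from' => 'to' pairs are accepted by core:AttributeMap.
        10 => array('class' => 'core:AttributeMap', 'name' => 'givenName'),
        // core:AttributeAdd only adds fixed values from this file; it cannot
        // copy a query column, which is why it did not solve the question.
        20 => array('class' => 'core:AttributeAdd',
                    'eduPersonAffiliation' => array('member')),
        // Release only the attributes this SP actually needs.
        90 => array('class' => 'core:AttributeLimit', 'uid', 'mail', 'givenName'),
    ),
);
```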