Scoped Attributes Filtering

This document describes the FilterScopes attribute filter in the saml module.

This filter allows a Service Provider to make sure the scopes included in the values of certain attributes correspond to what the Identity Provider declares in its metadata. If the IdP includes a list of scopes in the metadata, only those scopes will be allowed. On the other hand, if no scopes are declared or the scope is not included in the list of declared scopes, it will be matched against the domain used by the SAML SingleSignOnService endpoint. This means the example.com scope will be allowed in attributes received from an IdP whose SingleSignOnService endpoint is located on the example.com top domain or any subdomain of that. Such scope will be rejected though if the match with the IdP's endpoint does not happen at the top level, like for example with example.com.domain.net .

If you are configuring the metadata of an IdP manually, remember to add an array to it with the key scope , containing the list of scopes expected from that entity.

Configuration

This filter can be configured in the config/authsources.php file, inside the authproc array of the corresponding SAML authentication source in use.

Note that this filter can only be used with SAML authentication sources .

Here are the options available for the filter:

attributes
An array containing a list of attributes that are scoped and therefore should be evaluated. Defaults to eduPersonPrincipalName and eduPersonScopedAffiliation .

Examples

Basic configuration:

    'authproc' => [
        90 => [
            'class' => 'saml:FilterScopes',
        ],
    [,

Specify mail and eduPersonPrincipalName as scoped attributes:

    'authproc' => [
        90 => [
            'class' => 'saml:FilterScopes',
            'attributes' => [
                'mail',
                'eduPersonPrincipalName',
            ],
        ],
    ],

Specify the same attributes in OID format:

    'authproc' => [
        90 => [
            'class' => 'saml:FilterScopes',
            'attributes' => [
                'urn:oid:0.9.2342.19200300.100.1.3',
                'urn:oid:1.3.6.1.4.1.5923.1.1.1.6',
            ],
        ],
    ],