NameID generation filters
This document describes the NameID generation filters in the saml module.
Common options
-
NameQualifier
-
The NameQualifier attribute for the generated NameID.
This can be a string that is used as the value directly.
It can also be
true
, in which case we use the IdP entity ID as the NameQualifier. If it isfalse
, no NameQualifier will be included. -
The default is
false
, which means that we will not include a NameQualifier by default. -
SPNameQualifier
-
The SPNameQualifier attribute for the generated NameID.
This can be a string that is used as the value directly.
It can also be
true
, in which case we use the SP entity ID as the SPNameQualifier. If it isfalse
, no SPNameQualifier will be included. -
The default is
true
, which means that we will use the SP entity ID.
saml:AttributeNameID
Uses the value of an attribute to generate a NameID.
Options :
-
identifyingAttribute
- The name of the attribute we should use as the unique user ID.
-
identifyingAttributes
- An array of attribute names to consider for the unique user ID.
- The first attribute found in this array that's being released to the SP
- will be used. Note that using this option means you must not also use
- identifyingAttribute.
-
Format
-
The
Format
attribute of the generated NameID.
saml:PersistentNameID
Generates a persistent NameID with the format
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
.
The filter will take the user ID from the attribute described in the
identifyingAttribute
option, and hash it with the
secretsalt
from
config.php
, and the SP and IdP entity ID.
The resulting hash is sent as the persistent NameID.
Options :
-
identifyingAttribute
- The name of the attribute we should use as the unique user ID.
saml:TransientNameID
Generates a transient NameID with the format
urn:oasis:names:tc:SAML:2.0:nameid-format:transient
.
No extra options are available for this filter.
saml:SQLPersistentNameID
Generates and stores persistent NameIDs in a SQL database.
This filter generates and stores a persistent NameID in a SQL database.
To use this filter, either specify the
store
option and a database,
or configure SimpleSAMLphp to use a SQL datastore.
See the
store.type
configuration option in
config.php
.
Options :
-
identifyingAttribute
- The name of the attribute we should use as the unique user ID.
-
allowUnspecified
-
Whether a persistent NameID should be created if the SP does not specify any NameID format in the request.
The default is
false
. -
allowDifferent
-
Whether a persistent NameID should be created if there are only other NameID formats specified in the request or the SP's metadata.
The default is
false
. -
alwaysCreate
-
Whether to ignore an explicit
AllowCreate="false"
in the authentication request's NameIDPolicy. The default isfalse
, which will only create new NameIDs when the SP specifiesAllowCreate="true"
in the authentication request. -
store
-
An array of database options passed to
\SimpleSAML\Database
, keys prefixed withdatabase.
. The default is[]
, which uses the global SQL datastore.
Setting both
allowUnspecified
and
alwaysCreate
to
true
causes
saml:SQLPersistentNameID
to behave like
saml:PersistentNameID
(and other NameID generation filters), at the expense of creating unnecessary entries in the SQL datastore.
saml:PersistentNameID2TargetedID
Stores a persistent NameID in the
eduPersonTargetedID
-attribute.
This filter is not actually a NameID generation filter.
Instead, it takes a persistent NameID and adds it as an attribute in the assertion.
This can be used to set the
eduPersonTargetedID
-attribute to the same value as the persistent NameID.
Options :
-
attribute
-
The name of the attribute we should store the result in.
The default is
eduPersonTargetedID
. -
nameId
-
Whether the generated attribute should be an saml:NameID element.
The default is
true
.
Example :
This example makes three NameIDs available:
'authproc' => [
1 => [
'class' => 'saml:TransientNameID',
],
2 => [
'class' => 'saml:PersistentNameID',
'identifyingAttribute' => 'eduPersonPrincipalName',
],
3 => [
'class' => 'saml:AttributeNameID',
'identifyingAttributes' => ['mail','eduPersonPrincipalName'],
'Format' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
],
],
Storing persistent NameIDs in a SQL database:
'authproc' => [
1 => [
'class' => 'saml:TransientNameID',
],
2 => [
'class' => 'saml:SQLPersistentNameID',
'identifyingAttribute' => 'eduPersonPrincipalName',
],
],
Generating Persistent NameID and eduPersonTargetedID.
'authproc' => [
// Generate the persistent NameID.
2 => [
'class' => 'saml:PersistentNameID',
'identifyingAttribute' => 'eduPersonPrincipalName',
],
// Add the persistent to the eduPersonTargetedID attribute
60 => [
'class' => 'saml:PersistentNameID2TargetedID',
'attribute' => 'eduPersonTargetedID', // The default
'nameId' => true, // The default
],
// Use OID attribute names.
90 => [
'class' => 'core:AttributeMap',
'name2oid',
],
],
// The URN attribute NameFormat for OID attributes.
'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
'attributeencodings' => [
'urn:oid:1.3.6.1.4.1.5923.1.1.1.10' => 'raw', /* eduPersonTargetedID with oid NameFormat is a raw XML value */
],