testapp: allow attribute mapping by IdP

Author: timlegge

xt/testapp/README.md

@@ -50,6 +50,7 @@ The testapp now supports a simplified automatic configuration for testing agains
    2. Download the metadata from your IdP and save it as IdPs/google/metadata.xml
    3. Download the cacert.pem from the IdP and save it as IdPs/google/cacert.pem
    4. Optionally create IdPs/google/config.yml for custom settings for the IdP (if the a custom config.yml does not exist it will refresh the settings from the default config.yml.
+   4. Optionally create IdPs/google/mappings.yml for custom IdP attribute mappings.  If a custom mappings.yml does not does not exist it will use the defaul mappings.
 
 The index page will automatically list each configured Identity Provider as a link to initiate login against that IdP.
 
@@ -66,6 +67,10 @@ IdPs/
     google/
         cacert.pem
         metadata.yml
+    shibboleth
+        cacert.pem
+        metadata.yml
+        mappings.yml (optional)
 
 ### Run lighttpd to deliver metadata.xml
 
@@ -94,15 +99,21 @@ If there is an option to upload the metadata.xml that is probably your first ste
 
 Saml2Test expects the Identity Provider to provide an assertion with the following values:
 
-   1. DN
-   2. CN
-   3. EmailAddress
-   4. FirstName
-   5. Address
-   6. Phone
-   7. EmployeeNumber
-
-Note that DN and CN (and others) may not be available.  That can be customized in views/user.tt if you want to choose other options.  However the Identity Provider must provide the assertion attributes that match the expected names in views/user.tt.
+   1. EmailAddress
+   2. FirstName
+   3. LastName
+   4. Address
+   5. PhoneNumber
+   6. EmployeeNumber
+
+If the Identity Provider does not provide assertion attributes that match the expected names above you can create a custom mapping in IdPs/idp_name/mappings.yml in the following format.  The setting is the name the testapp expects and the value is the attribure name that the IdP provides in the Assertion.
+
+EmailAddress: "urn:oid:0.9.2342.19200300.100.1.3"
+FirstName: "urn:oid:2.5.4.42"
+LastName: "urn:oid:2.5.4.4"
+Address: "urn:oid:2.5.4.9"
+PhoneNumber: "urn:oid:2.5.4.20"
+EmployeeNumber: "urn:oid:0.9.2342.19200300.100.1.1"
 
 ## Debugging
 

xt/testapp/lib/Saml2Test.pm

@@ -60,6 +60,7 @@ get '/' => sub {
 get '/login' => sub {
 
     config->{cacert} = 'IdPs/' . params->{idp} . '/cacert.pem';
+    config->{idp_name} = params->{idp};
     config->{idp} = 'http://localhost:8880/IdPs/' . params->{idp} . '/metadata.xml';
     if ( -f 'IdPs/' . params->{idp} . '/config.yml' ) {
         my $config_file = YAML::LoadFile('IdPs/' . params->{idp} . '/config.yml');
@@ -71,7 +72,6 @@ get '/login' => sub {
         for my $key (keys %$config_file) {
             config->{$key} = $config_file->{$key};
         }
-
     }
     my $idp = _idp();
     my $sp = _sp();
@@ -196,27 +196,35 @@ post '/consumer-post' => sub {
     my $post = Net::SAML2::Binding::POST->new(
         cacert => config->{cacert},
     );
+
     my $ret = $post->handle_response(
         params->{SAMLResponse}
     );
 
     if ($ret) {
+
         my $assertion = Net::SAML2::Protocol::Assertion->new_from_xml(
             xml         => decode_base64(params->{SAMLResponse}),
             key_file    => config->{key},
             cacert      => config->{cacert},
         );
 
+        if (! $assertion->valid(config->{issuer})) {
+            return '<html><pre>Bad Assertion</pre></html>';
+        }
+
         my $name_qualifier      = $assertion->nameid_name_qualifier();
         my $sp_name_qualifier   = $assertion->nameid_sp_name_qualifier();
 
         my $slo_urls = config->{slo_urls};
 
+        my $user_attributes = get_user_attributes($assertion);
+
         template 'user', {
-                            assertion => $assertion,
+                            user_attributes => $user_attributes,
                             (defined $name_qualifier ? (name_qualifier => $name_qualifier) : ()),
                             (defined $sp_name_qualifier ? (sp_name_qualifier => $sp_name_qualifier) : ()),
-                            slo_urls => ($slo_urls ? $slo_urls : ()),
+                            (defined $slo_urls ? (slo_urls => $slo_urls) : ()),
                             message => 'Successful Login via POST',
                          };
     }
@@ -225,6 +233,46 @@ post '/consumer-post' => sub {
     }
 };
 
+sub get_attribute_map {
+
+    my $attribute_mappings;
+
+    my $file = 'IdPs/' . config->{idp_name} . '/mappings.yml';
+
+    if ( -e $file ) {
+        $attribute_mappings = YAML::LoadFile($file);
+    } else {
+
+        $attribute_mappings->{EmailAddress} = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress';
+        $attribute_mappings->{FirstName} = 'fname';
+        $attribute_mappings->{LastName} = 'lname';
+        $attribute_mappings->{Address} = 'Address';
+        $attribute_mappings->{PhoneNumber} = 'PhoneNumber';
+        $attribute_mappings->{EmployeeNumber} = 'EmployeeNumber';
+    }
+
+    return $attribute_mappings;
+}
+
+sub get_user_attributes {
+    my $assertion = shift;
+
+    my %user;
+
+    my $map = get_attribute_map();
+    $user{issuer} = $assertion->{issuer};
+    $user{session} = $assertion->{session};
+    $user{nameid} = $assertion->nameid();
+    $user{EmailAddress} = $assertion->{attributes}{$map->{EmailAddress}}[0];
+    $user{FirstName} = $assertion->{attributes}{$map->{FirstName}}[0];
+    $user{LastName} = $assertion->{attributes}{$map->{LastName}}[0];
+    $user{Address} = $assertion->{attributes}{$map->{Address}}[0];
+    $user{PhoneNumber} = $assertion->{attributes}{$map->{PhoneNumber}}[0];
+    $user{EmployeeNumber} = $assertion->{attributes}{$map->{EmployeeNumber}}[0];
+
+    return \%user;
+}
+
 get '/consumer-artifact' => sub {
     my $idp = _idp();
     my $idp_cert = $idp->cert('signing');
@@ -265,8 +313,10 @@ get '/consumer-artifact' => sub {
 
         my $slo_urls = config->{slo_urls};
 
+        my $user_attributes = get_user_attributes($assertion);
+
         template 'user', {
-                            assertion => $assertion,
+                            user_attributes => $user_attributes,
                             ($name_qualifier ? (name_qualifier => $name_qualifier) : ()),
                             ($sp_name_qualifier ? (sp_name_qualifier => $sp_name_qualifier) : ()),
                             slo_urls => ($slo_urls ? $slo_urls : ()),

xt/testapp/views/user.tt

@@ -1,24 +1,24 @@
-<h2>NameID: <% assertion.nameid %></h2>
+<h2>NameID: <% user_attributes.nameid %></h2>
 
 <% FOREACH type IN slo_urls.keys.sort %>
    <% slo_url = slo_urls.$type %>
    <% if type == 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect' %>
-<p><a href="/logout-redirect?nameid=<% assertion.nameid | html %>&name_qualifier=<% name_qualifier | html %>&sp_name_qualifier=<% sp_name_qualifier | html %>&session=<% assertion.session | html %>">Logout (redirect binding)</a></p>
+<p><a href="/logout-redirect?nameid=<% user_attributes.nameid | html %>&name_qualifier=<% name_qualifier | html %>&sp_name_qualifier=<% sp_name_qualifier | html %>&session=<% user_attributes.session | html %>">Logout (redirect binding)</a></p>
    <% end %>
    <% if type == 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP' %>
-<p><a href="/logout-soap?nameid=<% assertion.nameid | html %>&name_qualifier=<% name_qualifier | html %>&sp_name_qualifier=<% sp_name_qualifier | html %>&session=<% assertion.session | html %>">Logout (soap binding)</a></p>
+<p><a href="/logout-soap?nameid=<% user_attributes.nameid | html %>&name_qualifier=<% name_qualifier | html %>&sp_name_qualifier=<% sp_name_qualifier | html %>&session=<% user_attributes.session | html %>">Logout (soap binding)</a></p>
    <% end %>
    <% if type == 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST' %>
 <p>Logout (post binding) - Unsupported</p>
    <% end %>
    <% if type == 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact' %>
-<!-- <p><a href="/logout-soap?nameid=<% assertion.nameid | html %>&name_qualifier=<% name_qualifier | html %>&sp_name_qualifier=<% sp_name_qualifier | html %>&session=<% assertion.session | html %>">Logout (soap artifact)</a></p> -->
+<!-- <p><a href="/logout-soap?nameid=<% user_attributes.nameid | html %>&name_qualifier=<% name_qualifier | html %>&sp_name_qualifier=<% sp_name_qualifier | html %>&session=<% user_attributes.session | html %>">Logout (soap artifact)</a></p> -->
 <p>Logout (Artifact binding) - Unsupported</p>
    <% end %>
 
 <% END %>
 
-<p><a href="/logout-local?nameid=<% assertion.nameid | html %>&name_qualifier=<% name_qualifier | html %>&sp_name_qualifier=<% sp_name_qualifier | html %>&session=<% assertion.session | html %>">Logout (local)</a></p>
+<p><a href="/logout-local?nameid=<% user_attributes.nameid | html %>&name_qualifier=<% name_qualifier | html %>&sp_name_qualifier=<% sp_name_qualifier | html %>&session=<% user_attributes.session | html %>">Logout (local)</a></p>
 
 <% if message %>
     <div id="hideMe"><p><% message %></p></div>
@@ -33,30 +33,30 @@
   </tr>
   <tr>
     <td>Issuer</td>
-    <td><% assertion.issuer %></td>
+    <td><% user_attributes.issuer %></td>
   </tr>
   <tr>
     <td>EmailAddress</td>
-    <td><% assertion.attributes.EmailAddress.0 %></td>
+    <td><% user_attributes.EmailAddress %></td>
   </tr>
   <tr>
     <td>FirstName</td>
-    <td><% assertion.attributes.FirstName.0 %><% assertion.attributes.fname.0 %></td>
+    <td><% user_attributes.FirstName %></td>
   </tr>
   <tr>
     <td>LastName</td>
-    <td><% assertion.attributes.LastName.0 %><% assertion.attributes.lname.0 %></td>
+    <td><% user_attributes.LastName %></td>
   </tr>
   <tr>
     <td>Address</td>
-    <td><% assertion.attributes.Address.0 %></td>
+    <td><% user_attributes.Address %></td>
   </tr>
   <tr>
     <td>Phone</td>
-    <td><% assertion.attributes.Phone %></td>
+    <td><% user_attributes.PhoneNumber %></td>
   </tr>
   <tr>
     <td>EmployeeNumber</td>
-    <td><% assertion.attributes.EmployeeNumber %></td>
+    <td><% user_attributes.EmployeeNumber %></td>
   </tr>
 </table>