No edit summary |
No edit summary |
||
| (2 intermediate revisions by one other user not shown) | |||
| Line 10: | Line 10: | ||
Mapping and filtering controls what attributes are included in the SAML assertion and what their name is. This is most easily seen in the MELLON environment variables. | Mapping and filtering controls what attributes are included in the SAML assertion and what their name is. This is most easily seen in the MELLON environment variables. | ||
If you haven't already, configure your SP to manage /cgi-bin and create printenv.pl like we do in the info plugin test | If you haven't already, configure your SP to manage /cgi-bin and create printenv.pl like we do in the [[QA:Testcase_ipsilonv1_sssd_info|info plugin test]] | ||
Restart Apache | Restart Apache | ||
| Line 20: | Line 20: | ||
Log into the idp as the admin user, https://idp.example.com/idp/ | Log into the idp as the admin user, https://idp.example.com/idp/ | ||
Select Administration -> Identity Providers -> saml2 | Select Administration -> Identity Providers -> saml2 -> Configure | ||
Scroll to the bottom of the screen to see the configuration for default attribute mapping and default attributes. | Scroll to the bottom of the screen to see the configuration for default attribute mapping and default allowed attributes. | ||
By default every attribute is passed as-is and every attribute is allowed. | By default every attribute is passed as-is and every attribute is allowed. | ||
| Line 34: | Line 34: | ||
Then click Save at the bottom of the form. | Then click Save at the bottom of the form. | ||
Now go to https://sp.example.com/cgi-bin/printenv.pl | Now go to https://sp.example.com/cgi-bin/printenv.pl We're already logged in as admin. Look for: | ||
MELLON_namefull=Administrator | MELLON_namefull=Administrator | ||
You'll notice that MELLON_fullname is included. | You'll notice that MELLON_fullname is included as well (plus a few other MELLON variables, that's ok). | ||
==== Filter out fullname | ==== Filter out fullname ==== | ||
Ok, so if we're mapping we probably don't want the old name included so let's drop it. | Ok, so if we're mapping we probably don't want the old name included so let's drop it. | ||
Right now filtering is a white-list defaulting to everything. Since we're dropping fullname we will need to specify everything we want to see. | Right now filtering is a white-list defaulting to everything. Since we're dropping fullname we will need to specify everything we want to see. | ||
Go back to the IDP page, Administration -> Identity Providers -> saml2 -> Configure and scroll down to the very bottom. W're going to change '''default allowed attributes''' | |||
Start by changing * to namefull | Start by changing * to namefull | ||
| Line 51: | Line 54: | ||
givenname | givenname | ||
surname | surname | ||
Click Save | |||
Now select admin -> Logout | Now select admin -> Logout | ||
The ttest user has a lot more interesting attributes than the admin user. | |||
Go to the SP and log in as ttest, https://sp.example.com/cgi-bin/printenv.pl | Go to the SP and log in as ttest, https://sp.example.com/cgi-bin/printenv.pl | ||
You should see the MELLON variables for namefull, givenname and surname. | You should see the only MELLON variables for IDP, NAME_ID, namefull, givenname and surname. | ||
Let's add the rest now. Go to https://idp.example.com/idp and log out as ttest and log back in as admin. | Let's add the rest now. Go back to https://idp.example.com/idp and log out as ttest and log back in as admin. | ||
Now go back to Administration -> Identity Providers -> saml2 -> Configure | Now go back to Administration -> Identity Providers -> saml2 -> Configure | ||
Scroll back to the bottom and add a few more default allowed attributes: | Scroll back to the bottom and add a few more default allowed attributes (by clicking on the +): | ||
street | street | ||
| Line 68: | Line 75: | ||
email | email | ||
Select admin-> Logout | Click Save | ||
Select in the upper right admin-> Logout | |||
Go back to https://sp.example.com/cgi-bin/printenv.pl and authenticate as ttest | Go back to https://sp.example.com/cgi-bin/printenv.pl and authenticate as ttest | ||
You should now see the full list of | You should now see the full list of MELLON variables (IDP, NAME, email, givenname, namefull, sate, street, surname) again with the exception of fullname which we implicitly excluded (not in the white list). | ||
|results= | |results= | ||
Latest revision as of 03:55, 12 March 2015
Description
Attribute Map and Filtering testing.
Setup
- You need an IPD and one SP for this test
How to test
Configuration
Mapping and filtering controls what attributes are included in the SAML assertion and what their name is. This is most easily seen in the MELLON environment variables.
If you haven't already, configure your SP to manage /cgi-bin and create printenv.pl like we do in the info plugin test
Restart Apache
# systemctl restart httpd
Configure mapping and filtering
Log into the idp as the admin user, https://idp.example.com/idp/
Select Administration -> Identity Providers -> saml2 -> Configure
Scroll to the bottom of the screen to see the configuration for default attribute mapping and default allowed attributes.
By default every attribute is passed as-is and every attribute is allowed.
Change fullname to namefull
The first test is to simply rename an attribute. Under default attribute mapping click on the + to add a new rule and add:
fullname namefull
Then click Save at the bottom of the form.
Now go to https://sp.example.com/cgi-bin/printenv.pl We're already logged in as admin. Look for:
MELLON_namefull=Administrator
You'll notice that MELLON_fullname is included as well (plus a few other MELLON variables, that's ok).
Filter out fullname
Ok, so if we're mapping we probably don't want the old name included so let's drop it.
Right now filtering is a white-list defaulting to everything. Since we're dropping fullname we will need to specify everything we want to see.
Go back to the IDP page, Administration -> Identity Providers -> saml2 -> Configure and scroll down to the very bottom. W're going to change default allowed attributes
Start by changing * to namefull
Then for each of these attributes click + to add it:
givenname surname
Click Save
Now select admin -> Logout
The ttest user has a lot more interesting attributes than the admin user.
Go to the SP and log in as ttest, https://sp.example.com/cgi-bin/printenv.pl
You should see the only MELLON variables for IDP, NAME_ID, namefull, givenname and surname.
Let's add the rest now. Go back to https://idp.example.com/idp and log out as ttest and log back in as admin.
Now go back to Administration -> Identity Providers -> saml2 -> Configure
Scroll back to the bottom and add a few more default allowed attributes (by clicking on the +):
street state email
Click Save
Select in the upper right admin-> Logout
Go back to https://sp.example.com/cgi-bin/printenv.pl and authenticate as ttest
You should now see the full list of MELLON variables (IDP, NAME, email, givenname, namefull, sate, street, surname) again with the exception of fullname which we implicitly excluded (not in the white list).
Expected Results
All the test steps should end with the specified results.