From Fedora Project Wiki

Revision as of 19:09, 11 March 2015 by Rcritten (talk | contribs)

Description

Attribute Map and Filtering testing.

Setup

  1. You need an IPD and one SP for this test

How to test

Configuration

Mapping and filtering controls what attributes are included in the SAML assertion and what their name is. This is most easily seen in the MELLON environment variables.

If you haven't already, configure your SP to manage /cgi-bin and create printenv.pl like we do in the info plugin test <insert link here>

Restart Apache

# systemctl restart httpd

Configure mapping and filtering

Log into the idp as the admin user, https://idp.example.com/idp/

Select Administration -> Identity Providers -> saml2

Scroll to the bottom of the screen to see the configuration for default attribute mapping and default attributes.

By default every attribute is passed as-is and every attribute is allowed.

Change fullname to namefull

The first test is to simply rename an attribute. Under default attribute mapping click on the + to add a new rule and add:

fullname                 namefull

Then click Save at the bottom of the form.

Now go to https://sp.example.com/cgi-bin/printenv.pl and look for:

MELLON_namefull=Administrator

You'll notice that MELLON_fullname is included.

Filter out fullname =

Ok, so if we're mapping we probably don't want the old name included so let's drop it.

Right now filtering is a white-list defaulting to everything. Since we're dropping fullname we will need to specify everything we want to see.

Start by changing * to namefull

Then for each of these attributes click + to add it:

givenname
surname

Now select admin -> Logout

Go to the SP and log in as ttest, https://sp.example.com/cgi-bin/printenv.pl

You should see the MELLON variables for namefull, givenname and surname.

Let's add the rest now. Go to https://idp.example.com/idp and log out as ttest and log back in as admin.

Now go back to Administration -> Identity Providers -> saml2 -> Configure

Scroll back to the bottom and add a few more default allowed attributes:

street
state
email

Select admin-> Logout

Go back to https://sp.example.com/cgi-bin/printenv.pl and authenticate as ttest

You should now see the full list of info variables again with the exception of fullname which we implicitly excluded (not in the white list).

Expected Results

All the test steps should end with the specified results.