#Hub & Spoke utilities for SimpleSAMLphp

##TargetedID

A flexible way for generate one or more values for the eduPersonTargetedId attribute.

hubandspoke:TargetedID is an Authentication Processing Filter for SimpleSAMLphp, based on core:TargetedID by Olav Morken, UNINETT AS.

This filter generates one or more values for the eduPersonTargetedID attribute, using:

• an attribute identifying the authenticated user
• (optionally) a value identifying the SP requesting authentication
• (optionally) a value identifying the IdP
• (optionally) a fixed random value for salting the result
• a hash algorithm

Configuration allows:

• set alternative attributes (in order of preference) to identify the user
• set alternative attributes (in order of preference) to identify the target
• set alternative attributes (in order of preference) to identify the IdP
• transform the target identifier
• filter SP and/or users (send a value only for matching entities)

Read the docs to see all the options.

###Configuration samples

• eduPersonTargetedId with one unique standard value:

    'authproc' => array(
        50 => 'hubandspoke:TargetedID',
    ),

sha256(userID + '@@' + targetID + '@@' + sourceID)

• eduPersonTargetedId obfuscated with a salt:

    'authproc' => array(
        50 => array(
            'class' => 'hubandspoke:TargetedID',
            'salt'  => 'randomString',
        ),
    ),

sha256(salt + '@@' + userID + '@@' + targetID + '@@' + sourceID + '@@' + salt)

• eduPersonTargetedId with a different formula:

    'authproc' => array(
        50 => array(
            'class'  => 'hubandspoke:TargetedID',
            'userID' => 'Attributes/mail',
            'fields' => array('salt', 'userID', 'targetID'),
            'salt'   => 'randomString',
        ),
    ),

sha256(salt + '@@' + mail + '@@' + targetID)

• eduPersonTargetedId with two values:

    'authproc' => array(
        50 => array(
            'class'  => 'hubandspoke:TargetedID',
            'salt'   => 'randomString',
            'values' => array(
                'new' => array(
                    'fieldSeparator' => '//',
                ),
                'old' => array(
                    'hashFunction' => 'md5',
                    'fields'       => array('userID'),
                ),
            ),
        ),
    ),

sha256(salt + '//' + userID + '//' + targetID + '//' + sourceID + '//' + salt)
md5(userID)

• eduPersonTargetedId with two values prefixed:
  • one of them only for a specific SP (http://*.example.com)
  • the other one for all SP, but considering the same SP all URL https://*.blogs.example.com (same eduPersonTargetedId)

    'authproc' => array(
        50 => array(
            'class'  => 'hubandspoke:TargetedID',
            'salt'   => 'randomString',
            'values' => array(
                'new' => array(
                    'prefix'          => '{new}',
                    'targetTransform' => array(
                        '#^(https?://)[^./]+\.(blogs\.example\.com)(/|$).*$#' => '$1$2/',
                    ),
                ),
                'old' => array(
                    'prefix'       => '{old}',
                    'hashFunction' => 'md5',
                    'userID'       => array('Attributes/mail', 'UserID'),
                    'fields'       => 'userID',
                    'ifTarget'     => '#^https?://([^./]+\.)*example\.com(/|$)#',
                ),
            ),
        ),
    ),

'{new}' + sha256(salt + '@@' + userID + '@@' + targetID* + '@@' + sourceID + '@@' + salt)
'{old}' + md5(userID) 						  only for *.example.com