From 5ca06302bc4c9a1563c74ae6594781b7767d654f Mon Sep 17 00:00:00 2001
From: John Hsu
Date: Sun, 21 Jul 2024 20:36:25 -0700
Subject: [PATCH] FIX puid not being stored in cwl data

The OID used for the puid was wrong. So I've set it to the right one. I've also updated the dev IDP so that it'll send out the puid attribute on that OID. I've also changed the eduPersonAffiliation to values that I see in staging. I noticed that the dev IDP doesn't have the SP metadata checked in, so I've added it in. Also noticed that nodeservices is probably very outdated, although it still seems to work. Added comments that it might not be necessary in the next LTS due to deprecations. Couldn't get it to work in dev, but seems to be working in prod.
---
 LocalSettings.php | 5 ++--
 docker-compose.yml | 3 ++
 .../simplesamlphp/idp/config/authsources.php | 14 ++++-----
 .../idp/metadata/saml20-sp-remote.php | 30 +++++++++++++++++++
 4 files changed, 42 insertions(+), 10 deletions(-)
 create mode 100644 docker/simplesamlphp/idp/metadata/saml20-sp-remote.php

diff --git a/LocalSettings.php b/LocalSettings.php
index 1786c13..241683b 100644
--- a/LocalSettings.php
+++ b/LocalSettings.php
@@ -643,9 +643,8 @@ function loadenv($envName, $default = "") {
 # UBCAuth required attributes:
 # eduPersonAffiliation, an array of (staff, student, faculty, etc)
 'eduPersonAffiliationAttribute' => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.1',
- # non-standard attributes, uncertain OIDs
- # ubc's puid
- 'puidAttribute' => 'ubcEduCwlPuid',
+ # ubc's puid, non-standard attribute/OID
+ 'puidAttribute' => 'urn:mace:dir:attribute-def:ubcEduCwlPuid',
 ]
 ];
diff --git a/docker-compose.yml b/docker-compose.yml
index f869b4d..960d0de 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
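Review bot: The new `puidAttribute` line fixes the name of the attribute the wiki stores as the CWL identity key, but the commit message says logins kept working while the old name matched nothing, which suggests UBCAuth does not fail closed when this "required" attribute is absent — worth confirming that a missing puid aborts login rather than creating or matching an account on a mutable attribute such as uid or mail. The comment on the added line also calls the value an OID; `urn:mace:dir:attribute-def:ubcEduCwlPuid` is a MACE attribute-definition URN, unlike the `urn:oid:` value used for `eduPersonAffiliationAttribute` just above it, and it must match the attribute Name the production CWL IdP emits byte-for-byte. Because the dev IdP fixture in this same commit was edited to match this value rather than the other way round, the docker setup no longer independently checks it, so I would record the provenance on the line: `# ubc's puid (CWL identity key): non-standard MACE URN, not an OID — verified against staging 2024-07; the dev IdP in docker/simplesamlphp mirrors this name`. The configuration array this entry belongs to begins outside the hunk.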
@@ -159,6 +159,9 @@ services:
 # - MEDIAWIKI_API_URL=http://web/w/api.php
 # - PARSOID_DOMAIN=localhost
 # - PARSOID_URL=http://parsoid:8000
+# parsoid is now integrated into mediawiki since 1.35
+# restbase is being deprecated
+# TODO: we might not need nodeservices anymore in the next lts
 nodeservices:
 image: ubcctlt/mediawiki-node-services
 ports:
diff --git a/docker/simplesamlphp/idp/config/authsources.php b/docker/simplesamlphp/idp/config/authsources.php
index 3d31e21..48c21d3 100644
--- a/docker/simplesamlphp/idp/config/authsources.php
+++ b/docker/simplesamlphp/idp/config/authsources.php
@@ -100,30 +100,30 @@
 'student01:student01' => [
 'uid' => ['student01'],
 'displayName' => 'Student 01',
- 'ubcEduCwlPuid' => 'PUIDST01',
- 'eduPersonAffiliation' => ['member', 'student'],
+ 'urn:mace:dir:attribute-def:ubcEduCwlPuid' => 'PUIDST01',
+ 'eduPersonAffiliation' => ['student'],
 'mail' => 'student01@example.edu'
 ],
 'instructor01:instructor01' => [
 'uid' => ['instructor01'],
 'displayName' => 'Instructor 01',
- 'ubcEduCwlPuid' => 'PUIDIN01',
+ 'urn:mace:dir:attribute-def:ubcEduCwlPuid' => 'PUIDIN01',
 'alt' => '51092d7f-2f38-4a91-bfb0-13a021c02df3',
- 'eduPersonAffiliation' => ['member', 'student'],
+ 'eduPersonAffiliation' => ['faculty', 'student'],
 'mail' => 'instructor01@example.edu'
 ],
 'employee:employeepass' => [
 'uid' => ['employee'],
 'displayName' => 'Employee 00',
- 'ubcEduCwlPuid' => 'PUIDEM00',
- 'eduPersonAffiliation' => ['member', 'employee'],
+ 'urn:mace:dir:attribute-def:ubcEduCwlPuid' => 'PUIDEM00',
+ 'eduPersonAffiliation' => ['staff', 'alumni'],
 'mail' => 'employee@example.edu'
 ],
 # intended to simulate a basic CWL account
 'blockme01:blockme01' => [
 'uid' => ['blockme01'],
 'displayName' => 'Block Me01',
- 'ubcEduCwlPuid' => 'PUIDBM01',
+ 'urn:mace:dir:attribute-def:ubcEduCwlPuid' => 'PUIDBM01',
 'eduPersonAffiliation' => [],
 'mail' => 'blockme01@example.edu'
 ],
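Review bot: The `image: ubcctlt/mediawiki-node-services` line directly under the new comments carries no tag or digest, so every pull resolves the mutable `latest` of an image the commit itself describes as probably very outdated and possibly unnecessary. If the service stays for this LTS, pin it, e.g. `image: ubcctlt/mediawiki-node-services:<tag>@sha256:<digest>`, so a later push to that repository cannot silently change what the wiki talks to; if it goes, remove the whole service including its `ports:` block rather than leaving an unpinned, exposed container behind a TODO. The published port values are outside the hunk, so I cannot tell what is actually exposed.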
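Review bot: The fixtures now mix two naming schemes for attribute keys — `eduPersonAffiliation` by its short name, which LocalSettings.php expects under `urn:oid:1.3.6.1.4.1.5923.1.1.1.1`, and the puid under its full `urn:mace:dir:attribute-def:` URN — so something outside this hunk (presumably a name-to-OID attribute map in the IdP's authproc chain) translates the short names and passes the unmapped URN through unchanged. That dependency is invisible here; a comment above the first account such as `# short-named attributes are mapped to OIDs by the IdP's authproc; the puid is keyed by its full URN because it has no map entry — do not shorten it` would stop the next person from "normalising" the key and silently dropping the puid again. Separately, `member` no longer appears in any fixture, so if UBCAuth's blocking of basic CWL accounts is keyed on affiliation values that path is now exercised only by `blockme01`'s empty array; if staging emits `member` for basic accounts, add a fixture with exactly `['member']`. The authsource array these accounts belong to begins and ends outside the hunk.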
diff --git a/docker/simplesamlphp/idp/metadata/saml20-sp-remote.php b/docker/simplesamlphp/idp/metadata/saml20-sp-remote.php
new file mode 100644
index 0000000..0106a05
--- /dev/null
+++ b/docker/simplesamlphp/idp/metadata/saml20-sp-remote.php
@@ -0,0 +1,30 @@
+ [
+ [
+ 'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
+ 'Location' => 'http://wiki.docker:8080/_saml2/module.php/saml/sp/saml2-logout.php/wiki-sp',
+ ],
+ ],
+ 'AssertionConsumerService' => [
+ [
+ 'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
+ 'Location' => 'http://wiki.docker:8080/_saml2/module.php/saml/sp/saml2-acs.php/wiki-sp',
+ 'index' => 0,
+ ],
+ [
+ 'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact',
+ 'Location' => 'http://wiki.docker:8080/_saml2/module.php/saml/sp/saml2-acs.php/wiki-sp',
+ 'index' => 1,
+ ],
+ ],
+ 'contacts' => [
+ [
+ 'emailAddress' => 'lt.hub@ubc.ca',
+ 'givenName' => 'UBC LT Hub',
+ 'contactType' => 'technical',
+ ],
+ ],
+ 'certData' => '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',
+];
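Review bot: The new SP entry supplies `certData` but nothing that requires the SP's messages to be signed; in SimpleSAMLphp's saml20-sp-remote metadata the SP certificate is, as I read the reference, only enforced when `'validate.authnrequest' => true,` and `'validate.logout' => true,` are also set, otherwise unsigned AuthnRequests and LogoutRequests naming this entityID are accepted. For a docker-only IdP that is a tolerable gap, but it should be deliberate: either add those two keys (which requires the wiki SP to sign its requests, i.e. `sign.authnrequest` on the SP side) or add a comment stating that this IdP accepts unsigned requests by design. The endpoints are plain `http://wiki.docker:8080` URLs, which is fine on the compose network but worth a `// dev-only: cleartext endpoints, never reuse this entry outside docker` comment at the top of the file. Note that the rendering has lost the first lines of the file (the `<?php` line and the `$metadata[...]` entityID key) and the `certData` value is redacted, so I could not check the entityID or the certificate.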