Merge pull request #5 from simplesamlphp/bugfix/use-last-authenticatingauthority

thijskh · web-flow · commit 57c3d54513b9 · 2023-10-30T12:07:40.000+01:00
When multiple AuthenticatingAuthority elements are present, use the last
diff --git a/docs/smartattributes.md b/docs/smartattributes.md
@@ -4,28 +4,26 @@ SmartAttributes module
 The SmartAttributes module provides authentication processing filters to add attributes.
 The logic in this filter exceeds what is possible with the standard filters such, as [`core:AttributeAdd`], [`core:AttributeAlter`], and [`core:AttributeMap`].
 
-
-
 `smartattributes:SmartID`
-=========================
+-------------------------
 
 A filter to add an identifier attribute, based on the first non-empty attribute from a given list of attribute names.
 This is useful when there are multiple SAML IdPs configured, and there is no common identifier among them.
 For example some IdPs send eduPersonPrincipalName, while others send eduPersonTargetedID. If any of the social networks are configured as an authsource, they will send yet another identifier.
 The filter has the following configuration options:
 
 * `candidates`. An array of attributes names to consider as the identifier attribute. Defaults to:
-	* eduPersonTargetedID
-	* eduPersonPrincipalName
-	* pairwise-id
-	* subject-id
-	* openid
-	* facebook_targetedID
-	* twitter_targetedID
-	* windowslive_targetedID
-	* linkedin_targetedID
+  * eduPersonTargetedID
+  * eduPersonPrincipalName
+  * pairwise-id
+  * subject-id
+  * openid
+  * facebook_targetedID
+  * twitter_targetedID
+  * windowslive_targetedID
+  * linkedin_targetedID
 * `id_attribute`. A string to use as the name of the newly added attribute. Defaults to `smart_id`.
-* `add_authority`. A boolean to indicate whether or not to append the SAML AuthenticatingAuthority to the resulting identifier. This can be useful to indicate what SAML IdP was used, in case the original identifier is not scoped. Defaults to `TRUE`.
+* `add_authority`. A boolean to indicate whether or not to append the SAML AuthenticatingAuthority to the resulting identifier. This can be useful to indicate what SAML IdP was used, in case the original identifier is not scoped. When multiple values are in the AuthenticatingAuthority element, the last (closest to us) will be used. Defaults to `TRUE`.
 * `add_candidate`. A boolean to indicate whether or not to prepend the candidate attribute name to the resulting identifier. This can be useful to indicate the attribute originating the identifier. Defaults to `TRUE`.
 * `fail_if_empty`. A boolean to indicate whether this module reports a failure if no suitable identifier attribute could be found. Set this to `FALSE` if a missing identifier attribute should be handled at a later step in the AuthProc filter queue. Defaults to `TRUE`.
 
@@ -42,43 +40,48 @@ Examples
 
 Without any configuration:
 
-	'authproc' => array(
-		50 => array(
-			'class' => 'smartattributes:SmartID'
-		),
-	),
-
+```php
+'authproc' => [
+    50 => [
+        'class' => 'smartattributes:SmartID'
+    ],
+],
+```
 
 This will add an attribute called `smart_id` with a value looking like, for example:
 
 `eduPersonTargetedID:c4bcbe7ca8eac074f65291fd5524caa88f3115c8!https://login.terena.org/idp/saml2/idp/metadata.php`
 
 Custom configuration:
 
-	'authproc' => array(
-		50 => array(
-			'class' => 'smartattributes:SmartID',
-			'candidates' => array('eduPersonTargetedID', 'eduPersonPrincipalName'),
-			'id_attribute' => 'FooUniversityLocalID',
-			'add_authority' => FALSE,
-		),
-	),
+```php
+'authproc' => [
+    50 => [
+        'class' => 'smartattributes:SmartID',
+        'candidates' => ['eduPersonTargetedID', 'eduPersonPrincipalName'],
+        'id_attribute' => 'FooUniversityLocalID',
+        'add_authority' => FALSE,
+    ],
+],
+```
 
 This will add an attribute called `FooUniversityLocalID` with a value like:
 
 `eduPersonTargetedID:c4bcbe7ca8eac074f65291fd5524caa88f3115c8`
 
 If you also want to remove the name of the originating attribute, you could configure it like this:
 
-	'authproc' => array(
-		50 => array(
-			'class' => 'smartattributes:SmartID',
-			'candidates' => array('eduPersonTargetedID', 'eduPersonPrincipalName'),
-			'id_attribute' => 'FooUniversityLocalID',
-			'add_authority' => FALSE,
-			'add_candidate' => FALSE,
-		),
-	),
+```php
+'authproc' => [
+    50 => [
+        'class' => 'smartattributes:SmartID',
+        'candidates' => ['eduPersonTargetedID', 'eduPersonPrincipalName'],
+        'id_attribute' => 'FooUniversityLocalID',
+        'add_authority' => FALSE,
+        'add_candidate' => FALSE,
+    ],
+],
+```
 
 Resulting in:
 
diff --git a/src/Auth/Process/SmartID.php b/src/Auth/Process/SmartID.php
@@ -117,9 +117,10 @@ private function addID(array $attributes, array $request): string
         $state = $request['saml:sp:State'];
         foreach ($this->candidates as $idCandidate) {
             if (isset($attributes[$idCandidate][0])) {
-                if (($this->add_authority) && (isset($state['saml:AuthenticatingAuthority'][0]))) {
+                if ($this->add_authority && count($state['saml:AuthenticatingAuthority']) > 0) {
+                    $authority = end($state['saml:AuthenticatingAuthority']);
                     return ($this->add_candidate ? $idCandidate . ':' : '') . $attributes[$idCandidate][0] . '!' .
-                        $state['saml:AuthenticatingAuthority'][0];
+                        $authority;
                 } else {
                     return ($this->add_candidate ? $idCandidate . ':' : '') . $attributes[$idCandidate][0];
                 }
