Merge branch 'release-2.5'

rciam · May 16, 2022 · a8be927 · a8be927
2 parents 50ff4cf + 30f25d5
commit a8be927
Show file tree

Hide file tree

Showing 3 changed files with 39 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [v2.5.0] - 2022-05-16
+
+# Added
+
+- Redirect users to Community Sign-up flow based on IdP tag in metadata
+
 ## [v2.4.1] - 2022-04-28
 
 ### Fixed

diff --git a/README.md b/README.md
@@ -75,6 +75,7 @@ The following authproc filter configuration options are supported:
     * `blacklist`: An array of strings that contains the SPs that the module will skip to process. Defaults to `array()`.
     * `voWhitelist`: An array of strings that contains VOs (COUs) for which the module will generate entitlements. Defaults to `null`. If `null`, the voWhitelist check is skipped.
     * `communityIdps`: An array of strings that contains the Entity Ids of trusted communities. Defaults to `array()`.
+    * `communityIdpTags`: An array of strings that contains tags, indicating that every Idp having at least one of them is considered as community. Defaults to `array('community')`.
     * `urnLegacy`: A boolean value for controlling whether to generate `eduPersonEntitlement` URN values using the legacy syntax. Defaults to `false`.
     * `certificate`: A boolean value for controlling whether to fetch `Certificates` from User's Profile. Defaults to `false`.
     * `retrieveSshKeys`: A boolean value for controlling whether to retrieve SSH keys from User's Profile. Defaults to `false`.
@@ -103,6 +104,9 @@ Note: In case you need to change the format of the entitlements you need to modi
             'communityIdps' => [
                'https://example1.com/idp',
             ],
+            'communityIdpTags' => [
+               'community',
+            ],
             'voRoles' => [
                 'member',
                 'faculty',

diff --git a/lib/Auth/Process/COmanageDbClient.php b/lib/Auth/Process/COmanageDbClient.php
@@ -24,6 +24,9 @@
  *            'communityIdps' => [
  *               'https://example1.com/idp',
  *            ],
+ *            'communityIdpTags' => [
+ *                'community',
+ *            ],
  *            'voRoles' => [
  *               'member',
  *               'faculty',
@@ -70,6 +73,7 @@
 use SimpleSAML\XHTML\Template;
 use SimpleSAML\Utils\HTTP;
 use SimpleSAML\Database;
+use SimpleSAML\Metadata\MetaDataStorageHandler;
 use SimpleSAML\Module\attrauthcomanage\Attributes;
 use SimpleSAML\Module\attrauthcomanage\Enrollment;
 use SimpleSAML\Module\attrauthcomanage\User;
@@ -99,6 +103,7 @@ class COmanageDbClient extends \SimpleSAML\Auth\ProcessingFilter
     private $retrieveAUP = false;
     private $registryUrls = [];
     private $communityIdps = [];
+    private $communityIdpTags = ['community'];
     private $mergeEntitlements = false;
     private $voGroupPrefix = [];
     // If true, this filter will also generate entitlements using the
@@ -382,7 +387,9 @@ public function process(&$state)
                 // Check if community signup is required
                 if (
                     !empty($state['saml:AuthenticatingAuthority'])
-                    && in_array(end($state['saml:AuthenticatingAuthority']), $this->communityIdps, true)
+                    && (in_array(end($state['saml:AuthenticatingAuthority']), $this->communityIdps, true)
+                        || !empty(array_intersect($this->getIdPTags($this->getIdPMetadata($state)), $this->communityIdpTags))
+                       )
                 ) {
                     // Redirect to community signup flow with all
                     // attributes available including affiliation
@@ -1730,6 +1737,7 @@ private function validateConfigParamRules() {
                 'blacklist' => 'is_array',
                 'voWhitelist' => 'is_array',
                 'communityIdps' => 'is_array',
+                'communityIdpTags' => 'is_array',
                 'voGroupPrefix' => 'is_array',
                 'coUserIdType' => 'is_string',
                 'userIdAttribute' => 'is_string',
@@ -1779,4 +1787,24 @@ private function showNoty($args, $state)
         HTTP::redirectTrustedURL($url, ['StateId' => $id]);
     }
 
+    private function getIdPMetadata($state)
+    {
+        // If the module is active on a bridge,
+        // $request['saml:sp:IdP'] will contain an entry id for the remote IdP.
+        if (!empty($state['saml:sp:IdP'])) {
+            $idpEntityId = $state['saml:sp:IdP'];
+            return MetaDataStorageHandler::getMetadataHandler()->getMetaData($idpEntityId, 'saml20-idp-remote');
+        } else {
+            return $state['Source'];
+        }
+    }
+
+    private function getIdPTags($idpMetadata)
+    {
+        if (!empty($idpMetadata['tags'])) {
+            return $idpMetadata['tags'];
+        }
+
+        return [];
+    }
 }