2025-03-04
What SimpleSAMLphp's core:AttributeAlter does with creating new attributes
SimpleSAMLphp is a SAML identity provider (and other stuff). It's of deep interest to us because it's about the only SAML or OIDC IdP I can find that will authenticate users and passwords against LDAP and has a plugin that will do additional full MFA authentication against the university's chosen MFA provider (although you need to use a feature branch). In the process of doing this MFA authentication, we need to extract the university identifier to use for MFA authentication from our local LDAP data. Conveniently, SimpleSAMLphp has a module called core:AttributeAlter (a part of authentication processing filters) that is intended to do this sort of thing. You can give it a source, a pattern, a replacement that includes regular expression group matches, and a target attribute. In the syntax of its examples, this looks like the following:
// the 65 is where this is ordered
65 => [
'class' => 'core:AttributeAlter',
'subject' => 'gecos',
'pattern' => '/^[^,]*,[^,]*,[^,]*,[^,]*,([^,]+)(?:,.*)?$/',
'target' => 'mfaid',
'replacement' => '\\1',
],
If you're an innocent person, you expect that your new 'mfaid' attribute will be undefined (or untouched) if the pattern does not match because the required GECOS field isn't set. This is not in fact what happens, and interested parties can follow along the rest of this in the source.
(All of this is as of SimpleSAMLphp version 2.3.6, the current release as I write this.)
The short version of what happens is that when the target is a
different attribute and the pattern doesn't match, the target will
wind up set but empty. Any previous value is lost. How this happens
(and what happens) starts with that 'attributes' here are actually
arrays of values under the covers (this is '$attributes'). When
core:AttributeAlter has a different target attribute than the source
attribute, it takes all of the source attribute's values, passes
each of them through a regular expression search and replace (using
your replacement), and then gathers up anything that changed and
sets the target attribute to this gathered collection. If the pattern
doesn't match any values of the attribute (in the normal case, a
single value), the array of changed things is empty and your target
attribute is set to an empty PHP array.
(This is implemented with an array_diff() between the results of preg_replace() and the original attribute value array.)
My personal view is that this is somewhere around a bug; if the pattern doesn't match, I expect nothing to happen. However, the existing documentation is ambiguous (and incomplete, as the use of capture groups isn't particularly documented), so it might not be considered a bug by SimpleSAMLphp. Even if it is considered a bug I suspect it's not going to be particularly urgent to fix, since this particular case is unusual (or people would have found it already).
For my situation, perhaps what I want to do is to write some PHP code to do this extraction operation by hand, through core:PHP. It would be straightforward to extract the necessary GECOS field (or otherwise obtain the ID we need) in PHP, without fooling around with weird pattern matching and module behavior.
(Since I just looked it up, I believe that in the PHP code that core:PHP runs for you, you can use a PHP 'return' to stop without errors but without changing anything. This is relevant in my case since not all GECOS entries have the necessary information.)