# SAML
SAML login is enabled by setting the profile in `/config/initializers/devise.rb`. The certificate files for a profile are stored in `/certificates/<profile_name>/` and are named `certificate`, `idp_cert` and `private_key`.
**Certificate**: A (self-signed) certificate used for encryption of the interaction.
**Private Key**: The private key belonging to the certificate.
**IDP Certificate**: The (web) certificate of the identity provider.
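A mismatch between `certificate` and `private_key`, or an expired `idp_cert`, tends to surface only as an opaque login failure. The Ruby check below is an added example written for this page, not code from the project: it verifies that a profile's private key actually belongs to its certificate and that neither certificate is outside its validity period. `make_self_signed` only builds throwaway in-memory stand-ins so the check can be exercised without real profile files; `check_saml_profile_dir` and the file names it reads are assumptions based on the layout described above.

```ruby
require 'openssl'

# Build a throwaway self-signed certificate and its key in memory. These are
# constructed stand-ins for the `certificate` and `private_key` files, used
# only so the checks below can run without real profile files.
def make_self_signed(common_name, days: 365)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer = cert.subject # self-signed
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + days * 86_400
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Check the three PEM strings of one profile. Returns a list of problems;
# an empty list means the material is consistent and currently valid.
def check_saml_profile(certificate_pem, private_key_pem, idp_cert_pem, now: Time.now)
  problems = []
  begin
    cert = OpenSSL::X509::Certificate.new(certificate_pem)
    key = OpenSSL::PKey.read(private_key_pem)
    # A key that does not match the certificate breaks signing and decryption
    # of the SAML exchange without producing a clear error on this side.
    problems << 'private_key does not belong to certificate' unless cert.check_private_key(key)
    problems << 'certificate expired' if cert.not_after < now
  rescue OpenSSL::OpenSSLError => e
    problems << "certificate/private_key unreadable: #{e.message}"
  end
  begin
    idp = OpenSSL::X509::Certificate.new(idp_cert_pem)
    problems << 'idp_cert not yet valid' if idp.not_before > now
    problems << 'idp_cert expired' if idp.not_after < now
  rescue OpenSSL::OpenSSLError => e
    problems << "idp_cert unreadable: #{e.message}"
  end
  problems
end

# Read a profile directory such as /certificates/<profile_name>/ (assumed
# layout: files named certificate, private_key and idp_cert) and check it.
def check_saml_profile_dir(dir)
  read = ->(name) { File.read(File.join(dir, name)) }
  check_saml_profile(read.call('certificate'), read.call('private_key'), read.call('idp_cert'))
end

# Usage: ruby check_saml_profile.rb /certificates/<profile_name>
if __FILE__ == $PROGRAM_NAME && ARGV[0]
  problems = check_saml_profile_dir(ARGV[0])
  puts(problems.empty? ? 'profile OK' : problems.join("\n"))
end
```

Running this against each profile directory after a certificate rotation is a cheap way to catch a key/certificate mix-up before users see a failed login.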
## Attributes
The actual attributes are defined in `/config/attribute-map.yml`. This file maps attributes sent by the IDP to (setter) methods in the code.
For example,

```yaml
'givenName': 'init_first_name'
```

maps the `givenName` attribute from SAML to the `init_first_name=` method on the `User` model.
More specifically, these methods are defined in `/app/models/concerns/user/Initable.rb`. Any attribute whose method is not defined there falls through directly to the corresponding property of the model (as defined in the schema). For example, `email` is not listed in the map because it maps directly to the `email=` method, which exists because the user model has an `email` property.
_NOTE: Please be aware that a method like `netid=` will also be called whenever other code calls `user.netid = ...`. If you want to have specific behavior for when a user is initialized from SAML, use a different method name._
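The mapping and fall-through behaviour described above, together with the point of the note, as an added Ruby example written for this page (not the project's own code): a constructed `attribute-map.yml` is loaded, mapped attributes go to dedicated `init_*` setters, and unmapped attributes such as `email` reach the model's ordinary setter. The `User` class and its `init_*` methods are hypothetical stand-ins for the model and its `Initable` concern; `apply_saml_attributes` is an assumed name.

```ruby
require 'yaml'

# Constructed sample of /config/attribute-map.yml: SAML attribute name on the
# left, setter method on the User model on the right. Not the project's file.
ATTRIBUTE_MAP_YAML = <<~YAML
  'givenName': 'init_first_name'
  'sn': 'init_last_name'
  'uid': 'init_netid'
YAML
ATTRIBUTE_MAP = YAML.safe_load(ATTRIBUTE_MAP_YAML).freeze

# Hypothetical stand-in for the Rails User model together with its Initable
# concern. `email` has no entry in the map, so it is reached through the
# plain `email=` setter the model already has for its email column.
class User
  attr_accessor :email, :first_name, :last_name, :netid

  # Dedicated init_* setters: only the SAML mapping calls these, so code that
  # does `user.netid = ...` elsewhere does not trigger SAML-specific behaviour.
  def init_first_name=(value)
    @first_name = value.to_s.strip
  end

  def init_last_name=(value)
    @last_name = value.to_s.strip
  end

  def init_netid=(value)
    @netid = value.to_s.strip.downcase
  end
end

# Apply the attributes sent by the IDP to a user. A mapped attribute goes to
# the mapped setter; an unmapped one goes to `<name>=` on the model if that
# setter exists. Returns the attribute names that matched no setter at all.
def apply_saml_attributes(user, attributes, map = ATTRIBUTE_MAP)
  ignored = []
  attributes.each do |name, value|
    # SAML attributes are multi-valued; take the first value (assumption).
    value = value.first if value.is_a?(Array)
    setter = "#{map.fetch(name, name)}="
    if user.respond_to?(setter)
      user.public_send(setter, value)
    else
      ignored << name
    end
  end
  ignored
end
```

Because unmapped attribute names fall through to whatever `<name>=` setter the model exposes, the IDP effectively chooses which of those setters get called. Keep setters for sensitive fields (role flags and the like) out of reach of that fall-through, either by naming them so no IDP attribute can match or by limiting the fall-through to an explicit list of columns, and log the ignored names so unexpected attributes from the IDP are visible.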
## Currently used attributes
| Attribute | Meaning | Optional? |
| --------- | ------- | --------- |
| email | Email address | :x: |
| givenName | The first name of the user | :x: |
| tudPrefix | The last name prefix | :large_orange_diamond: |
| sn | Last name | :x: |
| uid | Netid | :x: |
| eduPersonAffiliation | Role (student/employee) | :x: |
| tudStudentNumber | Student number | :heavy_check_mark: |
| nlEduPersonStudyBranch | Study programme | :heavy_check_mark: |
| nlEduPersonOrgUnit | TUD Faculty | :heavy_check_mark: |
| tudOrgDivision | Organisation unit code | :heavy_check_mark: |
## Problems
Email is used as the primary key because of the external login mechanism. However, the email addresses of TU Delft users sometimes change. Such users get a 422 error when attempting to log in.
This can be fixed by updating the row directly in the database (run the matching `SELECT` first to confirm that the `WHERE` clause identifies exactly one user):

```sql
UPDATE users SET email = '...' WHERE first_name = '...' AND last_name = '...';
```