Inject further assertions

[gawpertron]

In the Service Provider's \LightSaml\Builder\Action\Profile\SingleSignOn\Sp\SsoSpSendAuthnRequestActionBuilder there is an opportunity to attach a listener that can manipulate the Profile Context or Outbound Message before the message is signed or encrypted.

However in the Identity Provider's
\LightSaml\Idp\Builder\Action\Profile\SingleSignOn\Idp\SsoIdpAssertionActionBuilder there is no such like dispatch event handler before the Outbound Message is signed or encrypted.

Is there an alternate way of adding Assertions to the LoginResponse before signing and encryption?

[gawpertron]

I may have answered my own question: Looks like this could be done by adding a callback factory for \LightSaml\Bridge\Pimple\Container\ProviderContainer::ATTRIBUTE_VALUE_PROVIDER container service. there is an example in lightsaml/lightsaml-idp/web/idp/_config.php in IdpConfig::buildProviderContext()

[tmilos]

Don't know what \Dms\Saml\* is.

In LightSAML if you want to manipulate outgoing message before the signing or encryption, you should add a custom action to the action builder with according priority, for example

$builder = new \LightSaml\Idp\Builder\Action\Profile\SingleSignOn\Idp\SsoIdpAssertionActionBuilder($buildContainer);
$builder->add(new MyCustomAction(), 120);
$action = $builder->build();

Though, priorities in https://github.com/lightSAML/lightSAML-IDP/blob/master/src/LightSaml/Idp/Builder/Action/Profile/SingleSignOn/Idp/SsoIdpAssertionActionBuilder.php#L83 are not distributed and spaced well, so atm you won't quite be able to do that. A fix would require each action in the builder to get a priority with some spacing from before, so others like you can inject custom actions in between.

[tmilos]

Attribute value provider is used to provide attributes that will be put in the assertion.
Note that you don't have to use pimple, it was added to the lib just as one of possible implementations. There's also lightSAML/SymfonyBridgeBundle which implements Symfony DPI container.

[gawpertron]

Ah, I didn't notice that you could add Actions at different priorities, that's useful to know for the future.

I have mutiple ZF2/3 projects that I've managed to create wrappers and proxy classes to use the existing examples and profiles. Not ideal, if I had more time I would port the models to use the native ZF2 Service Manager, Event Manager, Session Containers and Request/Response.