{"id":19794149,"url":"https://github.com/simplesamlphp/simplesamlphp-module-entitycategories","last_synced_at":"2026-03-11T09:03:04.822Z","repository":{"id":57051326,"uuid":"59204710","full_name":"simplesamlphp/simplesamlphp-module-entitycategories","owner":"simplesamlphp","description":"A SimpleSAMLphp module to create attribute release policies based on entity categories.","archived":false,"fork":false,"pushed_at":"2026-03-08T22:31:12.000Z","size":135,"stargazers_count":5,"open_issues_count":0,"forks_count":4,"subscribers_count":10,"default_branch":"master","last_synced_at":"2026-03-09T03:42:29.543Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"lgpl-2.1","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/simplesamlphp.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2016-05-19T12:34:53.000Z","updated_at":"2026-03-08T22:30:51.000Z","dependencies_parsed_at":"2023-02-02T19:02:07.975Z","dependency_job_id":"9b7632bc-0465-4ba8-a72a-baf97c893e66","html_url":"https://github.com/simplesamlphp/simplesamlphp-module-entitycategories","commit_stats":{"total_commits":64,"total_committers":5,"mean_commits":12.8,"dds":0.40625,"last_synced_commit":"8e31ee66afa76cee92c18a7a538d7a23b75b9371"},"previous_names":[],"tags_count":5,"template":false,"template_full_name":null,"purl":"pkg:github/simplesamlphp/simplesamlphp-module-entitycategories","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/simplesamlphp%2Fsimplesamlphp-module-entitycategories","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/simplesamlphp%2Fsimplesamlphp-module-entitycategories/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/simplesamlphp%2Fsimplesamlphp-module-entitycategories/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/simplesamlphp%2Fsimplesamlphp-module-entitycategories/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/simplesamlphp","download_url":"https://codeload.github.com/simplesamlphp/simplesamlphp-module-entitycategories/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/simplesamlphp%2Fsimplesamlphp-module-entitycategories/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30376782,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-11T06:09:32.197Z","status":"ssl_error","status_checked_at":"2026-03-11T06:09:17.086Z","response_time":84,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-12T07:12:15.183Z","updated_at":"2026-03-11T09:03:04.806Z","avatar_url":"https://github.com/simplesamlphp.png","language":"PHP","funding_links":[],"categories":[],"sub_categories":[],"readme":"![Build Status](https://github.com/simplesamlphp/simplesamlphp-module-entitycategories/actions/workflows/php.yml/badge.svg)\n[![Coverage Status](https://codecov.io/gh/simplesamlphp/simplesamlphp-module-entitycategories/branch/master/graph/badge.svg)](https://codecov.io/gh/simplesamlphp/simplesamlphp-module-entitycategories)\n[![Scrutinizer Code Quality](https://scrutinizer-ci.com/g/simplesamlphp/simplesamlphp-module-entitycategories/badges/quality-score.png?b=master)](https://scrutinizer-ci.com/g/simplesamlphp/simplesamlphp-module-entitycategories/?branch=master)\n[![Type Coverage](https://shepherd.dev/github/simplesamlphp/simplesamlphp-module-entitycategories/coverage.svg)](https://shepherd.dev/github/simplesamlphp/simplesamlphp-module-entitycategories)\n[![Psalm Level](https://shepherd.dev/github/simplesamlphp/simplesamlphp-module-entitycategories/level.svg)](https://shepherd.dev/github/simplesamlphp/simplesamlphp-module-entitycategories)\n\nEntity Categories\n=================\n\nThis is a SimpleSAMLphp module to create attribute release policies based on entity categories. It allows the modification _on the fly_ of the attributes requested by a service (both removing and adding attributes) depending on the entity category or categories that the service is declared to belong to.\n\nPlease note that **this module is not a replacement for the _core:AttributeLimit_ authentication processing filter**. It will only modify the attributes requested by a service, and therefore it should be used together with the aforementioned _core:AttributeLimit_ filter or any other filter that provides a similar functionality.\n\nInstallation\n------------\n\nOnce you have installed SimpleSAMLphp, installing this module is very simple. Just execute the following\ncommand in the root of your SimpleSAMLphp installation:\n\n```shell\ncomposer.phar require simplesamlphp/simplesamlphp-module-entitycategories:dev-master\n```\n\nwhere `dev-master` instructs Composer to install the `master` (**development**) branch from the Git repository. See the [releases](https://github.com/simplesamlphp/simplesamlphp-module-entitycategories/releases) available if you want to use a stable version of the module.\n\nConfiguration\n-------------\n\nNext thing you need to do is to enable the module:\n\nin `config.php`, search for the `module.enable` key and set `entitycategories` to true:\n\n```php\n    'module.enable' =\u003e [ 'authcrypt' =\u003e true, … ],\n```\n\nThis module includes an authentication processing filter that can be configured as any other filter. Please read [the documentation](https://simplesamlphp.org/docs/stable/simplesamlphp-authproc) for more general information about authentication processing filters.\n\nYou can define your own entity categories, and assign the attributes allowed for each of them. It accepts the following boolean configuration options:\n\n* `default` (defaults to `false`): when set to `true` it indicates that the attributes defined for each category should be considered the minimum set for those service providers not specifying any required attributes.\n* `strict` (defaults to `false`): when this option is `true` and the a service provider has none of the listed entity categories, the module will zero out the list of releasable attributes to it. If set to `false`, the releasable attribute list will remain unchanged for non-matching service providers.\n* `allowRequestedAttributes` (defaults to `false`): if set to `true` the list of requested attributes in the SP metadata will be added to the list of allowed attributes in the entity category configuration. If `false`, the attribute requirements from the metadata (ie. RequestedAttributes) are ignored during the attribute release for the service providers that match one of the entity categories.\n\nThe rest of the configuration would be `category =\u003e attributes` pairs, where *category* is the identifier of the entity category, and *attributes* is an array containing a list of attributes allowed for that category.\n\nFor example, to allow all the services in your domain to receive *eduPersonPrincipalName* as an identifier of the user, tag them all with a custom category, and define the following filter:\n```php\n    50 =\u003e [\n        'class' =\u003e 'entitycategories:EntityCategory',\n        'default' =\u003e true,\n        'urn:something:local_service' =\u003e [\n            'eduPersonPrincipalName',\n        ],\n    ],\n```\n\nNow, all the services with the following fragment in their metadata are guaranteed to receive *eduPersonPrincipalName* in case they ask for it or they don't ask for any attributes at all:\n\n```php\n    'EntityAttributes' =\u003e [\n        'http://macedir.org/entity-category' =\u003e [\n            'urn:something:local_service'\n        ],\n    ],\n```\n\nPlease note that if the service asks for other attributes, not including *eduPersonPrincipalName*, **that attribute will not be sent**. If the service asks for some attributes but not *eduPersonPrincipalName*, **no attributes** will be sent. Also remember that this filter must be used together with `core:AttributeLimit` or a similar filter. Therefore, after configuring the `entitycategories:EntityCategory` filter, you should also configure the former:\n\n```php\n    51 =\u003e [\n        'class' =\u003e 'core:AttributeLimit',\n        'default' =\u003e true,\n    ],\n```\n\nThis will deny all attributes by default, but let the configuration of each service to override that limitation. Notice the indexes used for each filter. Filters are evaluated in order based on their indexes, so the filters defined in this module should have a lower index than the one assigned to `core:AttributeLimit`.\n\nNow, if you just want to allow certain attributes to be sent to a service of a specific category, but don't want to send them in case the service doesn't ask for them, skip the `default` configuration option or set it to `false`:\n\n```php\n    50 =\u003e [\n        'class' =\u003e 'entitycategories:EntityCategory',\n        'urn:something:local_service' =\u003e [\n            'eduPersonPrincipalName',\n        ],\n    ],\n```\n\nNow, if a service belonging to the `urn:something:local_service` category requests the *eduPersonPrincipalName* attribute in the `attributes` array on its metadata, it is guaranteed to get it. If it doesn't request it (no matter whether it requests other attributes or not), it won't get it.\n\nThe following example will release the attribute bundle defined in [Research and Scholarship Entity Category](https://refeds.org/category/research-and-scholarship) for SP's having the R\u0026S entity category, but also the released set may be extended by additional attributes. For non-matching SP's, the the release rules are controlled by the metadata.\n\n```php\n    50  =\u003e [\n         'class' =\u003e 'entitycategories:EntityCategory',\n         'default' =\u003e true,\n         'strict' =\u003e false,\n         'allowRequestedAttributes' =\u003e true,\n         'http://refeds.org/category/research-and-scholarship' =\u003e [\n             'urn:oid:2.16.840.1.113730.3.1.241', #displayName\n             'urn:oid:2.5.4.4', #sn\n             'urn:oid:2.5.4.42', #givenName\n             'urn:oid:0.9.2342.19200300.100.1.3', #mail\n             'urn:oid:1.3.6.1.4.1.5923.1.1.1.6', #eduPersonPrincipalName\n             'urn:oid:1.3.6.1.4.1.5923.1.1.1.9', #eduPersonScopedAffiliation\n         ],\n    ],\n```\n\nThe following example implements the following logic:\n\n1. Attributes requested in metadata are released to SP's having the `urn:x-myfederation:entities` and [GÉANT Data Protection Code of Conduct](http://www.geant.net/uri/dataprotection-code-of-conduct/v1) entity categories.\n2. The Research \u0026 Scholarship entity category attribute bundle is released to R\u0026S SP's, but the list of attributes can be extended, if the SP has additional attribute requirements in metadata.\n3. No attributes are released to any other SP's.\n\n```php\n    50  =\u003e [\n         'class' =\u003e 'entitycategories:EntityCategory',\n         'default' =\u003e true,\n         'strict' =\u003e true,\n         'allowRequestedAttributes' =\u003e true,\n         'urn:x-myfederation:entities' =\u003e [],\n         'http://www.geant.net/uri/dataprotection-code-of-conduct/v1' =\u003e [],\n         'http://refeds.org/category/research-and-scholarship' =\u003e [\n             'urn:oid:2.16.840.1.113730.3.1.241', #displayName\n             'urn:oid:2.5.4.4', #sn\n             'urn:oid:2.5.4.42', #givenName\n             'urn:oid:0.9.2342.19200300.100.1.3', #mail\n             'urn:oid:1.3.6.1.4.1.5923.1.1.1.6', #eduPersonPrincipalName\n             'urn:oid:1.3.6.1.4.1.5923.1.1.1.9', #eduPersonScopedAffiliation\n         ],\n    ],\n```\n\nYou may want to release some attributes to SP's based on bilateral agreements rather than metadata. There is a [modified version of core:AttributeLimit](https://github.com/NIIF/simplesamlphp-module-attributelimit) module available that makes it possible to *add* certain attributes to some listed SP's, as presented in the next example:\n\n```php\n    51 =\u003e [\n        'class' =\u003e 'niif:AttributeLimit',\n        'default' =\u003e true,\n        'bilateralSPs' =\u003e [\n            'google.com' =\u003e ['mail'],\n            'urn:federation:MicrosoftOnline' =\u003e ['IDPEmail', 'ImmutableID'],\n         ],\n    ],\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsimplesamlphp%2Fsimplesamlphp-module-entitycategories","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsimplesamlphp%2Fsimplesamlphp-module-entitycategories","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsimplesamlphp%2Fsimplesamlphp-module-entitycategories/lists"}