SAML Attribute Handling

I've just successfully got Projeqtor to authenticate against the SAML IdP built into Google G.Suite. I can login to Projeqtor using the organisation's Gmail accounts and a new local Projeqtor user is created if it didn't already exist. All good, except Projeqtor's handling of SAML attributes is a bit too limited for Google. So I am proposing a couple of enhancements for you to consider:

1) Full Name
Projeqtor's "SAML attribute for user full name" setting will only accept a single attribute. Unfortunately G.Suite does not have a single attribute equivalent - it supplies names as separate attributes for First Name and Last Name. It is possible to create a single custom attributes on G.Suite to store the full name, but this adds extra admin complexity and it's not accessible to the user themselves. A better solution would be for Projeqtor to optionally construct its full name from two separate attributes... eg if the single full name attribute setting is empty, then using the First Name and Last Name attribute settings.

2) Login Name
Similarly for Projeqtor's "SAML attribute for user login name", although not so important as I have opted to use the G.Suite email address attribute for this. Ideally I would have liked to have login names in the format "<FirstName>.<LastName>" or maybe "<first-character-of-FirstName><LastName>" ... you get the idea.

3) Security of SAML Signing Files
sp.crt and in particular sp.key should not be accessible to the public via the web server - the readme in folder sso/cert even says "Be sure that this folder never is published". So there really should be a Projeqtor setting to change this to a folder outside the server's docroot. If the underlying libraries don't support this then please consider putting a default "deny all" .htaccess file in there (which I have done, seemingly without breaking anything).


Finally, a big thank you for creating & evolving such a great software tool =)

Great, thanks for the swift attention.