SAML request attributes in AuthnRequest

I understand how basic SAML authentication should work:

User requests a resource at the SP
SP sends an auth request to the IdP
IdP authenticates the user and sends back some userId
SP sends an attribute request to the IdP for more information using that userId
IdP sends the attributes back
SP provides the user with the resource

My question: can you somehow get around the AttributeQuery? When I make a SAML 2.0 request to my Gluu / Shibboleth server, I get back givenName (first name) and sn (last name). Is there any way I can request the user's inum and email using only the AuthnRequest?

My query is pretty simple:

 <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                     xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                     ID="MyPrefix1457456412304"
                     Version="2.0"
                     IssueInstant="2016-03-08T17:00:12Z"
                     ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
   <saml:Issuer>me.com</saml:Issuer>
 </samlp:AuthnRequest>

The response I get back looks something like this:

 <?xml version="1.0" encoding="UTF-8"?>
 <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                  ID="_bff09cf745ea5722aac3f3ec57c0ecf3"
                  IssueInstant="2016-03-08T17:01:06.140Z"
                  Version="2.0">
   <saml2:Issuer ....
   <saml2:AttributeStatement>
     <saml2:Attribute FriendlyName="sn" Name="urn:oid:2.5.4.4"
                      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
       <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                             xsi:type="xs:string">User</saml2:AttributeValue>
     </saml2:Attribute>
     <saml2:Attribute FriendlyName="givenName" Name="urn:oid:2.5.4.42"
                      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
       <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                             xsi:type="xs:string">Admin</saml2:AttributeValue>
     </saml2:Attribute>
   </saml2:AttributeStatement>
 </saml2:Assertion>

I read the relevant part of the specification, and it looks like the server can return whatever it wants (and as much as it wants). Again, my question is: can I get the Gluu / Shibboleth SAML server to return specific attributes to me as part of the AuthnRequest?

+5
2 answers

You need to add the required attributes to the released attributes in your Trust Relationship on the IdP. AFAIK there is no way to specifically request attributes.

+2
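As an added illustration of what the answer above describes (example configuration, not from the original post and not generated by Gluu): Gluu's Trust Relationship sits on top of a Shibboleth IdP, and the "released attributes" it configures correspond to an attribute-filter policy like the one below, written in Shibboleth IdP v3 `attribute-filter.xml` syntax. The SP entityID `me.com` is taken from the question; the attribute IDs `givenName`, `sn` and `mail` are the ones Shibboleth's default `attribute-resolver.xml` defines, and the existence of an attribute with ID `inum` in the resolver is an assumption.

```xml
<!-- Added example: Shibboleth IdP v3 attribute-filter.xml policy (not part of the original post).
     Releases givenName, sn, mail (and an assumed "inum" attribute) to the SP whose
     entityID is me.com, as attributes inside the assertion returned for an AuthnRequest,
     so no separate AttributeQuery is needed. -->
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">

  <!-- One policy per relying party. The Requester rule keys release on the SP's entityID,
       so nothing is released to an SP that is not explicitly listed here. -->
  <AttributeFilterPolicy id="releaseToMeCom">
    <PolicyRequirementRule xsi:type="Requester" value="me.com" />

    <AttributeRule attributeID="givenName">
      <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
    <AttributeRule attributeID="sn">
      <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
    <AttributeRule attributeID="mail">
      <PermitValueRule xsi:type="ANY" />
    </AttributeRule>

    <!-- Assumption: an attribute with ID "inum" is defined in attribute-resolver.xml.
         The attributeID here must match the resolver's ID exactly; a rule for an
         undefined ID is silently ignored and the attribute simply never appears. -->
    <AttributeRule attributeID="inum">
      <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
  </AttributeFilterPolicy>

</AttributeFilterPolicyGroup>
```

The filter is an allow-list: an attribute that the resolver produces but that no rule permits for this requester is dropped, which is why the question's assertion contains only `sn` and `givenName`. If you prefer to let the SP's own metadata drive release, Shibboleth IdP v3 also offers `<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />`, which permits exactly the attributes the SP listed as `RequestedAttribute` in its metadata; either way the decision is made on the IdP, not by the AuthnRequest.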

To provide a little more detail: you request additional attributes, as an SP, when you submit your metadata to the IdP. This metadata describes your service, including the ACS endpoint, the public certificate with which your AuthnRequests will be signed, the certificate you want your partner to encrypt to, the attributes you need, your entity's unique identifier, etc. The nice thing is that once you have determined what you need, this metadata should not have to change, for ANY partner. You can send it to everyone you work with.

Once your partner receives this metadata, they import it, populate the attributes you requested from the information in their store, configure signing and encryption, etc. Once everything is done, they will send you their metadata, which contains their endpoints (where you need to send AuthnRequests, etc.), a certificate that can verify their signatures, confirmation of the attributes they will send you (these can change based on the conversations you must have with your partner), etc.

You take this metadata, import it into your system, and create connections in your applications as needed.

+3
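As an added example illustrating this answer (example XML, not from the original post and not Gluu's or Shibboleth's own code): an SP metadata document that declares the attributes the SP needs in an `AttributeConsumingService`, followed by an AuthnRequest that refers to it with `AttributeConsumingServiceIndex`. The entityID `me.com`, the request ID and the timestamp come from the question; the ACS URL `https://me.com/saml/acs`, the service name and the certificate placeholders are assumptions. The two documents are shown in one block only for readability; they are separate files on the wire.

```xml
<!-- Document 1 (added example): SP metadata that an SP submits to the IdP.
     Placeholder values are assumptions, not values from the original post. -->
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                     entityID="me.com">
  <md:SPSSODescriptor AuthnRequestsSigned="true"
                      WantAssertionsSigned="true"
                      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">

    <!-- Certificate the IdP uses to verify this SP's signed AuthnRequests. -->
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate><!-- base64 DER of the SP signing certificate --></ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <!-- Certificate the IdP encrypts assertions to (may be the same certificate). -->
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate><!-- base64 DER of the SP encryption certificate --></ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>

    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>

    <!-- Where the IdP may POST the Response. Assumed URL. -->
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://me.com/saml/acs"/>

    <!-- The attributes this SP wants; index="0" is what the AuthnRequest refers to. -->
    <md:AttributeConsumingService index="0" isDefault="true">
      <md:ServiceName xml:lang="en">me.com portal</md:ServiceName>
      <md:RequestedAttribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
      <md:RequestedAttribute FriendlyName="givenName" Name="urn:oid:2.5.4.42"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>
      <md:RequestedAttribute FriendlyName="sn" Name="urn:oid:2.5.4.4"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>

<!-- Document 2 (added example): the question's AuthnRequest, extended with
     AttributeConsumingServiceIndex pointing at the service declared above.
     ACS URL is the assumed one from document 1. -->
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    ID="MyPrefix1457456412304"
                    Version="2.0"
                    IssueInstant="2016-03-08T17:00:12Z"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                    AssertionConsumerServiceURL="https://me.com/saml/acs"
                    AttributeConsumingServiceIndex="0">
  <saml:Issuer>me.com</saml:Issuer>
</samlp:AuthnRequest>
```

`AttributeConsumingServiceIndex` is the only hook SAML 2.0 gives an AuthnRequest for expressing which attributes the SP wants, and it works by reference to metadata the IdP already holds, not by naming attributes inline. The IdP is still free to ignore it: whether `mail` actually appears in the assertion is decided by the IdP's release policy for `me.com`. On the SP side, treat the returned attributes as trustworthy only after verifying the Response or Assertion signature against the IdP's metadata certificate, checking `InResponseTo` against the request ID you issued, and checking the `Audience` condition matches your entityID; a missing required attribute should fail the login rather than fall back to a guess.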

Source: https://habr.com/ru/post/1244677/
