5 Replies Latest reply on Jul 22, 2012 6:11 AM by franksked

    How to add customized attributes in saml request?

    karl_zhang

      Dear All,

      Is there any way to add customized attributes to a SAML request?


      Best Regards,

      Karl

        • 1. Re: How to add customized attributes in saml request?
          pcraveiro

          Hi Karl,

             Do you mean an AuthnRequest or a LogoutRequest?

             I think that according to the SAML specs, attributes are to be used only with Assertions.

             Maybe you can use the Extension element for that. When using extensions, both sides have to agree on the syntax and semantics of the data sent this way.

             Not sure if PicketLink supports extensions when creating the AuthnRequest, for example. Can you tell more about your use case?


          Regards.

          Pedro Igor

          • 2. Re: How to add customized attributes in saml request?
            karl_zhang

            Hi Pedro,

             Thank you for the answer. I want to send the identifier of an SP to the IdP. During the login process on the IdP side, a user is checked to see if he has the right to access the SP based on its identifier. I am not sure if it is a good idea to add customized attributes in an AuthnRequest.

             As an alternative solution I am extending the posted form with an additional parameter for my purpose. What do you think about that?


            Best Regards,

            Karl

            • 3. Re: How to add customized attributes in saml request?
              pcraveiro

              Hi Karl,

               

                   I think it is an option. But the Identity Provider is related to authentication, IMO.

                   Authorization should be done by an external mechanism or by the SPs when checking for a role or specific attributes. You can easily block a user if he does not have a specific role/claim (or use the Authorization statements, for example) when trying to access an SP.

                   However, the SAML specification does not define how to implement the processing logic for authorization decisions. This opens our minds to a lot of solutions, like yours, for example.

                   I think all solutions are valid, as long as they are simple and follow the specifications.

                   Btw, maybe you can use the AuthnRequest.AssertionConsumerServiceURL to know the SP.


              Regards.

              Pedro Igor
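The two ideas in this thread so far (carrying a custom SP identifier in the AuthnRequest's Extensions element, and recognising the SP from the request itself, which matters when one SP serves several domains) can be shown together. The block below is an added example written for this page; it is not PicketLink code and not from any poster. It uses only the Python standard library. The extension namespace, the SP registry and the entitlement table are constructed for the example. The IdP identifies the SP by saml:Issuer (its entityID, which does not change across domains), refuses any AssertionConsumerServiceURL that is not registered for that SP, and treats the unsigned extension as a hint that must match the SP's registration before it is used for the access decision:

```python
"""Added example (not PicketLink code): an AuthnRequest carrying a custom
SP identifier in samlp:Extensions, and the IdP-side checks that make such a
hint safe to act on. Built with the Python standard library only."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
# Hypothetical namespace for the extension; SP and IdP must agree on it.
EXT_NS = "urn:example:saml:ext"
for prefix, uri in (("samlp", SAMLP), ("saml", SAML), ("ext", EXT_NS)):
    ET.register_namespace(prefix, uri)


def build_authn_request(issuer, acs_url, app_id):
    """SP side: AuthnRequest whose Extensions element names the application."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        "AssertionConsumerServiceURL": acs_url,
    })
    # Issuer precedes Extensions in the schema; Issuer is the SP's entityID.
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    ext = ET.SubElement(req, f"{{{SAMLP}}}Extensions")
    ET.SubElement(ext, f"{{{EXT_NS}}}ApplicationId").text = app_id
    return ET.tostring(req, encoding="unicode")


# Constructed IdP registry: SP entityID -> ACS endpoints (several domains per
# SP are fine) and the application ids that SP is allowed to claim.
SP_REGISTRY = {
    "https://sp.example.com/metadata": {
        "acs_urls": {"https://app1.example.com/saml/acs",
                     "https://app2.example.net/saml/acs"},
        "app_ids": {"crm", "billing"},
    },
}
# Constructed entitlement table: user -> application ids the user may reach.
USER_ENTITLEMENTS = {"alice": {"crm"}, "bob": {"crm", "billing"}}


def parse_authn_request(xml_text):
    """IdP side: pull out the fields the access decision needs."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    issuer = root.findtext(f"{{{SAML}}}Issuer")
    if not issuer:
        raise ValueError("AuthnRequest has no saml:Issuer")
    return {
        "id": root.get("ID"),
        "issuer": issuer,
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "app_id": root.findtext(
            f"{{{SAMLP}}}Extensions/{{{EXT_NS}}}ApplicationId"),
    }


def authorize_login(xml_text, user):
    """IdP side: (allowed, reason_or_acs_url) for `user` against this request."""
    req = parse_authn_request(xml_text)
    sp = SP_REGISTRY.get(req["issuer"])
    if sp is None:
        return False, "unknown SP"
    # The ACS URL in the request is attacker-controlled input: act on it only
    # if it is one of the endpoints registered for the issuing SP, otherwise the
    # SAML response (and the user's session) goes wherever the request says.
    if req["acs_url"] not in sp["acs_urls"]:
        return False, "AssertionConsumerServiceURL not registered for this SP"
    # An unsigned extension is just a hint from the SP; accept it only if the
    # SP is registered to claim that application id.
    if req["app_id"] not in sp["app_ids"]:
        return False, "application id not registered for this SP"
    if req["app_id"] not in USER_ENTITLEMENTS.get(user, set()):
        return False, f"{user} is not entitled to {req['app_id']}"
    return True, req["acs_url"]


if __name__ == "__main__":
    xml_text = build_authn_request("https://sp.example.com/metadata",
                                   "https://app2.example.net/saml/acs", "billing")
    print(xml_text)
    print(authorize_login(xml_text, "bob"))    # (True, 'https://app2.example.net/saml/acs')
    print(authorize_login(xml_text, "alice"))  # (False, 'alice is not entitled to billing')
```

The registry lookup is keyed on the Issuer rather than on the ACS URL precisely because of the multi-domain case raised in this thread: every domain of one SP shares the same entityID, while the ACS URL is only checked for membership in that SP's registered set. If the request is signed and the IdP verifies the signature against the SP's metadata, the extension can be trusted as the SP's statement; without that, the extra registration check above is what keeps a forged hint from widening access.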

              • 4. Re: How to add customized attributes in saml request?
                karl_zhang

                Hi Pedro,

                 

                 Thank you for explaining the basic concept of SAML to me.

                 The reason why I have not used AuthnRequest.AssertionConsumerServiceURL is that an SP may have several domains.


                Best Regards,

                Karl

                • 5. Re: How to add customized attributes in saml request?
                  franksked

                  Hi,

                   

                   Assertions, claims or attributes are all the same thing. SAML was designed to communicate these for whatever purpose you see fit. How you deal with them at the receiving end (the service provider or relying party) is up to that end.

                   E.g. at authentication time, you may be able to "assert" that someone has the role manager for a company X that the relying party R does business with. Based on the RP's identity (R is known to the Identity Provider), two assertions/attributes/claims can be added to communicate "role=manager" and "company=X" to the relying party.

                   More information on how this can be done can be found here: https://community.jboss.org/thread/173009


                  Cheers.
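The pattern in the last reply, the IdP choosing which attributes to assert based on which relying party asked and the RP deciding what to do with them, is shown below as an added example written for this page. It is not code from the linked thread, from PicketLink or from any poster, and it uses only the Python standard library. The user-to-claims table, entityIDs and the `is_manager_of` rule are constructed for the example. Signing the assertion and verifying the signature are left out and must be present in any real deployment; the checks that are shown (trusted Issuer, validity window, AudienceRestriction) are what stop an assertion minted for one RP from being accepted by another:

```python
"""Added example (not from the linked thread or PicketLink): the IdP issues an
Assertion whose AttributeStatement is chosen per relying party, and the SP
accepts it only when the AudienceRestriction names that SP. Standard library
only; signing and signature verification are left out and must be added."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML)
TS = "%Y-%m-%dT%H:%M:%SZ"

# Constructed IdP data: per user, the claims it will assert towards each RP.
USER_CLAIMS = {
    "alice": {
        "https://rp-r.example.com": {"role": "manager", "company": "X"},
        "https://rp-q.example.org": {"role": "reader"},
    },
}


def issue_assertion(idp_entity_id, user, rp_entity_id, now=None):
    """IdP side: build the assertion for `user` addressed to `rp_entity_id`."""
    now = now or datetime.now(timezone.utc)
    claims = USER_CLAIMS.get(user, {}).get(rp_entity_id)
    if claims is None:
        raise PermissionError(f"{user} has no claims for {rp_entity_id}")
    a = ET.Element(f"{{{SAML}}}Assertion", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0",
        "IssueInstant": now.strftime(TS)})
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = idp_entity_id
    subject = ET.SubElement(a, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID").text = user
    cond = ET.SubElement(a, f"{{{SAML}}}Conditions", {
        "NotBefore": now.strftime(TS),
        "NotOnOrAfter": (now + timedelta(minutes=5)).strftime(TS)})
    # AudienceRestriction binds the assertion to one RP so it cannot be replayed
    # at another SP that trusts the same IdP.
    ar = ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction")
    ET.SubElement(ar, f"{{{SAML}}}Audience").text = rp_entity_id
    stmt = ET.SubElement(a, f"{{{SAML}}}AttributeStatement")
    for name, value in sorted(claims.items()):
        attr = ET.SubElement(stmt, f"{{{SAML}}}Attribute", {"Name": name})
        ET.SubElement(attr, f"{{{SAML}}}AttributeValue").text = value
    return ET.tostring(a, encoding="unicode")


def consume_assertion(xml_text, my_entity_id, trusted_idp, now=None):
    """SP side: check issuer, validity window and audience; return attributes."""
    now = now or datetime.now(timezone.utc)
    a = ET.fromstring(xml_text)
    if a.tag != f"{{{SAML}}}Assertion":
        raise ValueError("not a saml:Assertion")
    if a.findtext(f"{{{SAML}}}Issuer") != trusted_idp:
        raise ValueError("assertion from an untrusted issuer")
    cond = a.find(f"{{{SAML}}}Conditions")
    if cond is None:
        raise ValueError("assertion without Conditions")
    not_before = datetime.strptime(cond.get("NotBefore"), TS).replace(tzinfo=timezone.utc)
    not_on_or_after = datetime.strptime(cond.get("NotOnOrAfter"), TS).replace(tzinfo=timezone.utc)
    if not (not_before <= now < not_on_or_after):
        raise ValueError("assertion outside its validity window")
    # Every AudienceRestriction present must list this SP's entityID.
    restrictions = list(cond.iterfind(f"{{{SAML}}}AudienceRestriction"))
    if not restrictions:
        raise ValueError("assertion without AudienceRestriction")
    for r in restrictions:
        if my_entity_id not in [e.text for e in r.iterfind(f"{{{SAML}}}Audience")]:
            raise ValueError("assertion not intended for this SP")
    attrs = {}
    for attr in a.iterfind(f"{{{SAML}}}AttributeStatement/{{{SAML}}}Attribute"):
        attrs[attr.get("Name")] = attr.findtext(f"{{{SAML}}}AttributeValue")
    return attrs


def is_manager_of(attrs, company):
    """Example RP-side rule driven purely by the received attributes."""
    return attrs.get("role") == "manager" and attrs.get("company") == company


if __name__ == "__main__":
    idp = "https://idp.example.org"
    xml_text = issue_assertion(idp, "alice", "https://rp-r.example.com")
    attrs = consume_assertion(xml_text, "https://rp-r.example.com", idp)
    print(attrs, is_manager_of(attrs, "X"))  # {'company': 'X', 'role': 'manager'} True
```

Running it shows the same user receiving "role=manager" and "company=X" when RP R asks and only "role=reader" when RP Q asks; feeding R's assertion to Q is rejected on the audience check before any attribute is read. The authorization decision itself lives in `is_manager_of`, on the RP, which is the division of labour the thread converges on.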