-
1. Re: How to add customized attributes in saml request?
pcraveiro Jun 29, 2012 11:10 AM (in response to karl_zhang)
Hi Karl,
Do you mean an AuthnRequest or a LogoutRequest?
I think that according to the SAML specs the attributes are to be used only with Assertions.
Maybe you can use the Extensions element for that. When using extensions both sides have to agree on the syntax and semantics of data sent this way.
Not sure if PicketLink supports extensions when creating the AuthnRequest, for example. Can you tell more about your use case?
Regards.
Pedro Igor
-
2. Re: How to add customized attributes in saml request?
karl_zhang Jun 29, 2012 2:59 PM (in response to pcraveiro)
Hi Pedro,
thank you for the answer. I want to send the identifier of an SP to the IdP. During the login process on the IdP side, a user is checked to see if he has the right to access the SP based on its identifier. I am not sure if it is a good idea to add customized attributes in an AuthnRequest.
As an alternative solution I am extending the posted form with an additional parameter for my purpose. What do you think about that?
Best Regards,
Karl
-
3. Re: How to add customized attributes in saml request?
pcraveiro Jun 29, 2012 3:36 PM (in response to karl_zhang)
Hi Karl,
I think it is an option. But the Identity Provider is related to authentication, IMO.
Authorization should be done by an external mechanism or by the SPs when checking for a role or specific attributes. You can easily block a user if he does not have a specific role/claim (or use the Authorization statements, for example) when trying to access an SP.
However, the SAML specification does not define how to implement the processing logic for authorization decisions. This opens our minds to a lot of solutions, like yours for example.
I think all solutions are valid, as long as they are simple and follow the specifications.
Btw, maybe you can use the AuthnRequest.AssertionConsumerServiceURL to know the SP.
Regards.
Pedro Igor
-
4. Re: How to add customized attributes in saml request?
karl_zhang Jun 30, 2012 12:53 AM (in response to pcraveiro)
Hi Pedro,
thank you for explaining the basic concept of SAML to me.
The reason why I have not used AuthnRequest.AssertionConsumerServiceURL is that an SP may have several domains.
Best Regards,
Karl
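An added example (not code from this thread or from PicketLink) of what Pedro's suggestion looks like on the IdP side: identify the SP by the Issuer in its AuthnRequest, accept the AssertionConsumerServiceURL only if it is one the SP registered in advance (an SP with several domains simply registers several, which addresses Karl's objection), read any Extensions content both sides agreed on, and make the access decision from data the IdP already holds rather than from a free-form attribute in the request. The sample AuthnRequest, the SP registry and the Extensions child name sp-id are all constructed for this example.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed: the IdP's registry of known SPs, keyed by the Issuer (entityID)
# each SP sends. An SP serving several domains registers several ACS URLs.
SP_REGISTRY = {
    "https://sp.example.com/metadata": {
        "acs_urls": {"https://sp.example.com/saml/acs",
                     "https://sp.example.net/saml/acs"},
        "allowed_groups": {"staff"},
    },
}

# Constructed AuthnRequest; the Extensions child <sp-id> is an assumed private agreement.
SAMPLE_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2012-06-29T10:00:00Z"
    AssertionConsumerServiceURL="https://sp.example.net/saml/acs">
  <saml:Issuer>https://sp.example.com/metadata</saml:Issuer>
  <samlp:Extensions><sp-id xmlns="urn:example:ext">shop-frontend</sp-id></samlp:Extensions>
</samlp:AuthnRequest>"""

def parse_authn_request(xml_text):
    """Pull out the fields the IdP needs to identify and check the requesting SP."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("not a samlp:AuthnRequest")
    ext = root.find("samlp:Extensions", NS)
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "extensions": {c.tag: (c.text or "").strip() for c in ext} if ext is not None else {},
    }

def authorize_request(req, user_groups):
    """Return (ok, reason). Trust only what the IdP already knows about the SP."""
    sp = SP_REGISTRY.get(req["issuer"])
    if sp is None:
        return False, "unknown Issuer"
    if req["acs_url"] not in sp["acs_urls"]:
        return False, "AssertionConsumerServiceURL not registered for this Issuer"
    if not sp["allowed_groups"].intersection(user_groups):
        return False, "user not entitled to this SP"
    return True, "ok"
```

The ACS check is the part that matters most: an unregistered AssertionConsumerServiceURL is refused even when the Issuer is known, so the assertion can only be delivered to endpoints the SP registered.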
-
5. Re: How to add customized attributes in saml request?
franksked Jul 22, 2012 6:11 AM (in response to karl_zhang)
Hi,
Assertions, claims or attributes are all the same thing. SAML was designed to communicate these for whatever purpose you see fit. How you deal with them at the receiving end (the service provider or relying party) is up to that end.
E.g. at authentication time, you may be able to "assert" that someone has the role manager for a company X that the relying party R does business with. Based on the RP's identity (R is known to the Identity Provider), two assertions/attributes/claims can be added to communicate "role=manager" and "company=X" to the relying party.
More information on how this can be done can be found here: https://community.jboss.org/thread/173009
Cheers.