5 Replies Latest reply: Jul 22, 2012 6:11 AM by Frank Sked RSS

How to add customized attributes in saml request?

Karl Gross Newbie

Dear All,

Is there any way to add customized attributes in saml request?

 

Best Regards,

Karl

  • 1. Re: How to add customized attributes in saml request?
    Pedro Igor Apprentice

    Hi Karl,

     

       Do you mean a AuthnRequest or a LogoutRequest ?

     

       I think that according to the the SAML specs the attributes are to be used only with Assertions.

     

       Maybe you can use the Extension element for that. When using extensions both sides have to agree on the syntax and semantics of data sent this way.

     

       Not sure if PicketLink supports extensions when creating the AuthnRequest, for example. Can you tell more about your use case ?

     

    Regards.

    Pedro Igor

  • 2. Re: How to add customized attributes in saml request?
    Karl Gross Newbie

    Hi Pedro,

    thank you for the answer. I want to sent the identifier of a SP to IDP. During login process on IDP side a user is checked if he has the right to access the SP based on its identifier. I am not sure, if it is a good idea to add customized attributes in AuthnRequest.

     

    As an alternate solution I am extending the posted form with an additional parameter for my purpose. How do you think about that?

     

    Best Regards,

    Karl

  • 3. Re: How to add customized attributes in saml request?
    Pedro Igor Apprentice

    Hi Karl,

     

        I think it is a option. But the Identity Provider is related with authentication, IMO.

     

        Authorization should be done by an external mechanism or the by the SPs when checking for a role or specific attributes. You can easily block an user if he does not have a specific role/claims (or use the Authorization statements, for example) when trying to access a SP.

     

        However, the SAML specification do not define how to implement the processing logic for authorization decisions. This open our minds to a lot of solutions, like yours for example.

     

        I think all solutions are valid, as long they are simple and follow the specifications

     

        Btw, maybe you can use the AuthnRequest.AssertionConsumerServiceURL to know the SP.

     

    Regards.

    Pedro Igor

  • 4. Re: How to add customized attributes in saml request?
    Karl Gross Newbie

    Hi Pedro,

     

    thank you for explaining the basic concept of SAML to me.

     

    The reason why I have not used AuthnRequest.AssertionConsumerServiceURL is that SP may have serveral domains.

     

    Best Regards,

    Karl

  • 5. Re: How to add customized attributes in saml request?
    Frank Sked Newbie

    Hi,

     

    Assertions, claims or attributes are all the same thing. SAML was designed to communicate these for whatever purpose you see fit. How you deal with them at the receiving end (the service provider or relying party) is up to that end.

     

    E.g. at authentication time, you may be able to "assert" that someone has the role manager for a a company X that the relying party R does business with. Based on the RP's identity (R is known to the Identity Provider), two assertions/attributes/claims can be added to communicate "role=manager"  and "company=X" to the relying party.

     

    More information on how this can be done, dan be found here: https://community.jboss.org/thread/173009

     

    Cheers.