How to Add AttributeStatement into saml assertion?
ahmad1357 (New Member, 36 reputation; Group: Forum Members):
Hi, I want to add AttributeStatement when initiate SSO.
This is my code to initiate SSO

string partnerIdP = WebConfigurationManager.AppSettings[AppSettings.PartnerIdPTest];
SAMLServiceProvider.InitiateSSO(Response, null, partnerIdP);

I know how to create attribute statement, but I don't know how to add it to the request.
    
AttributeStatement attStatement = new AttributeStatement();
attStatement.Attributes.Add(new SAMLAttribute("Level", SAMLIdentifiers.AttributeNameFormats.Basic, "Level", "Medium"));

Can it be done, or am I doing something wrong?
ComponentSpace Development (Administrators, 4K reputation):
The SAML specification doesn't directly support a SAML attribute statement being included in the SAML authn request.

SAMLServiceProvider.InitiateSSO creates and sends a SAML authn request to the IdP. SAMLServiceProvider.ReceiveSSO receives and processes the SAML response from the IdP. The SAML response contains a SAML assertion which may contain SAML attribute statements.

If you're acting as the IdP you can include SAML attributes when you call SAMLIdentityProvider.InitiateSSO or SAMLIdentityProvider.ReceiveSSO. 

Regards
ComponentSpace Development
ahmad1357 (New Member, 36 reputation; Group: Forum Members):
I want to add extra data to the SAML assertion. I thought this could be done using an attribute statement. Since I'm acting as the service provider, is there a way to add extra data to the SAML authn request?
ComponentSpace Development (Administrators, 4K reputation):
If you were the identity provider, you could add extra data (i.e. SAML attributes) to the SAML assertion sent to the service provider.

However, as you're the service provider, you're limited to what you can add to the SAML authn request sent to the identity provider.

What type of extra data do you wish to add to the SAML authn request?

Will the identity provider understand this extra data?

Regards
ComponentSpace Development
ahmad1357 (New Member, 36 reputation; Group: Forum Members):
The data is a string or key-value pair. The identity provider should be able to read it and perform some actions while authenticating the user.
ComponentSpace Development (Administrators, 4K reputation):
Could it be added as a query string parameter to the URL where the authn request is sent?

There isn't any standard field in the SAML authn request to send arbitrary key-value data. There is an extensions child element of the authn request that supports arbitrary XML. However, you would have to use the SAML low-level API to access this. Also, many identity providers would simply ignore the extensions. You would have to ensure the identity provider knows how and where to access this non-standard information. 

Regards
ComponentSpace Development
ahmad1357 (New Member, 36 reputation; Group: Forum Members):
I will try adding a query string parameter and see whether it works. But can it be done with the high-level API? The URL is inside saml.config; how can I add a query parameter?
ComponentSpace Development (Administrators, 4K reputation):
There's a SAMLServiceProvider.InitiateSSO overload that takes a singleSignOnServiceUrl. If specified, this is used instead of the configured URL.

/// <summary>
/// Initiates single sign-on from the service provider to the identity provider (ie. SP-initiated SSO).
/// <para>
/// An authn request is sent to the identity provider.
/// </para>
/// </summary>
/// <param name="httpResponse">The HTTP response.</param>
/// <param name="relayState">The relay state or <c>null</c> if none.</param>
/// <param name="partnerIdP">The partner identity provider name or <c>null</c>.</param>
/// <param name="ssoOptions">The SSO options or <c>null</c>.</param>
/// <param name="assertionConsumerServiceUrl">The assertion consumer service URL or <c>null</c> if the configured URL is to be used.</param>
/// <param name="singleSignOnServiceUrl">The single sign-on service URL or <c>null</c> if the configured URL is to be used.</param>
/// <exception cref="SAMLException">
/// Thrown when the single sign-on fails.
/// </exception>
public static void InitiateSSO(HttpResponseBase httpResponse, string relayState, string partnerIdP, SSOOptions ssoOptions, string assertionConsumerServiceUrl, string singleSignOnServiceUrl)
For example:

SAMLServiceProvider.InitiateSSO(Response, null, partnerIdP, null, null, singleSignOnServiceUrl);

Regards
ComponentSpace Development
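The approach discussed in this thread (appending a non-standard key-value pair to the IdP's single sign-on service URL and passing that URL to the InitiateSSO overload), shown as an added example. This is not the poster's code or ComponentSpace's own sample; SsoInitiator, BuildSingleSignOnServiceUrl, InitiateSsoWithExtraData and the "PartnerIdPSingleSignOnServiceUrl" app setting are hypothetical names introduced here, and the example assumes the IdP URL from saml.config is also available through appSettings, since the high-level API does not hand it back. Whether the IdP acts on the extra parameter is entirely up to the IdP; standard SAML processing ignores it.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Configuration;
using ComponentSpace.SAML2;

public static class SsoInitiator
{
    // Hypothetical helper: adds extra query parameters to the IdP's configured
    // single sign-on service URL while preserving anything already in its query.
    public static string BuildSingleSignOnServiceUrl(string configuredSsoUrl, IDictionary<string, string> extraParams)
    {
        if (string.IsNullOrEmpty(configuredSsoUrl))
            throw new ArgumentException("The configured single sign-on service URL is required.", "configuredSsoUrl");

        var builder = new UriBuilder(configuredSsoUrl);

        // The parameter travels in a browser redirect and lands in web server and
        // proxy logs, so insist on HTTPS and never put secrets in it.
        if (!string.Equals(builder.Scheme, Uri.UriSchemeHttps, StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException("The IdP single sign-on service URL must use HTTPS.");

        // ParseQueryString returns a collection whose ToString() URL-encodes keys and
        // values, so '&', '=' and spaces in the data cannot break the query.
        var query = HttpUtility.ParseQueryString(builder.Query);
        foreach (var kv in extraParams)
        {
            query[kv.Key] = kv.Value;
        }
        builder.Query = query.ToString();

        return builder.Uri.AbsoluteUri;
    }

    // Initiates SP-initiated SSO with one extra key-value pair ("Level") in the
    // redirect URL. The base URL always comes from configuration, never from the
    // incoming request, so this cannot be turned into an open redirect.
    public static void InitiateSsoWithExtraData(HttpResponseBase response, string level)
    {
        string partnerIdP = WebConfigurationManager.AppSettings["PartnerIdPTest"];

        // Assumption: the IdP SSO URL from saml.config is duplicated under this key.
        string configuredSsoUrl = WebConfigurationManager.AppSettings["PartnerIdPSingleSignOnServiceUrl"];

        string ssoUrl = BuildSingleSignOnServiceUrl(
            configuredSsoUrl,
            new Dictionary<string, string> { { "Level", level } });

        // The overload from the reply above: an explicit URL overrides the configured one.
        SAMLServiceProvider.InitiateSSO(response, null, partnerIdP, null, null, ssoUrl);
    }
}
```

Because the authn request itself is unchanged, the IdP's SAML processing (signature check, Issuer, Destination) is unaffected; only the IdP's endpoint code has to look at the extra query parameter, and it should treat the value as untrusted input from the browser, exactly like any other query string.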