How to extract SAML response attribute?
peter.schober at univie.ac.at
Tue Dec 15 06:25:26 EST 2015
* Abdul Waheed <waheedtechblog at gmail.com> [2015-12-15 11:47]:
> Now, I am struggling with SP entiyID. As per your mail thread there are few
> 1.I can send SP entityId as customAttribute to SP but at the first place I
> don't know how to retreive it.
I'll reply to that in the existing thead. Short version: You're using
the wrong documentation. Scott gave you the current one, but you're
not running current software) and the API is also the wrong one
(principal woul never give you the entityID, you'd have to actually
read the documentation).
> 2. I know, SAML response contains SP entityId then again I don't know how
> to retrieve it at SP side.
Forget about that. Earlier I took what you said literally (you said
wanted the info to be available in the Authentication Statement), that
was a mistake. As it became clear from your other examples that you're
(a) using the Shibboleth SP on the recieving end, and (b) you're
already relying on SAML Attributes (your use of "uid") the answer is
to forget about the Authentication Statement and the SAML Reponse, and
use the available methods (attributes) to also transfer this piece of
> (I have many applications which is protected by single SP but I am
> not using default SP entityId, Each application uses different
> entityId, used ApplicationOverriode)
And why do your applications not know their own SAML entityID?
This whole use cases makes very little sense. Since you don' have the
IDP side working AND you don't have the SP side working, why not do
things in a less awkward way?
Instead of repeating for the n-th time that your system "requires"
things to be that way (when this cannot be true, as you have no part
of that system implemented, it seems) why not start explaining what
you're trying to achieve by sending "uid" plus the SP's entityID?
Also note that almost all cases where people think they need
ApplicationOverriodes that's not needed.
More information about the users