Handling a custom SAML V2 extension for requesting attributes per request

Cantor, Scott cantor.2 at osu.edu
Wed Feb 12 12:59:14 EST 2020


> I am setting up a Shibboleth installation (both IdP and SP) to participate in a
> federation which has specified a custom SAML V2 extension. The purpose of
> this extension is similar to an existing SAML 2 extension [1] but with slightly
> different syntax and behavior.

Then you should really change it to match, because we already support the standard extension (in V4) out of the box in a very advanced way that goes way beyond anything you would probably implement, and there's no good place to extend the system to do something like this.

> It allows an
> Authentication Request to specify which attributes the SP wants, and to
> differentiate between attributes that are required and optional. It also allows
> one to specify a number of acceptable values for an attribute. It references (but
> may also not be identical to) a mechanism defined in TR03130 of the German
> BSI [2, chapter 4.10.2 "AuthnRequestExtension"].

All of that is supported by the standard extension.

> On the other side, how can I augment the AuthnRequests my SP sends to
> include this custom extension? I'm currently triggering authentication by
> redirecting the user to the /Login endpoint of the SP, so I'd prefer to pass the
> information about the requested fields in a query parameter to that request as
> well.

I don't think it has obviously good security properties, but the only way to do it is with the template parameter on the redirect with a base64 encoded AuthnRequest message to use.

https://wiki.shibboleth.net/confluence/display/SP3/SAML2+SessionInitiator

-- Scott
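To make the "template parameter" route concrete, here is an added example (my own code, not part of the thread or of the Shibboleth SP) that builds a minimal AuthnRequest carrying the requested-attribute list inside samlp:Extensions, base64-encodes it, and attaches it to a /Login redirect as the `template` query parameter the SAML2 SessionInitiator documentation describes. The SP host, target URL, issuer and the federation extension namespace `urn:example:federation:requested-attributes` are constructed placeholders; the standard SAML extension Scott recommends would sit in the same Extensions element with its own namespace. Because the template is supplied by whoever issues the redirect, the second half of the example shows the check a deployer would want on the receiving side: decode the template and compare the requested attribute names against an allowlist before treating the request as legitimate.

```python
"""Build and check a Shibboleth SP /Login redirect that carries an AuthnRequest template.

Added example; not Shibboleth project code. Hosts, issuer and the
federation extension namespace below are constructed placeholders.
"""
import base64
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
# Constructed placeholder for the federation's custom extension namespace.
FED_EXT = "urn:example:federation:requested-attributes"

ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)
ET.register_namespace("fed", FED_EXT)


def build_authn_request(issuer, requested):
    """Return an AuthnRequest (bytes) whose Extensions element lists wanted attributes.

    requested: list of (attribute_name, is_required) tuples.
    ID, IssueInstant and Destination are deliberately left out: the SP is
    expected to fill those in when it uses the template (assumption).
    """
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {"Version": "2.0"})
    issuer_el = ET.SubElement(root, f"{{{SAML}}}Issuer")
    issuer_el.text = issuer
    ext = ET.SubElement(root, f"{{{SAMLP}}}Extensions")
    req = ET.SubElement(ext, f"{{{FED_EXT}}}RequestedAttributes")
    for name, required in requested:
        ET.SubElement(req, f"{{{FED_EXT}}}Attribute",
                      {"Name": name, "isRequired": "true" if required else "false"})
    return ET.tostring(root, encoding="utf-8")


def encode_template(xml_bytes):
    """Base64-encode the AuthnRequest for use as the 'template' query parameter."""
    return base64.b64encode(xml_bytes).decode("ascii")


def build_login_url(sp_base, target, template_b64):
    """Compose the SessionInitiator redirect; urlencode escapes '+', '/' and '=' in the base64."""
    query = urlencode({"target": target, "template": template_b64})
    return f"{sp_base}/Shibboleth.sso/Login?{query}"


def requested_attributes_from_url(url):
    """Decode the template from a /Login URL and return [(name, is_required), ...].

    Receiving-side check: the template is client-supplied, so parse it with a
    hardened parser (defusedxml) in production; stdlib ET is used here to stay
    dependency-free.
    """
    params = parse_qs(urlparse(url).query)
    template = params.get("template", [None])[0]
    if template is None:
        raise ValueError("no template parameter present")
    root = ET.fromstring(base64.b64decode(template))
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError(f"template root is {root.tag}, not samlp:AuthnRequest")
    return [(el.get("Name"), el.get("isRequired") == "true")
            for el in root.iter(f"{{{FED_EXT}}}Attribute")]


def disallowed_attributes(requested, allowlist):
    """Return attribute names in the template that the deployment does not permit."""
    return [name for name, _ in requested if name not in allowlist]


if __name__ == "__main__":
    wanted = [("mail", True), ("displayName", False)]
    xml = build_authn_request("https://sp.example.org/shibboleth", wanted)
    url = build_login_url("https://sp.example.org", "https://sp.example.org/app",
                          encode_template(xml))
    print(url)
    decoded = requested_attributes_from_url(url)
    print(decoded)
    print("disallowed:", disallowed_attributes(decoded, {"mail", "displayName"}))
```

The allowlist check is the part that addresses Scott's remark about security properties: since anything that can send the user to /Login can also choose the template, the SP (or the application behind it) should not treat the attribute list as authoritative without comparing it to what the deployment has actually agreed to release or request.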


