Handling a custom SAML V2 extension for requesting attributes per request

Cantor, Scott cantor.2 at osu.edu
Wed Feb 12 12:59:14 EST 2020

> I am setting up a Shibboleth installation (both IdP and SP) to participate in a
> federation which has specified a custom SAML V2 extension. The purpose of
> this extension is similar to an existing SAML 2 extension [1] but with slightly
> different syntax and behavior.

Then you should really change it to match, because we already support the standard extension (in V4) out of the box in a very advanced way that goes way beyond anything you would probably implement, and there's no good place to extend the system to do something like this.

> It allows an
> Authentication Request to specify which attributes the SP wants, and to
> differentiate between attributes that are required and optional. It also allows
> to specify a number of acceptable values for an attribute. It references (but
> may also not be identical to) a mechanism defined in TR03130 of the German
> BSI [2, chapter 4.10.2 "AuthnRequestExtension"].

All of that is supported by the standard extension.

> On the other side, how can I augment the AuthnRequests my SP sends to
> include this custom extension? I'm currently triggering authentication by
> redirecting the user to the /Login-endpoint of the SP, so I'd prefer to pass the
> information about the requested fields in a query parameter to that request as
> well.

I don't think it has obviously good security properties, but the only way to do it is with the template parameter on the redirect with a base64 encoded AuthnRequest message to use.


-- Scott

More information about the users mailing list