How SAML responses are parsed (not specific to Shib)

Nick Myers nick.myers at digitaltheatre.com
Tue Aug 16 20:15:06 UTC 2022


Hello Shibboleth Users,

I'm posting this question here as I think you may be able to help me,
although the query is not specific to Shibboleth.  My sincere apologies if
this is too far off-topic for this list; I don't want to abuse your
goodwill.  It can be deleted if so.

I'm trying to find information on "how to parse SAML responses".  I've dug
around the OASIS specs [1, 2] to no avail, and my search engine attempts
have also yielded no results.  To illustrate my query, I understand that
most IDP/SP understand that the value for `SubjectNameID` is the
result of extracting the value from something along the lines of:

<saml:Assertion ... >
   <saml:Subject ... >
     <saml:NameID ... >_ce3d2948b4cf20146dee0a0b3dd6f69b6cf86f62d7</saml:NameID>

I'm trying to understand "how" a SAML service would "know" that value for
the attribute named SubjectNameID is inside the <saml:NameID> element,
which is inside the <saml:Subject> element, which is inside the
<saml:Assertion> element.  And I assume (wrongly?) that there's some
documentation that describes this expected behaviour?

Additionally, I'm trying to understand if SAML consumers automatically
accept extensions, for example, can a SP invent a new attribute to assert,
and simply include it in the response.  E.g. would SAML consumers identify
SubjectMyNewIdentifier as an attribute if something like this was in the
response.

<saml:Assertion ... >
   <saml:Subject ... >
     <saml:NameID ... >_ce3d2948b4cf20146dee0a0b3dd6f69b6cf86f62d7</saml:NameID>
     <saml:MyNewIdentifier>Elephants</saml:MyNewIdentifier>

And how do SAML consumers extract the values of an attribute, when it
contains another element (rather than just the value) such as the following
(assuming you can't just use urn:oid:1.3.6.1.4.1.5923.1.1.1.10NameID ?):

<saml:Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" ... >
  <saml:AttributeValue>
    <saml:NameID ... >PpiUBF11Nak/b86AqJUQiAVs8xs=</saml:NameID>

Any pointers as to where to learn more, would be sincerely appreciated.
And again, if this is too off-topic, please accept my apologies and delete
the message.

Best regards,
Nick


[1]
https://docs.oasis-open.org/security/saml-subject-id-attr/v1.0/cs01/saml-subject-id-attr-v1.0-cs01.html

[2] http://docs.oasis-open.org/security/saml/Post2.0/sstc-metadata-attr.pdf
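An added example, not part of Nick's message or of any Shibboleth code: a namespace-aware Python parser run over a constructed assertion shaped like the fragments above. It locates Subject/NameID and the attribute values (including the nested NameID form of urn:oid:1.3.6.1.4.1.5923.1.1.1.10) by matching namespace URI plus local name as the SAML 2.0 core schema defines them, and rejects Subject children the schema does not define, which is what happens to an invented `<saml:MyNewIdentifier>`.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace: match on (namespace URI, local name), never on the "saml:" prefix.
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
# Children the SAML 2.0 core schema permits inside <Subject>; anything else is schema-invalid.
ALLOWED_SUBJECT_CHILDREN = {"BaseID", "NameID", "EncryptedID", "SubjectConfirmation"}
# Constructed sample assertion for this example (values are not real).
SAMPLE_ASSERTION = f"""
<saml:Assertion xmlns:saml="{SAML}" Version="2.0">
  <saml:Subject>
    <saml:NameID>_ce3d2948b4cf20146dee0a0b3dd6f69b6cf86f62d7</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10">
      <saml:AttributeValue>
        <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">PpiUBF11Nak/b86AqJUQiAVs8xs=</saml:NameID>
      </saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def local_name(el):
    return el.tag.rpartition("}")[2]  # drop the "{uri}" part ElementTree prepends

def attribute_value(value_el):
    """Scalar text, or for a complex value (e.g. a nested <NameID>) its child element."""
    children = list(value_el)
    if not children:
        return (value_el.text or "").strip()
    child = children[0]
    return {"element": local_name(child), "value": (child.text or "").strip(),
            "attrib": dict(child.attrib)}

def parse_assertion(xml_text):
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML}}}Assertion":
        raise ValueError("not a SAML 2.0 Assertion")
    subject = root.find("saml:Subject", NS)
    if subject is None: raise ValueError("Assertion has no Subject")
    unknown = [local_name(c) for c in subject if local_name(c) not in ALLOWED_SUBJECT_CHILDREN]
    if unknown:  # e.g. a made-up <saml:MyNewIdentifier>: reject rather than guess
        raise ValueError(f"schema-invalid Subject content: {unknown}")
    name_id = subject.find("saml:NameID", NS)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [attribute_value(v) for v in attr.findall("saml:AttributeValue", NS)]
    return {"name_id": name_id.text.strip() if name_id is not None else None, "attributes": attrs}
```

Signature and Conditions checks are deliberately left out; a real consumer verifies the XML signature before trusting any value extracted here, and parses with a hardened XML parser rather than the stock ElementTree.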