
Is there a way to explicitly say to the IDP which attributes I am expecting? I guess the answer is yes, but I could not find examples. Would I need to specify "something" in the SP metadata?

Has someone been able to extend the Spring SAML MetadataGeneratorFilter to actually build the list of attributes for the SP xml?

For example, I'd like to have in the response the following:

  • Name
  • Company Name
  • Department
  • Role

Any suggestions please?

nuvio
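One way to get a RequestedAttribute list into the metadata that Spring SAML generates, as an added example that is not part of the question or of the Spring SAML project: subclass MetadataGenerator (the class MetadataGeneratorFilter delegates to), let the parent build the normal SP descriptor, then append an AttributeConsumingService with OpenSAML 2 builders. Assumptions: Spring SAML 1.0.x on OpenSAML 2.6 (the `org.opensaml.saml2.metadata.*` API); the class name `AttributeRequestingMetadataGenerator`, the `Requested` holder and the service name are mine; the OIDs are an assumed mapping of the question's "Name / Company Name / Department / Role" onto standard LDAP and eduPerson attributes, so confirm them against your IdP's attribute registry.

```java
import java.util.Arrays;
import java.util.List;

import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.core.Attribute;
import org.opensaml.saml2.metadata.AttributeConsumingService;
import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml2.metadata.LocalizedString;
import org.opensaml.saml2.metadata.RequestedAttribute;
import org.opensaml.saml2.metadata.SPSSODescriptor;
import org.opensaml.saml2.metadata.ServiceName;
import org.opensaml.saml2.metadata.impl.AttributeConsumingServiceBuilder;
import org.opensaml.saml2.metadata.impl.RequestedAttributeBuilder;
import org.opensaml.saml2.metadata.impl.ServiceNameBuilder;
import org.springframework.security.saml.metadata.MetadataGenerator;

/**
 * Hypothetical MetadataGenerator subclass (example code, not Spring SAML's own)
 * that advertises the attributes the SP expects, so the IdP can match its
 * release policy against them. Register it as the MetadataGenerator bean that
 * MetadataGeneratorFilter is constructed with.
 */
public class AttributeRequestingMetadataGenerator extends MetadataGenerator {

    /** One requested attribute: SAML Name (an OID URI), FriendlyName, required flag. */
    private static final class Requested {
        final String name;
        final String friendlyName;
        final boolean required;

        Requested(String name, String friendlyName, boolean required) {
            this.name = name;
            this.friendlyName = friendlyName;
            this.required = required;
        }
    }

    // Assumed mapping of the four attributes from the question onto standard OIDs.
    private static final List<Requested> REQUESTED = Arrays.asList(
        new Requested("urn:oid:2.5.4.42", "givenName", true),                          // Name
        new Requested("urn:oid:2.5.4.10", "o", true),                                  // Company Name (organizationName)
        new Requested("urn:oid:2.16.840.1.113730.3.1.2", "departmentNumber", false),   // Department
        new Requested("urn:oid:1.3.6.1.4.1.5923.1.1.1.1", "eduPersonAffiliation", true)); // Role

    @Override
    public EntityDescriptor generateMetadata() {
        // Let Spring SAML build the usual SPSSODescriptor (ACS endpoints, keys, NameID formats) ...
        EntityDescriptor descriptor = super.generateMetadata();
        SPSSODescriptor sp = descriptor.getSPSSODescriptor(SAMLConstants.SAML20P_NS);

        // ... then add one AttributeConsumingService carrying the RequestedAttribute list.
        AttributeConsumingService acs = new AttributeConsumingServiceBuilder().buildObject();
        acs.setIndex(1);
        acs.setIsDefault(true);

        // The schema requires at least one ServiceName (constructed value).
        ServiceName serviceName = new ServiceNameBuilder().buildObject();
        serviceName.setName(new LocalizedString("Example SP", "en"));
        acs.getNames().add(serviceName);

        for (Requested r : REQUESTED) {
            RequestedAttribute attr = new RequestedAttributeBuilder().buildObject();
            attr.setName(r.name);
            attr.setFriendlyName(r.friendlyName);
            attr.setNameFormat(Attribute.URI_REFERENCE); // urn:oasis:names:tc:SAML:2.0:attrname-format:uri
            attr.setIsRequired(r.required);
            acs.getRequestAttributes().add(attr);
        }

        sp.getAttributeConsumingServices().add(acs);
        return descriptor;
    }
}
```

The metadata only advertises what the SP wants; whether the IdP honours an AttributeConsumingService is an IdP-side policy decision, so the release rules still have to be configured on the IdP (and checked on the SP when the assertion arrives).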

1 Answer


SAML 2.0 Service Provider attribute requirements may be called out in the metadata by using the <md:RequestedAttribute> element.

This element has a boolean attribute, isRequired, that can be set as follows:

<md:EntityDescriptor entityID="https://sp.example.org/saml"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    ...
    <!-- one or more indexed AssertionConsumerService elements -->
    <md:AssertionConsumerService index="1" Binding="..." Location="..."/>
    ...
    <!-- zero or more indexed AttributeConsumingService elements -->
    <md:AttributeConsumingService index="1">
      <md:ServiceName>The Virtual School of Computational Science and Engineering</md:ServiceName>
      <md:ServiceDescription>The Virtual School of Computational Science and Engineering (VSCSE) helps graduate students, post-docs and young professionals from all disciplines and institutions across the country gain the skills they need to use advanced computational resources to advance their research.</md:ServiceDescription>
      <md:RequestedAttribute isRequired="false"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
          Name="urn:oid:2.5.4.42"
          FriendlyName="givenName"/>
      <md:RequestedAttribute isRequired="true"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
          Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7"
          FriendlyName="eduPersonEntitlement">
        <saml:AttributeValue
            xsi:type="xs:anyURI">https://example.org/is-a-grad-student</saml:AttributeValue>
      </md:RequestedAttribute>
    </md:AttributeConsumingService>
    ...
  </md:SPSSODescriptor>
  ...
</md:EntityDescriptor>

More information is available at: https://spaces.internet2.edu/.../SP+Attribute+Requirements

Remember that you can always manually customize/extend your metadata and publish it (after all, we are talking about a Web-based application), turning off the automatic generation made by the Spring SAML MetadataGeneratorFilter.

Take into account that this approach may not be sufficient to guarantee reliable attribute release. You should always manually check, inside your custom implementation of SAMLUserDetailsService, whether the required data have been provided by the Identity Provider, and allow or deny the user authentication accordingly.

vdenotaris
  • That is what I tried without success, but after reading online a few more articles I was led to believe ADFS does not care about that bit of metadata. Not 100% sure though... – nuvio Sep 05 '16 at 15:08
  • 1
    The actual behaviour is related to the specific implementation (some federation systems just ignore some specifications). Generally, the attribute release has to be explicitly declared and agreed as policy for the trust relationship between Identity Provider and Service Provider. – vdenotaris Sep 05 '16 at 15:15
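The fail-closed check the answer recommends, as an added example (mine, not the answer's or Spring SAML's code): a SAMLUserDetailsService that verifies the attributes the SP marked isRequired="true" were actually released before it returns a principal. It assumes Spring SAML 1.0.x (SAMLUserDetailsService.loadUserBySAML and SAMLCredential.getAttributeAsString); the class name, the REQUIRED list and its OIDs, and the affiliation-to-role mapping are mine.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.saml.SAMLCredential;
import org.springframework.security.saml.userdetails.SAMLUserDetailsService;

/**
 * Hypothetical SAMLUserDetailsService (example code) that refuses to build a
 * principal unless every attribute the SP requires was released by the IdP.
 * SAMLAuthenticationProvider has already validated the assertion (signature,
 * audience, conditions) before calling this, so the values can be trusted;
 * what remains to check is that they are present at all.
 */
public class RequiredAttributeUserDetailsService implements SAMLUserDetailsService {

    // SAML attribute Names (OID URIs) that must be present. Assumed mapping; keep it
    // in sync with the RequestedAttribute elements published in the SP metadata.
    private static final List<String> REQUIRED = Arrays.asList(
        "urn:oid:2.5.4.42",                   // givenName
        "urn:oid:2.5.4.10",                   // o (organizationName)
        "urn:oid:1.3.6.1.4.1.5923.1.1.1.1");  // eduPersonAffiliation

    @Override
    public Object loadUserBySAML(SAMLCredential credential) throws UsernameNotFoundException {
        List<String> missing = new ArrayList<String>();
        for (String name : REQUIRED) {
            String value = credential.getAttributeAsString(name);
            if (value == null || value.trim().isEmpty()) {
                missing.add(name);
            }
        }
        if (!missing.isEmpty()) {
            // Fail closed: an AuthenticationException here aborts the login.
            // Report attribute names only; never write attribute values to logs.
            throw new UsernameNotFoundException(
                "IdP did not release required attributes: " + missing);
        }

        if (credential.getNameID() == null) {
            throw new UsernameNotFoundException("Assertion carries no NameID");
        }
        String username = credential.getNameID().getValue();

        // Map the affiliation the IdP asserted onto an application role
        // (constructed mapping for this example).
        String affiliation = credential.getAttributeAsString("urn:oid:1.3.6.1.4.1.5923.1.1.1.1");
        List<GrantedAuthority> authorities = AuthorityUtils.createAuthorityList(
            "staff".equalsIgnoreCase(affiliation) ? "ROLE_STAFF" : "ROLE_USER");

        // Password is unused for SAML logins; "N/A" is the conventional placeholder.
        return new User(username, "N/A", true, true, true, true, authorities);
    }
}
```

Register the class as the userDetails property of SAMLAuthenticationProvider. Because the check happens on the assertion the SP actually received, it holds even when the IdP (as the comment above notes for some implementations) ignores the AttributeConsumingService in the metadata.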