Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Are attributes allowed in a SAML authentication request?

Tags:

saml

Is it possible to send attributes in a SAML authentication request?

<samlp:AuthnRequest
   xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
   xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
   ID="aaf23196-1773-2113-474a-fe114412ab72"
   Version="2.0"
   IssueInstant="2004-12-05T09:21:59Z"
   AssertionConsumerServiceIndex="0"
   AttributeConsumingServiceIndex="0">
   <saml:Issuer>https://sp.example.com/SAML2</saml:Issuer>
   <samlp:NameIDPolicy
     AllowCreate="true"
     Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
 </samlp:AuthnRequest>
like image 228
jon077 Avatar asked Feb 09 '09 19:02

jon077

People also ask

What are attributes in SAML?

An attribute is a characteristic or trait of an entity that describes the entity. It is a name:value pair. The attributes included in the SAML assertion correspond to certain attributes of the service provider to: Convey user information from Verify to the service provider .

What does SAML request contain?

A SAML Request, also known as an authentication request, is generated by the Service Provider to "request" an authentication. A SAML Response is generated by the Identity Provider. It contains the actual assertion of the authenticated user.

Are SAML attributes case sensitive?

SAML's “persistent” NameID definition explicitly requires case-sensitive handling, making them impossible to use safely with such applications without resorting to additional layers of profiling.

What is required for SAML authentication?

SAML uses a claims-based authentication workflow. First, when a user tries to access a site, the service provider asks the identity provider to authenticate the user. Then, the service provider uses the SAML assertion issued by the identity provider to grant the user access.

1 Answers

Technically, yes, it is possible, since AuthnRequest can contain an Extensions element, which can contain anything - see the SAML 'core' spec: AuthnRequest (section 3.4.1) is derived from RequestAbstractType (section 3.2.1) which has an optional Extensions. The sender and recipient would have to agree on the syntax and semantics of data sent this way.

I can't see a more 'conventional' way to do this, since Attributes are usually in Assertions, rather than AuthnRequests.

like image 111
metadaddy Avatar answered Jan 12 '23 17:01

metadaddy
Sign in to Comment

Related questions

Is urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress a valid NameID format?
SAML 2.0 Multiple md:NameIDFormat tag in service provider metadata
SSO - SAML, Redirect a user to a specified landing page after successful log in
Creating custom SAML token
Nokogiri::XML::Schema SyntaxError on schema load
G Suite SSO error app_not_configured_for_user
AWS Cognito - create groups from ADFS as Cognito Groups
How appropriate it is to use SAML_login with AEM with more than 1m users?
Using Spring SAML as an IDP rather than an SP
Python - Logging in to Site with SAML 2.0
What is the point of OpenSAML? Any alternative?
Does ADFS 2.0 supports the SAML 1.1 protocol and Web SSO profiles?
Is there a standard format of SAML 2.0 encrypted assertion
ADFS 2.0 simpleSAML issue: More than one claim based on SamlNameIdentifierClaimResource was produced

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!