Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Are attributes allowed in a SAML authentication request?

Tags:

saml

Is it possible to send attributes in a SAML authentication request?

<samlp:AuthnRequest
   xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
   xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
   ID="aaf23196-1773-2113-474a-fe114412ab72"
   Version="2.0"
   IssueInstant="2004-12-05T09:21:59Z"
   AssertionConsumerServiceIndex="0"
   AttributeConsumingServiceIndex="0">
   <saml:Issuer>https://sp.example.com/SAML2</saml:Issuer>
   <samlp:NameIDPolicy
     AllowCreate="true"
     Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
 </samlp:AuthnRequest>
like image 228
jon077 Avatar asked Feb 09 '09 19:02

jon077


People also ask

What are attributes in SAML?

An attribute is a characteristic or trait of an entity that describes the entity. It is a name:value pair. The attributes included in the SAML assertion correspond to certain attributes of the service provider to: Convey user information from Verify to the service provider .

What does SAML request contain?

A SAML Request, also known as an authentication request, is generated by the Service Provider to "request" an authentication. A SAML Response is generated by the Identity Provider. It contains the actual assertion of the authenticated user.

Are SAML attributes case sensitive?

SAML's “persistent” NameID definition explicitly requires case-sensitive handling, making them impossible to use safely with such applications without resorting to additional layers of profiling.

What is required for SAML authentication?

SAML uses a claims-based authentication workflow. First, when a user tries to access a site, the service provider asks the identity provider to authenticate the user. Then, the service provider uses the SAML assertion issued by the identity provider to grant the user access.


1 Answers

Technically, yes, it is possible, since AuthnRequest can contain an Extensions element, which can contain anything - see the SAML 'core' spec: AuthnRequest (section 3.4.1) is derived from RequestAbstractType (section 3.2.1) which has an optional Extensions. The sender and recipient would have to agree on the syntax and semantics of data sent this way.

I can't see a more 'conventional' way to do this, since Attributes are usually in Assertions, rather than AuthnRequests.

like image 111
metadaddy Avatar answered Jan 12 '23 17:01

metadaddy