SAML Request Attributes In AuthnRequest

I kind of understand how basic SAML authentication is supposed to work:

User request resource at SP
SP sends auth request to IDP
IDP authenticates user and sends back some userId
SP sends attribute query to IDP for additional details with userId
IDP sends back attributes
SP gives user resource

My issue is, can you in any way bypass the AttributeQuery? When I make a SAML 2.0 request to my testing Gluu/Shibboleth server, I get back givenName (first name) and sn (last name). Is there any way I can request the inum user id and email in just the AuthnRequest?

My request is pretty simple:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="MyPrefix1457456412304" Version="2.0" IssueInstant="2016-03-08T17:00:12Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
   <saml:Issuer>me.com</saml:Issuer>
</samlp:AuthnRequest>

The request I get back is something like this:

<?xml version="1.0" encoding="UTF-8"?>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_bff09cf745ea5722aac3f3ec57c0ecf3" IssueInstant="2016-03-08T17:01:06.140Z" Version="2.0">
    <saml2:Issuer ....
    <saml2:AttributeStatement>
        <saml2:Attribute FriendlyName="sn" Name="urn:oid:2.5.4.4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">User</saml2:AttributeValue>
        </saml2:Attribute>
        <saml2:Attribute FriendlyName="givenName" Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Admin</saml2:AttributeValue>
        </saml2:Attribute>
    </saml2:AttributeStatement>
</saml2:Assertion>

I read the relevant part of the spec, and it seems to say the server can give back whatever it wants really (and however many attributes it wants)? Again, my question is whether I can force the SAML Gluu/Shibboleth server to give me back specific attributes as part of the AuthnRequest.

jn1kk asked Mar 08 '16 17:03
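Whatever the IdP is configured to release, the SP side should check the assertion it received against the attributes it actually requires and fail closed instead of assuming the IdP honoured anything. The following Python is an added example, not code from the question: it parses an AttributeStatement shaped like the one above (a constructed copy with a placeholder Issuer) and lists the required attributes that are missing. It matches on the Name URI, since FriendlyName is optional and not something to key logic on, and it assumes signature and Conditions validation already happened before this point. The OID for mail is the standard LDAP one, not something taken from the question.

```python
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample modelled on the assertion quoted in the question: only sn
# and givenName are released. The Issuer value is a placeholder.
SAMPLE_ASSERTION = """<?xml version="1.0" encoding="UTF-8"?>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_bff09cf745ea5722aac3f3ec57c0ecf3" IssueInstant="2016-03-08T17:01:06.140Z" Version="2.0">
    <saml2:Issuer>https://idp.example.org/idp/shibboleth</saml2:Issuer>
    <saml2:AttributeStatement>
        <saml2:Attribute FriendlyName="sn" Name="urn:oid:2.5.4.4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">User</saml2:AttributeValue>
        </saml2:Attribute>
        <saml2:Attribute FriendlyName="givenName" Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Admin</saml2:AttributeValue>
        </saml2:Attribute>
    </saml2:AttributeStatement>
</saml2:Assertion>
"""

# Attributes this SP needs, keyed by the Name URI. The OIDs for givenName, sn
# and mail are the standard LDAP ones; match on Name, never on FriendlyName,
# which is optional and purely cosmetic.
REQUIRED = {
    "urn:oid:2.5.4.42": "givenName",
    "urn:oid:2.5.4.4": "sn",
    "urn:oid:0.9.2342.19200300.100.1.3": "mail",
}


def extract_attributes(assertion_xml: str) -> dict:
    """Return {Name URI: [values]} for every Attribute in the assertion.

    Signature and Conditions checks are assumed to have happened already;
    this only reads the AttributeStatement.
    """
    root = ET.fromstring(assertion_xml.encode("utf-8"))
    attributes: dict = {}
    for attr in root.iterfind(".//saml2:AttributeStatement/saml2:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml2:AttributeValue", NS)]
        # Merge repeated Attribute elements carrying the same Name.
        attributes.setdefault(attr.get("Name"), []).extend(values)
    return attributes


def missing_required(attributes: dict, required: dict = REQUIRED) -> list:
    """Friendly names of required attributes that are absent or only empty."""
    return sorted(
        friendly
        for uri, friendly in required.items()
        if not any(value.strip() for value in attributes.get(uri, []))
    )


if __name__ == "__main__":
    got = extract_attributes(SAMPLE_ASSERTION)
    print("released:", {REQUIRED.get(k, k): v for k, v in got.items()})
    # The SP should fail closed here rather than guess a value for mail.
    print("missing required:", missing_required(got))
```

Run against the sample, the check reports `mail` as missing, which is exactly the situation described in the question: the IdP released what it was configured to release, not what the SP hoped for.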


2 Answers

You need to add the wanted attributes to the released attributes in your Trust Relationship on the IdP. Afaik there's no way to specifically request attributes.

A K answered Nov 20 '22 01:11


Just to provide a bit more detail, the time for you to request additional attributes as the SP is when you send your metadata to the IdP. That metadata describes your service, to include the ACS endpoint, the public certificate that your AuthnRequests will be signed with, the certificate that you want your partner to encrypt with, the attributes that you require, your unique entity ID, etc. The nice thing is that once you determine what your service needs, this metadata doesn't have to change - for ANY partner. You can send it to everyone you partner with.

Once your partner receives this metadata, they import it, and fulfill the attributes you requested with information out of their identity repository, configure the signing and encryption, etc. Once everything is done they send their metadata to you, which contains their protocol endpoints (where you need to send AuthnRequests, etc., to), the certificate that can validate their signing, validation of the attributes that they are sending to you (these can change, based on conversations that you should be holding with your partner) etc.

You get this metadata, and import it into your system, and build out the connection(s) to your apps as needed.

Andrew K. answered Nov 20 '22 03:11
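Both answers come down to the same point: attribute release is decided on the IdP, and the SP states what it wants in its metadata, not in the AuthnRequest body. What SAML 2.0 does provide is an AttributeConsumingService in the SP metadata, whose RequestedAttribute entries the IdP administrator uses when configuring release (Shibboleth's attribute filter can also be configured to key on them), plus an AttributeConsumingServiceIndex attribute on the AuthnRequest that points at one of those services. The Python below builds both artifacts; it is an added example and not code from either answer, from Gluu or from Shibboleth. The entity ID, ACS URL and the `inum` attribute name are placeholders (the real inum attribute name has to come from the IdP's own attribute definitions), and the IdP still decides what it actually releases.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Optional

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
for prefix, uri in (("md", MD), ("samlp", SAMLP), ("saml", SAML)):
    ET.register_namespace(prefix, uri)

# Attributes to ask for: (Name URI, FriendlyName, isRequired). givenName, sn
# and mail use the standard LDAP OIDs. The inum entry is a PLACEHOLDER name;
# the real attribute name must be taken from the IdP's attribute definitions.
WANTED = [
    ("urn:oid:2.5.4.42", "givenName", True),
    ("urn:oid:2.5.4.4", "sn", True),
    ("urn:oid:0.9.2342.19200300.100.1.3", "mail", True),
    ("urn:example:placeholder:inum", "inum", False),
]


def build_sp_metadata(entity_id: str, acs_url: str, service_index: int = 1,
                      wanted=WANTED) -> str:
    """SP metadata with an AttributeConsumingService listing the wanted attributes."""
    ed = ET.Element(f"{{{MD}}}EntityDescriptor", entityID=entity_id)
    sp = ET.SubElement(ed, f"{{{MD}}}SPSSODescriptor",
                       protocolSupportEnumeration=SAMLP)
    ET.SubElement(sp, f"{{{MD}}}AssertionConsumerService", Binding=HTTP_POST,
                  Location=acs_url, index="0", isDefault="true")
    acs = ET.SubElement(sp, f"{{{MD}}}AttributeConsumingService",
                        index=str(service_index), isDefault="true")
    name = ET.SubElement(acs, f"{{{MD}}}ServiceName")
    name.set("{http://www.w3.org/XML/1998/namespace}lang", "en")  # xml:lang
    name.text = entity_id
    for uri, friendly, required in wanted:
        ET.SubElement(acs, f"{{{MD}}}RequestedAttribute", Name=uri,
                      FriendlyName=friendly, NameFormat=URI_FORMAT,
                      isRequired="true" if required else "false")
    return ET.tostring(ed, encoding="unicode")


def build_authn_request(issuer: str, request_id: str, service_index: int = 1,
                        issue_instant: Optional[str] = None) -> str:
    """The question's AuthnRequest plus an AttributeConsumingServiceIndex."""
    instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", ID=request_id, Version="2.0",
                     IssueInstant=instant, ProtocolBinding=HTTP_POST,
                     AttributeConsumingServiceIndex=str(service_index))
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    return ET.tostring(req, encoding="unicode")


def requested_attribute_names(metadata_xml: str) -> list:
    """Name URIs of every RequestedAttribute in the metadata, in document order."""
    root = ET.fromstring(metadata_xml)
    return [e.get("Name") for e in root.iter(f"{{{MD}}}RequestedAttribute")]


def authn_request_service_index(request_xml: str) -> Optional[str]:
    """The AttributeConsumingServiceIndex carried by an AuthnRequest, if any."""
    return ET.fromstring(request_xml).get("AttributeConsumingServiceIndex")


if __name__ == "__main__":
    # Placeholder SP identity and endpoint; substitute your own values.
    print(build_sp_metadata("https://sp.example.com/shibboleth",
                            "https://sp.example.com/Shibboleth.sso/SAML2/POST"))
    print(build_authn_request("me.com", "MyPrefix1457456412304",
                              issue_instant="2016-03-08T17:00:12Z"))
```

The metadata is what gets exchanged once, as Andrew K. describes; the index on the AuthnRequest only selects among services already declared there. Marking an attribute `isRequired="true"` is a statement to the IdP administrator, not an enforcement mechanism, so the SP still has to verify the assertion it receives.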