preetham

Reputation: 161

Handle user-specific data in a SAML authenticated SP

I am just getting started with SAML. AFAIK, in the authentication step, there is no direct communication between the IdP and the SP and the assertion happens via the browser.

In my applications (which will be the SP), I would like to store some user-specific data (stuff like page size, other UI preferences). When the user is deleted from the IdP, I would like to purge this data from my application as well. Is it possible to get this "event" from the IdP to the SP for such tasks?

PS - My app is PHP based and I am likely to use simplesamlphp.

Thanks, ~preetham

Upvotes: 1

Views: 145

Answers (1)

Steve P

Reputation: 19397

There is no support in the SAML 2.0 spec for having the Identity Provider call out to the Service Provider for events related to user provisioning or deactivation.

However, there is a SAML protocol called SubjectQuery and a request called NameIDMappingRequest which might serve the purpose if you had a nightly batch job or something that would query users who haven't logged on in x days to see if they still exist on the IdP.

You can find the details on these in the Profiles Section of the SAML spec but I don't know what support (if any) simplesamlphp has for these profiles.

Upvotes: 2
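The polling approach the answer sketches, as an added example that is not part of the original post and is not simplesamlphp code: the SP selects users who have not logged in for N days, builds a SAML 2.0 NameIDMappingRequest (Core spec, section 3.8) for each, and purges local preference data only when the IdP's NameIDMappingResponse carries the second-level status code urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal. The entityIDs, the user table and the IdP's answers are constructed for the demo; the SOAP binding and the XML signature a real IdP requires on this request are left out and replaced by an in-process stand-in.

```python
"""Nightly stale-user check against an IdP via SAML 2.0 NameIDMappingRequest (added example)."""
import uuid
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS_P = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_A = "urn:oasis:names:tc:SAML:2.0:assertion"
FMT_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
STATUS_UNKNOWN_PRINCIPAL = "urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal"

SP_ENTITY_ID = "https://sp.example.org/saml"    # assumed SP entityID
IDP_ENTITY_ID = "https://idp.example.org/saml"  # assumed IdP entityID
ET.register_namespace("samlp", NS_P)
ET.register_namespace("saml", NS_A)

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed "tonight"

# Constructed SP user table: persistent NameID issued by the IdP plus local UI preferences.
SAMPLE_USERS = [
    {"name_id": "pid-alice", "last_login": NOW - timedelta(days=2), "prefs": {"page_size": 50}},
    {"name_id": "pid-bob", "last_login": NOW - timedelta(days=90), "prefs": {"page_size": 20}},
    {"name_id": "pid-carol", "last_login": NOW - timedelta(days=45), "prefs": {"theme": "dark"}},
    {"name_id": "pid-dave", "last_login": None, "prefs": {}},
]
# Constructed IdP behaviour: bob was deleted, carol still exists, dave's lookup fails for another reason.
CONSTRUCTED_IDP = {
    "pid-bob": (STATUS_RESPONDER, STATUS_UNKNOWN_PRINCIPAL),
    "pid-carol": (STATUS_SUCCESS, None),
    "pid-dave": (STATUS_RESPONDER, None),
}


def stale_users(users, now, max_idle_days=30):
    """Users whose last login is older than max_idle_days, or who never logged in."""
    cutoff = now - timedelta(days=max_idle_days)
    return [u for u in users if u["last_login"] is None or u["last_login"] < cutoff]


def build_name_id_mapping_request(name_id, now):
    """Serialise a samlp:NameIDMappingRequest asking the IdP to map our persistent NameID.

    Issuer, NameID and NameIDPolicy follow SAML 2.0 Core 3.8.1. In production the
    message must be signed and sent over the SOAP binding; neither is done here.
    """
    req = ET.Element(f"{{{NS_P}}}NameIDMappingRequest", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0",
        "IssueInstant": now.strftime("%Y-%m-%dT%H:%M:%SZ"), "Destination": IDP_ENTITY_ID,
    })
    ET.SubElement(req, f"{{{NS_A}}}Issuer").text = SP_ENTITY_ID
    nid = ET.SubElement(req, f"{{{NS_A}}}NameID", {
        "Format": FMT_PERSISTENT, "NameQualifier": IDP_ENTITY_ID, "SPNameQualifier": SP_ENTITY_ID,
    })
    nid.text = name_id
    ET.SubElement(req, f"{{{NS_P}}}NameIDPolicy", {"Format": FMT_PERSISTENT, "SPNameQualifier": SP_ENTITY_ID})
    return ET.tostring(req, encoding="unicode")


def sample_response(in_response_to, top_code, second_code=None):
    """Construct a minimal NameIDMappingResponse with the given top-level/second-level status codes."""
    resp = ET.Element(f"{{{NS_P}}}NameIDMappingResponse", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "InResponseTo": in_response_to,
        "IssueInstant": NOW.strftime("%Y-%m-%dT%H:%M:%SZ"),
    })
    ET.SubElement(resp, f"{{{NS_A}}}Issuer").text = IDP_ENTITY_ID
    code = ET.SubElement(ET.SubElement(resp, f"{{{NS_P}}}Status"), f"{{{NS_P}}}StatusCode", {"Value": top_code})
    if second_code:
        ET.SubElement(code, f"{{{NS_P}}}StatusCode", {"Value": second_code})
    if top_code == STATUS_SUCCESS:  # a successful mapping returns a NameID for the SP
        ET.SubElement(resp, f"{{{NS_A}}}NameID", {"Format": FMT_PERSISTENT}).text = "mapped-id"
    return ET.tostring(resp, encoding="unicode")


def classify_response(response_xml):
    """'exists', 'gone' or 'unknown'. Only a definite UnknownPrincipal justifies deleting data."""
    root = ET.fromstring(response_xml)
    codes = [e.get("Value") for e in root.iter(f"{{{NS_P}}}StatusCode")]  # document order: top, then nested
    if codes[:1] == [STATUS_SUCCESS]:
        return "exists"
    if STATUS_UNKNOWN_PRINCIPAL in codes:
        return "gone"
    return "unknown"  # signature/permission/transient failure: keep the data, retry next night


def fake_transport(request_xml):
    """Stand-in for the SOAP binding: answers from CONSTRUCTED_IDP keyed on the request's NameID."""
    req = ET.fromstring(request_xml)
    top_code, second_code = CONSTRUCTED_IDP[req.find(f"{{{NS_A}}}NameID").text]
    return sample_response(req.get("ID"), top_code, second_code)


def purge_candidates(users, now, transport, max_idle_days=30):
    """The nightly job: query the IdP for each stale user and return NameIDs safe to purge."""
    to_purge = []
    for user in stale_users(users, now, max_idle_days):
        verdict = classify_response(transport(build_name_id_mapping_request(user["name_id"], now)))
        if verdict == "gone":
            to_purge.append(user["name_id"])
    return to_purge


def demo():
    return purge_candidates(SAMPLE_USERS, NOW, fake_transport)
```

Two things worth keeping from the design when wiring this to a real IdP: treat anything other than an explicit UnknownPrincipal as "unknown" and retry later, since a signature error or a generic Responder failure says nothing about whether the user still exists; and expect that many IdPs do not implement the Name Identifier Mapping profile at all, in which case the only safe fallback is an out-of-band provisioning feed from the IdP's directory rather than guessing from login inactivity.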
