SimpleSamlPHP (SP) & OKTA (IdP)

Question

I have a web application on my local computer: https://test.staging.me

This is PHP (cakephp) application.

I installed SimpleSamlPHP and configured it as the Service Provider(SP). I created some tests from instruction: https://simplesamlphp.org/docs/stable/simplesamlphp-sp And my tests with openidp.feide.no were successfully.

But I have problem with OKTA. I created "Test App Cakephp" and assigned people and configured SimpleSamlPHP for this.

But after logIn I get this SAML (without user attributes):

<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://test.staging.me/simplesamlphp/module.php/saml/sp/saml2-acs.php/okta-sp" ID="id12087736095048056708868080" IssueInstant="2015-04-07T15:49:27.571Z" Version="2.0" > 
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" >http://www.okta.com/exk3ov34irLCZc7Ti0h7</saml2:Issuer> 
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> 
    <ds:SignedInfo> 
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> 
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /> 
        <ds:Reference URI="#id12087736095048056708868080"> 
            <ds:Transforms> 
                <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /> 
                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> 
            </ds:Transforms> 
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> 
            <ds:DigestValue>pU2jLhg9A4w97r8NVnBKl3IQZLE=</ds:DigestValue> 
        </ds:Reference> 
    </ds:SignedInfo> 
    <ds:SignatureValue>VPDveGXR0s0aL87FHcwlgox2jpF8Ka68+35u5sAwtNPu6YGLeHBZXMM0VJBGubXaP43p7U/bOCEDN28Unvdu+r7nsPayg7KRJtEBG5IPS0aHAsAVvFWCNKwbj/F3V+mNfjj6tyCYxfUv0VzGYFx74sR4jyatwMWM0C8Tn5/
    </ds:SignatureValue> 
    <ds:KeyInfo> 

        <ds:X509Data> 
            <ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAUx+YiPyMA0GCSqGSIb3DQEBBQUAMIGSMQswCQYDVQQGEwJVUzETMBEG A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU 
            </ds:X509Certificate> 
        </ds:X509Data> 
    </ds:KeyInfo> 
</ds:Signature> 

<saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"> 
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /> 
</saml2p:Status> 
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="id120877360951785121155512781" IssueInstant="2015-04-07T15:49:27.571Z" Version="2.0" > 
    <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" >http://www.okta.com/exk3ov34irLCZc7Ti0h7</saml2:Issuer> 
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> 
        <ds:SignedInfo> 
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> 
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /> 
            <ds:Reference URI="#id120877360951785121155512781"> 
                <ds:Transforms> 
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /> 
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> 
                </ds:Transforms> 

                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> 
                <ds:DigestValue>lob8Do3NlCm0YApUEdGks7Lvj5g=</ds:DigestValue> 
            </ds:Reference> 
        </ds:SignedInfo> 
        <ds:SignatureValue>cxCVxow1zv7/C9fyG3n8FqXLNUCx6J3WMzZSB7oOQhBCWt1x+EmkB/Hh3l1AajeCRe50uCZlSfy5eN1kpLQPy1oqyTH/i08cdnzeb94eMh06JRpljSrGFBRyNz7RfoHSs13v8R3PEweDsM0XIUhfX3oL2JpGm7yxwcm/+UZpI2eq
        </ds:SignatureValue> 
        <ds:KeyInfo> 
            <ds:X509Data> 
                <ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAUx+YiPyMA0GCSqGSIb3DQEBBQUAMIGSMQswCQYDVQQGEwJVUzETMBEG A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU MBIGA1UECwwLU1NPUHJv
                </ds:X509Certificate> 
            </ds:X509Data> 

        </ds:KeyInfo> 
    </ds:Signature> 
    <saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"> 
        <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">test1@my_domain.com</saml2:NameID> 
        <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> 
            <saml2:SubjectConfirmationData NotOnOrAfter="2015-04-07T15:54:27.571Z" Recipient="https://test.staging.me/simplesamlphp/module.php/saml/sp/saml2-acs.php/okta-sp" /> 
        </saml2:SubjectConfirmation> 
    </saml2:Subject> 
    <saml2:Conditions NotBefore="2015-04-07T15:44:27.571Z" NotOnOrAfter="2015-04-07T15:54:27.571Z" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" > 
        <saml2:AudienceRestriction> 
            <saml2:Audience>https://test.staging.me/simplesamlphp/module.php/saml/sp/metadata.php/okta-sp</saml2:Audience> 
        </saml2:AudienceRestriction> 
    </saml2:Conditions> 
    <saml2:AuthnStatement AuthnInstant="2015-04-07T15:49:27.571Z" SessionIndex="id1428421767571.740119289" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" > 
        <saml2:AuthnContext>
            <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef> 
        </saml2:AuthnContext> 
    </saml2:AuthnStatement> 
</saml2:Assertion> 

I cut off "ds:SignatureValue" and "ds:X509Certificate" fields for convenience.

My question: Why I don't receive attributes of the user? Thanks )

Answer 1

Okta, by default, doesn't send any attributes in the <saml2:AttributeStatement>. To configure the optional Attribute Statement take a look at Configuring the Okta Template SAML 2.0 App. The five standard Okta profile attributes you can send are First Name, Last Name, Email, and Okta Username.

For the users first and last name to be included in the SAMLResponse from Okta:

<saml2:AttributeStatement>
     <saml2:Attribute Name="FirstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Thomas</saml2:AttributeValue>
     </saml2:Attribute>
     <saml2:Attribute Name="LastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Kirk</saml2:AttributeValue>
     </saml2:Attribute>
</saml2:AttributeStatement>

You must configure your Okta SAML 2.0 app to include the following Attribute Statement:

FirstName|${user.firstName},LastName|${user.lastName}

In addition to the standard Okta profile attributes (First Name, Last Name, Email, and Okta Username), you can use additional attributes that have been pulled into Okta from Workday, Active Directory, and other LDAP directories.