jon077

Reputation: 10449

Are attributes allowed in a SAML authentication request?

Is it possible to send attributes in a SAML authentication request?

<samlp:AuthnRequest
   xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
   xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
   ID="aaf23196-1773-2113-474a-fe114412ab72"
   Version="2.0"
   IssueInstant="2004-12-05T09:21:59Z"
   AssertionConsumerServiceIndex="0"
   AttributeConsumingServiceIndex="0">
   <saml:Issuer>https://sp.example.com/SAML2</saml:Issuer>
   <samlp:NameIDPolicy
     AllowCreate="true"
     Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
</samlp:AuthnRequest>

Upvotes: 7

Views: 7074

Answers (2)

user1733951

Reputation: 43

There is a case where attributes are to be part of the auth request, so that we can get the attribute name from the request to construct the response assertion with the same, because the service provider validates the response by comparing the attribute names.

We can take the example of Salesforce as a service provider, where the same happens.

Upvotes: 0

metadaddy

Reputation: 4419

Technically, yes, it is possible, since AuthnRequest can contain an Extensions element, which can contain anything - see the SAML 'core' spec: AuthnRequest (section 3.4.1) is derived from RequestAbstractType (section 3.2.1) which has an optional Extensions. The sender and recipient would have to agree on the syntax and semantics of data sent this way.

I can't see a more 'conventional' way to do this, since Attributes are usually in Assertions, rather than AuthnRequests.

Upvotes: 7
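
The Extensions approach from the answer above, as an added example that is not part of the original answers: the SP side places requested attribute names in `samlp:Extensions`, and the IdP side reads them back and checks each name against a release allow-list. The `urn:example:sp:authn-ext` namespace, the `RequestedAttribute` element and the allow-list policy are assumptions made for illustration; SAML defines none of them.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
# Hypothetical private namespace agreed between SP and IdP. Extension
# elements must be qualified in a namespace that SAML itself does not define.
EXT = "urn:example:sp:authn-ext"

for prefix, uri in (("samlp", SAMLP), ("saml", SAML), ("ext", EXT)):
    ET.register_namespace(prefix, uri)

def build_authn_request(attribute_names):
    """SP side: the question's AuthnRequest plus an Extensions element."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "aaf23196-1773-2113-474a-fe114412ab72",
        "Version": "2.0",
        "IssueInstant": "2004-12-05T09:21:59Z",
        "AssertionConsumerServiceIndex": "0",
        "AttributeConsumingServiceIndex": "0",
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = "https://sp.example.com/SAML2"
    # Schema order: Issuer, (Signature), Extensions, then NameIDPolicy.
    ext = ET.SubElement(req, f"{{{SAMLP}}}Extensions")
    for name in attribute_names:
        ET.SubElement(ext, f"{{{EXT}}}RequestedAttribute", {"Name": name})
    ET.SubElement(req, f"{{{SAMLP}}}NameIDPolicy", {
        "AllowCreate": "true",
        "Format": "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
    })
    return ET.tostring(req, encoding="unicode")

def requested_attributes(xml_text, releasable):
    """IdP side: split requested names into (granted, refused)."""
    # Untrusted XML should go through a hardened parser (e.g. defusedxml).
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    # Only a direct-child Extensions counts; nested look-alikes are ignored.
    ext = root.find(f"{{{SAMLP}}}Extensions")
    found = [] if ext is None else ext.findall(f"{{{EXT}}}RequestedAttribute")
    names = [el.get("Name") for el in found if el.get("Name")]
    # The request may be unsigned, so its contents are a hint, not a policy:
    # release only what the IdP has already approved for this SP.
    granted = [n for n in names if n in releasable]
    refused = [n for n in names if n not in releasable]
    return granted, refused

if __name__ == "__main__":
    xml_text = build_authn_request(["mail", "department", "ssn"])  # constructed sample
    print(xml_text)
    print(requested_attributes(xml_text, releasable={"mail", "department"}))
```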
