Reputation: 60
Does SAML 2.0 allow to send SP data to IdP?
I'm reading the SAML specification and experimenting with Keycloak and Shibboleth IdPs and I'm not sure how to implement one feature in an SP-initiated login.
I have a service that traditionally used to have an SP status information displayed on its login page (e.g. application version, status). After switching to using an IdP login page I'd like to keep displaying such per-SP additional information on the login page of the IdP. I'm interested in the data exchange, not in templating the login page itself.
Does SAML 2.0 specification allow for sending arbitrary data to the IdP for the purpose of logging in? If not, what are other options that can be used to decorate IdP login page using SP-generated data?
Upvotes: 4
Views: 1198
Answers (2)
Reputation: 3969
Sort of. The authentication request from SP to IdP is allowed to have "custom" extensions (the Extensions parent element), the content of the extensions is up to you. From the spec:
[Optional] This extension point contains optional protocol message extension elements that are agreed on between the communicating parties. No extension schema is required in order to make use of this extension point, and even if one is provided, the lax validation setting does not impose a requirement for the extension to be valid. SAML extension elements MUST be namespace-qualified in a non-SAML-defined namespace.
If you're writing your own IdP, you could certainly make use of Extensions and do whatever you wish with it. "Standard" (commercial/OSS) IdPs won't know what to do with your extension. It'd be an interesting test to see if Shibboleth or Keycloak libraries parse the Extensions element and give you the contents.
The other, more standard possibility is using RelayState. This is a spec-compliant way of passing some provider-specific state information around, incl. from SP to IdP:
3.1.1 Use of RelayState Some bindings define a "RelayState" mechanism for preserving and conveying state information. When such a mechanism is used in conveying a request message as the initial step of a SAML protocol, it places requirements on the selection and use of the binding subsequently used to convey the response. Namely, if a SAML request message is accompanied by RelayState data, then the SAML responder MUST return its SAML protocol response using a binding that also supports a RelayState mechanism, and it MUST place the exact RelayState data it received with the request into the corresponding RelayState parameter in the response.
Again, all IdPs or downstack libraries will parse RelayState but how they handle it from there depends on their reading of the spec. For one, the spec requires RelayState to be 80 bytes and integrity protection via a signature or "other means". This limitation is often ignored by IdPs and SPs.
What SP-specific information are you trying to display on IdP login page?
Upvotes: 3
Reputation: 3351
The only thing that an SP can send to the IdP is the Subject (see lines 585-589 of the spec).
Upvotes: 0
Related Questions
- IDP initiated SAML flow with ITfoxtec
- SAML 2.0 IDP with OIDC client, can I have IDP initiated SSO?
- Does simplesaml provide any API for IdP as it does for SP?
- Can IDP Initiated implementation be a SAML 2.0 compliant technique?
- Will be possible to call directly IDP in SAML?
- SSO-SAML Logging into IDP from service provicer
- Connection between SP and IDP in multiple SP SSO scenario
- Skip IDP authentication in SAML
- Sending a SAML assertion from IDP to SP
- Does Azure ACS support saml 2.0 IdPs like Salesforce?