user

Reputation: 6947

Causing IDP to include specified attribute in authentication response

I've looked through the standard, as well as browsed the OpenSAML-J API, but can't find an obvious way to do this. Is it possible, and if so, how?

What I want is to include something in an AuthnRequest (which is generated by my code and posted to the IDP) that causes the final AuthnResponse to include a named attribute with a specific value. Ideally the attribute should always be included, but it will work too if the attribute is only included upon successful authentication. The desired name and value are both known when the AuthnRequest is being constructed.

I thought about RelayState for a moment, too, but that doesn't appear to be what I'm looking for either.

Are attributes allowed in a SAML authentication request? talks about including attributes with the AuthnRequest, but insofar as I can tell, using Extensions to include an attribute does not guarantee that the same attribute will be included in the final response issued by the IDP. (But maybe I am misreading Core section 7.2.1 and it really applies to my case?) I can't rely on the behavior of a specific implementation; it must be guaranteed by the standard.

Any suggestions would be greatly appreciated.

The only other solution I can think of is to store the relevant data locally and refer to it using the ID and InResponseTo attributes on the request and response, respectively, but that introduces a fair bit of overhead and complexity which I would rather avoid if I can.

Upvotes: 1

Views: 698

Answers (2)

Scott T.

Reputation: 6272

Could a possible workaround be to make an AttributeQuery back to the IdP after the user has authenticated? In an AttributeQuery you can name whatever attributes you are interested in retrieving. The response will return those if it can.

Not all SAML products support AttributeQuery, so I'm not sure how much flexibility you have on either side of your problem.

Upvotes: 1

RelayState is the right feature to use. As all the values you want returned are already known during request construction time, you can just serialize them into a string, provide as RelayState when sending the AuthnRequest and get them returned together with the AuthnResponse.

Upvotes: 0
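Added example (written in Python rather than OpenSAML-J, and not code from the question, the answers or OpenSAML) of the fallback the question describes: keep the name and value server-side keyed by the AuthnRequest ID, then look them up from the Response's InResponseTo, rejecting unsolicited, replayed and stale responses. PendingRequests and UnsolicitedResponse are hypothetical names, and the Response is assumed to have had its signature, Issuer, Destination and Conditions verified before it reaches consume().

```python
import secrets
import time
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"


class UnsolicitedResponse(Exception):
    """The Response does not correlate with a request this SP issued."""


class PendingRequests:
    """Outstanding AuthnRequests keyed by request ID (hypothetical helper).

    The attribute name and value the application wants back never leave the
    SP: only the random ID travels to the IdP and comes back in InResponseTo.
    """

    def __init__(self, ttl_seconds=300):
        self.ttl = ttl_seconds
        self._pending = {}  # request ID -> (attr_name, attr_value, expires_at)

    def issue(self, attr_name, attr_value, now=None):
        """Allocate the ID for a new AuthnRequest and remember the data tied to it."""
        now = time.time() if now is None else now
        # xs:ID values must be NCNames, so the random part gets a leading "_".
        request_id = "_" + secrets.token_hex(16)
        self._pending[request_id] = (attr_name, attr_value, now + self.ttl)
        return request_id

    def consume(self, response_xml, now=None):
        """Match an inbound samlp:Response to its request; single use, TTL-bound.

        Signature, Issuer, Destination and Conditions are assumed to have been
        verified already (e.g. by OpenSAML) before the response reaches here.
        """
        now = time.time() if now is None else now
        root = ET.fromstring(response_xml)
        if root.tag != "{%s}Response" % SAMLP_NS:
            raise UnsolicitedResponse("not a samlp:Response")
        in_response_to = root.get("InResponseTo")
        if in_response_to is None:
            raise UnsolicitedResponse("no InResponseTo: unsolicited (IdP-initiated)")
        entry = self._pending.pop(in_response_to, None)  # pop => one use per ID
        if entry is None:
            raise UnsolicitedResponse("unknown or already consumed request ID")
        attr_name, attr_value, expires_at = entry
        if now > expires_at:
            raise UnsolicitedResponse("request expired before the response arrived")
        return attr_name, attr_value
```

The ID returned by issue() is what goes into the AuthnRequest's ID attribute; because the stored pair is popped on first use, a second Response carrying the same InResponseTo is rejected.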
