OpenConext / Mujina

A mock IDP and SP using the OpenSAML library

SAML extensions

roberttoja opened this issue · comments

Hi, is there an option to add SAML Extensions to the AuthnRequest?

It is possible. Have a look at the commit b82adb0 in the branch https://github.com/OpenConext/Mujina/tree/feature/SAMLExtensions. It uses a custom WebSSOProfile which adds an Extensions element to the AuthnRequest:

<md:Extensions xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
    <policy:Policy policyAttribute="value" xmlns:policy="https://openconext/schema/ext">urn:type:policy:consent</policy:Policy>
</md:Extensions>

The custom WebSSOProfile is wired in https://github.com/OpenConext/Mujina/blob/feature/SAMLExtensions/mujina-sp/src/main/java/mujina/sp/SAMLConfig.java#L159

Hi,
thanks for your help. I need to produce something like this in the Extensions:

<saml2p:Extensions>
    <eidas:RequestedAttributes xmlns:eidas="http://eidas.europa.eu/saml-extensions">
        <eidas:RequestedAttribute Name="http://host/attributes/naturalperson/CurrentGivenName" NameFormat="urn:pl:kir:wb:names:SAML:2.0:attrname-format:uri" isRequired="true"/>
        <eidas:RequestedAttribute Name="http://host/attributes/naturalperson/CurrentFamilyName" NameFormat="urn:pl:kir:wb:names:SAML:2.0:attrname-format:uri" isRequired="true"/>
        <eidas:RequestedAttribute Name="http://host/attributes/naturalperson/PersonIdentifier" NameFormat="urn:pl:kir:wb:names:SAML:2.0:attrname-format:uri" isRequired="true"/>
    </eidas:RequestedAttributes>
    <xyz:OperationContext xmlns:xyz="http://host/saml-extensions">
        <xyz:ContextClass>PERSONAL_IDENTIFICATION_ATTRIBUTES</xyz:ContextClass>
        <xyz:ContextDescription>Rejestracja w serwisie DU1</xyz:ContextDescription>
    </xyz:OperationContext>
</saml2p:Extensions>
<saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml2p:RequestedAuthnContext Comparison="minimum">
    <saml2:AuthnContextClassRef>http://eidas.europa.eu/LoA/low</saml2:AuthnContextClassRef>
</saml2p:RequestedAuthnContext>

Are you able to guide me a little?

Many thanks

If you want to express per request which specific Attributes are required, as opposed to specifying this in the SP SAML metadata, you can add RequestedAttribute elements in the Extensions, very similar to the example I committed:

  import java.util.Arrays;
  import org.opensaml.saml2.common.Extensions;
  import org.opensaml.saml2.common.impl.ExtensionsBuilder;
  import org.opensaml.saml2.metadata.RequestedAttribute;
  // SAMLBuilder is Mujina's own helper around OpenSAML's builder factory

  protected Extensions buildExtensions() {
    Extensions extensions = new ExtensionsBuilder().buildObject();
    // one RequestedAttribute per attribute the SP requires for this request
    Arrays.asList("http://host/attributes/naturalperson/CurrentGivenName",
      "http://host/attributes/naturalperson/CurrentFamilyName",
      "http://host/attributes/naturalperson/PersonIdentifier").forEach(s -> {
      RequestedAttribute ra = SAMLBuilder.buildSAMLObject(RequestedAttribute.class, RequestedAttribute.TYPE_NAME);
      ra.setIsRequired(true);
      ra.setName(s);
      ra.setNameFormat("urn:pl:kir:wb:names:SAML:2.0:attrname-format:uri");
      extensions.getUnknownXMLObjects().add(ra); // Extensions accepts arbitrary child elements
    });
    return extensions;
  }

I'm unaware of a RequestedAttributes SAML 2.0 element, but then again I'm far from being a SAML expert.
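The full Extensions payload from the question (the eidas:RequestedAttributes wrapper plus the xyz:OperationContext block) built with OpenSAML 2 generic XSAny elements, as an added example that is not code from Mujina or from either commenter above. It assumes the OpenSAML 2.x API that Spring Security SAML ships with; the class name is hypothetical, and the namespaces, attribute names and NameFormat are copied from the question as given.

```java
import java.util.Arrays;
import java.util.List;
import javax.xml.namespace.QName;
import org.opensaml.saml2.common.Extensions;
import org.opensaml.saml2.common.impl.ExtensionsBuilder;
import org.opensaml.xml.schema.XSAny;
import org.opensaml.xml.schema.impl.XSAnyBuilder;

// Hypothetical helper class; the namespaces and attribute names are the ones from the question.
public class EidasExtensionsBuilder {

  private static final String EIDAS_NS = "http://eidas.europa.eu/saml-extensions";
  private static final String CTX_NS = "http://host/saml-extensions";
  private static final String NAME_FORMAT = "urn:pl:kir:wb:names:SAML:2.0:attrname-format:uri";
  private static final List<String> REQUIRED_ATTRIBUTES = Arrays.asList(
      "http://host/attributes/naturalperson/CurrentGivenName",
      "http://host/attributes/naturalperson/CurrentFamilyName",
      "http://host/attributes/naturalperson/PersonIdentifier");

  public static Extensions buildExtensions(String contextClass, String contextDescription) {
    XSAnyBuilder any = new XSAnyBuilder();

    // Neither eidas:RequestedAttributes nor eidas:RequestedAttribute is a SAML 2.0 core or
    // metadata element, so both are modelled as generic XSAny elements with plain attributes.
    XSAny requestedAttributes = any.buildObject(EIDAS_NS, "RequestedAttributes", "eidas");
    for (String name : REQUIRED_ATTRIBUTES) {
      XSAny ra = any.buildObject(EIDAS_NS, "RequestedAttribute", "eidas");
      ra.getUnknownAttributes().put(new QName("Name"), name);
      ra.getUnknownAttributes().put(new QName("NameFormat"), NAME_FORMAT);
      ra.getUnknownAttributes().put(new QName("isRequired"), "true");
      requestedAttributes.getUnknownXMLObjects().add(ra);
    }

    // xyz:OperationContext carries two text-only children.
    XSAny operationContext = any.buildObject(CTX_NS, "OperationContext", "xyz");
    XSAny ctxClass = any.buildObject(CTX_NS, "ContextClass", "xyz");
    ctxClass.setTextContent(contextClass);
    XSAny ctxDescription = any.buildObject(CTX_NS, "ContextDescription", "xyz");
    ctxDescription.setTextContent(contextDescription);
    operationContext.getUnknownXMLObjects().add(ctxClass);
    operationContext.getUnknownXMLObjects().add(ctxDescription);

    // samlp:Extensions is the standard container; attach it to the request
    // with authnRequest.setExtensions(...) inside the custom WebSSOProfile.
    Extensions extensions = new ExtensionsBuilder().buildObject();
    extensions.getUnknownXMLObjects().add(requestedAttributes);
    extensions.getUnknownXMLObjects().add(operationContext);
    return extensions;
  }
}
```

The NameIDPolicy and RequestedAuthnContext shown in the question are ordinary AuthnRequest children rather than extensions, so they are set directly on the request object, not inside this container.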