SAML extensions
roberttoja opened this issue
Hi, is there an option to add SAML Extensions to AuthnRequest?
It is possible. Have a look at the commit b82adb0 in the branch https://github.com/OpenConext/Mujina/tree/feature/SAMLExtensions. It uses a custom WebSSOProfile which adds an Extensions element to the AuthnRequest:

    <md:Extensions xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
      <policy:Policy policyAttribute="value" xmlns:policy="https://openconext/schema/ext">urn:type:policy:consent</policy:Policy>
    </md:Extensions>

The custom WebSSOProfile is wired in https://github.com/OpenConext/Mujina/blob/feature/SAMLExtensions/mujina-sp/src/main/java/mujina/sp/SAMLConfig.java#L159
Hi,
thanks for your help. I need to produce something like this in Extensions:

    <saml2p:Extensions>
      <eidas:RequestedAttributes xmlns:eidas="http://eidas.europa.eu/saml-extensions">
        <eidas:RequestedAttribute Name="http://host/attributes/naturalperson/CurrentGivenName" NameFormat="urn:pl:kir:wb:names:SAML:2.0:attrname-format:uri" isRequired="true"/>
        <eidas:RequestedAttribute Name="http://host/attributes/naturalperson/CurrentFamilyName" NameFormat="urn:pl:kir:wb:names:SAML:2.0:attrname-format:uri" isRequired="true"/>
        <eidas:RequestedAttribute Name="http://host/attributes/naturalperson/PersonIdentifier" NameFormat="urn:pl:kir:wb:names:SAML:2.0:attrname-format:uri" isRequired="true"/>
      </eidas:RequestedAttributes>
      <xyz:OperationContext xmlns:xyz="http://host/saml-extensions">
        <xyz:ContextClass>PERSONAL_IDENTIFICATION_ATTRIBUTES</xyz:ContextClass>
        <xyz:ContextDescription>Rejestracja w serwisie DU1</xyz:ContextDescription>
      </xyz:OperationContext>
    </saml2p:Extensions>
    <saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
    <saml2p:RequestedAuthnContext Comparison="minimum">
      <saml2:AuthnContextClassRef>http://eidas.europa.eu/LoA/low</saml2:AuthnContextClassRef>
    </saml2p:RequestedAuthnContext>

Are you able to guide me a little?
Many thanks
If you want to express per request which specific Attributes are required, as opposed to specifying this in the SP SAML metadata, you can add RequestedAttribute elements in the Extensions, very similar to the example I committed:
    // OpenSAML 2.x types (the version pulled in by spring-security-saml), plus Mujina's own SAMLBuilder helper.
    import org.opensaml.saml2.common.Extensions;
    import org.opensaml.saml2.common.impl.ExtensionsBuilder;
    import org.opensaml.saml2.metadata.RequestedAttribute;
    import mujina.saml.SAMLBuilder;

    protected Extensions buildExtensions() {
        Extensions extensions = new ExtensionsBuilder().buildObject();
        Arrays.asList("http://host/attributes/naturalperson/CurrentGivenName",
            "http://host/attributes/naturalperson/CurrentFamilyName",
            "http://host/attributes/naturalperson/PersonIdentifier").forEach(s -> {
            // RequestedAttribute here is the SAML 2.0 metadata element, so it is
            // serialised in the urn:oasis:names:tc:SAML:2.0:metadata namespace.
            RequestedAttribute ra = SAMLBuilder.buildSAMLObject(RequestedAttribute.class, RequestedAttribute.TYPE_NAME);
            ra.setIsRequired(true);
            ra.setName(s);
            ra.setNameFormat("urn:pl:kir:wb:names:SAML:2.0:attrname-format:uri");
            // Extensions accepts any child element; typed children go in the same list.
            extensions.getUnknownXMLObjects().add(ra);
        });
        return extensions;
    }
I'm unaware of a RequestedAttributes SAML2.0 element, but then again I'm far from being a SAML expert.
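The two maintainer replies above describe the mechanism (a custom WebSSOProfile that attaches an Extensions element) and show how a typed OpenSAML object is added to it. What the question actually needs, elements in the eidas and xyz namespaces, has no typed class in OpenSAML, so they can be built as XSAny objects instead. The following is an added example, not code from Mujina or the commit referenced above; it assumes OpenSAML 2.x with spring-security-saml 1.0.x (the getAuthnRequest hook signature and all package names are from those versions), and the class name EidasExtensionsWebSSOProfile and the package are hypothetical. It also builds the Extensions element in the SAML protocol namespace, matching the saml2p:Extensions in the requested XML, rather than the md namespace that the no-argument ExtensionsBuilder produces.

```java
package mujina.sp;  // assumption: placed next to Mujina's SAMLConfig so it can be wired there

import java.util.Arrays;
import java.util.List;

import javax.xml.namespace.QName;

import org.opensaml.common.SAMLException;
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.common.Extensions;
import org.opensaml.saml2.common.impl.ExtensionsBuilder;
import org.opensaml.saml2.core.AuthnRequest;
import org.opensaml.saml2.metadata.AssertionConsumerService;
import org.opensaml.saml2.metadata.SingleSignOnService;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.xml.schema.XSAny;
import org.opensaml.xml.schema.impl.XSAnyBuilder;
import org.springframework.security.saml.context.SAMLMessageContext;
import org.springframework.security.saml.websso.WebSSOProfileImpl;
import org.springframework.security.saml.websso.WebSSOProfileOptions;

/**
 * Hypothetical WebSSOProfile that adds eIDAS-style RequestedAttributes and a
 * custom OperationContext to every AuthnRequest. Elements without an OpenSAML
 * class are built as XSAny, so they serialise under the eidas/xyz namespaces.
 */
public class EidasExtensionsWebSSOProfile extends WebSSOProfileImpl {

    // Namespaces and values copied from the XML requested earlier in this thread.
    static final String EIDAS_NS = "http://eidas.europa.eu/saml-extensions";
    static final String CTX_NS = "http://host/saml-extensions";
    static final String NAME_FORMAT = "urn:pl:kir:wb:names:SAML:2.0:attrname-format:uri";
    static final List<String> REQUIRED_ATTRIBUTES = Arrays.asList(
        "http://host/attributes/naturalperson/CurrentGivenName",
        "http://host/attributes/naturalperson/CurrentFamilyName",
        "http://host/attributes/naturalperson/PersonIdentifier");

    /**
     * spring-security-saml 1.0.x hook (signature assumed for the version Mujina uses).
     * It runs before the request is signed and encoded, so when request signing is
     * enabled the Extensions are covered by the signature and the IdP can tell that
     * the attribute list came from this SP unmodified.
     */
    @Override
    protected AuthnRequest getAuthnRequest(SAMLMessageContext context, WebSSOProfileOptions options,
                                           AssertionConsumerService assertionConsumer,
                                           SingleSignOnService bindingService)
            throws SAMLException, MetadataProviderException {
        AuthnRequest request = super.getAuthnRequest(context, options, assertionConsumer, bindingService);
        request.setExtensions(buildEidasExtensions());
        return request;
    }

    /** Builds saml2p:Extensions holding eidas:RequestedAttributes and xyz:OperationContext. */
    static Extensions buildEidasExtensions() {
        // Explicit protocol namespace: the no-arg buildObject() would yield md:Extensions,
        // which the SAML protocol schema does not allow inside an AuthnRequest.
        Extensions extensions = new ExtensionsBuilder().buildObject(
            SAMLConstants.SAML20P_NS, "Extensions", SAMLConstants.SAML20P_PREFIX);
        XSAnyBuilder any = new XSAnyBuilder();

        XSAny requestedAttributes = any.buildObject(EIDAS_NS, "RequestedAttributes", "eidas");
        for (String name : REQUIRED_ATTRIBUTES) {
            XSAny ra = any.buildObject(EIDAS_NS, "RequestedAttribute", "eidas");
            // Unqualified attributes on an XSAny go through its attribute map.
            ra.getUnknownAttributes().put(new QName("Name"), name);
            ra.getUnknownAttributes().put(new QName("NameFormat"), NAME_FORMAT);
            ra.getUnknownAttributes().put(new QName("isRequired"), "true");
            requestedAttributes.getUnknownXMLObjects().add(ra);
        }
        extensions.getUnknownXMLObjects().add(requestedAttributes);

        XSAny operationContext = any.buildObject(CTX_NS, "OperationContext", "xyz");
        XSAny contextClass = any.buildObject(CTX_NS, "ContextClass", "xyz");
        contextClass.setTextContent("PERSONAL_IDENTIFICATION_ATTRIBUTES");
        XSAny contextDescription = any.buildObject(CTX_NS, "ContextDescription", "xyz");
        contextDescription.setTextContent("Rejestracja w serwisie DU1");
        operationContext.getUnknownXMLObjects().add(contextClass);
        operationContext.getUnknownXMLObjects().add(contextDescription);
        extensions.getUnknownXMLObjects().add(operationContext);

        return extensions;
    }
}
```

To use it, the webSSOprofile bean in SAMLConfig (the wiring point linked above) would return an instance of this class instead of WebSSOProfileImpl; that is an assumption about how the branch wires its own profile. NameIDPolicy and RequestedAuthnContext from the requested XML are not part of Extensions and are set through WebSSOProfileOptions rather than here. Because the Extensions children are opaque to OpenSAML, nothing validates their content on the SP side: the values are whatever the code puts in, so anything that ends up in them from user input should be treated as untrusted and kept out of the request.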