Simple Question regarding retrieving sent Post data by SP through IDP

VM GmbH

Feb 7, 2012, 4:01:59 AM
to simpleSAMLphp
Hello everybody,

I am a real beginner with simplesamlphp and so I have my first
question:

I set up an IDP and SP locally on two different local hosts.
Currently I am playing with the example verysimple.php in the
"www/example-simple" folder.

My Question:
I added to this example a HTML select field with two different values
a user can choose.

When the user submits the form, the requireAuth() function is called.
What I want to achieve now is to get this sent POST data (from the
select field) at the IDP side with authproc filters. More exactly, with
the filter "core:PHP".

For that I edited the config.php and did the following:

=============================
'authproc.idp' => array(

    10 => array(
        'class' => 'core:PHP',
        'code' => '
            //TRY TO GET HERE THE INPUT POST DATA
            $aal = $_POST["selectdata"];
        ',
    ),
    //etc etc
=============================

But no data could be carried?!?!

Can somebody please help and tell me what I have to do to get the POST
data from the verysimple.php at the IDP side with authproc filters?

Thx a lot by now
Regards
John

Olav Morken

Feb 7, 2012, 10:35:53 AM
to simple...@googlegroups.com

It doesn't work that way. The POST data is local to the SP, and is not
shared with the IdP. (The only purpose of saving it is to preserve it
until the user has logged in. The typical use case is to avoid losing
changes made to a wiki page due to session timeout.)


There is no general way to transfer data from an SP to an IdP. You can
implement it in a non-standard way if you want to. See the following
thread for some hints about how to do that with simpleSAMLphp on both
ends:

https://groups.google.com/d/topic/simplesamlphp/klbp57ZqlKc/discussion

Of course, that is entirely non-standard.


Best regards,
Olav Morken
UNINETT / Feide

konta...@googlemail.com

Feb 7, 2012, 11:13:23 AM
to simple...@googlegroups.com
THX a lot for this answer

But: is there any other (simpler) way to achieve this goal?

The attributes I want to define are standards and are defined by the owner of the SP. With the select I only wanted to demonstrate a prototype implementation of authproc. We can forget the select.
So, how can I put a self-defined attribute that is defined by the SP and that is called for example "myAttribute" and has the value "1" into the AuthnRequest, so that the IDP can process it later with the core:PHP authproc filter?
I tried to do it that way, but that won't work:

====================
'authproc.sp' => array(

    5 => array(
        'class' => 'core:AttributeAdd',
        'myAttribute' => array('1'),
    ),
    //etc
====================

and then read it by the IDP


====================
'authproc.idp' => array(

    10 => array(
        'class' => 'core:PHP',
        'code' => '
            $myAttribute = intval($attributes["myAttribute"][0]);

            //further code
        ',
    ),
    //etc
====================

As said, it does not work. Can anybody help me out, how to put an attribute to the AuthnRequest so that the IDP can work on it?

Thx very much by now
regards
John

Olav Morken

Feb 8, 2012, 4:18:00 AM
to simple...@googlegroups.com
On Tue, Feb 07, 2012 at 17:13:23 +0100, konta...@gmail.com wrote:
> The attributes i want to define are standards and are defined by the
> owner of the SP. With the select i only wanted to demonstrate a
> prototype implementation of authproc. We can forget the select.
> So, how can i put a self defined attribute that is defined by the SP
> and that is called for example "myAttribute" and has the value "1"
> to the AuthnRequest, so that the IDP can process it later with the
> core:PHP auth proc Filter?
> I tried to do it that way, but that won't work:
[...]

> As said, it does not work.

I think you have got it the wrong way around. The SP does generally not
provide data to the IdP. Instead, the IdP authenticates the user, and
provides attributes about the user to the SP.

Therefore the SP authproc entry executes after the IdP provides its
response to the SP. (Its purpose is to allow the SP to postprocess
the response from the IdP.)

> Can anybody help me out, how to put an
> attribute to the AuthnRequest so that the IDP can work on it?

There is no space for SAML 2.0 attributes in the authentication
request. Instead you must use a non-standard extension if you need
to transport extra data in the authentication request.
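
An added illustration of the point in the last reply (not part of the original thread, and not simpleSAMLphp code): since an AuthnRequest has no slot for SAML attributes, extra SP data has to travel in `samlp:Extensions`, and the IdP should treat it as an untrusted hint and validate it. The namespace `urn:example:sp-hints`, the element name `MyAttribute`, the allow-list and the sample values are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
EXT = "urn:example:sp-hints"  # hypothetical namespace agreed between this SP and IdP
ALLOWED = {"1", "2"}          # hypothetical: the only values the IdP accepts

ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)
ET.register_namespace("hint", EXT)


def build_authn_request(issuer, request_id, my_attribute):
    """SP side: carry the extra value inside samlp:Extensions."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest",
                     {"ID": request_id, "Version": "2.0",
                      "IssueInstant": "2012-02-08T09:18:00Z"})  # constructed sample
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    # Schema order in a request: Issuer, (Signature), Extensions, then the rest.
    ext = ET.SubElement(req, f"{{{SAMLP}}}Extensions")
    ET.SubElement(ext, f"{{{EXT}}}MyAttribute").text = my_attribute
    return ET.tostring(req, encoding="unicode")


def read_sp_hint(authn_request_xml):
    """IdP side: return the hint, or None if absent or not on the allow-list."""
    # Crude guard: SAML messages never need a DTD, so refuse one outright.
    if "<!DOCTYPE" in authn_request_xml:
        raise ValueError("DTD not allowed in a SAML message")
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not an AuthnRequest")
    node = root.find(f"{{{SAMLP}}}Extensions/{{{EXT}}}MyAttribute")
    if node is None or node.text is None:
        return None
    value = node.text.strip()
    # The value comes from the SP; accept only what the IdP expects.
    return value if value in ALLOWED else None


if __name__ == "__main__":
    xml = build_authn_request("https://sp.example.org/metadata", "_abc123", "1")
    print(xml)
    print(read_sp_hint(xml))
```

Unless the AuthnRequest is signed and the IdP verifies that signature, anything in the extension can be altered in transit through the browser, so it should not drive security decisions on its own.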
