Adding Subject to AuthnRequest


Jorge Pombar

Mar 12, 2014, 8:12:07 PM
to simple...@googlegroups.com

First, many thanks for creating such a great open source product. I apologize in advance for dumb questions, I'm a SAML newbie.

Our use case: simpleSAMLphp is the SP, generates the AuthnRequest and sends it to the IdP. Our application is the IdP and consumes the AuthnRequest.

I'm able to get everything working except that we expect to consume some value we put in the <Subject>. Something like this:

<Subject xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <NameID>someName</NameID>
</Subject>

I've been searching and trying things all day and I can't find a way to add this to our AuthnRequest before it gets sent.

I was able to add extensions to the request in a similar way as explained here (https://simplesamlphp.org/docs/stable/saml:sp Section 4.8), so I have access to the SimpleSAML_Auth_Simple object, but I don't see a way to set the nameId there.

I do see the method in the class SAML2_Assertion::addSubject, but that's private. I see that it sets it when the class variable "nameId" is set, but that's private as well. I thought about brute-forcing this by making it public and setting it. However, I got stuck getting access to this SAML2_Assertion object. Plus I'm pretty sure this is not the right way to go.

Is there a configuration I can set? Or some other way to achieve this?

Thanks in advance for your help,

Enrique


Tom Scavo

Mar 12, 2014, 8:44:05 PM
to simpleSAMLphp
On Wed, Mar 12, 2014 at 8:12 PM, Jorge Pombar <Jorge_...@symantec.com> wrote:
> First many thanks for creating such great open source product. I apologize
> in advance for dumb questions, I'm a SAML newbie.
>
> Our use case: simpleSAMLphp is the SP, generates the AuthnRequest and sends
> it to the Idp. Our application is the Idp and consumes the AuthnRequest
>
> I'm able to get everything working except that we expect to consume some
> value we put in the <Subject>. Something like this:
>
> <Subject xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
> <NameID>someName</NameID>
> </Subject>

I don't know the answer to your question but I just wanted to say that
this is not a dumb question since I want to do exactly the same thing
:-) Please summarize what you find out. I'm very interested!

Thanks,

Tom

Jorge Pombar

Mar 19, 2014, 2:31:10 PM
to simple...@googlegroups.com
Well, after trying many things with no luck, I ended up changing some of the source files to make it work.

First I'll mention how to enable the logs and where they are written, as this is a must when you are changing code so you can keep your sanity.
Enable log:
- open "simplesamlphp/config/config.php"
- change the following lines:
+ 'debug' => TRUE,
+ 'logging.level' => SimpleSAML_Logger::DEBUG,
- SimpleSAML_Logger::debug("write any message you want to see"); // you can choose the level of course

Where the logs are written:
- I think this is determined by this setting in 'config/config.php': 'logging.handler' => 'syslog',
- Apache's error log [/var/log/apache2/error.log] (for me) for all exceptions. If something goes wrong you'll see a message here.
- SimpleSAMLphp syslog file [/var/log/syslog.1] (for me) and debug file [/var/log/debug.1]. You'll see your messages here.

This is the basic strategy I used:
- set "saml:sp:NameID" in the array we pass to SimpleSAML_Auth_Simple::login (custom page)
- add code in SP.php to detect that array key (saml:sp:NameID) and call SAML2_AuthnRequest->setNameId
- add $nameId and the setNameId(array) function to the SAML2_Message class
- pick the nameId in SAML2_Message::toUnsignedXML and put it in the Subject

I'm attaching the source files I changed. You can search for the string "JEPM"; that's in the comments above the code I changed.
You need to use a similar approach as when adding extensions (https://simplesamlphp.org/docs/stable/saml:sp Sec 4.8), i.e. write a separate page that initializes the SimpleSAML_Auth_Simple object and calls the login method with an array with the expected values. That code would look something like this:

// load the simpleSAMLphp autoloader first (adjust the path to your installation)
require_once('/var/simplesamlphp/lib/_autoload.php');

$auth = new SimpleSAML_Auth_Simple('default-sp');
$auth->login(array(
    // the key must be exactly 'saml:sp:NameID' (no surrounding spaces)
    'saml:sp:NameID' => array('Value' => 'testSubject'),
));

This call to the login method will initiate the SSO login flow for the 'default-sp'.
Notice that the expected value is an array with a key named 'Value'. Otherwise it won't work. Hope this helps.
Thanks,
Enrique
Attachments: Message.php, SP.php

Vikas Putcha

Nov 17, 2015, 5:11:36 PM
to SimpleSAMLphp, Jorge_...@symantec.com
On Feb 23rd 2015 Subject support was added by DRvanR.

Just for your reference: now a setNameID call will enable one to add a Subject to the AuthnRequest.

thanks,
-Vikas.