I have a working implementation of a SAML relying party (RP) that supports the browser POST profile of SAML 1.1. It can consume a SAML AttributeStatement which includes the email attribute, e.g.
<saml:AttributeStatement>
  …
  <saml:Attribute AttributeNamespace="ns" AttributeName="email">
    <saml:AttributeValue>j...@mail.com</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
I need to be able to consume SAML requests from SiteMinder that contain very different and more complex attribute content. Also I am told they cannot configure SiteMinder to send a request in my format. E.g. a sample SiteMinder request is as follows:
<saml:AttributeStatement>
  …
  <saml:Attribute AttributeName="SMContent" AttributeNamespace="http://www.netegrity.com/SiteMinder">
    <saml:AttributeValue>
      <SM:SMContent xmlns:SM="http://www.netegrity.com/SiteMinder">
        <SM:SMsession>…</SM:SMsession>
        <SM:SMlogin>…</SM:SMlogin>
        <SM:SMprofile>
          <SM:NVpair>header:email=phi...@ca.com</SM:NVpair>
        </SM:SMprofile>
      </SM:SMContent>
    </saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
(From this request, it seems to me that SiteMinder has an SMContent object which the identifying party is serializing and sending as a SAML attribute. The SMContent likely has a HashMap with the email which is being serialized into the NVpair element in XML.)
Is there any recommended general-purpose way to process different Attribute contents and extract what we need from them?
Alternatively are there any standards around Attribute content itself that we can implement and expect the identifying parties to follow?
I don't understand the question. If you're dealing with XML, you have access
to the objects that make up the attribute value, and it's up to you to
consume them.
> Alternatively are there any standards around Attribute content itself that
> we can implement and expect the identifying parties to follow?
Only in specific communities, and much less so with SAML 1.1.
I don't really understand why you're implementing a standard that's been
superseded for nearly 4 years either. When you have to, you have to, but you
don't *just* implement the out of date one.
-- Scott
-----Original Message-----
From: Scott Cantor [mailto:cant...@osu.edu]
Sent: Wednesday, March 18, 2009 12:13 PM
To: mace-open...@internet2.edu
Subject: RE: [OpenSAML] Handling AttributeStatement content
Pantvaidya, Vishwajit wrote on 2009-03-18:
> Is there any recommended general-purpose way to process different Attribute
> contents and extract what we need from them?
I don't understand the question. If you're dealing with XML, you have access
to the objects that make up the attribute value, and it's up to you to
consume them.
[Pantvaidya, Vishwajit] The scenario is where my system needs to be able to authenticate using a preexisting third-party auth server. Typically, my system just needs the email attribute. But the auth server is sending a more complex object. So in general, I need the ability to process arbitrary XML objects and extract what I need from them.
I did look this up and it seems that the XmlObject returned is an xmlbeans object. So I guess I should be able to use xpath/xquery to do my job.
> Alternatively are there any standards around Attribute content itself that
> we can implement and expect the identifying parties to follow?
Only in specific communities, and much less so with SAML 1.1.
I don't really understand why you're implementing a standard that's been
superseded for nearly 4 years either. When you have to, you have to, but you
don't *just* implement the out of date one.
[Pantvaidya, Vishwajit] That's what we have right now - and I am just migrating to OpenSAML. Next thing we will do is add SAML2 support.
-- Scott
[Pantvaidya, Vishwajit] Thanks.
No, it isn't. Our libraries have nothing to do with XMLBeans.
-- Scott
Pantvaidya, Vishwajit wrote:
> <saml:Attribute AttributeName="SMContent" AttributeNamespace="http://www.netegrity.com/SiteMinder">
> <saml:AttributeValue>
> <SM:SMContent xmlns:SM="http://www.netegrity.com/SiteMinder">
> <SM:SMsession>...</SM:SMsession>
> <SM:SMlogin>...</SM:SMlogin>
> <SM:SMprofile>
> <SM:NVpair>header:email=phi...@ca.com</SM:NVpair>
> </SM:SMprofile>
> </SM:SMContent>
> </saml:AttributeValue>
> </saml:Attribute>
Just in case it wasn't clear: Assuming you don't go out and implement
XMLObject providers for things from this SiteMinder schema, this
AttributeValue (as well as each of its children) is going to get
unmarshalled by OpenSAML as an instance of the XSAny interface. This
allows you to get at any attributes, element children and text content
that are present.
http://www.opensaml.org/docs/opensaml/2.2.2/apidocs/org/opensaml/xml/schema/XSAny.html
So you'll just want to have some QName constants handy to get at the
specific children that you want via getUnknownXMLObjects(QName
typeOrName). You'll obviously have to parse out the contents of the
NVPair manually.
--Brent
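The walk Brent describes, written out as an added example in Java against the OpenSAML 2.x API names used in this thread (XSAny, getUnknownXMLObjects(QName)); it is not code from the thread or from the OpenSAML project. The class and method names are mine, and it assumes the assertion has already been unmarshalled and its signature verified before any attribute value is trusted.

```java
import java.util.Collections;
import java.util.List;
import javax.xml.namespace.QName;
import org.opensaml.saml1.core.Attribute;
import org.opensaml.saml1.core.AttributeStatement;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.schema.XSAny;

/** Pulls "header:email=..." out of a SiteMinder SMContent attribute (OpenSAML 2.x). */
public final class SiteMinderEmailExtractor {
    private static final String SM_NS = "http://www.netegrity.com/SiteMinder";
    // QName constants for the children we want, as Brent suggests (prefix is irrelevant).
    private static final QName SM_CONTENT = new QName(SM_NS, "SMContent");
    private static final QName SM_PROFILE = new QName(SM_NS, "SMprofile");
    private static final QName SM_NVPAIR  = new QName(SM_NS, "NVpair");

    // Returns the email, or null if absent. Call this only after the assertion's
    // signature, issuer and conditions have been validated; nothing here authenticates.
    public static String extractEmail(AttributeStatement statement) {
        for (Attribute attr : statement.getAttributes()) {
            if (!"SMContent".equals(attr.getAttributeName())
                    || !SM_NS.equals(attr.getAttributeNamespace())) continue;
            for (XMLObject value : attr.getAttributeValues()) {
                // With no SiteMinder provider registered, the value and all of its
                // descendants unmarshal as XSAny (per Brent), so we walk them by QName.
                for (XMLObject content : children(value, SM_CONTENT)) {
                    for (XMLObject profile : children(content, SM_PROFILE)) {
                        for (XMLObject pair : children(profile, SM_NVPAIR)) {
                            String email = parseNvPair(((XSAny) pair).getTextContent(), "header:email");
                            if (email != null) return email;
                        }
                    }
                }
            }
        }
        return null;
    }

    private static List<XMLObject> children(XMLObject parent, QName name) {
        return parent instanceof XSAny
                ? ((XSAny) parent).getUnknownXMLObjects(name) : Collections.<XMLObject>emptyList();
    }

    // Parses "name=value"; matches the name exactly, so "header:email2=..." is ignored.
    static String parseNvPair(String text, String wantedName) {
        if (text == null) return null;
        int eq = text.indexOf('=');
        if (eq < 0 || !wantedName.equals(text.substring(0, eq).trim())) return null;
        String value = text.substring(eq + 1).trim();
        return value.isEmpty() ? null : value;
    }
}
```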