Pass custom attributes from SP to IdP


Nicolas Toniazzi

Oct 26, 2015, 6:46:43 AM
to SimpleSAMLphp
Hello,

I installed SSP and configured an SP and an IdP. Every user in our directory is attached to a customer entity. The login form should be customized per customer, and the user authenticated against the customer. Thus, I need to send additional attributes from the SP to the IdP, namely "customer" and "language".
I'm not yet at ease with SAML or SSP, and I'm not sure what's the best way to do this. I've seen some posts mentioning RequestedAuthnContext but found little doc about it in SSP.

Can you point me to some code or doc about this?

Thanks,

Nicolas.

Peter Schober

Oct 27, 2015, 3:38:59 AM
to SimpleSAMLphp
* Nicolas Toniazzi <nicolas....@gmail.com> [2015-10-26 11:46]:
> I installed SSP and configured an SP and an IdP. Every user in our
> directory is attached to a customer entity. The login form should be
> customized per customer, and the user authenticated against the
> customer.

Are you saying there needs to be a different authentication source for
each customer, and "customer" is something like a company, not a person?
If so, SSP includes a module that does that out of the box, at least
for LDAP, cf. ldap:LDAPMulti in ldap/docs/ldap.txt
The person trying to log in will need to pick the "customer" (the
company s/he's affiliated with) on the login form, then, when
supplying their username and password.
(Which does expose the complete list of your "customers", btw.)

A more common (but more complex, too) deployment model would be to
have one IDP per "customer" and treat those completely differently.
-peter

Nicolas Toniazzi

Oct 27, 2015, 5:42:34 AM
to SimpleSAMLphp, peter....@univie.ac.at
Hello,
I'm sorry I didn't make it clear enough, but you got the point: "customer" is the company every user is affiliated with. Each user is identified by its username/company + password. We are using the module "core/loginuserpassorg.php", which presents the user with a list of "organizations" to choose from. There are at least 2 drawbacks:
  • the user has to choose a company from the list, but it's already defined in the SP (part of the URL)
  • the list of companies is exposed
The solution of having one IDP per company seems a bit complex as we currently have over 200 companies and new ones are being added regularly. That's why we wanted to "simply" pass the company's unique identifier from the SP to the IDP. I'll investigate this solution though.

Thanks for your answer.
Nicolas.

Peter Schober

Oct 27, 2015, 7:26:21 AM
to SimpleSAMLphp
* Nicolas Toniazzi <nicolas....@gmail.com> [2015-10-27 10:42]:
> - the user has to choose a company from the list, but it's already
> defined in the SP (part of the URL)
> - the list of companies is exposed

Seems you've written your own module that behaves equivalently to
ldap:LDAPMulti then? Then all the disclaimers for that apply in your
case as well.

Cases like yours are not covered in the SAML spec, i.e., "if the SP
equals X use authentication source/method Y on IDP Z."

If the "customer" (company, IDP tenant) is somehow encoded into the
SAML authentication request then you'll probably want to add code to
your SSP instance to pull out the tenant identifier and pick the
appropriate auth source in your IDP automatically.
(No idea how to do that, but others may chime in.)

> The solution of having one IDP per company seems a bit complex as we
> currently have over 200 companies and new ones are being added regularly.
> That's why we wanted to "simply" pass the company's unique identifier from
> the SP to the IDP. I'll investigate this solution though.

You can do that (and I understand you're doing that already) but as
the behaviour you're after is nothing that's defined in the SAML (or
any other) spec SimpleSAMLphp does not have code to handle exactly
that case.
-peter

Jaime Perez Crespo

Oct 27, 2015, 9:32:14 AM
to simple...@googlegroups.com
Hi Nicolas,

> On 27 Oct 2015, at 10:42 AM, Nicolas Toniazzi <nicolas....@gmail.com> wrote:
> Hello,
> I'm sorry I didn't make it clear enough, but you got the point: "customer" is the company every user is affiliated with. Each user is identified by its username/company + password. We are using the module "core/loginuserpassorg.php", which presents the user with a list of "organizations" to choose from. There are at least 2 drawbacks:
> • the user has to choose a company from the list, but it's already defined in the SP (part of the URL)
> • the list of companies is exposed

Yes, that doesn’t really fit in your scenario. I really hope you are having different LDAP servers per company, or at least different LDAP branches with proper access control policies on each of them.

> The solution of having one IDP per company seems a bit complex as we currently have over 200 companies and new ones are being added regularly. That's why we wanted to "simply" pass the company's unique identifier from the SP to the IDP. I'll investigate this solution though.

What you want is precisely what we do in Feide (Feide is the Norwegian Identity Federation, with one particularity: it's hub&spoke, and it's at the same time the hub and the one and only IdP). Needless to say, we use our own authentication module (which is not available at this point, sorry).

In any case, you don’t need to pass anything to the IdP. When an SP sends a request to the IdP, it’s already identifying itself. The entity ID in the request allows the IdP to select the appropriate metadata in the metadata/ folder. That given, you can add a custom configuration option to SP metadata, telling which organization has access to that specific SP (or which ones, as there might be more than one). Then, you can use that information to build a page asking the user to select his/her organization if needed (more than one org allowed), or proceed to authenticate the user directly against the appropriate LDAP / LDAP branch.

--
Jaime Pérez
UNINETT / Feide
mail: jaime...@uninett.no
xmpp: ja...@jabber.uninett.no

"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost

Nicolas Toniazzi

Oct 29, 2015, 7:21:23 AM
to SimpleSAMLphp
Hi Jaime,


> On 27 Oct 2015, at 10:42 AM, Nicolas Toniazzi <nicolas....@gmail.com> wrote:
> Hello,
> I'm sorry I didn't make it clear enough, but you got the point: "customer" is the company every user is affiliated with. Each user is identified by its username/company + password. We are using the module "core/loginuserpassorg.php", which presents the user with a list of "organizations" to choose from. There are at least 2 drawbacks:
> • the user has to choose a company from the list, but it's already defined in the SP (part of the URL)
> • the list of companies is exposed

Yes, that doesn’t really fit in your scenario. I really hope you are having different LDAP servers per company, or at least different LDAP branches with proper access control policies on each of them.

Actually we are not using LDAP servers but MySQL databases as a backend.

> The solution of having one IDP per company seems a bit complex as we currently have over 200 companies and new ones are being added regularly. That's why we wanted to "simply" pass the company's unique identifier from the SP to the IDP. I'll investigate this solution though.

What you want is precisely what we do in Feide (Feide is the Norwegian Identity Federation, with one particularity: it's hub&spoke, and it's at the same time the hub and the one and only IdP). Needless to say, we use our own authentication module (which is not available at this point, sorry).

In any case, you don’t need to pass anything to the IdP. When an SP sends a request to the IdP, it’s already identifying itself. The entity ID in the request allows the IdP to select the appropriate metadata in the metadata/ folder. That given, you can add a custom configuration option to SP metadata, telling which organization has access to that specific SP (or which ones, as there might be more than one). Then, you can use that information to build a page asking the user to select his/her organization if needed (more than one org allowed), or proceed to authenticate the user directly against the appropriate LDAP / LDAP branch.
 
That's not exactly what I'm looking for. In fact, the IdP not only needs to know which SP is requesting authentication, but which company was selected on the SP application.
Our SP has URLs starting with: "https://host/{company}/{language}".
I tried to define one IdP per company but I'm still facing a problem: in the saml20-sp-remote.php file on the IdP, there is only one Location per SP, so even if I succeed in getting the company name when calling the IdP, I don't know how to get back to the SP with the proper URL (module.php/saml/sp/saml2-acs.php/<...>).

Peter Schober

Oct 29, 2015, 7:30:01 AM
to SimpleSAMLphp
* Nicolas Toniazzi <nicolas....@gmail.com> [2015-10-29 12:21]:
> That's not exactly what I'm looking for. In fact, the IdP not only needs to
> know which SP is requesting authentication, but which company was selected
> on the SP application.

Then I have already given you the answer 2 days ago.
(TL;DR: You'll need to add code to do that.)

> Our SP has URLs starting with: "https://host/{company}/{language}".

What role do these "URLs" play with regard to the SAML specification?

The units in SAML are entityIDs (which can be URLs); the other use of
URLs in SAML is in protocol endpoints,
e.g. AuthnRequest/@AssertionConsumerServiceURL

If entityID is not enough and you can't derive the "company" from the
requested ACS URL, you'll have to define an extension for the
authentication request at the SP, plus add code to the IDP to drive
behaviour based on the information in the extension.

> I tried to define one IdP per company but I'm still facing a problem: in
> the saml20-sp-remote.php file on the IdP, there is only one Location per
> SP, so even if I succeed in getting the company name when calling the IdP,
> I don't know how to get back to the SP with the proper URL
> (module.php/saml/sp/saml2-acs.php/<...>).

Sorry, I don't understand that. Maybe Jaime will.
-peter
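Putting Peter's extension suggestion and Jaime's SP-metadata suggestion together, as an added example in PHP that is neither SimpleSAMLphp project code nor code from this thread: the SP encodes the company and language from its URL into a custom AuthnRequest extension, and the IdP accepts the company only if the SP's own metadata entry lists it. Assumed: SimpleSAMLphp 1.x-era APIs (the `saml:Extensions` login option, `$state['saml:Extensions']` and `$state['SPMetadata']` on the IdP side, `\SAML2\XML\Chunk`), the constructed namespace `urn:example:tenant`, and the constructed metadata key `tenant.allowed`.

```php
<?php
// Added example, not SimpleSAMLphp project code. Assumed APIs: the saml:Extensions
// login option, $state['saml:Extensions'] / $state['SPMetadata'] on the IdP side, and
// \SAML2\XML\Chunk (older releases spell it SAML2_XML_Chunk and use
// SimpleSAML_Error_Exception). The namespace and the metadata key are constructed.

const TENANT_NS = 'urn:example:tenant';   // constructed namespace for the extension

// SP side: called by the application for a URL like https://host/{company}/{language}.
function loginWithTenant(\SimpleSAML\Auth\Simple $as, string $company, string $language): void
{
    $doc = new DOMDocument();
    $ctx = $doc->createElementNS(TENANT_NS, 'tenant:Context');
    $ctx->setAttribute('company', $company);
    $ctx->setAttribute('language', $language);
    // The Chunk is serialised into <samlp:Extensions> of the outgoing AuthnRequest.
    $as->requireAuth(['saml:Extensions' => [new \SAML2\XML\Chunk($ctx)]]);
}

// IdP side: call from authenticate(&$state) of a custom auth source (or from an authproc
// filter) before picking the per-company backend. The AuthnRequest travels through the
// user's browser, so its content is user-controllable unless the request is signed; the
// company is therefore checked against an allow-list kept in the SP's own entry in
// saml20-sp-remote.php, e.g. 'tenant.allowed' => ['acme', 'globex'] (constructed values).
function resolveTenant(array $state): array
{
    $allowed = $state['SPMetadata']['tenant.allowed'] ?? [];
    $company = null;
    $language = 'en';
    foreach ($state['saml:Extensions'] ?? [] as $chunk) {
        if ($chunk->namespaceURI !== TENANT_NS || $chunk->localName !== 'Context') {
            continue;   // ignore unrelated extensions, e.g. ones added by other modules
        }
        $company = $chunk->xml->getAttribute('company');
        if ($chunk->xml->hasAttribute('language')) {
            $language = $chunk->xml->getAttribute('language');
        }
    }
    if ($company === null) {
        throw new \SimpleSAML\Error\Exception('AuthnRequest carries no tenant extension');
    }
    if (!in_array($company, $allowed, true)) {
        // Fail closed: never fall back to a default backend for an unknown company.
        throw new \SimpleSAML\Error\Exception("Company '$company' is not permitted for SP "
            . $state['SPMetadata']['entityid']);
    }
    return ['company' => $company, 'language' => $language];
}
```

Enabling request signing on the SP (`sign.authnrequest`) together with `validate.authnrequest` in the IdP's saml20-sp-remote.php entry additionally makes the extension content integrity-protected in transit; the allow-list check is still needed, because a legitimately signed request from one SP must not be able to name a company that SP is not entitled to.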