Add ProviderName attribute to Authnrequest using SimpleSamlPhp


andrei...@gmail.com

Mar 12, 2018, 11:20:57 AM
to SimpleSAMLphp
So my question is, how can I configure authsources.php to allow adding the ProviderName to the request, since the IDP I'm connecting to has this requirement, despite the Issuer.
SP configuration at authsources.php:

    'name-of-sp' => array(
        'saml:SP',
        'privatekey'  => '/certs/privkey.pem',
        'certificate' => '/certs/cert.pem',
        'entityID' => 'my-entityid',
        'idp' => 'idp-used',
        'ProviderName' => 'I WANT TO SET THIS',
    ),


The above doesn't work. So how can I configure this to add ProviderName to the SP? Whether this is standard SAML protocol or not is a whole other question, but this IDP is not under my control.

IDP remote metadata in case anyone is wondering is:

    $metadata['idp-used'] = array(
        'name' => array(
            'en' => 'idp-used',
        ),
        'description'          => 'Here you can login with your account on idp-used',
        'SingleSignOnService'  => array(
            0 => array(
                'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
                'Location' => 'https://idp-used-location/saml',
            ),
        ),
        'SingleLogoutService'  => 'https://idp-used-location/saml/logout',
        'redirect.sign' => TRUE,
        'NameIDPolicy' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
    );


Besides that, SimpleSAMLphp generates the request in the following manner with the current settings.

    <samlp:AuthnRequest
        AssertionConsumerServiceURL="http://localhost:8080/simplesaml/module.php/saml/sp/saml2-acs.php/name-of-idp"
        Destination="IDP DESTINATION URL"
        ID="_0946191c7de9389b04bd2c389af9a24c5fe5bb575f" IssueInstant="2018-03-12T12:48:47Z"
        ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
        <saml:Issuer>The Issuer</saml:Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                <ds:Reference URI="#_0946191c7de9389b04bd2c389af9a24c5fe5bb575f">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                    <ds:DigestValue>The Digest Value</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>The Signature</ds:SignatureValue>
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>The Certificate</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </ds:Signature>
        <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
    </samlp:AuthnRequest>


Regarding the request, it should have the following structure, so I also need to have the

    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">Issuer but with an xmlns:saml attribute</saml:Issuer>


Making the head of the request required to be in the following manner:

    <samlp:AuthnRequest
        ID="_1e736a31-a41c-4c35-b17f-0f9ab4c741b3"
        Version="2.0"
        IssueInstant="2011-02-17T11:15:24Z"
        Destination="DestinationURLOFIDP"
        ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        AssertionConsumerServiceURL="ACS-URL"
        ProviderName="Service Provider Name"
        xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
        <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">ISSUER</saml:Issuer>

Is there any way to add ProviderName using saml authsources.php or idp-remote.php and set the attribute assertion from the authnrequest to the issuer?

This IDP doesn't expose a metadata.xml anywhere, so I'm unable to get the full metadata.xml.

Thanks in advance 

Peter Schober

Mar 12, 2018, 11:33:34 AM
to SimpleSAMLphp
* andrei...@gmail.com <andrei...@gmail.com> [2018-03-12 16:21]:
> *so my question is, how can I configure authsources.php to allow adding the
> ProviderName to the request, since the IDP I'm connecting to has this
> requirement, despite the Issuer.*

The only way to legally add arbitrary data to a SAML 2.0
Authentication Request is using an XSD extension (custom schema,
custom element, custom namespace).

Obviously such a requirement from the IDP breaks interop and as such
is Not A Good Idea. The IDP should be fixed, instead of having every
SP on the planet add something extra.
(Whatever "ProviderName" should be. Doesn't sound useful to me.)

-peter

Jaime Perez Crespo

Mar 12, 2018, 11:46:31 AM
to simple...@googlegroups.com
Hi,

Apart from what Peter just said:
That’s perfectly legal XML and a perfectly legal SAML authentication request.

> Regarding the request it should have the following structure, so I also need to have the
>
> <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">Issuer but with and xmlns:saml attribute</saml:Issuer>

No, it shouldn’t. Whether the IdP *wants* it to be like that is a different question.

> Making the head of the request required to be the following manner:
>
> <samlp:AuthnRequest
> ID="_1e736a31-a41c-4c35-b17f-0f9ab4c741b3"
> Version="2.0"
> IssueInstant="2011-02-17T11:15:24Z"
> Destination="DestinationURLOFIDP"
> ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
> AssertionConsumerServiceURL="ACS-URL"
> ProviderName="Service Provider Name"
> xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
> <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">ISSUER</saml:Issuer>

That’s not wrong, but it implies the IdP is broken. If their code isn’t able to parse the SAML authentication request they get, then their code is completely broken, so that’s what should be fixed.

> Is there any way to add ProviderName using saml authsources.php or idp-remote.php and set the attribute assertion from the authnrequest to the issuer?

No.

> This IDP doesn't expose a metadata.xml anywhere, unable to get full metadata.xml.

Not really a surprise…

This IdP sounds like a home-made implementation of SAML, and it is broken in many ways. I’d recommend them to use some well established implementation and stop using their own. Of course, they can always fix their own implementation, but if they are not even able to parse XML code correctly, I’d suggest them to avoid that at all expense and go for something done by someone who knows what they are doing. XML and SAML are complex, so it’s always a good idea to avoid custom-made implementations.


Jaime Pérez
UNINETT / Feide

jaime...@uninett.no
jaime...@protonmail.com
9A08 EA20 E062 70B4 616B 43E3 562A FE3A 6293 62C2

"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost
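The two request shapes from this thread side by side, as an added example (not SimpleSAMLphp's own code): a namespace-aware parser reads the Issuer identically whether xmlns:saml is declared on the root or on the Issuer element, which is the point made above, and ProviderName can only be set before the request is signed, because the enveloped signature's Reference covers the whole AuthnRequest element, attributes included. The sample requests, their ID values and the issuer are constructed placeholders.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Constructed sample: the shape SimpleSAMLphp emitted in the thread (both
# namespaces declared on the root, no ProviderName), before signing.
SSP_REQUEST = (
    '<samlp:AuthnRequest ID="_a1" Version="2.0" IssueInstant="2018-03-12T12:48:47Z" '
    f'xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}">'
    "<saml:Issuer>my-entityid</saml:Issuer></samlp:AuthnRequest>"
)
# Constructed sample: the shape the IdP demands (ProviderName set, xmlns:saml on Issuer).
IDP_REQUEST = (
    '<samlp:AuthnRequest ID="_a2" Version="2.0" IssueInstant="2018-03-12T12:48:47Z" '
    f'ProviderName="Service Provider Name" xmlns:samlp="{SAMLP}">'
    f'<saml:Issuer xmlns:saml="{SAML}">my-entityid</saml:Issuer></samlp:AuthnRequest>'
)
# Constructed sample: a signed request; the Signature body is elided, only its presence matters.
SIGNED_REQUEST = SSP_REQUEST.replace(
    "</saml:Issuer>", f'</saml:Issuer><ds:Signature xmlns:ds="{DS}"/>'
)


def inspect_request(xml_text):
    """Namespace-aware read of the fields the IdP in the thread cares about."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % SAMLP:
        raise ValueError("not a samlp:AuthnRequest")
    issuer = root.find("{%s}Issuer" % SAML)  # resolved by URI, wherever xmlns:saml sits
    return {
        "issuer": None if issuer is None else issuer.text,
        "provider_name": root.get("ProviderName"),
        "signed": root.find("{%s}Signature" % DS) is not None,
    }


def add_provider_name(xml_text, provider_name):
    """Set ProviderName on an unsigned request and reserialize it.
    Refuses signed input: the enveloped signature covers the AuthnRequest
    element and its attributes, so editing them afterwards breaks the signature.
    """
    root = ET.fromstring(xml_text)
    if root.find("{%s}Signature" % DS) is not None:
        raise ValueError("already signed: set ProviderName before signing")
    root.set("ProviderName", provider_name)
    return ET.tostring(root, encoding="unicode")
```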


Jaime Perez Crespo

Mar 14, 2018, 5:29:35 AM
to simple...@googlegroups.com
Hi,

On 12 Mar 2018, at 17:14 PM, andrei...@gmail.com wrote:
> Hi Jaime, do you mind publishing this as an answer to the same question I made on StackOverflow ( https://stackoverflow.com/questions/49238215/add-providername-attribute-to-authnrequest-using-simplesamlphp )? I'll accept it as correct.
>
> If you don't use StackOverflow, may I use your answer to close the question on StackOverflow?
> https://stackoverflow.com/questions/49238215/add-providername-attribute-to-authnrequest-using-simplesamlphp

Sure, I don’t use StackOverflow but feel free to link to my response in this list.

Jaime Perez Crespo

Mar 14, 2018, 5:31:59 AM
to simple...@googlegroups.com
Hi again,

On 12 Mar 2018, at 17:07 PM, andrei...@gmail.com wrote:
> Thank you all for your answers, however I'm not able to request for changes, this is a governmental IDP and they said they had "custom implementations", I've tried to connect before using IDP brokering with keycloak, and was trying my luck with simplesaml, as its more flexible, however, I guess this will require custom solutions.

That’s unfortunate indeed. You should definitely tell them their IdP implementation is broken and they are probably putting their citizens at risk.

In any case, it’s their responsibility to use something interoperable with other implementations, *especially* if their implementation breaks with perfectly valid messages.

> There are several other problems as well, such as having attributes under saml extensions, and so on.

Extensions aren’t a problem, you can use them in SimpleSAMLphp.