No Attributes from IdP, Can I use SAML Subject instead ?


Robert Ristroph

May 15, 2021, 3:59:55 PM
to SimpleSAMLphp

Hi Everyone,

Firstly, thanks to everyone who has worked and contributed to this tool -- it's essential and probably generally underappreciated.

I am setting up a service provider, and the IdP is giving me back a SAML response that contains no Attributes. It does contain all the info I need (I need only a NameId that is an email address) in the SAML Subject.

A couple of questions:

1) Is there a simplesamlphp module that can copy the SAML Subject into Attributes so that it is just faked and works?

2) What would be the correct way for my code, calling simplesamlphp, to access the SAML Subject? Reading through the code, I was hoping for a getSAMLSubject() function here https://github.com/simplesamlphp/simplesamlphp/blob/master/lib/SimpleSAML/Auth/Simple.php like there is a getAttribute() and getAuthData.

I am also going to pursue just asking the IdP side to put in the right Attributes, but it's a large institution and that might not happen quickly.

Thanks in advance,

--Rob Ristroph

Peter Schober

May 16, 2021, 7:30:20 AM
to SimpleSAMLphp
* Robert Ristroph <rgris...@gmail.com> [2021-05-15 22:00]:
> I am setting up a service provider, and the IdP is giving me back a
> SAML response that contains no Attributes. It does contain all the
> info I need ( I need only a NameId that is an email address ) in the
> SAML Subject.
[...]
> I am also going to pursue just asking the IdP side to put in the
> right Attributes, but it's a large institution and that might not
> happen quickly.

The latter is what I would have suggested but that depends on the
relationship between the IDP and SP among other things.
Also the attribute name may be not what you're expecting (or what
you're getting the email address in from other IDPs) so the NameID may
even have an upside to it.

Of course email addresses are among the worst data items you could use
as an identifier, so if that's what you want you really need to be
prepared for them changing all the time, with subjects consequently
losing access to resources on your service (or worse: getting access
to someone else's data, in case an email address value was retired and
later "recycled" and assigned to a different person).

These days saml2int 2.0
https://kantarainitiative.github.io/SAMLprofiles/saml2int.html
goes as far as recommending to avoid any and all forms of NameID
(except for transient ones *and* *only* *if* you need them for single
logout, which most have given up on).
So the IDP should probably reconsider this practice anyway.

> 1) Is there a simplesamlphp module that can copy the SAML Subject
> into Attributes so that it is just faked and works ?

Yes. There's nothing 'fake' about it, though, you simply make it
available to other code within your SP instance.

My own approach for handling different kinds of NameIDs flexibly within
SSP can be found in the list archives. The copy here has the
formatting messed up (by stripping leading whitespace), though:
https://groups.google.com/g/simplesamlphp/c/rzoNOq1qP3o/m/SfjAHRPWBAAJ
Using that method you'd end up with an internal attribute called
'email-id' which probably only makes sense if you wanted to be able to
differentiate it from email sent in a SAML Attribute. (I.e., maybe
just call it 'mail' everywhere in your case.)

In this case (only one NameID and nothing else) that approach is
probably needlessly complex compared to just doing what you ask about
in your next question:

> 2) What would be the correct way for my code, calling simplesamlphp,
> to access the SAML Subject ? Reading through the code [...]

Instead of reading the code you could Read The Fine Documentation:
https://simplesamlphp.org/docs/stable/ ->
"Hosted SP Configuration Reference", section 3:
https://simplesamlphp.org/docs/stable/saml:sp#section_3

saml:sp:NameID
The NameID the user was issued by the IdP.

"To retrieve these attributes, the application can use the
getAuthData()-function from the SP API." ->
https://simplesamlphp.org/docs/stable/simplesamlphp-sp-api#section_7
Example 7.1 shows how to do exactly this.

Of course if you used method 1 (make the NameID available as an
attribute) you wouldn't need to implement method 2 (access the NameID
directly) or vice versa.

-peter
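For readers who want method 1 anyway, here is an added example of an authproc filter that copies the Subject NameID into a `mail` attribute; it is my own illustration, not Peter's snippet and not code shipped with SimpleSAMLphp. It assumes the 1.19-era API (the `\SimpleSAML\Auth\ProcessingFilter` base class and the `saml:sp:NameID` state entry), and the module name `nameidmail`, class name `NameIDToMail` and file path are made up for the example.

```php
<?php
// Added example (not from the thread or from SimpleSAMLphp). Hypothetical
// authproc filter that copies the SAML Subject NameID into an attribute.
// Assumed location: modules/nameidmail/lib/Auth/Process/NameIDToMail.php
// Assumed wiring in config/authsources.php for the SP:
//   'authproc' => [50 => ['class' => 'nameidmail:NameIDToMail', 'attribute' => 'mail']],
namespace SimpleSAML\Module\nameidmail\Auth\Process;

class NameIDToMail extends \SimpleSAML\Auth\ProcessingFilter
{
    private const EMAIL_FORMAT = 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress';

    /** @var string Name of the attribute to write; defaults to 'mail'. */
    private $attribute = 'mail';

    public function __construct($config, $reserved)
    {
        parent::__construct($config, $reserved);
        if (isset($config['attribute'])) {
            $this->attribute = (string) $config['attribute'];
        }
    }

    public function process(&$state)
    {
        if (!isset($state['saml:sp:NameID'])) {
            return; // assertion carried no Subject NameID; leave attributes untouched
        }
        $nameId = $state['saml:sp:NameID'];
        // Older SSP releases kept the NameID as an array, newer ones as an object.
        if (is_array($nameId)) {
            $value  = $nameId['Value'] ?? null;
            $format = $nameId['Format'] ?? null;
        } else {
            $value  = $nameId->getValue();
            $format = $nameId->getFormat();
        }
        // Only treat the value as an email address when the IdP declared it as one;
        // a transient or persistent NameID is an opaque identifier, not an address.
        if ($value === null || $format !== self::EMAIL_FORMAT) {
            \SimpleSAML\Logger::warning(
                'NameIDToMail: NameID format ' . var_export($format, true) . ' is not emailAddress; skipping'
            );
            return;
        }
        // Never clobber a 'mail' attribute the IdP did send in the assertion.
        if (empty($state['Attributes'][$this->attribute])) {
            $state['Attributes'][$this->attribute] = [$value];
        }
    }
}
```

After this filter runs, `$as->getAttributes()['mail']` returns the address, while method 2 (`$as->getAuthData('saml:sp:NameID')`) still works unchanged.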

Peter Schober

May 16, 2021, 7:54:16 AM
to SimpleSAMLphp
* Peter Schober <peter....@univie.ac.at> [2021-05-16 13:30]:
> My own approach for handling different kinds of NameIDs flexibly within
> SSP can be found in the list archives. The copy here has the
> formatting messed up (by stripping leading whitespace), though:
> https://groups.google.com/g/simplesamlphp/c/rzoNOq1qP3o/m/SfjAHRPWBAAJ

Here's now a copy that's less hurtful on the eyes:
https://gitlab.com/-/snippets/2121223

-peter