AuthRequest with custom attributes


ronnie.j...@ist.com

Mar 11, 2014, 6:33:23 AM
to simple...@googlegroups.com
Hey guys..

I am currently working on a custom log-in module...
I was wondering if I can send custom attributes in the authRequest to SimpleSAMLphp and somehow retrieve them in my log-in logic.

I have been looking at the Saml2 protocol http://en.wikipedia.org/wiki/SAML_2.0 but I am not able to decode whether there is any way to send my own attributes in the authRequest. Furthermore I have been looking into the simplesaml/saml2/idp/SSOService.php file to determine how it's parsing the authRequest. It looks like there is a "hardcoded" mapping (of the Saml2 protocol) happening, so I am not even sure that SimpleSAMLphp would even be able to handle such a thing?

And how would I retrieve the authRequest in the module, since it has already been parsed and a redirect has happened at this point.

/Ronnie

Tom Scavo

Mar 11, 2014, 9:38:00 AM
to simpleSAMLphp
On Tue, Mar 11, 2014 at 6:33 AM, <ronnie.j...@ist.com> wrote:
>
> I have been looking at the Saml2 protocal
> http://en.wikipedia.org/wiki/SAML_2.0

FWIW, I wrote that article...

> but I am not able to decode if there
> is any way to send my own attributes in the authRequest.

Do you mean user attributes? No, there is no way to actively request
user attributes in SAML2 Web Browser SSO. The
<md:AttributeConsumingService> element in metadata is meant to be a
passive method of requesting attributes, but frankly I think SSP
supports this method too aggressively, that is, SSP tries to turn
AttributeConsumingService into an active protocol.

Tom

ronnie.j...@ist.com

Mar 11, 2014, 10:51:10 AM
to simple...@googlegroups.com
Hi Tom.

> FWIW, I wrote that article...

Good work then! I have used it many times :)

> Do you mean user attributes? No, there is no way to actively request
> user attributes in SAML2 Web Browser SSO. The
> <md:AttributeConsumingService> element in metadata is meant to be a
> passive method of requesting attributes, but frankly I think SSP
> supports this method too aggressively, that is, SSP tries to turn
> AttributeConsumingService into an active protocol.

I have written a module that needs some extra validation items in the authnRequest. The user doesn't authenticate by username/password but by values sent to the custom module. I would love to simply make a real authnRequest to my module (IdP) and feed the values (my custom fields) from the request itself.

Peter Schober

Mar 11, 2014, 10:51:32 AM
to simpleSAMLphp
* Tom Scavo <trs...@gmail.com> [2014-03-11 14:38]:
> > but I am not able to decode if there
> > is any way to send my own attributes in the authRequest.
>
> Do you mean user attributes? No, there is no way to actively request
> user attributes in SAML2 Web Browser SSO. The
> <md:AttributeConsumingService> element in metadata is meant to be a
> passive method of requesting attributes, [...]

At least I understood the question to be about sending arbitrary data
from the SP to the IDP, for whatever reason, not about requesting the
release of SAML attributes from the IDP that way.
-peter

comel

Mar 11, 2014, 11:35:12 AM
to simple...@googlegroups.com

Search for "samlp:Extensions" on https://simplesamlphp.org/docs/stable/saml:sp. You can use it for custom data in SAML 2 AuthnRequest, which is then accessible as "saml:Extensions" in authentication state on IdP.

ronnie.j...@ist.com

Mar 11, 2014, 11:44:10 AM
to simple...@googlegroups.com
> Search for "samlp:Extensions" on https://simplesamlphp.org/docs/stable/saml:sp. You can use it for custom data in SAML 2 AuthnRequest, which is then accessible as "saml:Extensions" in authentication state on IdP.

Great! I can see that the request is picked up by SSP. How would I operate on the authnRequest in my module? Is there any shortcut to the current request?

/Ronnie 

comel

Mar 11, 2014, 11:59:23 AM
to simple...@googlegroups.com

On Tuesday, March 11, 2014 4:44:10 PM UTC+1, ronnie.j...@ist.com wrote:
> > Search for "samlp:Extensions" on https://simplesamlphp.org/docs/stable/saml:sp. You can use it for custom data in SAML 2 AuthnRequest, which is then accessible as "saml:Extensions" in authentication state on IdP.
>
> Great! I can see that the request is picked up by SSP. How would I operate on the authnRequest in my module? Is there any shortcut to the current request?


You have the extensions in the authentication state array. Example of an authenticate function in your authentication source:

public function authenticate(&$state) {
    assert('is_array($state)');

    if (isset($state['saml:Extensions']) && is_array($state['saml:Extensions'])) {
        foreach ($state['saml:Extensions'] as $ext) {
            if ($ext instanceof SAML2_XML_Chunk && isset($ext->localName)) {
                if ($ext->localName == 'XFoo') {
                    ...
                }
            }
        }
    }

    ...
}
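
Building on comel's snippet above, here is an added example (not code from the thread or from the SimpleSAMLphp project) of a complete IdP-side authentication source that picks a custom element out of `$state['saml:Extensions']` by namespace and local name and authenticates from it. The SimpleSAMLphp 1.x class names match the snippet; the `xfoo` namespace, the `Ticket` element and the in-memory ticket table are constructed for the example.

```php
<?php
// Added example, not code from the thread or from the SimpleSAMLphp project:
// an IdP-side authentication source that authenticates from a custom
// <xfoo:Ticket> element the SP placed in samlp:Extensions (SimpleSAMLphp 1.x
// class names as in comel's snippet; namespace, element and ticket table are constructed).
class sspmod_xfoo_Auth_Source_TicketAuth extends SimpleSAML_Auth_Source
{
    const EXT_NS   = 'http://www.example.com/XFoo'; // hypothetical namespace
    const EXT_NAME = 'Ticket';                      // hypothetical localName
    // Constructed stand-in for a real ticket store: ticket => user attributes.
    private static $tickets = array(
        'a1b2c3d4' => array('uid' => array('alice'), 'mail' => array('alice@example.com')),
    );

    // Text content of the first extension matching namespace AND local name, or null.
    // Checking the namespace avoids accepting an unrelated element that shares the name.
    public static function findExtension(array $state, $ns, $localName)
    {
        if (!isset($state['saml:Extensions']) || !is_array($state['saml:Extensions'])) {
            return null;
        }
        foreach ($state['saml:Extensions'] as $ext) {
            if (!($ext instanceof SAML2_XML_Chunk)) {
                continue;
            }
            if ($ext->namespaceURI === $ns && $ext->localName === $localName) {
                return trim($ext->xml->textContent); // $ext->xml is the parsed DOMElement
            }
        }
        return null;
    }

    public function authenticate(&$state)
    {
        assert(is_array($state));
        $ticket = self::findExtension($state, self::EXT_NS, self::EXT_NAME);
        // The extension is SP-supplied input: reject missing or malformed values
        // before they reach any lookup.
        if ($ticket === null || !preg_match('/^[A-Za-z0-9]{8,64}$/', $ticket)) {
            throw new SimpleSAML_Error_Exception('Missing or malformed Ticket extension in AuthnRequest');
        }
        if (!isset(self::$tickets[$ticket])) {
            throw new SimpleSAML_Error_Exception('Unknown ticket');
        }
        // Attribute values are arrays of strings, as SimpleSAMLphp expects.
        $state['Attributes'] = self::$tickets[$ticket];
        unset(self::$tickets[$ticket]); // single use; a real store would persist this
    }
}
```

Whether the IdP can rely on the ticket at all depends on the AuthnRequest being signed by the SP and verified by the IdP (the `validate.authnrequest` setting in the SP's remote metadata); the extensions of an unsigned request are simply whatever the browser delivered.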

ronnie.j...@ist.com

Mar 11, 2014, 12:32:42 PM
to simple...@googlegroups.com
> You have extensions in authentication state array. Example for authentication function in your authentication source:
>
> public function authenticate(&$state) {
>     assert('is_array($state)');
>
>     if (isset($state['saml:Extensions']) && is_array($state['saml:Extensions'])) {
>         foreach ($state['saml:Extensions'] as $ext) {
>             if ($ext instanceof SAML2_XML_Chunk && isset($ext->localName)) {
>                 if ($ext->localName == 'XFoo') {
>                     ...
>                 }
>             }
>         }
>     }
>
>     ...
> }


Perfect! Just what I needed. Thank you very much :) 

Tom Scavo

Mar 13, 2014, 8:47:32 AM
to simpleSAMLphp
On Thu, Mar 13, 2014 at 6:25 AM, <ronnie.j...@ist.com> wrote:
>
> I think I spoke to fast.... I am not able to extract the extension from the
> AuthnRequest.
> Reading this
> http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf confirms
> that there is no Extension in the AuthnRequest... and it doesn't look like
> there is any way of sending any custom data along in the AuthnRequest.

No, that's not true. The samlp:AuthnRequestType is based on the
samlp:RequestAbstractType, which is fully extensible. Relevant
snippets from the schema are included below for convenience.

Tom

<element name="AuthnRequest" type="samlp:AuthnRequestType"/>
<complexType name="AuthnRequestType">
<complexContent>
<extension base="samlp:RequestAbstractType">
<sequence>
<element ref="saml:Subject" minOccurs="0"/>
<element ref="samlp:NameIDPolicy" minOccurs="0"/>
<element ref="saml:Conditions" minOccurs="0"/>
<element ref="samlp:RequestedAuthnContext" minOccurs="0"/>
<element ref="samlp:Scoping" minOccurs="0"/>
</sequence>
<attribute name="ForceAuthn" type="boolean" use="optional"/>
<attribute name="IsPassive" type="boolean" use="optional"/>
<attribute name="ProtocolBinding" type="anyURI" use="optional"/>
<attribute name="AssertionConsumerServiceIndex"
type="unsignedShort" use="optional"/>
<attribute name="AssertionConsumerServiceURL" type="anyURI"
use="optional"/>
<attribute name="AttributeConsumingServiceIndex"
type="unsignedShort" use="optional"/>
<attribute name="ProviderName" type="string" use="optional"/>
</extension>
</complexContent>
</complexType>
<complexType name="RequestAbstractType" abstract="true">
<sequence>
<element ref="saml:Issuer" minOccurs="0"/>
<element ref="ds:Signature" minOccurs="0"/>
<element ref="samlp:Extensions" minOccurs="0"/>
</sequence>
<attribute name="ID" type="ID" use="required"/>
<attribute name="Version" type="string" use="required"/>
<attribute name="IssueInstant" type="dateTime" use="required"/>
<attribute name="Destination" type="anyURI" use="optional"/>
<attribute name="Consent" type="anyURI" use="optional"/>
</complexType>
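
As a companion added example (not the project's own code), the SP-side configuration that fills the samlp:Extensions slot the RequestAbstractType schema above provides, following the "samlp:Extensions" approach in the saml:sp documentation comel linked. The `xfoo` namespace, the `Ticket` element and value, and the IdP entityID are constructed.

```php
<?php
// Added example, not the project's own code: SP side of the custom extension.
// Goes in config/authsources.php; names and values are constructed.
$dom = new DOMDocument();
// A custom element must live in its own namespace: samlp:Extensions may carry
// any foreign-namespace children, which is what makes the request extensible.
$ticket = $dom->createElementNS('http://www.example.com/XFoo', 'xfoo:Ticket', 'a1b2c3d4');
$ext = array(new SAML2_XML_Chunk($ticket));

// SimpleSAMLphp serialises each chunk into the AuthnRequest's samlp:Extensions
// element, placed after saml:Issuer and ds:Signature as the schema sequence requires.
$config = array(
    'default-sp' => array(
        'saml:sp',
        'idp' => 'https://idp.example.org/saml2/idp/metadata.php', // placeholder entityID
        'saml:Extensions' => $ext,
        // Sign the request, so the IdP can tell this content came from the SP
        // and not from whoever controls the browser.
        'sign.authnrequest' => true,
    ),
);
```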

Peter Schober

Mar 13, 2014, 9:55:09 AM
to simple...@googlegroups.com
* ronnie.j...@ist.com <ronnie.j...@ist.com> [2014-03-13 11:25]:
> I want to be able to send custom dynamic data along the
> AuthnRequest.

Doesn't comel's post from the day before yesterday explain just that?
-peter

ronnie.j...@ist.com

Mar 13, 2014, 10:43:52 AM
to simple...@googlegroups.com, peter....@univie.ac.at
Yes it does. I had some issues implementing it and misread the documentation. That's why I wrote that it didn't seem to work... but it did, and I did delete my post again... but somehow you are able to reply to it?? Strange.

Peter Schober

Mar 13, 2014, 10:49:19 AM
to simple...@googlegroups.com
* ronnie.j...@ist.com <ronnie.j...@ist.com> [2014-03-13 15:44]:
> Yes it does I had some issues implementing it and misread the
> documentation. Thats why I wrote that it didnt seem to work... but it did
> and I did delete my post again... but somehow you are able to reply on it??
> Strange.

Not strange at all. Whatever you're thinking this is, it is also a
mailing list. Meaning everything posted gets sent out to all
subscribers via email. Changing your post on the web interface (as
seems to be possible) will create yet another mail with the changed
text, not changing sent emails, of course.
Likewise, deleting something from the web interface obviously will not
do anything to previously delivered emails in subscribers' mailboxes.
-peter

ronnie.j...@ist.com

Mar 13, 2014, 11:16:40 AM
to simple...@googlegroups.com, peter....@univie.ac.at
I didn't know that! Great... I'll have to remember.