How to add an attribute to the "Extensions" element


Petr Huptich

Dec 17, 2020, 4:49:20 AM12/17/20
to SimpleSAMLphp
Please, I need help with creating SAML authentication. Additional attributes must be sent in the "Extensions" element.

Here is the correct sample XML:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    ID="_029ede24d730e70876aba9a303c1b448cd83df6e96"
                    Version="2.0"
                    IssueInstant="2020-12-16T19:53:58Z"
                    Destination="*****"
                    AssertionConsumerServiceURL="***"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <saml:Issuer>*****</saml:Issuer>
  <saml2p:Extensions xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                     xmlns:eidas="http://eidas.europa.eu/saml-extensions">
    <eidas:RequestedAttributes>
      <eidas:RequestedAttribute Name="http://eidas.europa.eu/attributes/naturalperson/PersonIdentifier"
                                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                                isRequired="false" />

........................

Using SimpleSAMLphp I am not able to add the necessary attributes, and I am only able to create the XML itself as follows:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    ID="_24bb2acd9bdc54d640d9bd4cbad3fc3915e4cf04bb"
                    Version="2.0"
                    IssueInstant="2020-12-16T19:51:59Z"
                    Destination="******"
                    AssertionConsumerServiceURL="https://****/saml/module.php/saml/sp/saml2-acs.php/***"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <saml:Issuer>******</saml:Issuer>
  <samlp:Extensions>
    <eidas:RequestedAttributes>
      <eidas:RequestedAttribute Name="http://eidas.europa.eu/attributes/naturalperson/PersonIdentifier"
                                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                                isRequired="false" />

........................


The following command is used to create XML:

    $auth->requireAuth(array(
        'saml:Extensions' => $ext,
    ));


Can someone please advise me how to add the required attributes?
Thanks a lot.

Peter Schober

Dec 17, 2020, 9:16:50 AM12/17/20
to SimpleSAMLphp
* Petr Huptich <petr.h...@gmail.com> [2020-12-17 10:49]:
> <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
> ID="_24bb2acd9bdc54d640d9bd4cbad3fc3915e4cf04bb"
> Version="2.0"
> IssueInstant="2020-12-16T19:51:59Z"
> Destination="******"
>
> AssertionConsumerServiceURL="https://****/saml/module.php/saml/sp/saml2-acs.php/***"
>
> ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
> <saml:Issuer>******</saml:Issuer>
> <samlp:Extensions>
> <eidas:RequestedAttributes>
> <eidas:RequestedAttribute
> Name="http://eidas.europa.eu/attributes/naturalperson/PersonIdentifier"
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false" />

That looks pretty much identical to the desired output with the
exception that the XML above makes use of an undefined (within this
XML document) "eidas" XML namespace declaration.
(Somewhere, e.g. at the root element samlp:AuthnRequest, would have to
be a declaration such as
xmlns:eidas="http://eidas.europa.eu/saml-extensions" -- according to
your first example.)

> The following command is used to create XML:
>
> $auth->requireAuth(array(
> 'saml:Extensions' => $ext,
> ));

I don't know what that means, exactly (what's the value of $ext?) so
it's hard to say what you did wrong.
As it is, the XML document (the SAML authn request) is XSD schema
invalid due to the missing nsdecl.
-peter

Petr Huptich

Dec 17, 2020, 10:10:38 AM12/17/20
to SimpleSAMLphp

I just don't know how to define those attributes. Only "<samlp:Extensions>" is always created and not the required <saml2p:Extensions xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:eidas="http://eidas.europa.eu/saml-extensions">.


Here is all the code to create SAML authentication:

    require_once('/saml/lib/_autoload.php');

    $auth = new \SimpleSAML\Auth\Simple('*****');
    $dom = \SAML2\DOMDocumentFactory::create();

    // container element; createElement() takes the prefixed name literally,
    // it does not bind the "eidas" prefix to any namespace URI
    $attributes_ext = $dom->createElement('eidas:RequestedAttributes');

    // one requested attribute with its Name / NameFormat / isRequired attributes
    $item = $dom->createElement('eidas:RequestedAttribute');
    $attrName = $dom->createAttribute('Name');
    $attrName->value = 'http://eidas.europa.eu/attributes/naturalperson/PersonIdentifier';

    $attrNameFormat = $dom->createAttribute('NameFormat');
    $attrNameFormat->value = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri";
    $attrRequirement = $dom->createAttribute('isRequired');
    $attrRequirement->value = "true";

    $item->appendChild($attrName);
    $item->appendChild($attrNameFormat);
    $item->appendChild($attrRequirement);

    $attributes_ext->appendChild($item);

    // wrap the element so it can be passed as a SAML extension
    $ext = array();
    $ext[] = new SAML2_XML_Chunk($attributes_ext);

    $auth->requireAuth(array(
        'saml:Extensions' => $ext,
    ));

Thanks for your help.


On Thu, 17 Dec 2020 at 15:16, Peter Schober <peter....@univie.ac.at> wrote:
--
This is a mailing list for users of SimpleSAMLphp, not a support service. If you are willing to buy commercial support, please take a look here:

https://simplesamlphp.org/support

Before sending your question, make sure it is related to SimpleSAMLphp, and not your web server's configuration or any other third-party software. This mailing list cannot help with software that uses SimpleSAMLphp, only regarding SimpleSAMLphp itself.

Make sure to read the documentation:

https://simplesamlphp.org/docs/stable/

If you have an issue with SimpleSAMLphp that you cannot resolve and reading the documentation doesn't help, you are more than welcome to ask here for help. Subscribe to the list and send an email with your question. However, you will be expected to comply with some minimum, common sense standards in your questions. Please read this carefully:

http://catb.org/~esr/faqs/smart-questions.html
---
You received this message because you are subscribed to a topic in the Google Groups "SimpleSAMLphp" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/simplesamlphp/hGmzBps_OF0/unsubscribe.
To unsubscribe from this group and all its topics, send an email to simplesamlph...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/simplesamlphp/20201217141644.wmqz2zldz6qofmyt%40aco.net.

Peter Schober

unread,
Dec 17, 2020, 10:42:58 AM12/17/20
to SimpleSAMLphp
* Petr Huptich <petr.h...@gmail.com> [2020-12-17 16:10]:
> Here is all the code to create SAML authentication:

Well, then you'll need to look at the API you're using how to register
an XML namespace prefix. Once that's done this should be valid.

-peter
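The two replies above make the same point: the request is schema-invalid because the "eidas" prefix is never bound to its namespace URI, and the fix is to register the prefix through the XML API rather than writing it into the element name. The following is an added example of that fix, not code from the thread or from the SimpleSAMLphp project. It assumes the same installation path as the posted code, an SP entry named `default-sp` in `authsources.php`, a hypothetical second eIDAS attribute to show more than one entry, and that `\SAML2\XML\Chunk` is the class the posted code reached through its legacy `SAML2_XML_Chunk` alias.

```php
<?php
// Added example (not the poster's code, not SimpleSAMLphp's own): builds the
// eidas:RequestedAttributes extension with the "eidas" prefix bound to its
// namespace, so the serialized AuthnRequest carries the xmlns:eidas declaration.
// Assumptions: SimpleSAMLphp under /saml (as in the thread), SP name 'default-sp',
// and the attribute list passed below.
require_once('/saml/lib/_autoload.php');

const EIDAS_NS = 'http://eidas.europa.eu/saml-extensions';
const SAML_URI_NAME_FORMAT = 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri';

/**
 * Build <eidas:RequestedAttributes> with one <eidas:RequestedAttribute> per entry.
 * $requested maps attribute Name (URI) => isRequired (bool).
 */
function buildRequestedAttributes(array $requested): \DOMElement
{
    $dom = \SAML2\DOMDocumentFactory::create();

    // createElementNS (not createElement) binds the prefix to the namespace URI.
    // That binding is what makes DOM emit xmlns:eidas="..." on serialization;
    // createElement('eidas:...') only stores the literal string as the tag name.
    $root = $dom->createElementNS(EIDAS_NS, 'eidas:RequestedAttributes');
    $dom->appendChild($root);

    foreach ($requested as $name => $isRequired) {
        $attr = $dom->createElementNS(EIDAS_NS, 'eidas:RequestedAttribute');
        // Name, NameFormat and isRequired are unqualified attributes in the eIDAS
        // schema, so plain setAttribute (no namespace) is the right call here.
        $attr->setAttribute('Name', $name);
        $attr->setAttribute('NameFormat', SAML_URI_NAME_FORMAT);
        $attr->setAttribute('isRequired', $isRequired ? 'true' : 'false');
        $root->appendChild($attr);
    }
    return $root;
}

/**
 * Check before sending: the prefix must resolve to the eIDAS namespace and the
 * declaration must be present in the serialized XML, otherwise the request is
 * exactly as schema-invalid as the one discussed in the thread.
 */
function assertEidasNamespaceDeclared(\DOMElement $el): string
{
    $xml = $el->ownerDocument->saveXML($el);
    if ($el->lookupNamespaceUri('eidas') !== EIDAS_NS
        || strpos($xml, 'xmlns:eidas="' . EIDAS_NS . '"') === false) {
        throw new \RuntimeException("eidas namespace not declared:\n" . $xml);
    }
    return $xml;
}

$ext = buildRequestedAttributes([
    'http://eidas.europa.eu/attributes/naturalperson/PersonIdentifier'  => true,
    // assumed additional attribute, only to show a second entry
    'http://eidas.europa.eu/attributes/naturalperson/CurrentFamilyName' => true,
]);
assertEidasNamespaceDeclared($ext);

$auth = new \SimpleSAML\Auth\Simple('default-sp');   // assumed SP name
$auth->requireAuth([
    // Chunk imports the element (with its namespace) into the AuthnRequest's
    // <samlp:Extensions>; SimpleSAMLphp declares the samlp prefix itself.
    'saml:Extensions' => [new \SAML2\XML\Chunk($ext)],
]);
```

The only change from the posted code that matters is `createElementNS` with the eIDAS namespace URI in place of `createElement`; the check function just makes the failure visible locally instead of at the IdP, where an undeclared prefix typically surfaces as a generic "invalid request" rather than a pointer to the missing `xmlns:eidas`.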