Are attributes allowed in a SAML authentication request?

StackOverflow https://stackoverflow.com/questions/529655

  •  22-08-2019
  •  | 
  •  

Question

Is it possible to send attributes in a SAML authentication request?

<samlp:AuthnRequest
   xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
   xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
   ID="aaf23196-1773-2113-474a-fe114412ab72"
   Version="2.0"
   IssueInstant="2004-12-05T09:21:59Z"
   AssertionConsumerServiceIndex="0"
   AttributeConsumingServiceIndex="0">
   <saml:Issuer>https://sp.example.com/SAML2</saml:Issuer>
   <samlp:NameIDPolicy
     AllowCreate="true"
     Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
 </samlp:AuthnRequest>
Was it helpful?

Solution

Technically, yes, it is possible, since AuthnRequest can contain an Extensions element, which can contain anything - see the SAML 'core' spec: AuthnRequest (section 3.4.1) is derived from RequestAbstractType (section 3.2.1) which has an optional Extensions. The sender and recipient would have to agree on the syntax and semantics of data sent this way.

I can't see a more 'conventional' way to do this, since Attributes are usually in Assertions, rather than AuthnRequests.

OTHER TIPS

There is a case where attributes are to be part of auth request. so that we can get that attribute name from request to construct response assertion with the same.

because service provider validates the response by comparing the attribute names.we can take the example of Salesforce as service provider, where the same happens.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top