Hi all.

I'm using WSO2 Identity Server version 5.8.0 and 5.9.0

I have this scenario: I have external IdPs and I want to allow SAML
integration with these IdPs. I can register them in WSO2 and all works
pretty well.

I was facing the following issue: I need to handle several
AttributeConsumingService elements. So the first thing I did was create the
WSO2 ServiceProvider metadata file that I gave to the IdPs. This is the
metadata content:

> <?xml version="1.0" encoding="UTF-8"?>
> <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_3574ad74-ba7a-4ea5-b3e8-dbb2dafb55df" entityID="http://wso2_590_ai">
>    <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
>       <md:KeyDescriptor use="signing">
>          <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>             <ds:X509Data>
>                <ds:X509Certificate><!--Certificate info--></ds:X509Certificate>
>             </ds:X509Data>
>          </ds:KeyInfo>
>       </md:KeyDescriptor>
>       <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:9443/samlsso" />
>       <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
>       <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:9443/commonauth" index="0" isDefault="true" />
>       <md:AttributeConsumingService index="0">
>          <md:ServiceName xml:lang="it">set0</md:ServiceName>
>          <md:RequestedAttribute FriendlyName="Nome" Name="name" />
>          <md:RequestedAttribute FriendlyName="Cognome" Name="familyName" />
>          <md:RequestedAttribute FriendlyName="Codice Fiscale" Name="fiscalNumber" />
>          <md:RequestedAttribute FriendlyName="Indirizzo mail" Name="email" />
>          <md:RequestedAttribute FriendlyName="SPID Code" Name="spidCode" />
>       </md:AttributeConsumingService>
>       <md:AttributeConsumingService index="1">
>          <md:ServiceName xml:lang="it">set1</md:ServiceName>
>          <md:RequestedAttribute FriendlyName="Nome" Name="name" />
>          <md:RequestedAttribute FriendlyName="Cognome" Name="familyName" />
>          <md:RequestedAttribute FriendlyName="Codice Fiscale" Name="fiscalNumber" />
>          <md:RequestedAttribute FriendlyName="Indirizzo mail" Name="email" />
>          <md:RequestedAttribute FriendlyName="SPID Code" Name="spidCode" />
>          <md:RequestedAttribute FriendlyName="Sesso" Name="gender" />
>          <md:RequestedAttribute FriendlyName="Data di nascita" Name="dateOfBirth" />
>          <md:RequestedAttribute FriendlyName="Luogo di nascita" Name="placeOfBirth" />
>       </md:AttributeConsumingService>
>       <md:AttributeConsumingService index="2">
>          <md:ServiceName xml:lang="it">set2</md:ServiceName>
>          <md:RequestedAttribute FriendlyName="Nome" Name="name" />
>          <md:RequestedAttribute FriendlyName="Cognome" Name="familyName" />
>          <md:RequestedAttribute FriendlyName="Codice Fiscale" Name="fiscalNumber" />
>          <md:RequestedAttribute FriendlyName="Indirizzo mail" Name="email" />
>          <md:RequestedAttribute FriendlyName="SPID Code" Name="spidCode" />
>          <md:RequestedAttribute FriendlyName="Sesso" Name="gender" />
>          <md:RequestedAttribute FriendlyName="Data di nascita" Name="dateOfBirth" />
>          <md:RequestedAttribute FriendlyName="Luogo di nascita" Name="placeOfBirth" />
>          <md:RequestedAttribute FriendlyName="Nazione di nascita" Name="countyOfBirth" />
>       </md:AttributeConsumingService>
>       <md:AttributeConsumingService index="3">
>          <md:ServiceName xml:lang="it">set3</md:ServiceName>
>          <md:RequestedAttribute FriendlyName="Nome" Name="name" />
>          <md:RequestedAttribute FriendlyName="Cognome" Name="familyName" />
>          <md:RequestedAttribute FriendlyName="Codice Fiscale" Name="fiscalNumber" />
>          <md:RequestedAttribute FriendlyName="Indirizzo mail" Name="email" />
>          <md:RequestedAttribute FriendlyName="SPID Code" Name="spidCode" />
>          <md:RequestedAttribute FriendlyName="Sesso" Name="gender" />
>          <md:RequestedAttribute FriendlyName="Data di nascita" Name="dateOfBirth" />
>          <md:RequestedAttribute FriendlyName="Luogo di nascita" Name="placeOfBirth" />
>          <md:RequestedAttribute FriendlyName="Nazione di nascita" Name="countyOfBirth" />
>          <md:RequestedAttribute FriendlyName="Cellulare" Name="mobilePhone" />
>       </md:AttributeConsumingService>
>       <md:AttributeConsumingService index="4">
>          <md:ServiceName xml:lang="it">set4</md:ServiceName>
>          <md:RequestedAttribute FriendlyName="Nome" Name="name" />
>          <md:RequestedAttribute FriendlyName="Cognome" Name="familyName" />
>          <md:RequestedAttribute FriendlyName="Codice Fiscale" Name="fiscalNumber" />
>          <md:RequestedAttribute FriendlyName="SPID Code" Name="spidCode" />
>       </md:AttributeConsumingService>
>       <md:AttributeConsumingService index="5">
>          <md:ServiceName xml:lang="it">set5</md:ServiceName>
>          <md:RequestedAttribute FriendlyName="Nome" Name="name" />
>          <md:RequestedAttribute FriendlyName="Cognome" Name="familyName" />
>          <md:RequestedAttribute FriendlyName="Codice Fiscale" Name="fiscalNumber" />
>          <md:RequestedAttribute FriendlyName="SPID Code" Name="spidCode" />
>          <md:RequestedAttribute FriendlyName="Nome azienda" Name="companyName" />
>          <md:RequestedAttribute FriendlyName="Ufficio" Name="registeredOffice" />
>          <md:RequestedAttribute FriendlyName="Partita IVA" Name="ivaCode" />
>       </md:AttributeConsumingService>
>    </md:SPSSODescriptor>
>    <md:Organization>
>       <md:OrganizationName xml:lang="it">Service provider WSO2 590</md:OrganizationName>
>       <md:OrganizationDisplayName xml:lang="it">WSO2 590</md:OrganizationDisplayName>
>       <md:OrganizationURL xml:lang="it">https://localhost:9443/</md:OrganizationURL>
>    </md:Organization>
> </md:EntityDescriptor>


As you can see I have six AttributeConsumingService elements. So far so
good... the problem was how to solve this issue: let's suppose I have a
Service Provider registered inside WSO2 IS and let's suppose the application
related to this SP sends the AttributeConsumingService index in the SAML
Request. How can I pass this AttributeConsumingService index to the SAML
request that WSO2 sends to the external IdPs? I found only one way: to modify
the

> org.wso2.carbon.identity.application.authenticator.samlsso.manager.DefaultSAML2SSOManager.buildAuthnRequest(HttpServletRequest, boolean, String, AuthenticationContext)

method. Just after this instruction

> //Get the inbound SAMLRequest
> AuthnRequest inboundAuthnRequest = getAuthnRequest(context);


I added the following code:

> // Propagate the AttributeConsumingServiceIndex of the inbound AuthnRequest
> // to the AuthnRequest built for the external IdP. Index 0 is the default
> // set, so it is left unset on the outbound request.
> Integer attrConsServiceIndex = inboundAuthnRequest.getAttributeConsumingServiceIndex();
> if (attrConsServiceIndex != null && attrConsServiceIndex > 0) {
>     if (log.isInfoEnabled()) {
>         log.info("Inbound SAML Request AttributeConsumingServiceIndex " +
>                 attrConsServiceIndex + " Settato nella auth request SAML");
>     }
>     authRequest.setAttributeConsumingServiceIndex(attrConsServiceIndex);
> }


In this way, if the application handled by a Service Provider sends an
AttributeConsumingServiceIndex different from 0, this is set in the
AuthnRequest that WSO2 IS builds for the external IdP. I don't know if
there is a different way to solve it, but as far as I investigated this is
the only solution I found.

Is this a proper way?

If so... I hope you can use it and this can be useful to other people.

Thank you
Angelo
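As an added example (not Angelo's code and not part of WSO2), the following Python check shows the logic above with the one check the patch does not do: it reads which AttributeConsumingService indexes the SP metadata actually declares, pulls the index out of an inbound AuthnRequest, and forwards it only if it exists, so an index the IdPs never saw in the metadata is rejected rather than relayed. The metadata and the two requests are constructed, trimmed copies of the shapes in the post.

```python
import xml.etree.ElementTree as ET

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed, trimmed SP metadata in the shape of the post's file (two of its six sets).
SP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://wso2_590_ai">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeConsumingService index="0">
      <md:ServiceName xml:lang="it">set0</md:ServiceName>
      <md:RequestedAttribute FriendlyName="Nome" Name="name" />
      <md:RequestedAttribute FriendlyName="Cognome" Name="familyName" />
    </md:AttributeConsumingService>
    <md:AttributeConsumingService index="4">
      <md:ServiceName xml:lang="it">set4</md:ServiceName>
      <md:RequestedAttribute FriendlyName="Nome" Name="name" />
      <md:RequestedAttribute FriendlyName="Codice Fiscale" Name="fiscalNumber" />
      <md:RequestedAttribute FriendlyName="SPID Code" Name="spidCode" />
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed inbound AuthnRequests: one asking for set 4, one carrying no index at all.
SAMLP = 'xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Version="2.0" IssueInstant="2020-01-01T00:00:00Z"'
REQUEST_SET4 = '<samlp:AuthnRequest %s ID="_req1" AttributeConsumingServiceIndex="4"/>' % SAMLP
REQUEST_NO_INDEX = '<samlp:AuthnRequest %s ID="_req2"/>' % SAMLP

def declared_services(metadata_xml):
    """Map each AttributeConsumingService index in the SP metadata to its attribute Names."""
    services = {}
    for acs in ET.fromstring(metadata_xml).iterfind(".//md:AttributeConsumingService", MD_NS):
        services[int(acs.get("index"))] = [ra.get("Name") for ra in acs.iterfind("md:RequestedAttribute", MD_NS)]
    return services

def inbound_index(authn_request_xml):
    """AttributeConsumingServiceIndex of an inbound AuthnRequest, or None if the attribute is absent."""
    value = ET.fromstring(authn_request_xml).get("AttributeConsumingServiceIndex")
    return int(value) if value is not None else None

def index_to_forward(authn_request_xml, metadata_xml):
    """Index to set on the outbound AuthnRequest, or None to leave it unset (IdP default set).
    Keeps the post's `> 0` rule and adds the check the post lacks: an index the SP never
    published in its metadata is rejected rather than forwarded to the IdP as-is."""
    idx = inbound_index(authn_request_xml)
    if idx is None or idx == 0:
        return None
    if idx not in declared_services(metadata_xml):
        raise ValueError("AttributeConsumingServiceIndex %d not declared in SP metadata" % idx)
    return idx
```

Real inbound requests should go through a hardened XML parser (for example defusedxml) rather than the stdlib parser used here on constructed input.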
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev