Hi Thanuja 

I'll answer inline, in red

> Il giorno 29 ott 2019, alle ore 17:41, Thanuja Jayasinghe <than...@wso2.com> 
> ha scritto:
> 
> 
> Hi Angelo,
> 
> If I summarize what you are trying to achieve, 
> 
>   - SP sends a SAML2 Authentication request with 
> AttributeConsumingServiceIndex value.
>   - A federated IdP is configured for authentication for this SP.
>   - Identity Server needs to pass the received AttributeConsumingServiceIndex 
> value with an authentication request to federated IdP.
>   - Federated IdP will send back the user attributes based on the 
> AttributeConsumingServiceIndex.

Yes, you summarized the scenario correctly. Just to be more precise, we can 
have multiple SPs. Each SP can use only one AttributeConsumingServiceIndex, 
because each SP may need only certain attributes.


> 
> To get a better understanding of the requirement, can you please provide 
> information on the following as well,
>   - How the SP identifies required AttributeConsumingServiceIndex? Also the 
> requirement for the multiple AttributeConsumingServiceIndex.

The SP simply sends just one AttributeConsumingServiceIndex.


>   - Is there an AttributeConsumingServiceIndex which can be used to get the 
> union of the above-mentioned attributes from the IdP?

We don't have an AttributeConsumingServiceIndex that returns the union of 
attributes from the IdP. We simply need the AttributeConsumingServiceIndex 
sent by the SP to be forwarded to the external IdP, and the external IdP 
returns the corresponding attributes.

> 
> Thanks,
> Thanuja
> 
> 
>> On Mon, Oct 28, 2019 at 11:41 PM Farasath Ahamed <farasa...@wso2.com> wrote:
>> 
>> 
>>> On Monday, October 28, 2019, Angelo Immediata <angelo...@gmail.com> wrote:
>>> Hi all.
>>> 
>>> I'm using WSO2 Identity Server versions 5.8.0 and 5.9.0.
>>> 
>>> I have this scenario: I have external IdPs and I want to allow SAML 
>>> integration with these IdPs. I can register them in WSO2 and everything works 
>>> pretty well.
>>> 
>>> I was facing the following issue: I need to handle several 
>>> AttributeConsumingService elements. So the first thing I did was create the WSO2 
>>> ServiceProvider metadata file that I gave to the IdPs. This is the metadata 
>>> content:
>>>> <?xml version="1.0" encoding="UTF-8"?>
>>>> <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" 
>>>> ID="_3574ad74-ba7a-4ea5-b3e8-dbb2dafb55df" entityID="http://wso2_590_ai">
>>>>    <md:SPSSODescriptor AuthnRequestsSigned="true" 
>>>> WantAssertionsSigned="true" 
>>>> protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
>>>>       <md:KeyDescriptor use="signing">
>>>>          <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>>>             <ds:X509Data>
>>>>                <ds:X509Certificate><!--Certificate 
>>>> info--></ds:X509Certificate>
>>>>             </ds:X509Data>
>>>>          </ds:KeyInfo>
>>>>       </md:KeyDescriptor>
>>>>       <md:SingleLogoutService 
>>>> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" 
>>>> Location="https://localhost:9443/samlsso" />
>>>>       
>>>> <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
>>>>       <md:AssertionConsumerService 
>>>> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" 
>>>> Location="https://localhost:9443/commonauth" index="0" isDefault="true" />
>>>>       <md:AttributeConsumingService index="0">
>>>>          <md:ServiceName xml:lang="it">set0</md:ServiceName>
>>>>          <md:RequestedAttribute FriendlyName="Nome" Name="name" />
>>>>          <md:RequestedAttribute FriendlyName="Cognome" Name="familyName" />
>>>>          <md:RequestedAttribute FriendlyName="Codice Fiscale" 
>>>> Name="fiscalNumber" />
>>>>          <md:RequestedAttribute FriendlyName="Indirizzo mail" Name="email" 
>>>> />
>>>>          <md:RequestedAttribute FriendlyName="SPID Code" Name="spidCode" />
>>>>       </md:AttributeConsumingService>
>>>>       <md:AttributeConsumingService index="1">
>>>>          <md:ServiceName xml:lang="it">set1</md:ServiceName>
>>>>          <md:RequestedAttribute FriendlyName="Nome" Name="name" />
>>>>          <md:RequestedAttribute FriendlyName="Cognome" Name="familyName" />
>>>>          <md:RequestedAttribute FriendlyName="Codice Fiscale" 
>>>> Name="fiscalNumber" />
>>>>          <md:RequestedAttribute FriendlyName="Indirizzo mail" Name="email" 
>>>> />
>>>>          <md:RequestedAttribute FriendlyName="SPID Code" Name="spidCode" />
>>>>          <md:RequestedAttribute FriendlyName="Sesso" Name="gender" />
>>>>          <md:RequestedAttribute FriendlyName="Data di nascita" 
>>>> Name="dateOfBirth" />
>>>>          <md:RequestedAttribute FriendlyName="Luogo di nascita" 
>>>> Name="placeOfBirth" />
>>>>       </md:AttributeConsumingService>
>>>>       <md:AttributeConsumingService index="2">
>>>>          <md:ServiceName xml:lang="it">set2</md:ServiceName>
>>>>          <md:RequestedAttribute FriendlyName="Nome" Name="name" />
>>>>          <md:RequestedAttribute FriendlyName="Cognome" Name="familyName" />
>>>>          <md:RequestedAttribute FriendlyName="Codice Fiscale" 
>>>> Name="fiscalNumber" />
>>>>          <md:RequestedAttribute FriendlyName="Indirizzo mail" Name="email" 
>>>> />
>>>>          <md:RequestedAttribute FriendlyName="SPID Code" Name="spidCode" />
>>>>          <md:RequestedAttribute FriendlyName="Sesso" Name="gender" />
>>>>          <md:RequestedAttribute FriendlyName="Data di nascita" 
>>>> Name="dateOfBirth" />
>>>>          <md:RequestedAttribute FriendlyName="Luogo di nascita" 
>>>> Name="placeOfBirth" />
>>>>          <md:RequestedAttribute FriendlyName="Nazione di nascita" 
>>>> Name="countyOfBirth" />
>>>>       </md:AttributeConsumingService>
>>>>       <md:AttributeConsumingService index="3">
>>>>          <md:ServiceName xml:lang="it">set3</md:ServiceName>
>>>>          <md:RequestedAttribute FriendlyName="Nome" Name="name" />
>>>>          <md:RequestedAttribute FriendlyName="Cognome" Name="familyName" />
>>>>          <md:RequestedAttribute FriendlyName="Codice Fiscale" 
>>>> Name="fiscalNumber" />
>>>>          <md:RequestedAttribute FriendlyName="Indirizzo mail" Name="email" 
>>>> />
>>>>          <md:RequestedAttribute FriendlyName="SPID Code" Name="spidCode" />
>>>>          <md:RequestedAttribute FriendlyName="Sesso" Name="gender" />
>>>>          <md:RequestedAttribute FriendlyName="Data di nascita" 
>>>> Name="dateOfBirth" />
>>>>          <md:RequestedAttribute FriendlyName="Luogo di nascita" 
>>>> Name="placeOfBirth" />
>>>>          <md:RequestedAttribute FriendlyName="Nazione di nascita" 
>>>> Name="countyOfBirth" />
>>>>          <md:RequestedAttribute FriendlyName="Cellulare" 
>>>> Name="mobilePhone" />
>>>>       </md:AttributeConsumingService>
>>>>       <md:AttributeConsumingService index="4">
>>>>          <md:ServiceName xml:lang="it">set4</md:ServiceName>
>>>>          <md:RequestedAttribute FriendlyName="Nome" Name="name" />
>>>>          <md:RequestedAttribute FriendlyName="Cognome" Name="familyName" />
>>>>          <md:RequestedAttribute FriendlyName="Codice Fiscale" 
>>>> Name="fiscalNumber" />
>>>>          <md:RequestedAttribute FriendlyName="SPID Code" Name="spidCode" />
>>>>       </md:AttributeConsumingService>
>>>>       <md:AttributeConsumingService index="5">
>>>>          <md:ServiceName xml:lang="it">set5</md:ServiceName>
>>>>          <md:RequestedAttribute FriendlyName="Nome" Name="name" />
>>>>          <md:RequestedAttribute FriendlyName="Cognome" Name="familyName" />
>>>>          <md:RequestedAttribute FriendlyName="Codice Fiscale" 
>>>> Name="fiscalNumber" />
>>>>          <md:RequestedAttribute FriendlyName="SPID Code" Name="spidCode" />
>>>>          <md:RequestedAttribute FriendlyName="Nome azienda" 
>>>> Name="companyName" />
>>>>          <md:RequestedAttribute FriendlyName="Ufficio" 
>>>> Name="registeredOffice" />
>>>>          <md:RequestedAttribute FriendlyName="Partita IVA" Name="ivaCode" 
>>>> />
>>>>       </md:AttributeConsumingService>
>>>>    </md:SPSSODescriptor>
>>>>    <md:Organization>
>>>>       <md:OrganizationName xml:lang="it">Service provider WSO2 
>>>> 590</md:OrganizationName>
>>>>       <md:OrganizationDisplayName xml:lang="it">WSO2 
>>>> 590</md:OrganizationDisplayName>
>>>>       <md:OrganizationURL 
>>>> xml:lang="it">https://localhost:9443/</md:OrganizationURL>
>>>>    </md:Organization>
>>>> </md:EntityDescriptor>
>>> 
>>> As you can see I have six AttributeConsumingService elements. So far so good... the 
>>> problem was how to solve this issue: let's suppose I have a Service 
>>> Provider registered inside WSO2 IS, and let's suppose the application 
>>> related to this SP sends the AttributeConsumingServiceIndex in the SAML 
>>> request. How can I pass this AttributeConsumingServiceIndex on to the SAML request 
>>> that WSO2 sends to the external IdPs? I found only one way: to modify the 
>>>> 
>>>> org.wso2.carbon.identity.application.authenticator.samlsso.manager.DefaultSAML2SSOManager.buildAuthnRequest(HttpServletRequest,
>>>>  boolean, String, AuthenticationContext) 
>>> method. Just after this instruction 
>>>> //Get the inbound SAMLRequest
>>>> AuthnRequest inboundAuthnRequest = getAuthnRequest(context);
>>> 
>>> I added the following code:
>>>> // Forward the AttributeConsumingServiceIndex of the inbound request to the
>>>> // AuthnRequest built for the federated IdP (indexes > 0 only)
>>>> Integer attrConsServiceIndex = inboundAuthnRequest.getAttributeConsumingServiceIndex();
>>>> if (attrConsServiceIndex != null && attrConsServiceIndex > 0) {
>>>>     if (log.isInfoEnabled()) {
>>>>         log.info("Inbound SAML Request AttributeConsumingServiceIndex " +
>>>>                 attrConsServiceIndex + " set in the outbound SAML auth request");
>>>>     }
>>>>     authRequest.setAttributeConsumingServiceIndex(attrConsServiceIndex);
>>>> }
>>> 
>>> In this way, if the application handled by a Service Provider sends an 
>>> AttributeConsumingServiceIndex different from 0, it is set in the 
>>> AuthnRequest that WSO2 IS builds for the external IdP. I don't know if 
>>> there is a different way to solve it, but as far as I investigated this is 
>>> the only solution I found.
>>> 
>>> Is this a proper way?
>>> 
>>> If so... I hope you can use it and this can be useful to other people.
>>> 
>>> Thank you
>>> Angelo
>> 
>> 
>> -- 
>> Farasath Ahamed
>> Associate Technical Lead, WSO2 Inc.: http://wso2.com
>> Mobile: +94777603866
>> Blog: https://farasath.blogspot.com / https://medium.com/@farasath
>> Twitter: @farazath619
>> 
>> 
>> 
>> 
>> 
> 
> 
> -- 
> Thanuja Lakmal
> Technical Lead
> WSO2 Inc. http://wso2.com/ 
> lean.enterprise.middleware
> Mobile: +94715979891
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
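The forwarding discussed in this thread, as an added example that is not part of the thread or of WSO2's own code: a Python stand-in for the Java patch posted above, using only the standard library. It reads the AttributeConsumingServiceIndex from the inbound AuthnRequest, checks it against the AttributeConsumingService indexes declared in the SP metadata (the file the IdPs were given), and sets it on the outbound AuthnRequest. It goes beyond the posted patch in two ways: index 0 is forwarded too (it is a valid index in the metadata), and an index the metadata never declared is rejected instead of being relayed to the external IdP. The trimmed metadata, the inbound requests, the issuer, the IDs and the timestamps are constructed samples; the outbound request sets only the fields relevant to the index and omits Destination, the ACS URL and the XML signature that a real implementation must add.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

# Constructed sample: a trimmed SP metadata file in the same shape as the one
# posted in the thread (two AttributeConsumingService sets instead of six).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="http://wso2_590_ai">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeConsumingService index="0">
      <md:ServiceName xml:lang="it">set0</md:ServiceName>
      <md:RequestedAttribute FriendlyName="Nome" Name="name"/>
      <md:RequestedAttribute FriendlyName="Cognome" Name="familyName"/>
    </md:AttributeConsumingService>
    <md:AttributeConsumingService index="1">
      <md:ServiceName xml:lang="it">set1</md:ServiceName>
      <md:RequestedAttribute FriendlyName="Nome" Name="name"/>
      <md:RequestedAttribute FriendlyName="Cognome" Name="familyName"/>
      <md:RequestedAttribute FriendlyName="Sesso" Name="gender"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def constructed_inbound_request(index=None):
    """Constructed sample: the AuthnRequest an SP application sends to WSO2 IS,
    optionally carrying AttributeConsumingServiceIndex (hypothetical issuer)."""
    acs_attr = "" if index is None else f' AttributeConsumingServiceIndex="{index}"'
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req-from-sp" '
        f'Version="2.0" IssueInstant="2019-10-29T16:41:00Z"{acs_attr}>'
        "<saml:Issuer>http://sp.example.test</saml:Issuer></samlp:AuthnRequest>"
    )


def declared_acs_indexes(metadata_xml):
    """Map each AttributeConsumingService index declared in the SP metadata to
    the set of RequestedAttribute Names it carries."""
    root = ET.fromstring(metadata_xml)
    declared = {}
    for acs in root.findall(".//md:AttributeConsumingService", NS):
        names = {ra.get("Name") for ra in acs.findall("md:RequestedAttribute", NS)}
        declared[int(acs.get("index"))] = names
    return declared


def acs_index_of(authn_request_xml):
    """Return the AttributeConsumingServiceIndex of an AuthnRequest, or None."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("not a samlp:AuthnRequest")
    raw = root.get("AttributeConsumingServiceIndex")
    return None if raw is None else int(raw)


def build_outbound_authn_request(inbound_xml, metadata_xml, issuer, request_id, issue_instant):
    """Build the AuthnRequest for the federated IdP, carrying over the inbound
    index only when the SP metadata actually declares it."""
    inbound_idx = acs_index_of(inbound_xml)
    req = ET.Element("{%s}AuthnRequest" % NS["samlp"],
                     {"ID": request_id, "Version": "2.0", "IssueInstant": issue_instant})
    ET.SubElement(req, "{%s}Issuer" % NS["saml"]).text = issuer
    if inbound_idx is not None:
        if inbound_idx not in declared_acs_indexes(metadata_xml):
            # The external IdP only knows the indexes in our metadata; fail
            # closed here rather than relay an index it never saw.
            raise ValueError(f"AttributeConsumingServiceIndex {inbound_idx} "
                             "is not declared in the SP metadata")
        # Index 0 is a valid index too, so forward it rather than only values > 0.
        req.set("AttributeConsumingServiceIndex", str(inbound_idx))
    return ET.tostring(req, encoding="unicode")


if __name__ == "__main__":
    for idx in (None, 0, 1, 7):
        try:
            out = build_outbound_authn_request(
                constructed_inbound_request(idx), SP_METADATA,
                "http://wso2_590_ai", "_req-to-idp", "2019-10-29T16:41:01Z")
            print(idx, "->", acs_index_of(out))
        except ValueError as err:
            print(idx, "-> rejected:", err)
```

Running the module forwards None, 0 and 1 unchanged and rejects 7, which no AttributeConsumingService in the metadata declares. The check against the metadata is the part the posted patch lacks: the index is SP-controlled input, so tying it to the attribute sets the SP actually published keeps an SP from requesting an attribute set that was registered for a different SP.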
