Re: [Dev] WSO2 IS - SAML SSO External IdP: handling several AttributeConsumingServiceIndex

2019-10-29 Thread Angelo Immediata
Hi Thanuja 

I’ll answer inline, in red.

> On 29 Oct 2019, at 17:41, Thanuja Jayasinghe wrote:
> 
> 
> Hi Angelo,
> 
> If I summarize what you are trying to achieve, 
> 
>   - SP sends a SAML2 Authentication request with 
> AttributeConsumingServiceIndex value.
>   - A federated IdP is configured for authentication for this SP.
>   - Identity Server needs to pass the received AttributeConsumingServiceIndex 
> value with an authentication request to federated IdP.
>   - Federated IdP will send back the user attributes based on the 
> AttributeConsumingServiceIndex.

Yes, you summarized the scenario correctly. Just to be more precise, we can 
have multiple SPs. Each SP can use only one AttributeConsumingServiceIndex, 
because each SP may need some attributes.


> 
> To get a better understanding of the requirement, can you please provide 
> information on the following as well,
>   - How the SP identifies required AttributeConsumingServiceIndex? Also the 
> requirement for the multiple AttributeConsumingServiceIndex.

Simply put, the SP sends just one AttributeConsumingServiceIndex.


>   - Is there an AttributeConsumingServiceIndex which can be used to get the 
> union of the above-mentioned attributes from the IdP?

We don’t have an AttributeConsumingServiceIndex used to get the union of 
attributes from the IdP. We simply need the AttributeConsumingServiceIndex 
sent by the SP to be forwarded to the external IdP, and this external IdP returns the 
corresponding attributes.

> 
> Thanks,
> Thanuja
> 
> 
>> On Mon, Oct 28, 2019 at 11:41 PM Farasath Ahamed  wrote:
>> 
>> 
>>> On Monday, October 28, 2019, Angelo Immediata  wrote:
>>> Hi all.
>>> 
>>> I'm using WSO2 Identity Server version 5.8.0 and 5.9.0.
>>> 
>>> I have this scenario: I have external IdPs and I want to allow SAML 
>>> integration with these IdPs. I can register them in WSO2 and all works 
>>> pretty well.
>>> 
>>> I was facing the following issue: I need to handle several 
>>> AttributeConsumingService elements. So the first thing I did was create the WSO2 
>>> ServiceProvider metadata file that I gave to the IdPs. This is the metadata 
>>> content:
>>> 
>>> [SP metadata snipped here; the same metadata is quoted in Angelo's original message at the bottom of this page.]
>>> 
>>> As you can see I have six AttributeConsumingService elements. So far so good... the 
>>> problem was how to solve this issue: let's suppose I have a Service 
>>> Provider registered inside WSO2 IS and let's suppose the application 
>>> related to this SP sends the AttributeConsumingService index in the SAML 
>>> Request. How can I pass this AttributeConsumingService index on to the SAML request 
>>> that WSO2 sends to the external IdPs? I found only one way: to modify the 
 
 org.wso2.carbon.identity.application.authenticator.samlsso.manager.DefaultSAML2SSOManager.buildAuthnRequest(HttpServletRequest,
  boolean, 

Re: [Dev] WSO2 IS - SAML SSO External IdP: handling several AttributeConsumingServiceIndex

2019-10-29 Thread Thanuja Jayasinghe
Hi Angelo,

If I summarize what you are trying to achieve,

  - SP sends a SAML2 Authentication request
with AttributeConsumingServiceIndex value.
  - A federated IdP is configured for authentication for this SP.
  - Identity Server needs to pass the
received AttributeConsumingServiceIndex value with an authentication
request to federated IdP.
  - Federated IdP will send back the user attributes based on the
AttributeConsumingServiceIndex.

To get a better understanding of the requirement, can you please provide
information on the following as well,
  - How the SP identifies required AttributeConsumingServiceIndex? Also the
requirement for the multiple AttributeConsumingServiceIndex.
  - Is there an AttributeConsumingServiceIndex which can be used to get the
union of the above-mentioned attributes from the IdP?

Thanks,
Thanuja


On Mon, Oct 28, 2019 at 11:41 PM Farasath Ahamed  wrote:

>
>
> On Monday, October 28, 2019, Angelo Immediata  wrote:
>
>> Hi all.
>>
>> I'm using WSO2 Identity Server version 5.8.0 and 5.9.0.
>>
>> I have this scenario: I have external IdPs and I want to allow SAML
>> integration with these IdPs. I can register them in WSO2 and all works
>> pretty well.
>>
>> I was facing the following issue: I need to handle several
>> AttributeConsumingService elements. So the first thing I did was create the WSO2
>> ServiceProvider metadata file that I gave to the IdPs. This is the metadata
>> content:
>>
>>> [SP metadata snipped here; the same metadata is quoted in Angelo's original message at the bottom of this page.]
>>
>>
>> As you can see I have six AttributeConsumingService elements. So far so good...
>> the problem was how to solve this issue: let's suppose I have a Service
>> Provider registered inside WSO2 IS and let's suppose the application
>> related to this SP sends the AttributeConsumingService index in the SAML
>> Request. How can I pass this AttributeConsumingService index on to the SAML request
>> that WSO2 sends to the external IdPs? I found only one way: to modify the
>>>
>>> org.wso2.carbon.identity.application.authenticator.samlsso.manager.DefaultSAML2SSOManager.buildAuthnRequest(HttpServletRequest, boolean, String, AuthenticationContext)
>>
>> method. Just after this instruction
>>
>>> //Get the inbound SAMLRequest
>>> AuthnRequest inboundAuthnRequest = getAuthnRequest(context);
>>
>>
>> I added the following code:
>>
>>> Integer attrConsServiceIndex = inboundAuthnRequest.getAttributeConsumingServiceIndex();
>>> if( attrConsServiceIndex != null && attrConsServiceIndex > 0 ) {
>>>     if( log.isInfoEnabled() ) {
>>>         log.info("Inbound SAML Request AttributeConsumingServiceIndex " +
>>>                  attrConsServiceIndex + " Settato nella auth request SAML");
>>>     }
>>>     authRequest.setAttributeConsumingServiceIndex(attrConsServiceIndex);
>>> }
>>
>>
>> In this way if the Application handled by a Service Provider sends an
>> 

Re: [Dev] WSO2 IS - SAML SSO External IdP: handling several AttributeConsumingServiceIndex

2019-10-28 Thread Farasath Ahamed
On Monday, October 28, 2019, Angelo Immediata  wrote:

> Hi all.
>
> I'm using WSO2 Identity Server version 5.8.0 and 5.9.0.
>
> I have this scenario: I have external IdPs and I want to allow SAML
> integration with these IdPs. I can register them in WSO2 and all works
> pretty well.
>
> I was facing the following issue: I need to handle several
> AttributeConsumingService elements. So the first thing I did was create the WSO2
> ServiceProvider metadata file that I gave to the IdPs. This is the metadata
> content:
>
>> [SP metadata snipped here; the same metadata is quoted in Angelo's original message at the bottom of this page.]
>
>
> As you can see I have six AttributeConsumingService elements. So far so good... the
> problem was how to solve this issue: let's suppose I have a Service
> Provider registered inside WSO2 IS and let's suppose the application
> related to this SP sends the AttributeConsumingService index in the SAML
> Request. How can I pass this AttributeConsumingService index on to the SAML request
> that WSO2 sends to the external IdPs? I found only one way: to modify the
>>
>> org.wso2.carbon.identity.application.authenticator.samlsso.manager.DefaultSAML2SSOManager.buildAuthnRequest(HttpServletRequest, boolean, String, AuthenticationContext)
>
> method. Just after this instruction
>
>> //Get the inbound SAMLRequest
>> AuthnRequest inboundAuthnRequest = getAuthnRequest(context);
>
>
> I added the following code:
>
>> Integer attrConsServiceIndex = inboundAuthnRequest.getAttributeConsumingServiceIndex();
>> if( attrConsServiceIndex != null && attrConsServiceIndex > 0 ) {
>>     if( log.isInfoEnabled() ) {
>>         log.info("Inbound SAML Request AttributeConsumingServiceIndex " +
>>                  attrConsServiceIndex + " Settato nella auth request SAML");
>>     }
>>     authRequest.setAttributeConsumingServiceIndex(attrConsServiceIndex);
>> }
>
>
> In this way, if the application handled by a Service Provider sends an
> AttributeConsumingServiceIndex different from 0, this is set in the
> AuthnRequest that WSO2 IS builds for the external IdP. I don't know if
> there is a different way to solve it, but as far as I investigated this is
> the only solution I found.
>
> Is this a proper way?
>
> If so... I hope you can use it and this can be useful to other people.
>
> Thank you
> Angelo
>


-- 
Farasath Ahamed
Associate Technical Lead, WSO2 Inc.: http://wso2.com
Mobile: +94777603866
Blog: https://farasath.blogspot.com / https://medium.com/@farasath
Twitter: @farazath619 

___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


[Dev] WSO2 IS - SAML SSO External IdP: handling several AttributeConsumingServiceIndex

2019-10-28 Thread Angelo Immediata
Hi all.

I'm using WSO2 Identity Server version 5.8.0 and 5.9.0.

I have this scenario: I have external IdPs and I want to allow SAML
integration with these IdPs. I can register them in WSO2 and all works
pretty well.

I was facing the following issue: I need to handle several
AttributeConsumingService elements. So the first thing I did was create the WSO2
ServiceProvider metadata file that I gave to the IdPs. This is the metadata
content:

> [SP metadata as posted. The XML element names were lost when the message was
> archived; only the attribute values and text content below survive.]
> ID="_3574ad74-ba7a-4ea5-b3e8-dbb2dafb55df" entityID="http://wso2_590_ai"
> WantAssertionsSigned="true"
> protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
> (signing key block in the http://www.w3.org/2000/09/xmldsig# namespace)
> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:9443/samlsso"
> urn:oasis:names:tc:SAML:2.0:nameid-format:transient
> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:9443/commonauth" index="0" isDefault="true"
> Six AttributeConsumingService entries; the requested attribute names still legible in each are:
>   set0: fiscalNumber, email (other names lost)
>   set1: fiscalNumber, email, dateOfBirth, placeOfBirth (other names lost)
>   set2: fiscalNumber, email, dateOfBirth, placeOfBirth, countyOfBirth (other names lost)
>   set3: fiscalNumber, email, dateOfBirth, placeOfBirth, countyOfBirth, mobilePhone (other names lost)
>   set4: fiscalNumber (other names lost)
>   set5: fiscalNumber, companyName, registeredOffice, ivaCode (other names lost)
> Organization: "Service provider WSO2 590", display name "WSO2 590",
> URL https://localhost:9443/ (xml:lang="it")


As you can see I have six AttributeConsumingService elements. So far so good... the
problem was how to solve this issue: let's suppose I have a Service
Provider registered inside WSO2 IS and let's suppose the application
related to this SP sends the AttributeConsumingService index in the SAML
Request. How can I pass this AttributeConsumingService index on to the SAML request
that WSO2 sends to the external IdPs? I found only one way: to modify the
>
> org.wso2.carbon.identity.application.authenticator.samlsso.manager.DefaultSAML2SSOManager.buildAuthnRequest(HttpServletRequest, boolean, String, AuthenticationContext)

method. Just after this instruction

> //Get the inbound SAMLRequest
> AuthnRequest inboundAuthnRequest = getAuthnRequest(context);


I added the following code:

> Integer attrConsServiceIndex = inboundAuthnRequest.getAttributeConsumingServiceIndex();
> if( attrConsServiceIndex != null && attrConsServiceIndex > 0 ) {
>     if( log.isInfoEnabled() ) {
>         log.info("Inbound SAML Request AttributeConsumingServiceIndex " +
>                  attrConsServiceIndex + " Settato nella auth request SAML");
>     }
>     authRequest.setAttributeConsumingServiceIndex(attrConsServiceIndex);
> }


In this way, if the application handled by a Service Provider sends an
AttributeConsumingServiceIndex different from 0, this is set in the
AuthnRequest that WSO2 IS builds for the external IdP. I don't know if
there is a different way to solve it, but as far as I investigated this is
the only solution I found.

Is this a proper way?

If so... I hope you can use it and this can be useful to other people.

Thank you
Angelo
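As an added example (not WSO2 code and not the patch from this thread), the same propagation at the SAML message level with Python's standard library: the AttributeConsumingServiceIndex on the inbound AuthnRequest is copied to the outbound request only when it is one of the indexes the proxy's own SP metadata declares to the external IdP, so an out-of-range or non-numeric index from an SP is rejected rather than forwarded. The metadata and both requests are constructed samples; the entity IDs and the `propagate_index` name are assumptions.

```python
from typing import Optional, Set, Tuple
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
for prefix, uri in (("samlp", SAMLP), ("saml", SAML), ("md", MD)):
    ET.register_namespace(prefix, uri)  # keep the usual prefixes on re-serialisation

# Constructed stand-in for the proxy's own SP metadata (not the file from the thread):
# six AttributeConsumingService entries, index 0..5, like set0..set5.
PROXY_SP_METADATA = (
    f'<md:EntityDescriptor xmlns:md="{MD}" entityID="http://proxy.example">'
    f'<md:SPSSODescriptor protocolSupportEnumeration="{SAMLP}">'
    + "".join(f'<md:AttributeConsumingService index="{i}"/>' for i in range(6))
    + "</md:SPSSODescriptor></md:EntityDescriptor>"
)

def sample_authn_request(issuer: str, index: Optional[int] = None) -> str:
    """Constructed minimal samlp:AuthnRequest, optionally carrying an index."""
    attr = "" if index is None else f' AttributeConsumingServiceIndex="{index}"'
    return (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_req1" '
            f'Version="2.0" IssueInstant="2019-10-28T21:41:00Z"{attr}>'
            f"<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>")

def declared_indexes(metadata_xml: str) -> Set[int]:
    """Every AttributeConsumingService index the proxy advertises to the external IdP."""
    root = ET.fromstring(metadata_xml)
    return {int(acs.get("index")) for acs in root.iter(f"{{{MD}}}AttributeConsumingService")
            if acs.get("index") is not None}

def inbound_index(authn_request_xml: str) -> Optional[int]:
    """AttributeConsumingServiceIndex on the SP's AuthnRequest, or None when absent."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    raw = root.get("AttributeConsumingServiceIndex")
    return None if raw is None else int(raw)  # int() rejects non-numeric input

def propagate_index(inbound_xml: str, outbound_xml: str, allowed: Set[int]) -> Tuple[Optional[int], str]:
    """Copy the SP's index onto the outbound AuthnRequest only if the proxy's metadata
    declares it; an undeclared index is rejected rather than silently dropped, and a
    declared index 0 is forwarded too (the thread's snippet skips it via `> 0`)."""
    idx = inbound_index(inbound_xml)
    outbound = ET.fromstring(outbound_xml)
    if idx is not None:
        if idx not in allowed:
            raise ValueError(f"AttributeConsumingServiceIndex {idx} is not declared in the proxy SP metadata")
        outbound.set("AttributeConsumingServiceIndex", str(idx))
    return idx, ET.tostring(outbound, encoding="unicode")
```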