jlrodriguez Super Contributor.

Custom fields to the SAML2 request made to an IdP

Hi,

Is it possible to add custom fields to the SAML2 request made to an IdP (NAM acting as SAMLv2 SP)? A RequestedAuthnContext, for instance; here is an example from another SP:

<saml2p:RequestedAuthnContext Comparison="minimum">
<saml2:AuthnContextClassRef>http://idp.acme.com/LoA/low</saml2:AuthnContextClassRef>
</saml2p:RequestedAuthnContext>
4 Replies

Re: Custom fields to the SAML2 request made to an IdP

On 29-05-2019 4:16 AM, jlrodriguez wrote:
>
> Hi,
>
> Is it possible to add custom fields to the SAML2 request made to an IdP
> (NAM acting as SAMLv2 SP). A RequestedAuthnContext, here is an example
> from another SP:
>
> <saml2p:RequestedAuthnContext Comparison="minimum">
>
> <saml2:AuthnContextClassRef>http://idp.acme.com/LoA/low</saml2:AuthnContextClassRef>
> </saml2p:RequestedAuthnContext>
Yes, you can. You do this with a contract. The way to do it is a little obscure to be honest. I'll post the exact steps as I'll have to do it in my lab.

--
Cheers,
Edward
jlrodriguez Super Contributor.

Re: Custom fields to the SAML2 request made to an IdP

Thanks Edward.

I've tried to imagine how it can be achieved through a contract and I do not see the form. Could you give me some clue to investigate while you document it?

Regards
Jose Luis

Re: Custom fields to the SAML2 request made to an IdP

On 30-05-2019 7:24 AM, jlrodriguez wrote:

> Thanks Edward.
>
> I've tried to imagine how it can be achieved through a contract and I do
> not see the form. Could you give me some clue to investigate while you
> document it?


Sorry for the delay, life got in the way....

Here are the steps:

Create a new contract:

Display Name: remoteidp (or whatever name you fancy)
URI: remoteidp/auth (or whatever name you fancy)
Tick 'Satisfiable by external provider'
Requested by: Use Types
Allowable Class: http://idp.acme.com/LoA/low (I got this from your original post)

second page:
Can leave all blank really. It's up to your standards really what you put in there.

Now go back to the SAML 2 IDP you created and select Authentication Card.
Under satisfies contract select the new contract you just created and update the IDP.

Now go to the protected resource where you want to use the IDP for authentication and select this new contract. When people try to access this PR they'll get redirected and the request will look like:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
Consent="urn:oasis:names:tc:SAML:2.0:consent:unavailable" ForceAuthn="false"
ID="id6gOUdJj-VMynuKGCk7JLLD6clGQ" IsPassive="false" IssueInstant="2019-06-01T00:16:42Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Version="2.0">
<saml:Issuer>https://idp.site.com/nidp/saml2/metadata</saml:Issuer>
<samlp:NameIDPolicy AllowCreate="true"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
SPNameQualifier="https://idp.site.com/nidp/saml2/metadata"/>
<samlp:RequestedAuthnContext Comparison="exact">
<saml:AuthnContextClassRef>contract1</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
</samlp:AuthnRequest>


Now whilst writing this I also noticed you can make similar settings on the IDP under the authentication card. One of the differences is that when solely using the contract, you can't control the value of the Comparison attribute as it's always set to exact, but on the IDP you can set it to better, minimal etc. I guess you could play with those too. It probably depends a little how you are planning to call the remote IDP (through a contract or some other way?)

Hopefully this helps.
--
Cheers,
Edward
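A check the SP side of this setup would want, added here as an example and not code from the thread or from Access Manager: pull the RequestedAuthnContext out of the AuthnRequest the SP emits (to confirm the contract produced the expected class ref and Comparison), then verify that the AuthnContextClassRef the IdP asserts back actually satisfies it, since an IdP is free to ignore the request. The comparison rules follow SAML 2.0 Core section 3.3.2.2.1; the AuthnRequest and the low/medium/high LoA ordering are constructed for the example.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed AuthnRequest modelled on the one in the post above, but carrying
# the Comparison="minimum" request from the original question.
SAMPLE_AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
  ID="id-constructed-1" Version="2.0" IssueInstant="2019-06-01T00:16:42Z">
  <saml:Issuer>https://idp.site.com/nidp/saml2/metadata</saml:Issuer>
  <samlp:RequestedAuthnContext Comparison="minimum">
    <saml:AuthnContextClassRef>http://idp.acme.com/LoA/low</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

# Constructed assurance ordering, weakest first. This is deployment policy; the
# SAML spec leaves the relative strength of class refs to the parties involved.
LOA_ORDER = ["http://idp.acme.com/LoA/low",
             "http://idp.acme.com/LoA/medium",
             "http://idp.acme.com/LoA/high"]


def requested_authn_context(authn_request_xml):
    """Return (Comparison, [class refs]) from an AuthnRequest; Comparison defaults to 'exact'."""
    root = ET.fromstring(authn_request_xml)
    rac = root.find(f"{{{SAMLP}}}RequestedAuthnContext")
    if rac is None:
        return None, []
    comparison = rac.get("Comparison", "exact")
    refs = [e.text.strip() for e in rac.findall(f"{{{SAML}}}AuthnContextClassRef")]
    return comparison, refs


def satisfies(comparison, requested, asserted, order=LOA_ORDER):
    """True if the asserted class ref meets the request under the SAML 2.0 comparison rules."""
    if comparison == "exact":
        return asserted in requested
    if asserted not in order or any(r not in order for r in requested):
        return False  # unknown class ref: fail closed rather than guess its strength
    rank = order.index
    if comparison == "minimum":   # at least as strong as one of the requested classes
        return any(rank(asserted) >= rank(r) for r in requested)
    if comparison == "better":    # stronger than every requested class
        return all(rank(asserted) > rank(r) for r in requested)
    if comparison == "maximum":   # must not exceed the strength of at least one requested class
        return any(rank(asserted) <= rank(r) for r in requested)
    return False
```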
jlrodriguez Super Contributor.

Re: Custom fields to the SAML2 request made to an IdP

Thanks a lot Edward. I will work from your indications to see if I get it.

Regards
Jose Luis