Extracting extansions from saml authentication request

Previous Topic Next Topic
classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view

Extracting extansions from saml authentication request


I am implementing a custom IdP auth flow and need to extract extension attributes from the authentication request.

The request I get from SP looks like this (note that I can control request and if needed it can be adjusted):

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" .. ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
    <someOtherElementsHere />
    <md:Extensions xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
        <req:myparam xmlns:req="http://www.example.org">my_dynamic_value</req:myparam>

I tried looking through docs / forum / source code (including system/flows/saml) but could not really find any useful information /  figure it out.

Any pointers to articles that would explain this? Or maybe somebody could explain this to me?

Thanks a lot!

Reply | Threaded
Open this post in threaded view

Re: Extracting extansions from saml authentication request

So I have managed to solve this problem and this is how I did it.

First of all, I already had a custom flow, so it turned out that all I needed to do is to add another step to it. So in my flow definition file (myflow-flow.xml) I added the following:

<action-state id="ReadParametersFromAuthnrequest">
    <evaluate expression="AuthnRequestParametersReader" />
    <evaluate expression="'proceed'" />   

    <transition on="proceed" to="YourNextStep" />

and then I added the following bean definition to the corresponding bean definitions file

<bean id="AuthnRequestParametersReader"
    scope="prototype" />

Secondly I created com.example.AuthnRequestParametersReader bean. This bean extends AbstractProfileAction bean. The contents of this bean is very similar to InitializeAuthenticationContext http://svn.shibboleth.net/view/java-identity-provider/tags/3.1.2/idp-saml-impl/src/main/java/net/shibboleth/idp/saml/profile/impl/InitializeAuthenticationContext.java?view=markup. I basically just copy and pasted logic for initializing of authnRequest property, and then I implemented doExecute to read the Extensions element from authnRequest and then the properties I was interested in.

final Extensions extensions = authnRequest.getExtensions();
List<XMLObject> xmlObjectList = extensions.getUnknownXMLObjects();
for (XMLObject xmlObject : xmlObjectList) {
    Element element = xmlObject.getDOM();
    String localName = element.getLocalName();
    String textContent = element.getTextContent();

There was just one catch. The extensions part of the authn request xml needs to be like the following:


The prefix of the QName should be "saml2p", not "md" as in my original example. If it is "md" then the saml library will fail to read this element (maybe this could be fixed from settings, but I did not find the way to do it).

Then I rebuilt the *.war file, redeployed and it was able to read the params.