How to add HTTP query parameter to SAML2 SSO post response


How to add HTTP query parameter to SAML2 SSO post response

Dan Ciarniello

Hi,

I have an SP requirement to add an HTTP query parameter to the SAML2 SSO POST response but I cannot see any easy way to do so.

I thought that I might be able to do it by modifying saml2-post-binding.vm and appending the parameter to the form action variable, but that template is not given access to any of the common template variables, such as the session or the flowRequestContext, so I have no way to pass the desired parameter value into the template.

Is there any way to do this?

Thanks,

Dan Ciarniello.

This email and any attachments are strictly confidential, may be privileged, and are intended only for the use of the person(s) named above. Any other person is strictly prohibited from disclosing, distributing, copying or using it. If you are not the intended recipient (or are not receiving this communication on behalf of the intended recipient), please notify the sender immediately by return email or telephone call, and securely destroy this communication. Thank you.


--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

Re: How to add HTTP query parameter to SAML2 SSO post response

Peter Schober
* Dan Ciarniello <[hidden email]> [2018-06-05 23:00]:
> I have an SP requirement to add an HTTP query parameter to the SAML2
> SSO POST response but I cannot see any easy way to do so.

SAML does not allow adding arbitrary stuff to SAML protocol messages,
other than via extensions within the XML, AFAIK.

-peter
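Peter's point above is the standard's own mechanism for carrying extra data. As an added example (not code from this thread or from the Shibboleth project), the following builds a minimal samlp:Response whose extra value rides in a samlp:Extensions child rather than in a query parameter appended to the POST form action, and the SP-side reader that picks it back up. The extension namespace `urn:example:sp-extensions`, the element name `ReturnTo`, and the IDs and URLs are constructed placeholders.

```python
# Added example: extra IdP-to-SP data carried in samlp:Extensions (spec-compliant)
# instead of a query parameter on the ACS URL. Standard library only.
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
EXT_NS = "urn:example:sp-extensions"  # constructed placeholder namespace

ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)
ET.register_namespace("ext", EXT_NS)


def build_response(issuer: str, destination: str, extras: dict) -> bytes:
    """IdP side: minimal samlp:Response whose extra data sits in samlp:Extensions.

    Child order follows StatusResponseType: Issuer, (Signature), Extensions, Status.
    Destination stays exactly the SP's registered ACS endpoint; nothing is appended.
    """
    resp = ET.Element(f"{{{SAMLP}}}Response", {
        "ID": "_constructed-response-id", "Version": "2.0",
        "IssueInstant": "2018-06-06T00:00:00Z", "Destination": destination,
    })
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = issuer
    ext = ET.SubElement(resp, f"{{{SAMLP}}}Extensions")
    for name, value in extras.items():
        ET.SubElement(ext, f"{{{EXT_NS}}}{name}").text = value
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode",
                  {"Value": "urn:oasis:names:tc:SAML:2.0:status:Success"})
    return ET.tostring(resp, encoding="utf-8")


def read_extensions(xml_bytes: bytes) -> dict:
    """SP side: collect our extension elements; an SP that does not know the
    namespace simply ignores them, and a Response without Extensions yields {}."""
    root = ET.fromstring(xml_bytes)
    ext = root.find(f"{{{SAMLP}}}Extensions")
    if ext is None:
        return {}
    prefix = "{" + EXT_NS + "}"
    return {child.tag[len(prefix):]: (child.text or "")
            for child in ext if child.tag.startswith(prefix)}


def child_order(xml_bytes: bytes) -> list:
    """Local names of the Response's direct children, to check schema ordering."""
    return [child.tag.split("}", 1)[-1] for child in ET.fromstring(xml_bytes)]
```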

RE: How to add HTTP query parameter to SAML2 SSO post response

Dan Ciarniello
Hi, Peter

I know that this is non-standard but, be that as it may, I have the requirement that I have to deal with.

I do know one way to do it but it would involve changing a system configuration file which, for obvious reasons, I don't want to do.

Basically, I would extend HTTPPostEncoder and set it as the class for shibboleth.Encoders.SAML2PostEncoder in system/conf/saml-binding-config.xml.  I would rather override the encoder in conf/<somefile> but I haven't been able to figure out how to do that.

I was hoping that somebody on the list would be able to give me a better option.  Or tell me how to override the encoder without changing saml-binding-config.xml.

Thanks,
Dan Ciarniello


RE: How to add HTTP query parameter to SAML2 SSO post response

Cantor, Scott E.
> I was hoping that somebody on the list would be able to give me a better
> option.  Or tell me how to override the encoder without changing saml-
> binding-config.xml.

If the template doesn't have access to an object that's general enough to get at the servlet request, then I doubt it can directly access anything in the request state it doesn't directly have access to already. As for overriding the encoders, I doubt it's supported absent something general like overriding the entire bean definition by relying on file ordering in Spring. It would probably be possible to fix that if asked.

You should not do this, and whatever reason you think you have isn't enough to warrant it. Saying no works, more often than not.

-- Scott


Re: How to add HTTP query parameter to SAML2 SSO post response

Peter Schober
* Dan Ciarniello <[hidden email]> [2018-06-06 17:32]:
> I know that this is non-standard but be that is it may, I have the
> requirement that I have to deal with.

That also means every single deployer would have to hack their IDP
code in order to enable something that violates the spec -- what more
needs to happen before people Just Say No?

-peter

RE: How to add HTTP query parameter to SAML2 SSO post response

Dan Ciarniello
Hacking the IDP is not what I want to do.  I already know how to do it by hacking.  I was hoping that there was an easy way to do it by adding something in /conf rather than modifying files in /system/conf.

Unfortunately, saying No is not always an option.  

Dan.
