SAML-Toolkits / python3-saml

MIT License

Questions related to requestedAttributes #228

Closed MatthijsvW closed 3 years ago

MatthijsvW commented 3 years ago

I have two questions related to the requestedAttributes (in the sp-settings)

  1. I'm trying to figure out how the requestedAttributes (configuration in the sp-settings) work. I've included them in the sp-configuration, but they only seem to be present in the metadata and not in the generated SAMLRequest. What am I missing?

  2. I would expect that the requestedAttributes (the ones marked required) on the SP are validated somehow in the processing of the SAMLResponse. Meaning if an attribute that is marked required:true is missing in the attribute statement of the SAMLResponse, some sort of error is going to be added to the error list. Is this something that is supported and I just can't figure out? If it is not supported, would it be a nice improvement?

pitbulk commented 3 years ago

1) That is how SAML works: the SP defines in its metadata what attributes it requires so any IdP trusting this SP can record it and provide such attributes in the SAMLResponse. That's why the requestedAttributes appear in the SP XML metadata and not in the AuthNRequest.

See AuthNRequest schema: http://www.datypic.com/sc/saml2/e-samlp_AuthnRequest.html

Another Reference: StackOverflow thread: https://stackoverflow.com/questions/35873526/saml-request-attributes-in-authnrequest

2) That depends on how the IdP was implemented. The IdP could try to satisfy the SP requirements and, in case it is not able to provide them: a) cancel the authentication and return a non-Status=Success SAMLResponse, or b) return the attributes available and leave the SP to validate them and raise the errors.

I believe b) is the most implemented scenario.

The SAML toolkit has no idea about the Attribute Mapping (the relation between how the IdP names the user attributes and how the SP expects such attribute names). Sometimes the mapping is done on the IdP side, other times on the SP side, so it isn't ideal to implement such validation at the toolkit level, and I consider that it is something that needs to be handled at the app level, where there is the info about app user accounts.

In the end it's going to be a matter of extracting the attributes with auth.get_attributes(), then applying the Attribute Mapping changes to the array if they need to be applied, and later validating that the required attributes are in the returned array and contain data.
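The app-level check described in the reply above, as an added example that is not part of python3-saml: it takes the dict-of-lists that auth.get_attributes() returns, applies an SP-side attribute map (assumed here as a plain dict from IdP name to SP name), and reports which entries marked isRequired in the settings' requestedAttributes are missing or empty. The attribute names, mapping and sample response values are constructed.

```python
from typing import Dict, List, Mapping, Sequence

# Entries in the same shape as the "requestedAttributes" list of the SP
# settings (name / friendlyName / isRequired). Values are constructed.
REQUESTED_ATTRIBUTES: List[dict] = [
    {"name": "urn:oid:0.9.2342.19200300.100.1.3", "friendlyName": "mail", "isRequired": True},
    {"name": "urn:oid:2.5.4.42", "friendlyName": "givenName", "isRequired": False},
    {"name": "urn:oid:2.16.840.1.113730.3.1.241", "friendlyName": "displayName", "isRequired": True},
]

# Hypothetical SP-side attribute map: name used by the IdP -> name the SP expects.
ATTRIBUTE_MAP: Dict[str, str] = {
    "email": "urn:oid:0.9.2342.19200300.100.1.3",
    "firstName": "urn:oid:2.5.4.42",
    "displayName": "urn:oid:2.16.840.1.113730.3.1.241",
}

# Constructed stand-in for auth.get_attributes(): attribute name -> list of values.
# displayName is present but empty, so it must still count as missing.
SAMPLE_ATTRIBUTES: Dict[str, List[str]] = {
    "email": ["alice@example.com"],
    "firstName": ["Alice"],
    "displayName": [""],
}


def apply_attribute_map(attributes: Mapping[str, Sequence[str]],
                        attribute_map: Mapping[str, str]) -> Dict[str, List[str]]:
    """Rename IdP attribute names to SP names; unmapped names pass through unchanged."""
    return {attribute_map.get(name, name): list(values) for name, values in attributes.items()}


def missing_required_attributes(attributes: Mapping[str, Sequence[str]],
                                requested: Sequence[dict]) -> List[str]:
    """Return friendly names of required attributes that are absent or have no non-blank value."""
    missing = []
    for entry in requested:
        if not entry.get("isRequired"):
            continue
        values = attributes.get(entry["name"], [])
        if not any(str(v).strip() for v in values):
            missing.append(entry.get("friendlyName") or entry["name"])
    return missing


def validate_response_attributes(raw_attributes, attribute_map, requested):
    """Map, then validate; returns (mapped attributes, list of missing required attributes)."""
    mapped = apply_attribute_map(raw_attributes, attribute_map)
    return mapped, missing_required_attributes(mapped, requested)
```

In a view, call validate_response_attributes(auth.get_attributes(), ATTRIBUTE_MAP, settings["sp"]["attributeConsumingService"]["requestedAttributes"]) after auth.process_response() and auth.get_errors() come back clean, and reject the login when the missing list is non-empty.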

MatthijsvW commented 3 years ago

@pitbulk Thank you for your quick and informative reply.

  1. I had been reading this technical specification from OASIS, which I now see is an extension to the standard SAML protocol. This would then probably not be widely supported and thus not worth including in the SAML toolkit.

  2. I did not take into consideration that the mapping could happen at the IdP side, which in the case of requested attributes that specify the attribute name would not make much sense to me. I'm relatively new to the SAML protocol and its implementations, so I'm not yet very familiar with its implementation conventions.

Again thank you for your explanation. It is very much appreciated.