Hi,

eIDAS (electronic IDentification, Authentication and trust Services) is an
EU regulation on electronic identification and trust services for
electronic transactions in the internal market. The eIDAS interoperability
framework, including its national entities (eIDAS-Connector and
eIDAS-Service), needs to exchange messages carrying personal and technical
attributes to support cross-border identification and authentication
processes (please refer to [1] for more information). For the exchange of
messages, the use of the SAML 2.0 specifications has been agreed, and there
is an eIDAS-compliant set of technical specifications in [2], which EU
Member States use to develop their own eIDAS-compliant implementations.


As per the "eIDAS SAML Message Format" specification, handling and
inclusion of attributes in exchanged messages is defined as follows.

   - Attributes MUST be requested as <eidas:RequestedAttributes>, and
   <eidas:RequestedAttributes> MUST be included in the <saml2p:Extensions>
   element of the SAML AuthnRequest.

Ex:

<saml2p:AuthnRequest
        xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
        xmlns:eidas="http://eidas.europa.eu/saml-extensions" ...>
  ............
  <saml2p:Extensions>
    <eidas:SPType>public</eidas:SPType>
    <eidas:RequestedAttributes>
      <eidas:RequestedAttribute FriendlyName="D-2012-17-EUIdentifier"
          Name="http://eidas.europa.eu/attributes/legalperson/D-2012-17-EUIdentifier"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
          isRequired="false" />
      <eidas:RequestedAttribute FriendlyName="LegalPersonIdentifier"
          Name="http://eidas.europa.eu/attributes/legalperson/LegalPersonIdentifier"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
          isRequired="true" />
    </eidas:RequestedAttributes>
  </saml2p:Extensions>
  .............
</saml2p:AuthnRequest>


   - Apart from the attributes, to indicate whether an authentication
   request is made by a private-sector or public-sector SP, the defined
   element <eidas:SPType> MUST be present either in the <md:Extensions>
   element of the SAML metadata or in the <saml2p:Extensions> element of a
   <saml2p:AuthnRequest>.


As per the SAML Core specification in [3], Extensions is an optional
element in SAML 2.0, allowing arbitrary information agreed on between the
communicating parties to be passed to the identity provider. As mentioned
above, eIDAS attributes should be included within the SAML Extensions
element.


Currently in IS, SAML Extensions processing has not been taken into
consideration, so in order to have eIDAS profile support for SAML, that
should be considered. Please find the proposed implementation below.

   1. Register a set of SAML Extension Processors - an extensible mechanism
   where we can include any extension processing
   2. eIDAS Extension Processor - specifically handles the eIDAS extension
   3. Invoke the processors when building the SAML assertion
      - Consider that all the necessary attributes are configured as the SP
      requested claims
      - In the eIDAS processor, filter out the requested attributes based
      on the "RequestedAttributes" elements in the authentication request
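
The eIDAS extension processor proposed in steps 2 and 3, as an added example in Python (not WSO2 IS code): it parses the saml2p:Extensions of an AuthnRequest into the SPType and a map of requested attribute names to their isRequired flag, then filters the SP's configured claims down to what was requested and reports any required attribute the IdP cannot supply. The sample request, the sp_claims dictionary shape and the function names are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

NS = {"saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "eidas": "http://eidas.europa.eu/saml-extensions"}
LP = "http://eidas.europa.eu/attributes/legalperson/"

# Constructed sample request, shaped like the one quoted in the mail.
SAMPLE_AUTHN_REQUEST = f"""<saml2p:AuthnRequest xmlns:saml2p="{NS['saml2p']}"
    xmlns:eidas="{NS['eidas']}" ID="_constructed-1" Version="2.0">
  <saml2p:Extensions>
    <eidas:SPType>public</eidas:SPType>
    <eidas:RequestedAttributes>
      <eidas:RequestedAttribute Name="{LP}D-2012-17-EUIdentifier" isRequired="false"/>
      <eidas:RequestedAttribute Name="{LP}LegalPersonIdentifier" isRequired="true"/>
    </eidas:RequestedAttributes>
  </saml2p:Extensions>
</saml2p:AuthnRequest>"""


def parse_eidas_extensions(authn_request_xml):
    """Return (sp_type, {attribute Name: isRequired}) from saml2p:Extensions.
    Assumes the request signature was verified before this is called."""
    root = ET.fromstring(authn_request_xml)
    ext = root.find("saml2p:Extensions", NS)
    if ext is None:
        raise ValueError("eIDAS AuthnRequest must carry saml2p:Extensions")
    # SPType may be carried in metadata instead, so absence is allowed;
    # anything other than the two values the spec defines is rejected.
    sp_type = ext.findtext("eidas:SPType", default=None, namespaces=NS)
    if sp_type not in (None, "public", "private"):
        raise ValueError(f"invalid eidas:SPType {sp_type!r}")
    requested = {}
    for ra in ext.iterfind("eidas:RequestedAttributes/eidas:RequestedAttribute", NS):
        name = ra.get("Name")
        if not name:
            raise ValueError("eidas:RequestedAttribute without Name")
        requested[name] = ra.get("isRequired", "false").lower() == "true"
    return sp_type, requested


def filter_claims(requested, sp_claims):
    """Step 3 of the proposal: release only the attributes the request asked for.
    sp_claims maps attribute Name -> value for the SP's configured claims
    (assumed shape). Required attributes the IdP cannot supply are reported
    so the caller fails the request rather than issuing a partial assertion."""
    released = {n: v for n, v in sp_claims.items() if n in requested}
    missing = sorted(n for n, req in requested.items() if req and n not in sp_claims)
    return released, missing
```

A production processor should additionally parse with DTD and external entity handling disabled, since the request arrives from an untrusted peer.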


Really appreciate your suggestions and comments.


[1]
https://ec.europa.eu/cefdigital/wiki/display/CEFDIGITAL/How+does+it+work+-+eIDAS+solution
[2]
https://ec.europa.eu/cefdigital/wiki/display/CEFDIGITAL/2016/12/16/eIDAS+Technical+Specifications+v.+1.1
[3] https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

Thanks and Regards

-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Email    indu...@wso2.com
Mobile   0772182255
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
