On Monday, October 28, 2019, Angelo Immediata <[email protected]> wrote:

> Hi all.
>
> I'm using WSO2 Identity Server version 5.8.0 and 5.9.0
>
> My scenario: I have external IdPs and I want to allow SAML integration
> with them. I can register them in WSO2 IS and everything works fine.
>
> I ran into the following issue: I need to handle several
> AttributeConsumingService elements. So the first thing I did was create the
> WSO2 Service Provider metadata file that I gave to the IdPs. This is the
> metadata content:
>
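>> <?xml version="1.0" encoding="UTF-8"?>
>> <!-- SP metadata handed to the external IdPs. Before publishing it, replace the
>>      localhost:9443 endpoints below with the public hostname of the WSO2 IS node:
>>      an IdP will POST responses to whatever Location it reads here. -->
>> <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
>>    ID="_3574ad74-ba7a-4ea5-b3e8-dbb2dafb55df" entityID="http://wso2_590_ai">
>>    <!-- AuthnRequestsSigned: this SP signs its AuthnRequests with the key below.
>>         WantAssertionsSigned: the IdP must sign every assertion it sends here. -->
>>    <md:SPSSODescriptor AuthnRequestsSigned="true"
>>       WantAssertionsSigned="true"
>>       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
>>       <!-- Only a signing key is published. There is no KeyDescriptor with
>>            use="encryption", so an IdP reading this metadata has no key with which
>>            to encrypt assertions for this SP; add one if the personal attributes
>>            requested below should not rely on TLS alone. -->
>>       <md:KeyDescriptor use="signing">
>>          <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>             <ds:X509Data>
>>                <ds:X509Certificate><!--Certificate info--></ds:X509Certificate>
>>             </ds:X509Data>
>>          </ds:KeyInfo>
>>       </md:KeyDescriptor>
>>       <md:SingleLogoutService
>>          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>>          Location="https://localhost:9443/samlsso" />
>>       <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
>>       <md:AssertionConsumerService
>>          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>>          Location="https://localhost:9443/commonauth" index="0" isDefault="true" />
>>       <!-- Attribute sets selectable via AttributeConsumingServiceIndex in the
>>            AuthnRequest. None is marked isDefault="true", so which set an IdP uses
>>            when the request carries no index is left to the IdP. No RequestedAttribute
>>            sets isRequired, so every attribute is optional for the IdP.
>>            NOTE(review): an IdP releases the whole set for whatever index it is sent;
>>            make sure an application behind this SP cannot name a larger set
>>            (e.g. set3 or set5) than it is entitled to. -->
>>       <md:AttributeConsumingService index="0">
>>          <md:ServiceName xml:lang="it">set0</md:ServiceName>
>>          <md:RequestedAttribute FriendlyName="Nome" Name="name" />
>>          <md:RequestedAttribute FriendlyName="Cognome" Name="familyName" />
>>          <md:RequestedAttribute FriendlyName="Codice Fiscale" Name="fiscalNumber" />
>>          <md:RequestedAttribute FriendlyName="Indirizzo mail" Name="email" />
>>          <md:RequestedAttribute FriendlyName="SPID Code" Name="spidCode" />
>>       </md:AttributeConsumingService>
>>       <md:AttributeConsumingService index="1">
>>          <md:ServiceName xml:lang="it">set1</md:ServiceName>
>>          <md:RequestedAttribute FriendlyName="Nome" Name="name" />
>>          <md:RequestedAttribute FriendlyName="Cognome" Name="familyName" />
>>          <md:RequestedAttribute FriendlyName="Codice Fiscale" Name="fiscalNumber" />
>>          <md:RequestedAttribute FriendlyName="Indirizzo mail" Name="email" />
>>          <md:RequestedAttribute FriendlyName="SPID Code" Name="spidCode" />
>>          <md:RequestedAttribute FriendlyName="Sesso" Name="gender" />
>>          <md:RequestedAttribute FriendlyName="Data di nascita" Name="dateOfBirth" />
>>          <md:RequestedAttribute FriendlyName="Luogo di nascita" Name="placeOfBirth" />
>>       </md:AttributeConsumingService>
>>       <md:AttributeConsumingService index="2">
>>          <md:ServiceName xml:lang="it">set2</md:ServiceName>
>>          <md:RequestedAttribute FriendlyName="Nome" Name="name" />
>>          <md:RequestedAttribute FriendlyName="Cognome" Name="familyName" />
>>          <md:RequestedAttribute FriendlyName="Codice Fiscale" Name="fiscalNumber" />
>>          <md:RequestedAttribute FriendlyName="Indirizzo mail" Name="email" />
>>          <md:RequestedAttribute FriendlyName="SPID Code" Name="spidCode" />
>>          <md:RequestedAttribute FriendlyName="Sesso" Name="gender" />
>>          <md:RequestedAttribute FriendlyName="Data di nascita" Name="dateOfBirth" />
>>          <md:RequestedAttribute FriendlyName="Luogo di nascita" Name="placeOfBirth" />
>>          <!-- NOTE(review): "countyOfBirth" is the spelling used by the SPID attribute
>>               set; keep whatever spelling the IdP publishes rather than "correcting" it. -->
>>          <md:RequestedAttribute FriendlyName="Nazione di nascita" Name="countyOfBirth" />
>>       </md:AttributeConsumingService>
>>       <md:AttributeConsumingService index="3">
>>          <md:ServiceName xml:lang="it">set3</md:ServiceName>
>>          <md:RequestedAttribute FriendlyName="Nome" Name="name" />
>>          <md:RequestedAttribute FriendlyName="Cognome" Name="familyName" />
>>          <md:RequestedAttribute FriendlyName="Codice Fiscale" Name="fiscalNumber" />
>>          <md:RequestedAttribute FriendlyName="Indirizzo mail" Name="email" />
>>          <md:RequestedAttribute FriendlyName="SPID Code" Name="spidCode" />
>>          <md:RequestedAttribute FriendlyName="Sesso" Name="gender" />
>>          <md:RequestedAttribute FriendlyName="Data di nascita" Name="dateOfBirth" />
>>          <md:RequestedAttribute FriendlyName="Luogo di nascita" Name="placeOfBirth" />
>>          <md:RequestedAttribute FriendlyName="Nazione di nascita" Name="countyOfBirth" />
>>          <md:RequestedAttribute FriendlyName="Cellulare" Name="mobilePhone" />
>>       </md:AttributeConsumingService>
>>       <md:AttributeConsumingService index="4">
>>          <md:ServiceName xml:lang="it">set4</md:ServiceName>
>>          <md:RequestedAttribute FriendlyName="Nome" Name="name" />
>>          <md:RequestedAttribute FriendlyName="Cognome" Name="familyName" />
>>          <md:RequestedAttribute FriendlyName="Codice Fiscale" Name="fiscalNumber" />
>>          <md:RequestedAttribute FriendlyName="SPID Code" Name="spidCode" />
>>       </md:AttributeConsumingService>
>>       <md:AttributeConsumingService index="5">
>>          <md:ServiceName xml:lang="it">set5</md:ServiceName>
>>          <md:RequestedAttribute FriendlyName="Nome" Name="name" />
>>          <md:RequestedAttribute FriendlyName="Cognome" Name="familyName" />
>>          <md:RequestedAttribute FriendlyName="Codice Fiscale" Name="fiscalNumber" />
>>          <md:RequestedAttribute FriendlyName="SPID Code" Name="spidCode" />
>>          <md:RequestedAttribute FriendlyName="Nome azienda" Name="companyName" />
>>          <md:RequestedAttribute FriendlyName="Ufficio" Name="registeredOffice" />
>>          <md:RequestedAttribute FriendlyName="Partita IVA" Name="ivaCode" />
>>       </md:AttributeConsumingService>
>>    </md:SPSSODescriptor>
>>    <md:Organization>
>>       <md:OrganizationName xml:lang="it">Service provider WSO2 590</md:OrganizationName>
>>       <md:OrganizationDisplayName xml:lang="it">WSO2 590</md:OrganizationDisplayName>
>>       <md:OrganizationURL xml:lang="it">https://localhost:9443/</md:OrganizationURL>
>>    </md:Organization>
>> </md:EntityDescriptor>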
>
>
> As you can see I have six AttributeConsumingService elements (index 0 to 5).
> So far so good... the problem was this: suppose I have a Service Provider
> registered in WSO2 IS, and the application behind this SP sends an
> AttributeConsumingServiceIndex in its SAML AuthnRequest. How can I carry
> that index over to the AuthnRequest that WSO2 IS sends to the external
> IdPs? I found only one way: to modify the
>>
>> org.wso2.carbon.identity.application.authenticator.samlsso.manager.
>> DefaultSAML2SSOManager.buildAuthnRequest(HttpServletRequest, boolean,
>> String, AuthenticationContext)
>
> method. Just after this instruction
>
>> //Get the inbound SAMLRequest
>> AuthnRequest inboundAuthnRequest = getAuthnRequest(context);
>
>
> I added the following code:
>
>> // Forward the application's AttributeConsumingServiceIndex (read from the inbound
>> // AuthnRequest obtained above) to the AuthnRequest built for the external IdP.
>> // NOTE(review): index 0 is a valid index (set0 in the SP metadata), but the "> 0"
>> // test below does not forward it; the IdP then falls back to whatever it treats as
>> // its default, since no AttributeConsumingService in the metadata is marked
>> // isDefault. Use ">= 0" if set0 must be selectable explicitly.
>> // NOTE(review): the index is copied from the inbound request as-is. The external
>> // IdP will release the whole attribute set for that index, so unless every
>> // application behind this SP may pull every set, check the index against what
>> // that application is allowed to request before copying it here.
>> Integer attrConsServiceIndex = inboundAuthnRequest.
>> getAttributeConsumingServiceIndex();
>> if( attrConsServiceIndex != null && attrConsServiceIndex > 0 ) {
>>    if( log.isInfoEnabled() ) {
>> log.info("Inbound SAML Request AttributeConsumingServiceIndex "+
>> attrConsServiceIndex+" Settato nella auth request SAML");
>>     }
>> authRequest.setAttributeConsumingServiceIndex(attrConsServiceIndex);
>> }
>
>
> This way, if the application behind a Service Provider sends an
> AttributeConsumingServiceIndex different from 0, that index is set in the
> AuthnRequest that WSO2 IS builds for the external IdP. I don't know whether
> there is a different way to solve this, but as far as I have investigated
> this is the only solution I found.
>
> Is this a proper way?
>
> If so... I hope you can use it and this can be useful to other people.
>
> Thank you
> Angelo
>


-- 
Farasath Ahamed
Associate Technical Lead, WSO2 Inc.: http://wso2.com
Mobile: +94777603866
Blog: https://farasath.blogspot.com / https://medium.com/@farasath
Twitter: @farazath619 <https://twitter.com/farazath619>
<http://wso2.com/signature>
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
