Hi Angelo,

If I summarize what you are trying to achieve:

  - The SP sends a SAML2 authentication request
with an AttributeConsumingServiceIndex value.
  - A federated IdP is configured for authentication for this SP.
  - Identity Server needs to pass the
received AttributeConsumingServiceIndex value in the authentication
request to the federated IdP.
  - The federated IdP will send back the user attributes based on the
AttributeConsumingServiceIndex.

To get a better understanding of the requirement, can you please provide
information on the following as well:
  - How does the SP identify the required AttributeConsumingServiceIndex? Also,
what is the requirement for multiple AttributeConsumingServiceIndex values?
  - Is there an AttributeConsumingServiceIndex which can be used to get the
union of the above-mentioned attributes from the IdP?

Thanks,
Thanuja


On Mon, Oct 28, 2019 at 11:41 PM Farasath Ahamed <[email protected]> wrote:

>
>
> On Monday, October 28, 2019, Angelo Immediata <[email protected]> wrote:
>
>> Hi all.
>>
>> I'm using WSO2 Identity Server versions 5.8.0 and 5.9.0.
>>
>> I have this scenario: I have external IdPs and I want to allow SAML
>> integration with these IdPs. I can register them in WSO2 and everything works
>> pretty well.
>>
>> I was facing the following issue: I need to handle several
>> AttributeConsumingService elements. So the first thing I did was create the WSO2
>> ServiceProvider metadata file that I gave to the IdPs. This is the metadata
>> content:
>>
>>> <?xml version="1.0" encoding="UTF-8"?>
>>> <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
>>> ID="_3574ad74-ba7a-4ea5-b3e8-dbb2dafb55df" entityID="http://wso2_590_ai">
>>>    <md:SPSSODescriptor AuthnRequestsSigned="true"
>>> WantAssertionsSigned="true"
>>> protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
>>>       <md:KeyDescriptor use="signing">
>>>          <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>>             <ds:X509Data>
>>>                <ds:X509Certificate><!--Certificate info--></ds:X509Certificate>
>>>             </ds:X509Data>
>>>          </ds:KeyInfo>
>>>       </md:KeyDescriptor>
>>>       <md:SingleLogoutService
>>> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>>> Location="https://localhost:9443/samlsso" />
>>>       <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
>>>       <md:AssertionConsumerService
>>> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>>> Location="https://localhost:9443/commonauth" index="0" isDefault="true" />
>>>       <md:AttributeConsumingService index="0">
>>>          <md:ServiceName xml:lang="it">set0</md:ServiceName>
>>>          <md:RequestedAttribute FriendlyName="Nome" Name="name" />
>>>          <md:RequestedAttribute FriendlyName="Cognome" Name="familyName"
>>> />
>>>          <md:RequestedAttribute FriendlyName="Codice Fiscale"
>>> Name="fiscalNumber" />
>>>          <md:RequestedAttribute FriendlyName="Indirizzo mail"
>>> Name="email" />
>>>          <md:RequestedAttribute FriendlyName="SPID Code" Name="spidCode"
>>> />
>>>       </md:AttributeConsumingService>
>>>       <md:AttributeConsumingService index="1">
>>>          <md:ServiceName xml:lang="it">set1</md:ServiceName>
>>>          <md:RequestedAttribute FriendlyName="Nome" Name="name" />
>>>          <md:RequestedAttribute FriendlyName="Cognome" Name="familyName"
>>> />
>>>          <md:RequestedAttribute FriendlyName="Codice Fiscale"
>>> Name="fiscalNumber" />
>>>          <md:RequestedAttribute FriendlyName="Indirizzo mail"
>>> Name="email" />
>>>          <md:RequestedAttribute FriendlyName="SPID Code" Name="spidCode"
>>> />
>>>          <md:RequestedAttribute FriendlyName="Sesso" Name="gender" />
>>>          <md:RequestedAttribute FriendlyName="Data di nascita"
>>> Name="dateOfBirth" />
>>>          <md:RequestedAttribute FriendlyName="Luogo di nascita"
>>> Name="placeOfBirth" />
>>>       </md:AttributeConsumingService>
>>>       <md:AttributeConsumingService index="2">
>>>          <md:ServiceName xml:lang="it">set2</md:ServiceName>
>>>          <md:RequestedAttribute FriendlyName="Nome" Name="name" />
>>>          <md:RequestedAttribute FriendlyName="Cognome" Name="familyName"
>>> />
>>>          <md:RequestedAttribute FriendlyName="Codice Fiscale"
>>> Name="fiscalNumber" />
>>>          <md:RequestedAttribute FriendlyName="Indirizzo mail"
>>> Name="email" />
>>>          <md:RequestedAttribute FriendlyName="SPID Code" Name="spidCode"
>>> />
>>>          <md:RequestedAttribute FriendlyName="Sesso" Name="gender" />
>>>          <md:RequestedAttribute FriendlyName="Data di nascita"
>>> Name="dateOfBirth" />
>>>          <md:RequestedAttribute FriendlyName="Luogo di nascita"
>>> Name="placeOfBirth" />
>>>          <md:RequestedAttribute FriendlyName="Nazione di nascita"
>>> Name="countyOfBirth" />
>>>       </md:AttributeConsumingService>
>>>       <md:AttributeConsumingService index="3">
>>>          <md:ServiceName xml:lang="it">set3</md:ServiceName>
>>>          <md:RequestedAttribute FriendlyName="Nome" Name="name" />
>>>          <md:RequestedAttribute FriendlyName="Cognome" Name="familyName"
>>> />
>>>          <md:RequestedAttribute FriendlyName="Codice Fiscale"
>>> Name="fiscalNumber" />
>>>          <md:RequestedAttribute FriendlyName="Indirizzo mail"
>>> Name="email" />
>>>          <md:RequestedAttribute FriendlyName="SPID Code" Name="spidCode"
>>> />
>>>          <md:RequestedAttribute FriendlyName="Sesso" Name="gender" />
>>>          <md:RequestedAttribute FriendlyName="Data di nascita"
>>> Name="dateOfBirth" />
>>>          <md:RequestedAttribute FriendlyName="Luogo di nascita"
>>> Name="placeOfBirth" />
>>>          <md:RequestedAttribute FriendlyName="Nazione di nascita"
>>> Name="countyOfBirth" />
>>>          <md:RequestedAttribute FriendlyName="Cellulare"
>>> Name="mobilePhone" />
>>>       </md:AttributeConsumingService>
>>>       <md:AttributeConsumingService index="4">
>>>          <md:ServiceName xml:lang="it">set4</md:ServiceName>
>>>          <md:RequestedAttribute FriendlyName="Nome" Name="name" />
>>>          <md:RequestedAttribute FriendlyName="Cognome" Name="familyName"
>>> />
>>>          <md:RequestedAttribute FriendlyName="Codice Fiscale"
>>> Name="fiscalNumber" />
>>>          <md:RequestedAttribute FriendlyName="SPID Code" Name="spidCode"
>>> />
>>>       </md:AttributeConsumingService>
>>>       <md:AttributeConsumingService index="5">
>>>          <md:ServiceName xml:lang="it">set5</md:ServiceName>
>>>          <md:RequestedAttribute FriendlyName="Nome" Name="name" />
>>>          <md:RequestedAttribute FriendlyName="Cognome" Name="familyName"
>>> />
>>>          <md:RequestedAttribute FriendlyName="Codice Fiscale"
>>> Name="fiscalNumber" />
>>>          <md:RequestedAttribute FriendlyName="SPID Code" Name="spidCode"
>>> />
>>>          <md:RequestedAttribute FriendlyName="Nome azienda"
>>> Name="companyName" />
>>>          <md:RequestedAttribute FriendlyName="Ufficio"
>>> Name="registeredOffice" />
>>>          <md:RequestedAttribute FriendlyName="Partita IVA"
>>> Name="ivaCode" />
>>>       </md:AttributeConsumingService>
>>>    </md:SPSSODescriptor>
>>>    <md:Organization>
>>>       <md:OrganizationName xml:lang="it">Service provider WSO2
>>> 590</md:OrganizationName>
>>>       <md:OrganizationDisplayName xml:lang="it">WSO2
>>> 590</md:OrganizationDisplayName>
>>>       <md:OrganizationURL xml:lang="it">https://localhost:9443/
>>> </md:OrganizationURL>
>>>    </md:Organization>
>>> </md:EntityDescriptor>
>>
>>
>> As you can see I have six AttributeConsumingService elements. So far so good...
>> the problem was how to solve this issue: let's suppose I have a Service
>> Provider registered inside WSO2 IS and let's suppose the application
>> related to this SP sends the AttributeConsumingService index in the SAML
>> request. How can I pass this AttributeConsumingService index on to the SAML
>> request that WSO2 sends to the external IdPs? I found only one way: to modify the
>>>
>>> org.wso2.carbon.identity.application.authenticator.samlsso.manager.DefaultSAML2SSOManager.buildAuthnRequest(HttpServletRequest,
>>> boolean, String, AuthenticationContext)
>>
>> method. Just after this instruction
>>
>>> //Get the inbound SAMLRequest
>>> AuthnRequest inboundAuthnRequest = getAuthnRequest(context);
>>
>>
>> I added the following code:
>>
>>> Integer attrConsServiceIndex =
>>>         inboundAuthnRequest.getAttributeConsumingServiceIndex();
>>> if (attrConsServiceIndex != null && attrConsServiceIndex > 0) {
>>>     if (log.isInfoEnabled()) {
>>>         log.info("Inbound SAML Request AttributeConsumingServiceIndex "
>>>                 + attrConsServiceIndex + " set in the outbound SAML auth request");
>>>     }
>>>     authRequest.setAttributeConsumingServiceIndex(attrConsServiceIndex);
>>> }
>>
>>
>> In this way, if the application handled by a Service Provider sends an
>> AttributeConsumingServiceIndex different from 0, this is set in the
>> AuthnRequest that WSO2 IS builds for the external IdP. I don't know if
>> there is a different way to solve it, but as far as I investigated this is
>> the only solution I found.
>>
>> Is this a proper way?
>>
>> If so... I hope you can use it and this can be useful to other people.
>>
>> Thank you
>> Angelo
>>
>
>
> --
> Farasath Ahamed
> Associate Technical Lead, WSO2 Inc.: http://wso2.com
> Mobile: +94777603866
> Blog: https://farasath.blogspot.com / https://medium.com/@farasath
> Twitter: @farazath619 <https://twitter.com/farazath619>
> <http://wso2.com/signature>

-- 
*Thanuja Lakmal*
Technical Lead
WSO2 Inc. http://wso2.com/
*lean.enterprise.middleware*
Mobile: +94715979891
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
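The forwarding Angelo describes, as an added stand-alone example that is not WSO2 Identity Server code and not the patch quoted above: a Python sketch that reads the AttributeConsumingServiceIndex from an inbound AuthnRequest, checks it against the indexes declared in the SP metadata the federated IdP was given, and only then copies it into the outbound AuthnRequest. The metadata and request samples are constructed (a two-service cut of the metadata shape posted in the thread); the issuer, destination and ACS URLs are placeholders; and, unlike the quoted patch, a declared index 0 is forwarded too. The reason for the allow-list: the inbound index originates from the application side, so an IS that forwards it verbatim would hand the IdP a value it may never have published.

```python
"""Forward a SAML2 AttributeConsumingServiceIndex from an inbound AuthnRequest
to the AuthnRequest sent to a federated IdP, accepting only indexes that the
SP metadata given to that IdP declares. Illustration only, not WSO2 IS code."""
import datetime
import uuid
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: two-service cut of the SP metadata shape from the thread.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://wso2_590_ai">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeConsumingService index="0">
      <md:ServiceName xml:lang="it">set0</md:ServiceName>
      <md:RequestedAttribute FriendlyName="Nome" Name="name"/>
      <md:RequestedAttribute FriendlyName="Cognome" Name="familyName"/>
      <md:RequestedAttribute FriendlyName="Codice Fiscale" Name="fiscalNumber"/>
    </md:AttributeConsumingService>
    <md:AttributeConsumingService index="1">
      <md:ServiceName xml:lang="it">set1</md:ServiceName>
      <md:RequestedAttribute FriendlyName="Nome" Name="name"/>
      <md:RequestedAttribute FriendlyName="Cognome" Name="familyName"/>
      <md:RequestedAttribute FriendlyName="Sesso" Name="gender"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample: the AuthnRequest an application sends to the IS, asking for set 1.
INBOUND_AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_inbound1" Version="2.0" IssueInstant="2019-10-28T22:41:00Z"
    AttributeConsumingServiceIndex="1">
  <saml:Issuer>http://app.example</saml:Issuer>
</samlp:AuthnRequest>"""


def declared_acs_indexes(metadata_xml: str) -> Dict[int, List[str]]:
    """Map each AttributeConsumingService index in the SP metadata to the attribute
    Names it requests. This is the allow-list for what may be forwarded."""
    # xml.etree does not fetch external entities; for production SAML parsing
    # still prefer a hardened parser such as defusedxml.
    root = ET.fromstring(metadata_xml)
    declared: Dict[int, List[str]] = {}
    for acs in root.iterfind(".//md:AttributeConsumingService", NS):
        declared[int(acs.get("index"))] = [
            ra.get("Name") for ra in acs.iterfind("md:RequestedAttribute", NS)]
    return declared


def inbound_acs_index(authn_request_xml: str) -> Optional[int]:
    """Read AttributeConsumingServiceIndex from an inbound AuthnRequest.
    The schema type is xs:unsignedShort, so anything else is rejected."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("not a samlp:AuthnRequest")
    raw = root.get("AttributeConsumingServiceIndex")
    if raw is None:
        return None
    if not (raw.isascii() and raw.isdigit()) or int(raw) > 65535:
        raise ValueError("AttributeConsumingServiceIndex is not an unsignedShort: %r" % raw)
    return int(raw)


def build_outbound_authn_request(issuer: str, destination: str, acs_url: str,
                                 index: Optional[int], declared: Dict[int, List[str]]) -> str:
    """Build the AuthnRequest for the federated IdP. The index is copied over only
    if the SP metadata the IdP holds declares it; an undeclared, client-supplied
    index is refused instead of being passed through."""
    attrs = {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        "AssertionConsumerServiceURL": acs_url,
    }
    if index is not None:
        if index not in declared:
            raise ValueError("AttributeConsumingServiceIndex %d is not declared in SP metadata" % index)
        attrs["AttributeConsumingServiceIndex"] = str(index)
    ET.register_namespace("samlp", NS["samlp"])
    ET.register_namespace("saml", NS["saml"])
    req = ET.Element("{%s}AuthnRequest" % NS["samlp"], attrs)
    ET.SubElement(req, "{%s}Issuer" % NS["saml"]).text = issuer
    return ET.tostring(req, encoding="unicode")


def forward(inbound_xml: str, metadata_xml: str, issuer: str, destination: str, acs_url: str) -> str:
    """Whole flow: parse the inbound request, load the allow-list, build the outbound request."""
    return build_outbound_authn_request(issuer, destination, acs_url,
                                        inbound_acs_index(inbound_xml),
                                        declared_acs_indexes(metadata_xml))


if __name__ == "__main__":
    # Placeholder URLs; the outbound request would still need to be signed
    # (AuthnRequestsSigned="true" in the metadata) before it is sent.
    print(forward(INBOUND_AUTHN_REQUEST, SP_METADATA, "http://wso2_590_ai",
                  "https://idp.example/sso", "https://localhost:9443/commonauth"))
```

Signing and the HTTP-POST encoding are left out; in the IS they happen after buildAuthnRequest, which is the step the patch above touches.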
