  • Adding SAML 2.0 <Extensions> to <AuthnRequest>

    Hello,

    The SAML 2.0 standard added an "Extensions" element inside the AuthnRequest message, supposedly to enable passing additional arbitrary data elements from the SP to the IdP as part of the request.


    For example, let's pass an element <MyCustomElement> in the following AuthnRequest example:


    Code:
    <samlp:AuthnRequest>
       ....
       <samlp:Extensions>
          <MyCustomElement myAttribute="myValue" xmlns="mydomain.com/saml" />
       </samlp:Extensions>
       ....
    </samlp:AuthnRequest>

    I've gone through spring-security-saml documentation but could not locate a way to add such custom elements. Is this supported at all? If not, I'd be grateful if someone would point out the proper approach to implement this requirement without compromising future compatibility with spring-security-saml updates.

    Many thanks in advance for any thoughts or assistance.

    Shahto

  • #2
    Hello,

    You can customize the WebSSOProfile implementation, e.g. like this:

    Code:
    package example;
    
    import org.opensaml.common.SAMLException;
    import org.opensaml.saml2.common.Extensions;
    import org.opensaml.saml2.common.impl.ExtensionsBuilder;
    import org.opensaml.saml2.core.AuthnRequest;
    import org.opensaml.saml2.metadata.AssertionConsumerService;
    import org.opensaml.saml2.metadata.SingleSignOnService;
    import org.opensaml.saml2.metadata.provider.MetadataProviderException;
    import org.opensaml.xml.schema.XSAny;
    import org.opensaml.xml.schema.impl.XSAnyBuilder;
    import org.springframework.security.saml.context.SAMLMessageContext;
    import org.springframework.security.saml.websso.WebSSOProfileImpl;
    import org.springframework.security.saml.websso.WebSSOProfileOptions;
    
    import javax.xml.namespace.QName;
    
    /**
     * Customization of the AuthnRequest generation which includes an Extensions element.
     */
    public class WebSSOProfile extends WebSSOProfileImpl {
    
        @Override
        protected AuthnRequest getAuthnRequest(SAMLMessageContext context, WebSSOProfileOptions options, AssertionConsumerService assertionConsumer, SingleSignOnService bindingService) throws SAMLException, MetadataProviderException {
            // Let the default implementation build the request, then attach the Extensions element.
            AuthnRequest authnRequest = super.getAuthnRequest(context, options, assertionConsumer, bindingService);
            authnRequest.setExtensions(buildExtensions());
            return authnRequest;
        }
    
        protected Extensions buildExtensions() {
            // The no-argument builder creates the element in the SAML metadata namespace (md:Extensions),
            // which is what the serialized output below shows.
            Extensions extensions = new ExtensionsBuilder().buildObject();
            // XSAny carries arbitrary XML: here an element "Policy" in a custom namespace with prefix "policy".
            XSAny policyClass1 = new XSAnyBuilder().buildObject("http://www.v7security.com/schema/2010/10/ext", "Policy", "policy");
            policyClass1.setTextContent("urn:vsec:type:policy:consent");
            // Unprefixed attribute policyAttribute="value" on the custom element.
            policyClass1.getUnknownAttributes().put(new QName("policyAttribute"), "value");
            extensions.getUnknownXMLObjects().add(policyClass1);
            return extensions;
        }
    
    }
    The code will add the following Extensions element to the request:

    Code:
    <md:Extensions xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"><policy:Policy policyAttribute="value" xmlns:policy="http://www.v7security.com/schema/2010/10/ext">urn:vsec:type:policy:consent</policy:Policy></md:Extensions>
    You of course need to change the webSSOprofile bean in your configuration to the new implementation.

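A note on namespaces, with an added example that is not code from the reply above nor from spring-security-saml itself. The SAML 2.0 protocol schema defines the Extensions child of AuthnRequest in the samlp namespace (urn:oasis:names:tc:SAML:2.0:protocol), whereas the no-argument ExtensionsBuilder produces md:Extensions in the metadata namespace, as the serialized output in the reply shows. An IdP that schema-validates incoming requests can reject that. The subclass below builds the element with the protocol namespace passed explicitly, carries the <MyCustomElement myAttribute="myValue"/> from the question, and adds a helper for a unit test. The class name ProtocolExtensionsWebSSOProfile, the namespace http://example.org/saml/ext, the prefix ext and the helper extensionsInProtocolNamespace are assumptions for this example.

```java
package example;

import javax.xml.namespace.QName;

import org.opensaml.common.SAMLException;
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.common.Extensions;
import org.opensaml.saml2.common.impl.ExtensionsBuilder;
import org.opensaml.saml2.core.AuthnRequest;
import org.opensaml.saml2.metadata.AssertionConsumerService;
import org.opensaml.saml2.metadata.SingleSignOnService;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.xml.schema.XSAny;
import org.opensaml.xml.schema.impl.XSAnyBuilder;
import org.springframework.security.saml.context.SAMLMessageContext;
import org.springframework.security.saml.websso.WebSSOProfileImpl;
import org.springframework.security.saml.websso.WebSSOProfileOptions;

/**
 * WebSSOProfile that adds a samlp:Extensions element (protocol namespace, as the SAML 2.0
 * protocol schema requires) carrying one custom element to every AuthnRequest.
 * Example code written for this thread; class name, namespace and prefix are assumptions.
 */
public class ProtocolExtensionsWebSSOProfile extends WebSSOProfileImpl {

    /** Assumed namespace and prefix for the custom element; replace with your own. */
    public static final String CUSTOM_NS = "http://example.org/saml/ext";
    public static final String CUSTOM_PREFIX = "ext";

    @Override
    protected AuthnRequest getAuthnRequest(SAMLMessageContext context, WebSSOProfileOptions options,
            AssertionConsumerService assertionConsumer, SingleSignOnService bindingService)
            throws SAMLException, MetadataProviderException {
        AuthnRequest authnRequest = super.getAuthnRequest(context, options, assertionConsumer, bindingService);
        authnRequest.setExtensions(buildExtensions());
        return authnRequest;
    }

    /** Builds <samlp:Extensions><ext:MyCustomElement myAttribute="myValue"/></samlp:Extensions>. */
    protected Extensions buildExtensions() {
        // Pass the protocol namespace explicitly: the no-argument buildObject() defaults to the
        // metadata namespace and yields md:Extensions, which is not valid inside an AuthnRequest.
        Extensions extensions = new ExtensionsBuilder().buildObject(
                SAMLConstants.SAML20P_NS, Extensions.LOCAL_NAME, SAMLConstants.SAML20P_PREFIX);

        // XSAny holds arbitrary XML content; this is the element from the question.
        XSAny custom = new XSAnyBuilder().buildObject(CUSTOM_NS, "MyCustomElement", CUSTOM_PREFIX);
        custom.getUnknownAttributes().put(new QName("myAttribute"), "myValue");
        extensions.getUnknownXMLObjects().add(custom);
        return extensions;
    }

    /**
     * Check for a unit test (assumed helper): true only when the request carries an Extensions
     * element whose qualified name is in the SAML 2.0 protocol namespace.
     */
    public static boolean extensionsInProtocolNamespace(AuthnRequest request) {
        Extensions ext = request.getExtensions();
        return ext != null
                && SAMLConstants.SAML20P_NS.equals(ext.getElementQName().getNamespaceURI())
                && Extensions.LOCAL_NAME.equals(ext.getElementQName().getLocalPart());
    }
}
```

Wire it in by pointing the webSSOprofile bean of the sample configuration at this class, e.g. `<bean id="webSSOprofile" class="example.ProtocolExtensionsWebSSOProfile"/>`. Two practical caveats: the content of Extensions is only bound to your SP when the AuthnRequest is signed, so an IdP must treat extension data in unsigned requests as untrusted input and never base an authorization decision on it; and because XSAny accepts arbitrary content, keep the custom element free of anything the IdP would echo back unescaped.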