Authorization implementation - The basics

Hi there,

I’m currently evaluating ComponentSpace SAML for implementing an IdP. Very pleased with the straight forward SSO integration. Now I have to setup an AuthzDecisionQuery fonctionnality and I’m getting a hard time doing it.

Here is the way I understand this, high-level:
1- SP will send an AuthzDecisionQuery to my ACS url
2- I will respond with a SAMLResponse that includes an AuthzDecisionStatement assertion

My questions:
1- Is that correct?
2- Is there an example of that somewhere?
3- If no example, do I have to fill manualy every field of the SAML response or if there is a way to make it prefilled, based on the SP request who is asking the AuthzDecisionQuery? Similar to SAMLIdentityProvider.SendSSO() who pre-fill all the data possible based on the request received.

Don’t assume that I understand well SAML. I’m beginning to work with it. Same thing with your SAML component.


Hi Yannick,

The Assertion Query/Request profile, which includes the AuthzDecisionQuery, is not commonly used. We support it but through our SAML low-level API only.

In response to your questions:

1. Yes. For more information, I suggest taking a look at the “Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0” specification.

2. I’m afraid we don’t have a specific example of this. I suggest taking a look at our SAML2IdentityProvider example project under the LowLevelAPI folder. The SSOService.aspx page includes a CreateSAMLResponse method that demonstrates constructing a SAML response using the low-level API.

3. You would have to construct the SAML response yourself using the low-level API.

We’re happy to assist you getting this working. You’re welcome to contact us at