How to Add AttributeStatement into saml assertion?

Hi, I want to add AttributeStatement when initiate SSO.
This is my code to initiate SSO

string partnerIdP = WebConfigurationManager.AppSettings[AppSettings.PartnerIdPTest];
SAMLServiceProvider.InitiateSSO(Response, null, partnerIdP);

I know how to create attribute statement, but I don’t know how to add it to the request.

AttributeStatement attStatement = new AttributeStatement();
attStatement.Attributes.Add(new SAMLAttribute(“Level”, SAMLIdentifiers.AttributeNameFormats.Basic, “Level”, “Medium”));

Can it be done or I’m I doing something wrong?

The SAML specification doesn’t directly support a SAML attribute statement being included in the SAML authn request.

SAMLServiceProvider.InitiateSSO creates and sends a SAML authn request to the IdP. SAMLServiceProvider.ReceiveSSO receives and processes the SAML response from the IdP. The SAML response contains a SAML assertion which may contain SAML attribute statements.

If you’re acting as the IdP you can include SAML attributes when you call SAMLIdentityProvider.InitiateSSO or SAMLIdentityProvider.ReceiveSSO.

I want to add extra data to SAML assertion. I thought this can be done using attribute statement. Since I’m acting as Service provider is there a way to add extra data to SAML authn request?

If you were the identity provider you can add extra data (ie SAML attributes) to the SAML assertion sent to the service provider.

However, as you’re the service provider, you’re limited to what you can add to the SAML authn request sent to the identity provider.

What type of extra data do you wish to add to the SAML authn request?

Will the identity provider understand this extra data?

The data is a string or key-value. The identity provider should be able to read it and do some actions while authenticate the user.

Could it be added as a query string parameter to the URL where the authn request is sent?

There isn’t any standard field in the SAML authn request to send arbitrary key-value data. There is an extensions child element of the authn request that supports arbitrary XML. However, you would have to use the SAML low-level API to access this. Also, many identity providers would simply ignore the extensions. You would have to ensure the identity provider knows how and where to access this non-standard information.

I will try adding query string parameter and see if it will work or not. But can it be done with high level api? The url is inside saml.config, How can I add query parameter?

There’s a SAMLServiceProvider.InitiateSSO overload that takes a singleSignOnServiceUrl. If specified, this is used is used instead of the configured URL.


/// Initiates single sign-on from the service provider to the identity provider (ie. SP-initiated SSO).
/// An authn request is sent to the identity provider.

/// The HTTP response.
/// The relay state or null if none.
/// The partner identity provider name or null.
/// The SSO options or null.
/// The assertion consumer service URL or null if the configured URL is to be used.
/// The single sign-on service URL or null if the configured URL is to be used.
/// Thrown when the single sign-on fails.
public static void InitiateSSO(HttpResponseBase httpResponse, string relayState, string partnerIdP, SSOOptions ssoOptions, string assertionConsumerServiceUrl, string singleSignOnServiceUrl)

For example:

SAMLServiceProvider.InitiateSSO(Response, null, partnerIdP, null, null, singleSignOnServiceUrl);