How to pass a parameter with an SP-initiated SSO request.

Hello,

I have to pass one parameter with my SP-initiated SAML Request to initiate SSO. Is it possible to pass a parameter as a query string, or is there any other way to pass a parameter to my
IdP at the time of initiating SSO? If yes, then can someone provide a sample code block for the same?

Thanks,
Vaibhav S

The SAMLServiceProvider.InitiateSSO includes an overload that takes the SSO service URL as a parameter. Use this overload to include query string parameters etc.


/// <summary>
/// Initiates single sign-on from the service provider to the identity provider (ie. SP-initiated SSO).
/// </summary>
/// <remarks>
/// An authn request is sent to the identity provider.
/// </remarks>
/// <param name="httpResponse">The HTTP response.</param>
/// <param name="relayState">The relay state or null if none.</param>
/// <param name="partnerIdP">The partner identity provider name or null.</param>
/// <param name="ssoOptions">The SSO options or null.</param>
/// <param name="assertionConsumerServiceUrl">The assertion consumer service URL or null if the configured URL is to be used.</param>
/// <param name="singleSignOnServiceUrl">The single sign-on service URL or null if the configured URL is to be used.</param>
/// <exception>Thrown when the single sign-on fails.</exception>
public static void InitiateSSO(HttpResponse httpResponse, string relayState, string partnerIdP, SSOOptions ssoOptions, string assertionConsumerServiceUrl, string singleSignOnServiceUrl)

For example:


SAMLServiceProvider.InitiateSSO(Response, null, partnerIdP, null, null, "https://www.idp.com/SAML/SSOService.aspx?abc=123");

In which version was this implemented? I am looking to use this.

We have 2.5.0.20 for SAML v2.0 for .NET4.

Thanks.

Leo

Hi Leo
This change was released in July 2015. It’s available in v2.6.0.7 and above.

[quote]
ComponentSpace - 7/27/2015
The SAMLServiceProvider.InitiateSSO includes an overload that takes the SSO service URL as a parameter. Use this overload to include query string parameters etc.


/// <summary>
/// Initiates single sign-on from the service provider to the identity provider (ie. SP-initiated SSO).
/// </summary>
/// <remarks>
/// An authn request is sent to the identity provider.
/// </remarks>
/// <param name="httpResponse">The HTTP response.</param>
/// <param name="relayState">The relay state or null if none.</param>
/// <param name="partnerIdP">The partner identity provider name or null.</param>
/// <param name="ssoOptions">The SSO options or null.</param>
/// <param name="assertionConsumerServiceUrl">The assertion consumer service URL or null if the configured URL is to be used.</param>
/// <param name="singleSignOnServiceUrl">The single sign-on service URL or null if the configured URL is to be used.</param>
/// <exception>Thrown when the single sign-on fails.</exception>
public static void InitiateSSO(HttpResponse httpResponse, string relayState, string partnerIdP, SSOOptions ssoOptions, string assertionConsumerServiceUrl, string singleSignOnServiceUrl)

For example:


SAMLServiceProvider.InitiateSSO(Response, null, partnerIdP, null, null, "https://www.idp.com/SAML/SSOService.aspx?abc=123");
[/quote]

Hi. If we added an additional parameter to singleSignOnServiceUrl, we faced an error. The problem is that the URL can be modified, but the Destination field shall not be changed.
Example:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_556f2422-43a5-4ec4-866f-a6ca22521b33" Version="2.0" IssueInstant="2018-10-24T10:13:41.44Z" Destination="https://idp-server/idp?username=someuser@email.com" ForceAuthn="true" IsPassive="false" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://sp-server.com/AssertionConsumerService">
https://sp-server.com


Originally, the Destination was: Destination="https://idp-server/idp"
But on calling SAMLServiceProvider.InitiateSSO(HttpContext.Current.Response, null, IdP, null, null, loginUrl); loginUrl was set to 'https://idp-server/idp?username=someuser@email.com'
So, the question is: how to send an additional parameter and NOT change Destination?

As per the SAML specification, we set the destination field to the URL that the authn request is being sent to.
Just to confirm, you want to specify the singleSignOnServiceUrl parameter to SAMLServiceProvider.InitiateSSO but not have the destination field set to this value?
If so, this is a little unusual. May I ask why you wish to do this?

[quote]
ComponentSpace - 10/29/2018
As per the SAML specification, we set the destination field to the URL that the authn request is being sent to.
Just to confirm, you want to specify the singleSignOnServiceUrl parameter to SAMLServiceProvider.InitiateSSO but not have the destination field set to this value?
If so, this is a little unusual. May I ask why you wish to do this?

[/quote]

Correct. We need to add the username to the authn request to be able to prefill the username on the IdP.
It's requested by our client to NOT change 'Destination' but to send the username.

[quote]we set the destination field to the URL that the authn request is being sent to.[/quote]
But 'SAMLRequest' is also added to this URL without changing 'Destination':
https://idp-server.com//idp?username=somename@email.com&SAMLRequest=XXXXXX

1. [quote]As per the SAML specification,[/quote]
If possible, can you point to the exact SAML specification where it's described?

2. Is there any other way to send the username to the IdP? The client uses 'mobileiron' as middleware.


The correct way, as per the SAML specification, to send the user’s name is in the actual SAML authn request.
There’s a SAMLServiceProvider.InitiateSSO overload that takes an SSOOptions object.
If you use this overload and specify the SSOOptions.RequestedUserName property, this will be included as the SAML subject NameID in the authn request.

[quote]
ComponentSpace - 10/30/2018
The correct way, as per the SAML specification, to send the user's name is in the actual SAML authn request.
There's a SAMLServiceProvider.InitiateSSO overload that takes an SSOOptions object.
If you use this overload and specify the SSOOptions.RequestedUserName property, this will be included as the SAML subject NameID in the authn request.
[/quote]

In which version was the RequestedUserName property implemented? My library v2.6.0.13 doesn't have it.

It was added in v2.8.8.
Please contact sales@componentspace.com to discuss upgrade options.