IdP initiated SSO with multiple attribute statements?

I have a vendor who wants the attributes to look like this:

<saml:AttributeStatement>
    <saml:Attribute Name="X1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" FriendlyName="Y1" />
</saml:AttributeStatement>
<saml:AttributeStatement>
    <saml:Attribute Name="X2" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" FriendlyName="Y2" />
</saml:AttributeStatement>


But using SAMLIdentityProvider.InitiateSSO, I only seem to be able to get the attributes to be all in one AttributeStatement like this:

<saml:AttributeStatement>
    <saml:Attribute Name="X1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" FriendlyName="Y1" />
    <saml:Attribute Name="X2" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" FriendlyName="Y2" />
</saml:AttributeStatement>

Am I missing some obvious way to make multiple statements or do I need to dig into the low-level APIs?

Thank you!
Ron

Hi Ron
Although both forms are valid it’s more common to have a single attribute statement containing multiple attributes rather than an attribute statement per attribute.
It’s surprising that the service provider can’t handle either approach.
Did they state why they need multiple attribute statements?
I would double check that this is actually required by them.
If they insist then you have a couple of options.
You could revert to the SAML low-level API but a better option is to register an ISAMLObserver and modify the SAML assertion prior to it being sent.
Under the ComponentSpace.SAML2.Notifications namespace, you’ll find an ISAMLObserver interface.
There’s also an AbstractSAMLObserver base class.
You can derive a class from this that implements the OnSAMLAssertionCreated method.

using ComponentSpace.SAML2.Assertions;
using ComponentSpace.SAML2.Notifications;

public class MySAMLObserver : AbstractSAMLObserver
{
    /// <summary>
    /// Notifies the observer that a SAML assertion has been created.
    ///
    /// The observer may return an updated SAML assertion.
    /// </summary>
    /// <param name="partnerName">The partner name.</param>
    /// <param name="samlAssertion">The SAML assertion.</param>
    /// <returns>The SAML assertion.</returns>
    public override SAMLAssertion OnSAMLAssertionCreated(string partnerName, SAMLAssertion samlAssertion)
    {
        // TODO - manipulate the SAML attribute statements as required.

        return samlAssertion;
    }
}


You register your class as follows. A good place to do this is at application start-up.

SAMLObservable.Subscribe(new MySAMLObserver());

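As an added example (not code from the original reply or from ComponentSpace), the observer below fills in the TODO above: it takes the single attribute statement the library produces and replaces it with one AttributeStatement per Attribute, but only for the one partner that insists on that layout, so every other service provider keeps the default. The partner name "https://sp.example.com" is a placeholder, and the example assumes that SAMLAssertion.Statements and AttributeStatement.Attributes are modifiable collections, as they are used in the library's own sample code. Reshaping the assertion in this hook, rather than after the fact, matters because the returned assertion is what the library goes on to serialize and sign; rearranging statements in an already-signed assertion would invalidate its signature.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using ComponentSpace.SAML2.Assertions;
using ComponentSpace.SAML2.Notifications;

// Added example, not part of ComponentSpace: emits one <saml:AttributeStatement>
// per <saml:Attribute> for a single partner, leaving all other partners untouched.
public class OneStatementPerAttributeObserver : AbstractSAMLObserver
{
    // Only this partner gets the split layout (assumed placeholder name when registered).
    private readonly string targetPartnerName;

    public OneStatementPerAttributeObserver(string targetPartnerName)
    {
        if (string.IsNullOrEmpty(targetPartnerName))
        {
            throw new ArgumentException("A partner name is required.", nameof(targetPartnerName));
        }

        this.targetPartnerName = targetPartnerName;
    }

    public override SAMLAssertion OnSAMLAssertionCreated(string partnerName, SAMLAssertion samlAssertion)
    {
        // Leave assertions for every other service provider exactly as created.
        if (samlAssertion == null ||
            !string.Equals(partnerName, targetPartnerName, StringComparison.OrdinalIgnoreCase))
        {
            return samlAssertion;
        }

        // Snapshot the existing attribute statements (normally exactly one) before
        // modifying the Statements collection.
        List<AttributeStatement> existing = samlAssertion.Statements
            .OfType<AttributeStatement>()
            .ToList();

        if (existing.Count == 0)
        {
            return samlAssertion;
        }

        // Flatten every attribute in the order the IdP produced it; an attribute
        // keeps its Name, NameFormat, FriendlyName and values unchanged.
        List<SAMLAttribute> attributes = existing
            .SelectMany(statement => statement.Attributes)
            .ToList();

        foreach (AttributeStatement statement in existing)
        {
            samlAssertion.Statements.Remove(statement);
        }

        // Other statements (e.g. the AuthnStatement) stay in place; the new
        // single-attribute statements are appended after them.
        foreach (SAMLAttribute attribute in attributes)
        {
            AttributeStatement single = new AttributeStatement();
            single.Attributes.Add(attribute);
            samlAssertion.Statements.Add(single);
        }

        return samlAssertion;
    }
}

// Register once at application start-up (e.g. Application_Start); the partner
// name is a placeholder and must match the partner service provider's name.
// SAMLObservable.Subscribe(new OneStatementPerAttributeObserver("https://sp.example.com"));
```

Keying the observer on the partner name is the important part: an unconditional rewrite would silently change the assertion layout for every service provider the IdP talks to, not just the one that asked for it.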

Thank you very much for the feedback and assistance! I was able to sort this out with the vendor and you were right; despite documentation that claimed they needed one attribute statement per attribute, they in fact required a single attribute statement. Everything’s working great now. Thank you for the quick response!

You’re welcome!