Question about receiving Attributes

Using the example high level service provider web forms API, I'm configuring my existing membership provider web app to authenticate against an IDP.
I'm looking through the lens that there are two levels of authentication, one with the IDP and then one with our application (the user has to have a profile).

I’m consuming an IDP’s attributes into a dictionary, one of which is the user’s email:
IDictionary<string, string> attributes = null;
SAMLServiceProvider.ReceiveSSO(Request, out isInResponseTo, out partnerIdP, out authnContext, out userName, out attributes, out targetUrl);
Session[AttributesSessionKey] = attributes;

I’m later referencing those attributes on my SSO page:
IDictionary<string, string> attributes = (IDictionary<string, string>)Session[SAML.AssertionConsumerService.AttributesSessionKey];

Because the username of the IDP is not necessarily the username of my membership provider authentication, I want to pull out the email attribute and validate it against my membership provider.
I'm confused about the name of the attribute vs the friendly name.

Using:
attributes.TryGetValue("email", out string userName);

If they have a friendly name of email and a name of urn:oid:0.9.2342.19200300.100.1.3; will I be able to search for email as the attribute name?
Apologies, this is probably more a matter of understanding how ReceiveSSO is storing the attributes in the IDictionary<string, string> attributes variable…


SAMLServiceProvider.ReceiveSSO includes an overload that returns an IDictionary<string, string> of SAML attribute names and values.
There’s also an overload that returns a SAMLAttribute array.
The IDictionary overload is provided for convenience as in most cases you simply want the SAML attribute names and values.
If you need more information, such as the SAML attribute friendly name, you need to call the overload that returns a SAMLAttribute array.
For example:

var samlAttribute = samlAttributes.SingleOrDefault(a => a.FriendlyName == "email");
// SingleOrDefault returns null when no attribute carries that friendly name
var emailAddress = samlAttribute?.ToString();


The other option is for your application to keep an internal mapping of friendly names (eg. email) to actual names (eg urn:oid:0.9.2342.19200300.100.1.3).
You can then access the attributes through the IDictionary.
For example:

IDictionary<string, string> attributeNameMapping = new Dictionary<string, string>()
{
{ "email", "urn:oid:0.9.2342.19200300.100.1.3" }
};

attributes.TryGetValue(attributeNameMapping["email"], out string emailAddress);

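Combining the two suggestions above into one routine, as an added example that is not ComponentSpace's code: the dictionary that ReceiveSSO returns is keyed by the attribute Name the IdP actually sends (not the friendly name), so the mapping here is selected by the `partnerIdP` value ReceiveSSO also returns, and the resolved e-mail is then checked against the local membership store. The partner IdP names, the sample attributes and the `lookupUserByEmail` delegate are constructed for the demo.

```csharp
using System;
using System.Collections.Generic;

// Added example, not ComponentSpace's own code. Resolves the e-mail attribute from the
// IDictionary<string, string> returned by ReceiveSSO using a per-partner-IdP attribute Name.
public static class EmailAttributeResolver
{
    // Attribute Name each partner IdP sends for e-mail (partner names are constructed).
    private static readonly IDictionary<string, string> EmailAttributeByPartner =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "https://shibboleth.example.edu/idp", "urn:oid:0.9.2342.19200300.100.1.3" },
            { "http://adfs.example.com/adfs/services/trust",
              "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" }
        };

    // Returns the asserted e-mail, or null when the partner is unknown or the attribute is absent/empty.
    public static string ResolveEmail(string partnerIdP, IDictionary<string, string> attributes)
    {
        if (partnerIdP == null || attributes == null) return null;
        if (!EmailAttributeByPartner.TryGetValue(partnerIdP, out string attributeName)) return null;
        if (!attributes.TryGetValue(attributeName, out string email) || string.IsNullOrWhiteSpace(email))
            return null;
        return email.Trim();
    }

    // Second level of authentication: the asserted e-mail must map to an existing local profile.
    // 'lookupUserByEmail' stands in for the membership provider lookup (assumed delegate).
    public static string ResolveLocalUser(string partnerIdP, IDictionary<string, string> attributes,
                                          Func<string, string> lookupUserByEmail)
    {
        string email = ResolveEmail(partnerIdP, attributes);
        return email == null ? null : lookupUserByEmail(email);
    }

    public static void Main()
    {
        // Constructed sample of what ReceiveSSO might place in 'attributes' for a Shibboleth IdP.
        var attributes = new Dictionary<string, string>
        {
            { "urn:oid:0.9.2342.19200300.100.1.3", "alice@example.edu" }
        };
        // Constructed stand-in for the membership database: e-mail -> local user name.
        var localProfiles = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "alice@example.edu", "alice.local" }
        };
        Func<string, string> lookup = e => localProfiles.TryGetValue(e, out string u) ? u : null;
        Console.WriteLine(ResolveLocalUser("https://shibboleth.example.edu/idp", attributes, lookup) ?? "no local profile");
    }
}
```

When the IdP sends the attribute under a different Name (for example plain "email"), ResolveEmail returns null and no local user is signed in, which is the failure mode to log rather than fall back to the IdP's user name.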

[quote]
ComponentSpace - 7/10/2018
SAMLServiceProvider.ReceiveSSO includes an overload that returns an IDictionary<string, string> of SAML attribute names and values.
There's also an overload that returns a SAMLAttribute array.
The IDictionary overload is provided for convenience as in most cases you simply want the SAML attribute names and values.
If you need more information, such as the SAML attribute friendly name, you need to call the overload that returns a SAMLAttribute array.
For example:

var samlAttribute = samlAttributes.SingleOrDefault(a => a.FriendlyName == "email");
// SingleOrDefault returns null when no attribute carries that friendly name
var emailAddress = samlAttribute?.ToString();


The other option is for your application to keep an internal mapping of friendly names (eg. email) to actual names (eg urn:oid:0.9.2342.19200300.100.1.3).
You can then access the attributes through the IDictionary.
For example:

IDictionary<string, string> attributeNameMapping = new Dictionary<string, string>()
{
{ "email", "urn:oid:0.9.2342.19200300.100.1.3" }
};

attributes.TryGetValue(attributeNameMapping["email"], out string emailAddress);


[/quote]

Thanks!

Is this always static? Does "urn:oid:0.9.2342.19200300.100.1.3" always represent email?

No.
The URN is an LDAP object ID.
https://ldap.com/ldap-oid-reference-guide/
This is used by Shibboleth and some other identity providers.
ADFS uses http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress.
Other IdPs might use email etc.

[quote]
ComponentSpace - 7/12/2018
No.
The URN is an LDAP object ID.
https://ldap.com/ldap-oid-reference-guide/
This is used by Shibboleth and some other identity providers.
ADFS uses http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress.
Other IdPs might use email etc.
[/quote]

Thx!

You’re welcome.