SAMLAttribute availability in Get Partner Identity Provider Configuration implementation

Is it possible to access the SAML Attributes in the implementation of GetPartnerIdentityProviderConfiguration?

It’s not something we directly support.

Could you explain your use case? Why do you need to access the SAML attributes in order to return the SAML partner identity provider configuration?

We operate a multi-tenant website and many of our clients are using SSO. We are moving from an older SSO library that is the equivalent of your “low-level” API. We are moving to your “high-level” API. Most of our clients use commercial public ID providers (we only implement the SP). Some of them are using the same IdPs. The domain from the provider does not match our client’s domain (provider.com vs. client.com). When one of our clients has this case, they provide an attribute that says I am client.com, not provider.com. As we transition to ComponentSpace, we are trying to keep our clients’ coding changes to a minimum.

Thank you.

Thanks for the explanation.

We require the SAML configuration in order to process the SAML response and make SAML attributes etc available to the application. There isn’t a simple way to retrieve a SAML attribute prior to retrieving the SAML configuration without invoking our low-level API. It would be even more problematic if the SAML assertion was encrypted.

If two of your clients are using the same IdP (e.g. Azure AD/Entra ID), that shouldn’t be an issue as they will have unique configurations including partner names (aka entity IDs).

You don’t need to rely on domain names to identify the client IdPs. There shouldn’t be any code changes required at the client.

The call to GetPartnerIdentityProviderConfiguration includes a partnerName parameter. This should uniquely identify the client IdPs. For example, if two of your clients are using Entra ID, one partnerName might be “https://sts.windows.net/44b203cf-9fad-4699-92c8-1b5a9078574d/” and the other might be “https://sts.windows.net/bde07e90-b1ac-46ff-8061-d6fa8be96ad2/”.

It’s this partner name that should be used to uniquely identify client IdPs rather than any SAML attribute.
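As an added illustration of the approach described in the answer above (this is example code, not ComponentSpace's own code or anything the poster wrote), the resolver below keys the tenant lookup on the partnerName passed to the configuration callback rather than on any SAML attribute. It assumes the ASP.NET Core edition of the library: an AbstractSamlConfigurationResolver base class with an overridable GetPartnerIdentityProviderConfigurationAsync(configurationName, partnerName), a PartnerIdentityProviderConfiguration type with Name, SingleSignOnServiceUrl, WantAssertionSigned and PartnerCertificates properties, and a Certificate type with a FileName property. Those names, and the registration call in the note that follows, should be checked against the version in use; the two Entra ID issuer URLs are the ones quoted in the answer and the tenant registry is constructed sample data.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using ComponentSpace.Saml2.Configuration;
using ComponentSpace.Saml2.Configuration.Resolver;

// Added example, not ComponentSpace's code. The base class, configuration types
// and member names below are assumed from the ASP.NET Core edition of the library.
public sealed class TenantSamlConfigurationResolver : AbstractSamlConfigurationResolver
{
    // One record per client tenant, keyed by the partner name, i.e. the IdP entity ID
    // that appears as the Issuer of the SAML response and assertion.
    public sealed record TenantIdp(string Tenant, string SingleSignOnServiceUrl, string CertificateFile);

    // Constructed sample registry; in production this would come from the tenant database.
    // Two clients on Entra ID have distinct tenant-specific issuer URLs, so the partner
    // name alone tells them apart and no SAML attribute needs to be consulted.
    private static readonly IReadOnlyDictionary<string, TenantIdp> Registry =
        new Dictionary<string, TenantIdp>(StringComparer.Ordinal)
        {
            ["https://sts.windows.net/44b203cf-9fad-4699-92c8-1b5a9078574d/"] =
                new TenantIdp("client-a.com",
                    "https://login.microsoftonline.com/44b203cf-9fad-4699-92c8-1b5a9078574d/saml2",
                    "certs/client-a-idp.cer"),
            ["https://sts.windows.net/bde07e90-b1ac-46ff-8061-d6fa8be96ad2/"] =
                new TenantIdp("client-b.com",
                    "https://login.microsoftonline.com/bde07e90-b1ac-46ff-8061-d6fa8be96ad2/saml2",
                    "certs/client-b-idp.cer"),
        };

    // Pure lookup, kept separate so it can be unit tested without the library.
    // Returns null for an unknown partner name: an unexpected Issuer must never
    // fall back to a default tenant.
    public static TenantIdp? FindTenant(string partnerName) =>
        Registry.TryGetValue(partnerName, out var tenant) ? tenant : null;

    public override Task<PartnerIdentityProviderConfiguration> GetPartnerIdentityProviderConfigurationAsync(
        string configurationName, string partnerName)
    {
        // Rejecting unknown names here stops the library before it tries to validate
        // a response from an IdP this service provider has no trust relationship with.
        var tenant = FindTenant(partnerName)
            ?? throw new InvalidOperationException($"Unknown SAML partner identity provider: {partnerName}");

        var configuration = new PartnerIdentityProviderConfiguration
        {
            Name = partnerName,
            SingleSignOnServiceUrl = tenant.SingleSignOnServiceUrl,
            // Require the assertion itself to be signed so the attributes the application
            // reads afterwards are covered by this tenant's IdP signing certificate.
            WantAssertionSigned = true,
            PartnerCertificates = new List<Certificate>
            {
                new Certificate { FileName = tenant.CertificateFile }
            }
        };

        return Task.FromResult(configuration);
    }

    // Lets the host enumerate partners, e.g. to build an IdP selection page.
    public override Task<IList<string>> GetPartnerIdentityProviderNamesAsync(string configurationName) =>
        Task.FromResult<IList<string>>(new List<string>(Registry.Keys));
}
```

Assuming the usual registration pattern, the resolver is wired in after the library's own services (`services.AddSaml(); services.AddScoped<ISamlConfigurationResolver, TenantSamlConfigurationResolver>();`), and after the high-level API has processed the response the partner name it reports can be passed to FindTenant to attribute the signed-in user to the right client. The point of the design is that the tenant is decided by which IdP signed the assertion, which the library has verified against that partner's certificate, not by a value carried inside the assertion.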

Thanks, I’ll look into that.

Can I get the doc for the low-level API?

We have an API reference but we don’t have detailed information on using the low-level API as we recommend calling the high-level API instead.

Thanks, I’ll see what I can do.