Using AuthnRequest data in the high-level API


Because of our time constraints we are using the high-level API to develop our SSO solution; however, we need to pass additional user information back to the SP.

Reading the documentation, we should be using the AuthnRequest field for this (the information is things like login guid), however the information we pass into the high level method (SAMLIdentityProvider.SendSSO) doesn’t seem to have an option for this type of data.

Is there a way to pass this kind of information into the high level API, or should the low level API be used?

Wherever possible we recommend using the high-level API.
I’m not sure if I fully understand your requirements.
The AuthnRequest is the protocol message sent by the service provider to the identity provider for SP-initiated SSO.
Typically the identity provider returns additional information to the service provider as SAML attributes within the SAML assertion. These are essentially arbitrary name/value pairs. This could include the login GUID you mentioned.
The SAML attributes are created from the attributes parameter to the SAMLIdentityProvider.SendSSO method.
Feel free to provide more detail if I haven’t answered your question.

My problem is that when I look at the overloads of SendSSO, I can’t see a way to pass the AuthnRequest data into it.

If we create an AuthnRequest object, how is it passed on to the SendSSO method?

The identity provider doesn’t send an authn request to the service provider.
What exactly did you want to send to the partner service provider?

We use the High level MVC projects as the base of our solution. Within the SAML controller on the IDP side, the method SSOService deals with the request coming in, and sending a response.

We want the loginGuid to be part of that response; however, we don’t want to send it back as an attribute. We want to set it deeper into the SAML request, where all the other user details are set as well.

You have two options for including user information in the SAML assertion - the SAML subject name identifier or SAML attributes.
Either could be used to specify a login GUID. It really depends on what makes the most sense to you and the service provider that will receive the SAML assertion.
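
The two placements named in the last reply, seen from the receiving service provider's side, as an added example (not code from this thread or from the SAML library discussed): a constructed assertion carries the user name in the subject name identifier and the login GUID as an attribute, and the functions read both. The attribute name `loginGuid`, the GUID, the issuer URL and the function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion, trimmed (no Signature, Conditions or AuthnStatement).
# The issuer, user name, GUID and the attribute name "loginGuid" are made-up values.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jsmith</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="loginGuid">
      <saml:AttributeValue>3f2b8c1e-9d4a-4c7e-8a55-0123456789ab</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="role">
      <saml:AttributeValue>admin</saml:AttributeValue>
      <saml:AttributeValue>auditor</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def read_user_info(assertion_xml):
    """Return (name_id, attributes) from an assertion that has ALREADY passed
    signature, issuer, audience and validity-window checks (not done here)."""
    root = ET.fromstring(assertion_xml)
    name_id = root.findtext("saml:Subject/saml:NameID", default=None, namespaces=NS)
    attributes = {}
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attributes.setdefault(attr.get("Name"), []).extend(values)
    return (name_id.strip() if name_id else None), attributes

def login_guid(assertion_xml, attribute_name="loginGuid"):
    """Read the GUID from the named attribute; fall back to the NameID if absent."""
    name_id, attributes = read_user_info(assertion_xml)
    values = attributes.get(attribute_name, [])
    if len(values) > 1:
        raise ValueError("ambiguous: more than one value for " + attribute_name)
    return values[0] if values else name_id
```

Attributes are multi-valued in SAML, so a receiver that expects a single login GUID should reject duplicates rather than pick one, as `login_guid` does.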