The SAML XML.org web site is not longer accepting new posts. Information on this page is preserved for legacy purposes only. For current information on SAML, please see the OASIS Security Services Technical Committee Wiki.
Extension to RequestAbstractType
Hello there!
I am currently working on my Master thesis, where I am editing a SAML 2.0 implementation (simpleSAMLphp, but it's not relevant to the question, I think) and making an extension. To achieve my goals, I need to pass an Assertion containing an Authn Statement from one IdP (where the user authenticated himself) to another. I think the way to do this is using the defined "Extensions" field from "RequestAbstractType". While reading the Specification, I noticed it mentions that the Namespace of those extensions must be different from that of SAML 2.0.So my question is, can I just insert my Assertion as an "extra-parameter", inside an Extension, or must I somehow change the namespace?
In either case, could it be something as simple as:
(...)
<samlp:Extensions>
<saml:Assertion>
(...)
</saml:Assertion>
</samlp:Extensions>
Thanks in advance for the help!
Daniel Gomes
Search
SUBSCRIBE
RECENT CONTENT
- SAML Wiki Knowledgebase
9 years ago - SAML 2.0 with java Sample
10 years ago - Govt Computer News: 'The power of one password'
10 years ago
1 reply - OASIS approves SAML 2.0 Errata
10 years ago
1 reply - IBM Pushes Federated Identity Management
10 years ago
1 reply - VMware Unveils Horizon App Manager
10 years ago
1 reply
Extension to RequestAbstractType
The specification forbids putting built-in elements like an Assertion directly into an Extension. A wrapper element would be needed. You can't just "change the namespace".
If you're trying to use the assertion as an authentication token on the SAML request, normally you would use WS-Security and place it into a SOAP header, not put it inside the request. Doing that isn't entirely crazy, but in effect you'd have to define some new construct similar to the WS-Security header and define it for use as a protocol Extension.
It's also unlikely that you can use the original assertion that way unless you've added content that makes it possible to so, such as additional Audience restrictions and an appropriate SubjectConfirmation.