Generate custom attribute for one SP in a SAML 2.0 Federation - Identity

Views: 335

Problem description

We have a SAML 2.0 federated environment (IDP and SP). I would like to generate a custom attribute for assertions created only for one SP. As such, I will not modify the IDP configuration.

The snippet of the SAML Assertion we need to create:

<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                Name="urn:oasis:names:tc:SAML:2.0:profiles:attribute:DCE:groups">
  <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                       xsi:type="xsd:string">ABCD</saml:AttributeValue>
</saml:Attribute>

According to SAML2 specifications, we need to modify the SP extended metadata to provide this attribute. The constant string "ABCD" is the attribute we want to send. I've modified as such, but no results. Can anyone provide insight?

<Attribute name="urn:oasis:names:tc:SAML:2.0:profiles:attribute:DCE:groups">
  <Value>urn:oasis:names:tc:SAML:2.0:attrname-format:uri|ABCD</Value>
</Attribute>

Also tried:

<Attribute name="urn:oasis:names:tc:SAML:2.0:profiles:attribute:DCE:groups" nameformat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
  <Value>"ABCD"</Value>
</Attribute>

Recommended answer

Looking at the metadata spec, it seems like you use the following syntax to define what attributes you want from the IDP. Of course the IDP must be configured to allow the export of such an attribute too.

<AttributeConsumingService>
   <ServiceName xml:lang="en">youname</ServiceName>
   <RequestedAttribute 
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:theformat"
      Name="theAttributeName"
      FriendlyName="humanReadableName"/>
</AttributeConsumingService>

The spec of this is here at page 21: https://www.oasis-open.org/committees/download.php/35391/sstc-saml-metadata-errata-2.0-wd-04-diff.pdf
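The following example is added here and is not part of the question or the answer above. It shows how an SP can check, on its own side, that an incoming assertion actually carries every attribute its metadata marks as required, matching on both Name and NameFormat rather than on Name alone. The SP metadata and the assertion are constructed sample fragments modelled on the two snippets above; the entityID, ServiceName and the second "displayName" attribute are assumptions used only to make the check non-trivial. Only the Python standard library is used.

```python
"""Check that a SAML 2.0 assertion carries the attributes an SP's metadata
requests. Example code; the XML fragments below are constructed samples."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Default NameFormat when an Attribute / RequestedAttribute omits it (SAML 2.0 core).
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"

# Constructed SP metadata fragment modelled on the RequestedAttribute element
# in the answer above; entityID, ServiceName and "displayName" are placeholders.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.invalid/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeConsumingService index="0">
      <md:ServiceName xml:lang="en">example-service</md:ServiceName>
      <md:RequestedAttribute
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
          Name="urn:oasis:names:tc:SAML:2.0:profiles:attribute:DCE:groups"
          FriendlyName="groups" isRequired="true"/>
      <md:RequestedAttribute
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
          Name="displayName" isRequired="false"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed assertion fragment carrying the attribute from the question.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <saml:AttributeStatement>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        Name="urn:oasis:names:tc:SAML:2.0:profiles:attribute:DCE:groups">
      <saml:AttributeValue xsi:type="xsd:string">ABCD</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def requested_attributes(metadata_xml):
    """Return {(Name, NameFormat): isRequired} for every RequestedAttribute
    under the SP's AttributeConsumingService."""
    root = ET.fromstring(metadata_xml)
    wanted = {}
    for ra in root.iterfind(".//md:AttributeConsumingService/md:RequestedAttribute", NS):
        key = (ra.get("Name"), ra.get("NameFormat", UNSPECIFIED))
        wanted[key] = ra.get("isRequired", "false").lower() == "true"
    return wanted


def assertion_attributes(assertion_xml):
    """Return {(Name, NameFormat): [values]} from the assertion's AttributeStatement(s)."""
    root = ET.fromstring(assertion_xml)
    found = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        key = (attr.get("Name"), attr.get("NameFormat", UNSPECIFIED))
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        found.setdefault(key, []).extend(values)
    return found


def missing_required(metadata_xml, assertion_xml):
    """Names of required attributes the assertion does not deliver.
    Name and NameFormat must both match: the same Name under a different
    format is a different attribute and is reported as missing."""
    wanted = requested_attributes(metadata_xml)
    found = assertion_attributes(assertion_xml)
    return sorted(name for (name, fmt), required in wanted.items()
                  if required and (name, fmt) not in found)


if __name__ == "__main__":
    print(assertion_attributes(ASSERTION))
    print("missing required:", missing_required(SP_METADATA, ASSERTION))
```

Run as-is, the assertion satisfies the metadata and `missing_required` returns an empty list; drop the NameFormat from the assertion's Attribute and the DCE groups attribute is reported missing, which is the check an SP should make before trusting an attribute that authorization depends on. Signature validation of the assertion is a separate step that must happen before any of this.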
