SAML 身份验证请求中是否允许使用属性? [英] Are attributes allowed in a SAML authentication request?

问题描述

是否可以在 SAML 身份验证请求中发送属性?

Is it possible to send attributes in a SAML authentication request?

<samlp:AuthnRequest
   xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
   xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
   ID="aaf23196-1773-2113-474a-fe114412ab72"
   Version="2.0"
   IssueInstant="2004-12-05T09:21:59Z"
   AssertionConsumerServiceIndex="0"
   AttributeConsumingServiceIndex="0">
   <saml:Issuer>https://sp.example.com/SAML2</saml:Issuer>
   <samlp:NameIDPolicy
     AllowCreate="true"
     Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
 </samlp:AuthnRequest>

推荐答案

从技术上讲，是的，这是可能的，因为 AuthnRequest 可以包含一个可以包含任何内容的扩展元素 - 请参阅 SAML核心"规范:AuthnRequest(第 3.4.1 节)是派生的来自具有可选扩展的 RequestAbstractType(第 3.2.1 节).发送方和接收方必须就以这种方式发送的数据的语法和语义达成一致.

Technically, yes, it is possible, since AuthnRequest can contain an Extensions element, which can contain anything - see the SAML 'core' spec: AuthnRequest (section 3.4.1) is derived from RequestAbstractType (section 3.2.1) which has an optional Extensions. The sender and recipient would have to agree on the syntax and semantics of data sent this way.

我看不到更传统"的方法来做到这一点，因为属性通常在断言中，而不是在 AuthnRequests 中.

I can't see a more 'conventional' way to do this, since Attributes are usually in Assertions, rather than AuthnRequests.

这篇关于SAML 身份验证请求中是否允许使用属性?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！