Tags: java, spring, saml, spring-saml

Explicit SAML attributes in Spring Saml


Is there a way to explicitly tell the IdP which attributes I am expecting? I guess the answer is yes, but I could not find examples. Would I need to specify "something" in the SP metadata?

Has someone been able to extend the Spring SAML MetadataGeneratorFilter to actually build the list of attributes for the SP xml?

For example, I'd like to have in the response the following:

  • Name
  • Company Name
  • Department
  • Role

Any suggestions please?


Solution

  • SAML 2.0 Service Provider attribute requirements may be called out in the metadata by using the <md:RequestedAttribute> element.

    This element has a boolean attribute, isRequired, that can be set as follows:

    <!-- xsi and xs prefixes declared so the xsi:type on AttributeValue resolves -->
    <md:EntityDescriptor entityID="https://sp.example.org/saml"
        xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:xs="http://www.w3.org/2001/XMLSchema">
      <md:SPSSODescriptor
          protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        ...
        <!-- one or more indexed AssertionConsumerService elements -->
        <md:AssertionConsumerService index="1" Binding="..." Location="..."/>
        ...
        <!-- zero or more indexed AttributeConsumingService elements -->
        <md:AttributeConsumingService index="1">
          <md:ServiceName>The Virtual School of Computational Science and Engineering</md:ServiceName>
          <md:ServiceDescription>The Virtual School of Computational Science and Engineering (VSCSE) helps graduate students, post-docs and young professionals from all disciplines and institutions across the country gain the skills they need to use advanced computational resources to advance their research.</md:ServiceDescription>
          <!-- optional attribute: the IdP may omit it -->
          <md:RequestedAttribute isRequired="false"
              NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
              Name="urn:oid:2.5.4.42"
              FriendlyName="givenName"/>
          <!-- required attribute, with the specific value the SP expects -->
          <md:RequestedAttribute isRequired="true"
              NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
              Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7"
              FriendlyName="eduPersonEntitlement">
            <saml:AttributeValue
                xsi:type="xs:anyURI">https://example.org/is-a-grad-student</saml:AttributeValue>
          </md:RequestedAttribute>
        </md:AttributeConsumingService>
        ...
      </md:SPSSODescriptor>
      ...
    </md:EntityDescriptor>

    More information is available at: https://spaces.internet2.edu/.../SP+Attribute+Requirements

    Remember that you can always manually customize/extend your metadata and publish it (after all, we are talking about a web-based application), turning off the automatic generation done by the Spring SAML MetadataGeneratorFilter.

    Take into account that this approach may not be sufficient to guarantee reliable attribute release. You should always manually check, inside your custom implementation of SAMLUserDetailsService, whether the required data has been provided by the Identity Provider, and allow or deny the user authentication accordingly.
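The check the answer recommends, as an added example that is not part of the original answer or of the Spring SAML project: a SAMLUserDetailsService that refuses logins whose assertion lacks the attributes the metadata marks isRequired="true", using the same OIDs and entitlement value as the metadata above. The class name, the role name and the choice of which OIDs are required are assumptions made for this sample; the Spring SAML and OpenSAML calls are the real 1.0.x / 2.x APIs.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import org.opensaml.saml2.core.Attribute;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.saml.SAMLCredential;
import org.springframework.security.saml.userdetails.SAMLUserDetailsService;

/**
 * Enforces the attribute contract declared in SP metadata (hypothetical class).
 * <md:RequestedAttribute isRequired="true"> is only a hint to the IdP; the SP
 * itself must reject assertions that do not carry the data it depends on.
 */
public class RequiredAttributeUserDetailsService implements SAMLUserDetailsService {

    // Same attribute names and value as the metadata example (sample mapping).
    private static final String GIVEN_NAME = "urn:oid:2.5.4.42";                 // isRequired="false"
    private static final String ENTITLEMENT = "urn:oid:1.3.6.1.4.1.5923.1.1.1.7"; // isRequired="true"
    private static final String GRAD_STUDENT = "https://example.org/is-a-grad-student";

    // Attributes the application cannot function without; mirror isRequired="true".
    private static final List<String> REQUIRED = Arrays.asList(ENTITLEMENT);

    @Override
    public Object loadUserBySAML(SAMLCredential credential) throws UsernameNotFoundException {
        // 1. Hard-fail on a missing required attribute, or one released with no value.
        for (String name : REQUIRED) {
            Attribute attr = credential.getAttribute(name);
            if (attr == null || attr.getAttributeValues().isEmpty()) {
                throw new UsernameNotFoundException("IdP did not release required attribute " + name);
            }
        }
        // 2. Derive authorization only from values actually asserted, never by default.
        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        for (String value : credential.getAttributeAsStringArray(ENTITLEMENT)) {
            if (GRAD_STUDENT.equals(value)) {
                authorities.add(new SimpleGrantedAuthority("ROLE_GRAD_STUDENT"));
            }
        }
        if (authorities.isEmpty()) {
            throw new UsernameNotFoundException("No entitlement accepted by this SP was released");
        }
        // 3. Optional attributes (GIVEN_NAME) may be null here; use them for display only.
        String username = credential.getNameID().getValue();
        return new User(username, "N/A", authorities); // password is unused for SAML logins
    }
}
```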