Adding claim details from SQL Server (Not from Active Directory) in SAML 2.0 Response using ADFS 3.0
I am implementing SSO with SAML 2.0 with IDP initiated flow.Use of a third party IDP is not an option and we will have to use the ADFS 3.0 that comes with Windows Server 2012R2. We have a CRM tool and users are authenticated using their AD account.When the user tries to access account details of our customers in another system, IDP has to pass the username of the customer(This is stored in SQL server database).My question is, Is there any way for us to include that details in the SAML 2.0 Response that we send to our SP.My understanding is that all the claim details that we send to SP should come from AD if we are using ADFS.Is this not the case? If not do I have any control over modifying the claim details in the SAML 2.0 Response in the code(C#) before sending that to the SP? I thought sending SAML 2.0 is done by the ADFS and my application logic has no control over that
Edit: I did more research and found this SO post authentication against ADFS, authorization against sql server this seems like it is pulling the credentials of the logged in user .In my case , I need to get the user info of the customer from another database based on the account# the user selects.Is there a way to do this?
Here is the use case
- Internal user(user) logs into our CRM app with AD credentials
- Searches for a customer and finds an account# for the customer
- User tries to access the account details for this customer on a SP
- User is taken to the SP url(username of the customer gets passed as a query string)
- SP does an HTTP POST SAML Authentication request to IDP(I assume this is inside a post with RelayState and base64 encoded
- Should i create a web api to capture this and get the RelayState and offload this to ADFS via WIF?
- If step 6 is possible,can I get the generated SAML Response back from ADFS,encrypt that and send that back to SP?If step 6 is not possible,is ADFS sending the SAML response with encrypted data back to the SP?
- Also is there a requirement to wrap SAML Request and Response inside a form html element for web sso?
Any help would be appreciated
As per the link, you can get attributes from SQL DB for authorisation.
This is via a claims rule.
There is nothing stopping you have more than one SQL DB and get different attributes from each
These attributes are all added as claims in the SAML token.
You can use normal claims rule manipulation as well.
- Integration of SSO using MSAL in Angular project gets 401 returned error after login
- Simple way to put AWS Lambda app behind SAML authentication
- Why wouldn't the IdP initiate contact with the SP in a SAML 2.0 SSO integration?
- Log out from SSO kerberos
- Getting TypeError: client_secret_basic client authentication method requires a client_secret
- SSO not working in iOS when using AWS Cognito and Azure AD
- Logout from next-auth with keycloak provider not works
- Azure b2c still authenticated after hitting logout
- What's the relationship between Keycloak SSO Session Idle Time and Spring Session Timeout?
- Execute a RESTAPI request from Powershell using the credentials of the user logged into the windows machine(AD Credential's)
- Python SSO: pysaml2 and python3-saml
- Keycloak adapter not able retrieve current username from windows AD logged-in user
- keycloak - realm resolution based on username (email address)
- Rolify and acts_as_tenant with Single Signon (with some Devise & Pundit on the side) - can it be done?
- which Oauth flow is good for Token authentication with javascript SPA
- Can I have secrets that don't expire in Microsoft SSO via Azure Microsoft Entra ID?
- Java 17 Allow RC4 HMAC while keeping allow_weak_crypto as false in krb5.conf
- Zabbix SAML Config using ActiveDirectory WIN 2016-ADFS
- Do Personal Accounts Have a UPN
- Buildfire: login api
- Moodle intergration with ADFS--Plugin SAML2 Single sign on
- Share authentication cookie between IdentityServer4 clients
- Kerberos SSO Issue with AD change of upns in Spring Boot Application
- Integrate SAML in Laravel using existing Idp and SP
- How can i enable Token_IDs in the new Azure/Microsoft Entra interface
- Okta SSO (Allowing other users from another organization to use SSO with the OpenID application i created on my Okta developer dashboard)
- Keycloak: Unique SAML endpoint per SAML Client in the same Realm
- Implement single signon (SSO) using SAML in java and AzureAD as IDP
- AADSTS9002325: Proof Key for Code Exchange is required for cross-origin authorization code redemption
- Why is a client secret required when setting up an Azure AD / Identity SSO in Asp.net (legacy .Net Framework), but it is not required in asp.net core?