Question
I kind of understand how basic SAML authentication is supposed to work:
User requests a resource at the SP
SP sends an AuthnRequest to the IdP
IdP authenticates the user and sends back some userId
SP sends an AttributeQuery to the IdP for additional details about that userId
IdP sends back the attributes
SP gives the user the resource
My issue is: can you bypass the AttributeQuery in any way? When I make a SAML 2.0 request to my testing Gluu/Shibboleth server, I get back givenName (first name) and sn (last name). Is there any way I can request the inum user id and email in just the AuthnRequest?
My request is very simple:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    ID="MyPrefix1457456412304"
                    Version="2.0"
                    IssueInstant="2016-03-08T17:00:12Z"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
    <saml:Issuer>me.com</saml:Issuer>
</samlp:AuthnRequest>
The response I get back looks like this:
<?xml version="1.0" encoding="UTF-8"?>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                 ID="_bff09cf745ea5722aac3f3ec57c0ecf3"
                 IssueInstant="2016-03-08T17:01:06.140Z"
                 Version="2.0">
    <saml2:Issuer ....
    <saml2:AttributeStatement>
        <saml2:Attribute FriendlyName="sn" Name="urn:oid:2.5.4.4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">User</saml2:AttributeValue>
        </saml2:Attribute>
        <saml2:Attribute FriendlyName="givenName" Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Admin</saml2:AttributeValue>
        </saml2:Attribute>
    </saml2:AttributeStatement>
</saml2:Assertion>
I read the relevant part of the spec, and it seems to say the server can give back whatever it wants, really (and however many attributes it wants)? Again, my question is whether I can force the SAML Gluu/Shibboleth server to give me back specific attributes as part of the AuthnRequest.
Accepted answer
You need to add the wanted attributes to the released attributes in your Trust Relationship on the IdP. AFAIK there's no way to specifically request attributes.
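The following is an added example (not code from the question, the answer, Gluu or Shibboleth) that models what the answer describes and what the flow in the question implies: the set of attributes in the Assertion is chosen by a release policy on the IdP keyed by the requesting SP's entityID, so nothing the SP puts in the AuthnRequest can add attributes to it, and an SP that needs mail or inum must detect their absence and fail closed rather than continue with a half-populated identity. In a Shibboleth or Gluu deployment the policy dictionary below corresponds to the IdP's attribute-filter.xml, which Gluu's Trust Relationship screen writes for you. The OIDs for sn, givenName and mail are the standard LDAP ones; the Name used for inum, the second entityID and the user record are constructed placeholders, since the page does not show Gluu's real wire name for inum.

```python
"""Added example: attribute release is an IdP-side, per-SP policy decision.

Models (1) a Shibboleth-style release policy keyed by requester entityID,
(2) the saml2:AttributeStatement the IdP emits for that requester, and
(3) an SP that parses the statement and fails closed on missing attributes.
"""
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
URI_FMT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

# Attribute ID -> SAML Name. sn/givenName/mail are the standard LDAP OIDs.
# "inum" is Gluu-specific and its real Name is not on the page, so the value
# below is an assumed placeholder, not Gluu's identifier.
ATTR_NAMES = {
    "sn": "urn:oid:2.5.4.4",
    "givenName": "urn:oid:2.5.4.42",
    "mail": "urn:oid:0.9.2342.19200300.100.1.3",
    "inum": "urn:example:inum",  # placeholder (assumption)
}
NAME_TO_ID = {name: attr_id for attr_id, name in ATTR_NAMES.items()}

# IdP-side release policy in the spirit of attribute-filter.xml: which
# attribute IDs each requester (SP entityID) is allowed to receive.
# "me.com" is the Issuer from the page; the second entityID is constructed.
RELEASE_POLICY = {
    "me.com": {"sn", "givenName"},                      # matches the page's response
    "me.com-with-release": {"sn", "givenName", "mail", "inum"},
}

# Constructed user record, not real data.
USER = {"sn": "User", "givenName": "Admin",
        "mail": "admin@example.org", "inum": "@!0000.1111.2222"}


def idp_attribute_statement(requester: str, user: dict) -> str:
    """Build the saml2:AttributeStatement the IdP would place in its Assertion.

    Only attributes the release policy permits for this requester are emitted.
    The AuthnRequest is deliberately not an input: it cannot widen the set.
    """
    allowed = RELEASE_POLICY.get(requester, set())  # unknown SP -> release nothing
    ET.register_namespace("saml2", SAML2)
    stmt = ET.Element(f"{{{SAML2}}}AttributeStatement")
    for attr_id in sorted(allowed):
        if attr_id not in user:
            continue  # permitted by policy, but the user has no value for it
        attr = ET.SubElement(stmt, f"{{{SAML2}}}Attribute", {
            "FriendlyName": attr_id, "Name": ATTR_NAMES[attr_id], "NameFormat": URI_FMT})
        ET.SubElement(attr, f"{{{SAML2}}}AttributeValue").text = user[attr_id]
    return ET.tostring(stmt, encoding="unicode")


def sp_parse_attributes(statement_xml: str) -> dict:
    """SP side: map released attributes back to IDs by their Name (the OID).

    FriendlyName is informational and may be absent or renamed by the IdP,
    so matching on it would be fragile; unknown Names are ignored, not guessed.
    """
    root = ET.fromstring(statement_xml)
    out = {}
    for attr in root.iter(f"{{{SAML2}}}Attribute"):
        attr_id = NAME_TO_ID.get(attr.get("Name"))
        if attr_id is None:
            continue
        out[attr_id] = [v.text or "" for v in attr.iter(f"{{{SAML2}}}AttributeValue")]
    return out


def sp_require(attrs: dict, required: set) -> dict:
    """Fail closed when a required attribute was not released.

    The SP cannot ask for more via the AuthnRequest, so a gap here is an IdP
    release-policy problem to fix on the Trust Relationship, not something to
    paper over with defaults. Returns the first value of each required attribute.
    """
    present = {k for k, values in attrs.items() if values and values[0]}
    missing = required - present
    if missing:
        raise ValueError(f"IdP did not release required attributes: {sorted(missing)}")
    return {k: attrs[k][0] for k in required}


if __name__ == "__main__":
    # Same user, same request shape; only the release policy for the SP differs.
    for sp in ("me.com", "me.com-with-release"):
        released = sp_parse_attributes(idp_attribute_statement(sp, USER))
        print(sp, "->", sorted(released))
        try:
            print("  login ok with", sp_require(released, {"mail", "inum"}))
        except ValueError as err:
            print("  login refused:", err)
```

SAML 2.0 does give an SP a way to say which attributes it would like, through RequestedAttribute elements inside an AttributeConsumingService in its metadata and the AttributeConsumingServiceIndex attribute on the AuthnRequest, but that is a hint the IdP is free to ignore; whether anything is released is still the IdP's policy decision, which is what the answer above is pointing at.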