I've implemented SSO using spring SAML and I'm wondering is there any way to request the IDP(ssocircle.com in my case) to send me additional attributes along with nameID which it is already sending.
Lets say I want the IdP to send me the accountID of the person who is authenticated successfully. I've searched a lot and found some suggestions like:
Overide the getAuthnRequest method in WebSSOProfileImpl.java so that the authnRequest sent to IdP has this attribute set. But I dont have any clue how to go ahead with this? Should I've to modify my SP metada too with this additional attribute name and format? If yes, how should i do that? Or can something be done with the RelayState parameter?
Any help in this regard would be really appreciated.
Thanks,
Abhilash
Abhilash,
Attributes to be provided to SP are typically configured on the IDP side in a vendor-specific way.
You can configure SSO Circle to send additional attributes by logging in to your account at https://idp.ssocircle.com/sso/UI/Login, select Manage Metadata, press "Add new Service Provider" (first remove the existing one if present) and make sure to check SAML attributes to be sent in AuthnRespose in the section "Attributes send in assertion (optional)". SSO Circle currently only supports attributes FirstName, LastName and EmailAddress.
SP can advertise attributes required to be provided by IDP in its metadata using elements RequestedAttribute. Support for this mechanism may vary among IDP and SP implementations. SAML protocol also allows SP to advise IDP on what attributes to send by including attribute AttributeConsumingServiceIndex in the AuthnRequest, but again this feature is not usually supported. Some custom SAML profiles define custom way to do this using the AuthnRequest's Extensions element.
Cheers,
Vladimir Schafer