ComponentSpace Forums

Whitelisting SAML attribute scopes for IDP

cdimitroulas
New Member, Group: Forum Members, Posts: 9, Visits: 117
Hello,

I'm wondering whether the ComponentSpace library does any validation/verification of the scope of SAML attributes that are sent from an IDP, or whether this is intended to be done separately?

I'm referring to the scopes that are mentioned in an IDP's shibmd:Scope tags in the metadata.

As part of registering our SP for OpenAthens they have asked us to whitelist some scopes for one of their test IDPs, and it wasn't clear how to achieve this with ComponentSpace.
ComponentSpace Development
Group: Administrators, Posts: 3.2K, Visits: 11K
We don't validate SAML attribute values. Therefore, by default, all scopes are whitelisted.

Scopes were introduced relatively recently through the SAML V2.0 Subject Identifier Attributes Profile Version specification and the Shibboleth SAML metadata extensions. We don't believe their use is widespread.

At this stage, validation of scopes is the responsibility of the application. We simply return the complete SAML attribute value (eg [email protected]) to the application.

Regards
ComponentSpace Development
cdimitroulas
New Member, Group: Forum Members, Posts: 9, Visits: 117
Thank you for confirming
ComponentSpace Development
Group: Administrators, Posts: 3.2K, Visits: 11K
You're welcome.

Regards
ComponentSpace Development
cdimitroulas
New Member, Group: Forum Members, Posts: 9, Visits: 117
One follow-up question which is related to scopes. When we import metadata using `ImportUrlAsync`, the IDP's metadata is parsed into a ComponentSpace.Saml2.Configuration.PartnerIdentityProviderConfiguration object. Where can I find the data from the shibmd:Scope tags within these objects?

In order to do the scope verification I would need to store the list of valid scopes for each IDP as part of their metadata that we save into the DB so that it can be retrieved later and used during the scope verification process.
ComponentSpace Development
Group: Administrators, Posts: 3.2K, Visits: 11K
The shibmd:Scope is a Shibboleth extension and not part of the SAML specification. We don't include it in the PartnerIdentityProviderConfiguration when importing the metadata. You would have to retrieve this information directly from the metadata.

This would mean the application would download the metadata so it can access the scope. You would then call the IMetadataToConfiguration.Import(XmlElement) or IMetadataToConfiguration.Import(EntityDescriptor) method instead of IMetadataToConfiguration.ImportUrlAsync to import the SAML configuration.

Regards
ComponentSpace Development
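The thread leaves two jobs to the application: pull the shibmd:Scope values out of the metadata XML the application downloads itself (before handing that XML to IMetadataToConfiguration.Import(XmlElement)), and reject any scoped attribute value whose scope is not on the IDP's list. The following is an added example and not ComponentSpace or OpenAthens code; it assumes the standard Shibboleth metadata extension namespace `urn:mace:shibboleth:metadata:1.0`, the `regexp` attribute that marks a scope as a pattern, and a constructed metadata snippet.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.RegularExpressions;
using System.Xml.Linq;

// Added example, not ComponentSpace code. Namespace URI is the Shibboleth metadata
// extension namespace; the metadata snippet in Main is constructed for illustration.
public static class ScopeCheck
{
    static readonly XNamespace Shibmd = "urn:mace:shibboleth:metadata:1.0";

    // Collect every shibmd:Scope in the IDP's EntityDescriptor; regexp="true" marks a pattern.
    public static List<(string Value, bool IsRegex)> ReadScopes(XDocument metadata) =>
        metadata.Descendants(Shibmd + "Scope")
            .Select(e => (e.Value.Trim(),
                          new[] { "true", "1" }.Contains(((string)e.Attribute("regexp") ?? "").Trim())))
            .ToList();

    // Allow "local@scope" only if the scope part matches an allowed scope exactly
    // (case-insensitive, DNS-style) or matches an anchored regexp scope.
    public static bool IsAllowed(string scopedValue, IEnumerable<(string Value, bool IsRegex)> scopes)
    {
        int at = scopedValue.LastIndexOf('@');
        if (at <= 0 || at == scopedValue.Length - 1) return false; // missing local part or scope
        string scope = scopedValue.Substring(at + 1);
        return scopes.Any(s => s.IsRegex
            ? Regex.IsMatch(scope, "^(?:" + s.Value + ")$", RegexOptions.IgnoreCase)
            : string.Equals(scope, s.Value, StringComparison.OrdinalIgnoreCase));
    }

    public static void Main()
    {
        // Constructed metadata: the same XML you would download yourself and pass to
        // IMetadataToConfiguration.Import(XmlElement), as the thread describes.
        var metadata = XDocument.Parse(@"
<EntityDescriptor xmlns=""urn:oasis:names:tc:SAML:2.0:metadata"" entityID=""https://idp.example.org/idp"">
  <IDPSSODescriptor protocolSupportEnumeration=""urn:oasis:names:tc:SAML:2.0:protocol"">
    <Extensions xmlns:shibmd=""urn:mace:shibboleth:metadata:1.0"">
      <shibmd:Scope regexp=""false"">example.org</shibmd:Scope>
      <shibmd:Scope regexp=""true"">^[a-z]+\.example\.org$</shibmd:Scope>
    </Extensions>
  </IDPSSODescriptor>
</EntityDescriptor>");
        var scopes = ReadScopes(metadata);
        foreach (var v in new[] { "alice@example.org", "bob@cs.example.org", "eve@example.net", "mallory@" })
            Console.WriteLine($"{v,-22} allowed={IsAllowed(v, scopes)}");
    }
}
```

Store the scope list alongside the rest of the IDP's saved configuration and re-read it whenever the metadata is refreshed, so the check always reflects the IDP's current scopes.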