Skip to main content

Configuring WSO2 Identity Server to return Attribute Profile claims in SAML SSO Response

Configuring SAML SSO for an external Service Provider with WSO2 Identity Server is probably one of the most common use cases I heard from my day 1 at WSO2.

Setting up is quite easy, Just follow the docs here.

Now let me start from there, what if someone wants to retrieve certain claims of a user in the SAML Response. How easy is it to configure that?

Well, Let me show you :)

Step 1

Assuming that you have setup a Service Provider in Identity Server by following the docs, you should have a configuration like the one below,



The most important part of this config is the "Enable Attribute Profile" tick, that allows you to get a set of pre-configured claims in the SAML response. Be sure to have it ticked.

Step 2

 Now your are done with Step 1, In Step 2 you simply configure the claims that you want to be returned in the SAML response. To do this,

Go to the "Claim Configuration" section of the service provider,


Now click on "Add Claim URI" and select the claims that you want to be returned,



Step 3

This is the most important step according to me. Doing this right will save a lot of time scratching your head and hating your life. :)




Just make sure that the claims you configured are filled out in the user profile :)
You can go to user profile by navigating to Users and Roles -->  List --> Users


Now you are done with the configurations. Time to get into action. I tried this using the travelocity sample that ships with IS. You can use your own sample.


At the end of the SAML SSO flow, we should end up with a SAML Response that includes the requested claims of the user. You can find a sample Response below. Pay attention to the AttributeStatement section.

<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xs="http://www.w3.org/2001/XMLSchema" Destination="http://localhost:8080/travelocity.com/home.jsp" ID="_03e9e7b4edc91c5dd1bcfb75b72d845b" InResponseTo="lhlohefjlfaonknijcjnipgdenkocehhhpgcnbdl" IssueInstant="2016-09-02T17:24:37.136Z" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">localhost</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#_03e9e7b4edc91c5dd1bcfb75b72d845b">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/>
          </ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>zCkIm6Ie2MveEpA03BiDPiJSfWU=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>GuWf2IP6JtYaHSdRVqLNUuKsfyNPMHXydh4BJROiWYTe/eQ/6nzyFBVwGuwkKjK9TursumbpxOE4kHf5ZuM8WRL1iUjvKRKT5mtpNwgYdGt2NTdDoVnNAL7em43Lw2c9vnYLVKsurdE3AuMmSmaSSBRqhJc34SM4/WhhXponBQk=</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>MIICNTCCAZ6gAwIBAgIES343gjANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxDTALBgNVBAoMBFdTTzIxEjAQBgNVBAMMCWxvY2FsaG9zdDAeFw0xMDAyMTkwNzAyMjZaFw0zNTAyMTMwNzAyMjZaMFUxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzENMAsGA1UECgwEV1NPMjESMBAGA1UEAwwJbG9jYWxob3N0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCUp/oV1vWc8/TkQSiAvTousMzOM4asB2iltr2QKozni5aVFu818MpOLZIr8LMnTzWllJvvaA5RAAdpbECb+48FjbBe0hseUdN5HpwvnH/DW8ZccGvk53I6Orq7hLCv1ZHtuOCokghz/ATrhyPq+QktMfXnRS4HrKGJTzxaCcU7OQIDAQABoxIwEDAOBgNVHQ8BAf8EBAMCBPAwDQYJKoZIhvcNAQEFBQADgYEAW5wPR7cr1LAdq+IrR44iQlRG5ITCZXY9hI0PygLP2rHANh+PYfTmxbuOnykNGyhM6FjFLbW2uZHQTY1jMrPprjOrmyK5sjJRO4d1DeGHT/YnIjs9JogRKv4XHECwLtIVdAbIdWHEtVZJyMSktcyysFcvuhPQK8Qc/E/Wq8uHSCo=</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </saml2p:Status>
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="_fe2af7a470b2c48202017a12a49ae190" IssueInstant="2016-09-02T17:24:37.138Z" Version="2.0">
    <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">localhost</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference URI="#_fe2af7a470b2c48202017a12a49ae190">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
              <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/>
            </ds:Transform>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <ds:DigestValue>fSSj1u/v33gH5c9KcJlmxP3YP4k=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>CVymQUk0hpwslzGJP0dSKLHuuAGZuqKcGIXkkQK+hNiXt58Qzk8fzr1TitRkBAvZOQ9MCM4Xl3DdaWnHziSl6UvoQgRXBupcyoyYD76XQCoVQpADbviDq3IDFvnnR+tM3ctiKebjPLzOlcOJb4YculK/Gan9hi/VDreCcxBUDHw=</ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>MIICNTCCAZ6gAwIBAgIES343gjANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxDTALBgNVBAoMBFdTTzIxEjAQBgNVBAMMCWxvY2FsaG9zdDAeFw0xMDAyMTkwNzAyMjZaFw0zNTAyMTMwNzAyMjZaMFUxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzENMAsGA1UECgwEV1NPMjESMBAGA1UEAwwJbG9jYWxob3N0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCUp/oV1vWc8/TkQSiAvTousMzOM4asB2iltr2QKozni5aVFu818MpOLZIr8LMnTzWllJvvaA5RAAdpbECb+48FjbBe0hseUdN5HpwvnH/DW8ZccGvk53I6Orq7hLCv1ZHtuOCokghz/ATrhyPq+QktMfXnRS4HrKGJTzxaCcU7OQIDAQABoxIwEDAOBgNVHQ8BAf8EBAMCBPAwDQYJKoZIhvcNAQEFBQADgYEAW5wPR7cr1LAdq+IrR44iQlRG5ITCZXY9hI0PygLP2rHANh+PYfTmxbuOnykNGyhM6FjFLbW2uZHQTY1jMrPprjOrmyK5sjJRO4d1DeGHT/YnIjs9JogRKv4XHECwLtIVdAbIdWHEtVZJyMSktcyysFcvuhPQK8Qc/E/Wq8uHSCo=</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">admin@wso2.com</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData InResponseTo="lhlohefjlfaonknijcjnipgdenkocehhhpgcnbdl" NotOnOrAfter="2016-09-02T17:29:37.136Z" Recipient="http://localhost:8080/travelocity.com/home.jsp"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2016-09-02T17:24:37.138Z" NotOnOrAfter="2016-09-02T17:29:37.136Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>travelocity.com</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement AuthnInstant="2016-09-02T17:24:37.143Z" SessionIndex="a5dca970-a8c5-4d9c-a522-9c7556f0db39">
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="http://wso2.org/claims/country" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Sri Lanka</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="http://wso2.org/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">admin@wso2.com</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="http://wso2.org/claims/lastname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">admin_lastname</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>




Comments

  1. John WadeOctober 12, 2016 at 7:56 PM

    All this is well and great, but what if the SP requires attributes in a NameFormat other than "urn:oasis:names:tc:SAML:2.0:attrname-format:basic" For example, Shiboleth uses: "urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Possible or not?

    ReplyDelete

Post a Comment

Popular posts from this blog

OAuth - Playing Ping Pong for Authorization

You probably would have heard the word OAuth more than a few times. Ever wondered what that is? do we use that at all?. Guess what we make use of OAuth almost everyday.I got the opportunity to learn about OAuth during my time at WSO2 Identity Server team. Here's the first step of conquering OAuth :) What Exactly is OAuth? Let me start with OAuth,  OAuth solves the problem of allowing third party entities( eg: applications) to access a resource owner's protected resources without actually giving away your valuable credentials like passwords.  Let's think of it this way. You have a facebook account(Assuming you have one :P) which is your protected resource and you are the resource owner . Now you get a little high and decide to try out one of these fancy Facebook apps that finds your soul mate. The app now becomes the third party application which requires access to read out your friend list from your profile which is the protected resource. Suppose you don't ...
5 comments
Read more

Configuring a MySQL database as a secondary user store for WSO2 Identity Server

It's been almost a week since I joined WSO2. I am now part of the WSO2 Identity Server team :) So my adventures from now on will revolve around the Identity Management area and security stuff. We are currently on our way to release Identity Server 5.2.0 beta. During alpha testing, I learnt several basics that I thought worth making a note of. Hence, this post as both a note to myself and anyone starts off with WSO2 Identity Server. A user store is basically where WSO2 IS stores all information about users such as username, password, roles etc.WSO2 Identity Server comes with a built-in LDAP-based primary user store out of the box. This is true for other WSO2 products as well. However, you also have the option of configuring any JDBC database,external LDAP or an Active Directory as the secondary user store in WSO2 IS and other products. I will focus on setting up a MySQL database as the secondary user store in WSO2 IS in this post. I will divide the process into to thre...
1 comment
Read more