IBM Verify

  • 1.  Remove the samlp:Extensions in SAML Message Extension

    Posted Fri May 07, 2021 09:01 AM

    Hi,

    In the connection that we have to an IDP we need to use scoping; for this we use "SAML Message Extension" in the federation management.
    The issue is that in this case the scoping ends up inside <samlp:Extensions>. Is it possible to set the scoping part without <samlp:Extensions>?
    The output is like:

    <samlp:Extensions>
      <samlp:Scoping xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
        <samlp:IDPList xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
           <samlp:IDPEntry ProviderID="urn:etoegang:EB:00000004000000149000:entities:9009"/> 
        </samlp:IDPList>
      </samlp:Scoping>
    </samlp:Extensions>


    It needs to be like:

    <samlp:Scoping xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
        <samlp:IDPList xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
           <samlp:IDPEntry ProviderID="urn:etoegang:EB:00000004000000149000:entities:9009"/> 
        </samlp:IDPList>
    </samlp:Scoping>


    ------------------------------
    jasper teuben
    ------------------------------


  • 2.  RE: Remove the samlp:Extensions in SAML Message Extension

    Posted Mon May 10, 2021 05:16 AM
    Hi jasper teuben,

    <samlp:Extensions> is an optional element defined in the SAML2 spec for adding message extension elements, and <Scoping> is another optional element defined in the SAML2 spec; it cannot be put into <samlp:Extensions>. I think the above requirement is not supported with "SAML Message Extension" in current ISAM.

    Best Regards

    Chen Yongming

    ------------------------------
    Yongming Chen
    ------------------------------



  • 3.  RE: Remove the samlp:Extensions in SAML Message Extension

    Posted Tue May 11, 2021 12:27 AM
    Hi Chen,

    I might understand it wrong, but we have <Scoping> within the <samlp:Extensions>: we have created a SAML2_0_EXT Mapping Rule that we use in the federation at "SAML Message Extension" to get the Scoping in. The IDP has issues with our request because Scoping is within Extensions, so I am looking into a solution for this.

    If there is another way of doing scoping in ISAM 9.0.7.1 or ISVA 10.0.1.0 please let me know; we have not found it yet.


    ------------------------------
    jasper teuben
    ------------------------------



  • 4.  RE: Remove the samlp:Extensions in SAML Message Extension

    Posted Wed May 12, 2021 03:10 AM
    Hi jasper teuben,

    The SAML2_0_EXT Mapping Rule allows adding extension elements to the SAML message in <samlp:Extensions>. Per the SAML2 spec, <Scoping> is another optional element, different from <samlp:Extensions>, hence the SAML2_0_EXT Mapping Rule does not work for <Scoping>. I think this will require an RFE to add the <Scoping> element into the SAML message.

    Best Regards

    Chen Yongming

    ------------------------------
    Yongming Chen
    ------------------------------
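To make the point in the reply above concrete, here is an added check (example code written for this thread, not part of ISAM/ISVA or the original posts) that inspects an AuthnRequest and reports whether samlp:Scoping sits where the SAML 2.0 Core schema puts it (a direct child of AuthnRequest, last in element order) or has been nested inside samlp:Extensions; it also hoists it out, which only makes sense on the SP side before the request is signed. The sample AuthnRequest and the ProviderID in it are constructed values.

```python
"""Locate samlp:Scoping in a SAML 2.0 AuthnRequest and hoist it out of Extensions.

Per SAML 2.0 Core, Scoping is an optional direct child of AuthnRequest and is
the last element in AuthnRequest's child order; Extensions (from
RequestAbstractType) is a separate optional element.
"""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Constructed sample: the shape produced when Scoping is injected via an
# Extensions-based mapping rule (ProviderID is a placeholder, not a real IdP).
AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_req1" Version="2.0" IssueInstant="2021-05-07T09:00:00Z">
  <saml:Issuer>https://sp.example.test</saml:Issuer>
  <samlp:Extensions>
    <samlp:Scoping><samlp:IDPList>
      <samlp:IDPEntry ProviderID="urn:example:idp:entry"/>
    </samlp:IDPList></samlp:Scoping>
  </samlp:Extensions>
  <samlp:NameIDPolicy AllowCreate="true"/>
</samlp:AuthnRequest>"""


def scoping_location(xml_text: str) -> str:
    """Return 'direct', 'in-extensions' or 'absent' for the Scoping element."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    if root.find(f"{{{SAMLP}}}Scoping") is not None:  # direct child only
        return "direct"
    ext = root.find(f"{{{SAMLP}}}Extensions")
    if ext is not None and ext.find(f"{{{SAMLP}}}Scoping") is not None:
        return "in-extensions"
    return "absent"


def hoist_scoping(xml_text: str) -> str:
    """Move Scoping from Extensions to the end of AuthnRequest (schema order);
    drop Extensions if it becomes empty. Apply before the request is signed."""
    root = ET.fromstring(xml_text)
    ext = root.find(f"{{{SAMLP}}}Extensions")
    scoping = ext.find(f"{{{SAMLP}}}Scoping") if ext is not None else None
    if scoping is None:
        return xml_text  # nothing to fix
    ext.remove(scoping)
    if len(ext) == 0:
        root.remove(ext)
    root.append(scoping)  # Scoping is last in AuthnRequest's child sequence
    return ET.tostring(root, encoding="unicode")


def child_names(xml_text: str) -> list:
    """Local names of the AuthnRequest's direct children, in document order."""
    return [child.tag.split("}")[1] for child in ET.fromstring(xml_text)]
```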



  • 5.  RE: Remove the samlp:Extensions in SAML Message Extension

    Posted Fri May 14, 2021 12:09 AM

     There is an RFE open for some time now; because we need to implement this in several federations I was looking for another way to do this.

     So any suggestion to implement scoping is good for us 😊.

    RFE:
    Headline: ISAM FED: [SAML2_0] pre and post authnrequest mapping rule capability
    ID: 125694



    ------------------------------
    jasper teuben
    ------------------------------