SAML Authentication with Custom Parameters

Usage scenario

The SAML Service provider wishes to pass along additional data with the Authentication Request which could be utilized during the lifetime of the SAML Flow.

For example, you might want to pass along the type of client making the request. You can use this information in the templates to render a different UI.

These values are available within a template via a custom Thymeleaf dialect and exposed via the Session API.

Please refer to the Custom Parameters topic guide for usage.

Onegini Extension

The SAML Service Provider should add an Onegini specific extension to the authentication request. The following XSD is defined for the SAML extension for custom parameters:

<xs:schema elementFormDefault="qualified"
           xmlns:xs="http://www.w3.org/2001/XMLSchema"
           xmlns:oneginicp="urn:com:onegini:saml:CustomParameters"
           targetNamespace="urn:com:onegini:saml:CustomParameters"
           version="1.0">
  <xs:element name="CustomParameters" type="oneginicp:CustomParametersType"/>

  <xs:complexType name="CustomParametersType">
    <xs:sequence>
      <xs:element ref="oneginicp:CustomParameter" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
  </xs:complexType>

  <xs:element name="CustomParameter" type="oneginicp:customParameterType"/>

  <xs:complexType name="customParameterType">
    <xs:sequence>
      <xs:element name="Value" type="xs:simpleType" maxOccurs="unbounded"/>
    </xs:sequence>
    <xs:attribute name="Key"/>
  </xs:complexType>
</xs:schema>

SAML Authentication Request

Example request

<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                     AssertionConsumerServiceURL="https://sp/saml/SSO"
                     Destination="https://idp/saml/single-sign-on"
                     ForceAuthn="false"
                     ID="a33dd94jc826a5bc2f3754a1i62707i"
                     IsPassive="false"
                     IssueInstant="2016-02-09T12:40:57.727Z"
                     ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                     Version="2.0"
                     >
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">spring:security:saml</saml2:Issuer>
  <saml2p:RequestedAuthnContext Comparison="exact">
      <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        urn:onegini:names:SAML:2.0:ac:classes:InlineLogin
      </saml2:AuthnContextClassRef>
  </saml2p:RequestedAuthnContext>
  <saml2p:Extensions>
       <oneginicp:CustomParameters 
           xmlns:oneginicp="urn:com:onegini:saml:CustomParameters">
           <oneginicp:CustomParameter 
               Key="appView">
               <oneginicp:Value>mobile</oneginicp:Value>
           </oneginicp:CustomParameter>
       </oneginicp:CustomParameters>
   </saml2p:Extensions>
</saml2p:AuthnRequest>