Wednesday, 25 October 2023

SAML knowledge IDP to SP POST call

After the IDP login, the IDP sends an HTTP POST call carrying the SAML data to the SP endpoint specified in the metadata.

The SAML assertion has two portions. The only mandatory portion is the Subject with its NameID, like:

<saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
                 NameQualifier="https://idp.ssocircle.com"
                 SPNameQualifier="https://dev146737.service-now.com">xyjoey@hotmail.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="SNCa5722d5aa12915d2f4c33648e89979de"
                                      NotOnOrAfter="2023-10-25T23:17:35Z"
                                      Recipient="https://dev146737.service-now.com/navpage.do" />
    </saml:SubjectConfirmation>
</saml:Subject>

..........


This portion is used by the SP to locate the user in its own database and then create a session token, etc.



If the SP wants to create a separate user, it is better if the IDP can send more assertion attributes, like:

<saml:AttributeStatement>
    <saml:Attribute Name="EmailAddress">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                             xsi:type="xs:string">test@hotmail.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="UserID">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                             xsi:type="xs:string">testName</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="FirstName">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                             xsi:type="xs:string">test</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="LastName">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                             xsi:type="xs:string">tesssstt</saml:AttributeValue>
    </saml:Attribute>
</saml:AttributeStatement>


so the SP can extract, for example, the value of the attribute with Name="LastName" and use it to provision the user.
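As an added example (not code from this post or from any IDP/SP product), the following Python sketch shows the SP side of what is described above: it reads the NameID out of the Subject, checks the bearer SubjectConfirmationData (Recipient must be the SP's own endpoint, InResponseTo must match an AuthnRequest the SP actually issued, NotOnOrAfter must not have passed) and then pulls the AttributeStatement values into a record that a provisioning step could consume. The sample assertion is constructed from the two snippets in the post; the expected recipient, the set of outstanding request IDs and the clock are assumptions passed in by the caller. It also assumes the XML signature on the Response/Assertion has already been verified before this code runs, which the post does not cover.

```python
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion, assembled from the Subject and AttributeStatement
# snippets shown in the post (the xs:string type attributes are omitted for brevity).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
                 NameQualifier="https://idp.ssocircle.com"
                 SPNameQualifier="https://dev146737.service-now.com">xyjoey@hotmail.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="SNCa5722d5aa12915d2f4c33648e89979de"
                                    NotOnOrAfter="2023-10-25T23:17:35Z"
                                    Recipient="https://dev146737.service-now.com/navpage.do"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="EmailAddress"><saml:AttributeValue>test@hotmail.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="UserID"><saml:AttributeValue>testName</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="FirstName"><saml:AttributeValue>test</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="LastName"><saml:AttributeValue>tesssstt</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_saml_time(value):
    """SAML timestamps are UTC ISO 8601 with a trailing Z."""
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def extract_subject(root):
    """Return the mandatory Subject portion: NameID plus the bearer confirmation data."""
    name_id = root.find("saml:Subject/saml:NameID", NS)
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if name_id is None or scd is None:
        raise ValueError("assertion lacks Subject/NameID or SubjectConfirmationData")
    return {
        "name_id": (name_id.text or "").strip(),
        "format": name_id.get("Format"),
        "in_response_to": scd.get("InResponseTo"),
        "not_on_or_after": scd.get("NotOnOrAfter"),
        "recipient": scd.get("Recipient"),
    }


def check_subject_confirmation(subject, expected_recipient, outstanding_request_ids, now):
    """Return a list of problems with the bearer confirmation; empty means acceptable."""
    problems = []
    if subject["recipient"] != expected_recipient:
        problems.append("Recipient mismatch")
    if subject["in_response_to"] not in outstanding_request_ids:
        problems.append("InResponseTo does not match an outstanding AuthnRequest")
    if subject["not_on_or_after"] is None or now >= parse_saml_time(subject["not_on_or_after"]):
        problems.append("assertion expired (NotOnOrAfter)")
    return problems


def extract_attributes(root):
    """Return the optional AttributeStatement as {Name: value or [values]}."""
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        attrs[attr.get("Name")] = values[0] if len(values) == 1 else values
    return attrs


def build_provisioning_record(xml_text, expected_recipient, outstanding_request_ids, now):
    """Validate the Subject, then assemble the fields a provisioning step would use.

    Assumes the assertion's XML signature was verified by the caller beforehand.
    """
    root = ET.fromstring(xml_text)
    subject = extract_subject(root)
    problems = check_subject_confirmation(subject, expected_recipient, outstanding_request_ids, now)
    if problems:
        raise ValueError("rejecting assertion: " + "; ".join(problems))
    attrs = extract_attributes(root)
    return {
        "name_id": subject["name_id"],
        "email": attrs.get("EmailAddress"),
        "user_id": attrs.get("UserID"),
        "first_name": attrs.get("FirstName"),
        "last_name": attrs.get("LastName"),
    }


if __name__ == "__main__":
    clock = dt.datetime(2023, 10, 25, 23, 0, tzinfo=dt.timezone.utc)  # constructed "now"
    record = build_provisioning_record(
        SAMPLE_ASSERTION,
        "https://dev146737.service-now.com/navpage.do",
        {"SNCa5722d5aa12915d2f4c33648e89979de"},
        clock,
    )
    print(record)
```

The three checks in check_subject_confirmation are what stop a bearer assertion from being accepted at the wrong endpoint, being replayed against a request the SP never made, or being used after its validity window; the attribute lookup only runs once the Subject has passed them.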
