SAML Resolve Request Properties

This document describes the "resolveSAMLRequestProperties" configuration parameter, which is present in most SAML authenticators in PAS 4.7 or higher.

How it works

Adding "resolveSAMLRequestProperties": "true" to your SAML authenticator makes it parse the SAML request and add properties from the request to the current session, so the values can be used to control the rest of the authentication flow. For example, you might want to direct a SAML request containing a SignMessage property to a SAMLAuthForSigning authenticator, or respond to a RequestedAuthnContext in the request. These properties only have to be resolved once per authentication flow: if you resolve them in a SAMLDataSave or Dispatch authenticator, the values remain accessible in the subsequent authenticators.

The properties

Currently the following request properties are resolved into the session: 

  • SAMLIssuer (the AuthnRequest issuer)
  • SAMLPrincipalSelection (format: "<attrname1>=<attrvalue1>,<attrname2>=<attrvalue2>")
  • SAMLRequestedAuthnContext (format: "<AuthnContextClassRef1>,<AuthnContextClassRef2>")
  • SAMLForceAuthn 
  • SAMLIsPassive
  • SAMLSignMessage
  • SAMLMimeType (MimeType of the SignMessage, if any)
  • SAMLMustShowSignMessage

Usage examples

The configuration below shows an example use of "resolveSAMLRequestProperties", where Dispatch is used to switch between three authenticators depending on the values of the resolved properties. If a SignMessage is present, the SAMLAuthForSigning authenticator is used. If the RequestedAuthnContext contains LoA4, an authentication flow using LoA4 is used; otherwise the LoA3 flow is used. The mapping rules are evaluated in order and the first matching rule wins.

    {
      "id" : "mydispatchid",
      "alias" : "mydispatchalias",
      "name" : "Dispatch",
      "configuration" : {
        "idpID" : "myidpid",
        "sendSAMLResponseOnError" : "true",
        "resolveSAMLRequestProperties" : "true",
        "mapping" : [ {
          "expression" : "'SAMLSignMessage') != null",
          "authenticator" : "mySAMLAuthForSigningAuthenticatorAlias"
        }, {
          "expression" : "'SAMLRequestedAuthnContext').indexOf('') != -1",
          "authenticator" : "myLoA4AuthenticatorAlias"
        }, {
          "expression" : "'SAMLRequestedAuthnContext').indexOf('') != -1",
          "authenticator" : "myLoA3AuthenticatorAlias"
        } ]
      }
    }
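As an added illustration (not PAS product code and not part of this document), the Python sketch below mimics what "resolveSAMLRequestProperties" puts into the session for an AuthnRequest and then applies the Dispatch ordering shown above. The SAML 2.0 namespaces are standard; the SignMessage and PrincipalSelection element names and namespaces are assumed from the Swedish eID Framework, and the LoA URIs and the sample request are constructed for the example.

```python
import base64
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces are standard; csig/psc are assumed (Swedish eID Framework).
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "csig": "http://id.elegnamnden.se/csig/1.1/dss-ext/ns",
    "psc": "http://id.swedenconnect.se/authn/1.0/principal-selection/ns",
}

# Constructed sample AuthnRequest: ForceAuthn set, a SignMessage extension, LoA4 requested.
SAMPLE_AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0"
  IssueInstant="2024-01-01T00:00:00Z" ForceAuthn="true">
  <saml:Issuer>https://sp.example.com/metadata</saml:Issuer>
  <samlp:Extensions>
    <csig:SignMessage xmlns:csig="http://id.elegnamnden.se/csig/1.1/dss-ext/ns" MustShow="true" MimeType="text">
      <csig:Message>U2lnbiB0aGlzIGRvY3VtZW50</csig:Message>
    </csig:SignMessage>
  </samlp:Extensions>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>urn:example:loa4</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

def resolve_saml_request_properties(authn_request_xml: str) -> dict:
    """Extract the session keys listed on this page from an AuthnRequest (hypothetical helper)."""
    root = ET.fromstring(authn_request_xml)
    props = {}
    issuer = root.find("saml:Issuer", NS)
    if issuer is not None:
        props["SAMLIssuer"] = (issuer.text or "").strip()
    # ForceAuthn / IsPassive are attributes of AuthnRequest; SAML core defaults both to false.
    props["SAMLForceAuthn"] = root.get("ForceAuthn", "false")
    props["SAMLIsPassive"] = root.get("IsPassive", "false")
    refs = [e.text.strip() for e in root.findall("samlp:RequestedAuthnContext/saml:AuthnContextClassRef", NS) if e.text]
    if refs:
        props["SAMLRequestedAuthnContext"] = ",".join(refs)  # "<ref1>,<ref2>" as on the page
    sm = root.find("samlp:Extensions/csig:SignMessage", NS)
    if sm is not None:
        msg = sm.find("csig:Message", NS)
        props["SAMLSignMessage"] = base64.b64decode(msg.text).decode("utf-8") if msg is not None and msg.text else ""
        props["SAMLMimeType"] = sm.get("MimeType", "text")
        props["SAMLMustShowSignMessage"] = sm.get("MustShow", "false")
    sel = root.findall("samlp:Extensions/psc:PrincipalSelection/psc:MatchValue", NS)
    if sel:  # "<attrname1>=<attrvalue1>,<attrname2>=<attrvalue2>" as on the page
        props["SAMLPrincipalSelection"] = ",".join(f"{m.get('Name')}={(m.text or '').strip()}" for m in sel)
    return props

def dispatch(props: dict, loa4_uri: str, loa3_uri: str) -> str:
    """Same rule order as the Dispatch mapping above; exact URI match instead of indexOf substring."""
    if props.get("SAMLSignMessage") is not None:
        return "mySAMLAuthForSigningAuthenticatorAlias"
    refs = props.get("SAMLRequestedAuthnContext", "").split(",")
    if loa4_uri in refs:
        return "myLoA4AuthenticatorAlias"
    if loa3_uri in refs:
        return "myLoA3AuthenticatorAlias"
    return "no-mapping-matched"
```

Matching the full AuthnContextClassRef URI rather than a substring avoids one LoA value being mistaken for another when URIs share a prefix.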