adding custom xml elements to outgoing samlp:AuthnRequest to our claims provider RRS feed

  • Question

  • Hi all, I looked for my question in this forum but I couldn't find anything which suits my question, so either it's not there or I am not searching well enough. I hope someone could be of assistance. So here it is: We are hosting a website which is using ADFS on Windows Server 2012 R2 to authenticate against an external identity provider. Our website sends an authentication request to our ADFS environment, which in turn sends an authentication request of the following format to the external IDP, all according to the SAML 2.0 standard:

    <samlp:AuthnRequest
     ID="id-335950a4-0483-410b-b9dd-31bcfcfc471c"
     Version="2.0"
     IssueInstant="2016-04-05T09:24:26.642Z"
     Destination="https://idp.claimsprovider.com/saml/idp/request_authentication"
     Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
     xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfs.myorganization.com/adfs/services/trust</Issuer>
    <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true" />
    </samlp:AuthnRequest>

    This authentication request is rejected by our IDP. Their SAML specification includes an example request of what an authentication request should look like and an example of what our IDP is expecting is this:

    <samlp:AuthnRequest
     xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
     xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
     ID="_1330416073"
     Version="2.0"
     IssueInstant="2012-02-28T09:01:13Z"
     AssertionConsumerServiceIndex="0"
     ProviderName="provider name">
    <saml:Issuer>http://sp.example.com</saml:Issuer>
    <samlp:RequestedAuthnContext Comparison="minimum">
     <saml:AuthnContextClassRef> urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport </saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>
    </samlp:AuthnRequest>

    It expects two extra attributes in the 'samlp:AuthnRequest' element:

    AssertionConsumerServiceIndex="0"
     ProviderName="provider name"

    It also expects me to include this:

    <samlp:RequestedAuthnContext Comparison="minimum">
     <saml:AuthnContextClassRef> urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport </saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>

    Is there any way I can accomplish this with ADFS? For the AuthnContext part it looks like I have to configure the Authentication Context somewhere within the relying party, but I cannot find how.


    If you can't learn to do something well, learn to enjoy doing it poorly.

    Tuesday, April 5, 2016 11:26 AM
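The two requests quoted in the question differ in three places: the `AssertionConsumerServiceIndex` and `ProviderName` attributes on the root element and the `samlp:RequestedAuthnContext` child. Before changing ADFS configuration it helps to confirm that these are the only gaps, and to re-check a captured request after each change. The script below is an added example, not code from the thread or from ADFS; it parses an AuthnRequest namespace-aware (so `<Issuer xmlns="…assertion">` as emitted by ADFS and `<saml:Issuer>` as in the IdP's sample are treated as the same element) and reports what is missing relative to the IdP's sample. The two embedded requests are constructed copies of the ones in the question, and the "expected" attribute and context lists are assumptions taken from that sample, not from the IdP's actual specification.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Attributes and authentication context the IdP's sample request (quoted in the
# question) carries; the checker treats them as the IdP's requirements (assumption).
EXPECTED_ATTRS = ("ID", "Version", "IssueInstant",
                  "AssertionConsumerServiceIndex", "ProviderName")
EXPECTED_CONTEXT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

# Constructed copy of the request ADFS emits, as quoted in the question.
ADFS_REQUEST = """<samlp:AuthnRequest
 ID="id-335950a4-0483-410b-b9dd-31bcfcfc471c"
 Version="2.0"
 IssueInstant="2016-04-05T09:24:26.642Z"
 Destination="https://idp.claimsprovider.com/saml/idp/request_authentication"
 Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
 xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfs.myorganization.com/adfs/services/trust</Issuer>
<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true" />
</samlp:AuthnRequest>"""

# Constructed copy of the IdP's sample request, as quoted in the question.
IDP_EXAMPLE = """<samlp:AuthnRequest
 xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 ID="_1330416073"
 Version="2.0"
 IssueInstant="2012-02-28T09:01:13Z"
 AssertionConsumerServiceIndex="0"
 ProviderName="provider name">
<saml:Issuer>http://sp.example.com</saml:Issuer>
<samlp:RequestedAuthnContext Comparison="minimum">
 <saml:AuthnContextClassRef> urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport </saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""


def check_authn_request(xml_text):
    """Return a list of human-readable gaps between the request and the IdP's
    sample; an empty list means the request carries everything the sample has."""
    root = ET.fromstring(xml_text.strip())
    problems = []
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        return ["root element is %s, expected samlp:AuthnRequest" % root.tag]
    for attr in EXPECTED_ATTRS:
        if attr not in root.attrib:
            problems.append("missing attribute %s" % attr)
    # Namespace-aware lookup: <Issuer xmlns="...assertion"> and <saml:Issuer>
    # resolve to the same qualified name, so both spellings are found here.
    issuer = root.find("saml:Issuer", NS)
    if issuer is None or not (issuer.text or "").strip():
        problems.append("missing or empty saml:Issuer")
    context = root.find("samlp:RequestedAuthnContext", NS)
    if context is None:
        problems.append("missing samlp:RequestedAuthnContext")
    else:
        # The sample pads the class reference with spaces; compare the stripped text.
        refs = [(e.text or "").strip()
                for e in context.findall("saml:AuthnContextClassRef", NS)]
        if EXPECTED_CONTEXT not in refs:
            problems.append("RequestedAuthnContext does not list " + EXPECTED_CONTEXT)
    return problems


if __name__ == "__main__":
    for label, req in (("ADFS request", ADFS_REQUEST), ("IdP example", IDP_EXAMPLE)):
        gaps = check_authn_request(req)
        print("%s: %s" % (label, "OK" if not gaps else "; ".join(gaps)))
```

Run against the ADFS request it reports the two missing attributes and the missing `RequestedAuthnContext`; against the IdP's sample it reports nothing. To use it on a live environment, paste the decoded AuthnRequest from a captured redirect or POST in place of `ADFS_REQUEST`; note that the checker only covers structure, not the signature or the `Destination` value, which the IdP may validate as well.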

All replies

  • Same exact problem. Did you manage to solve it in some way? Any experts that can help us?

    thanks!

    Wednesday, July 6, 2016 2:57 PM
  • You can set some of these via:

    Set-AdfsClaimsProviderTrust.

    Thursday, July 7, 2016 1:57 AM
  • Any updates?

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Monday, July 11, 2016 2:00 PM