By: Simon Hill user 25 Sep 2018 at 3:53 a.m. CDT

5 Responses
When issuing a SAML AuthnRequest to an external IdP, I need to include scoping information within the request, something like this:

```
<samlp:Scoping>
  <samlp:IDPList>
    <samlp:IDPEntry ProviderID="someproviderid"/>
  </samlp:IDPList>
</samlp:Scoping>
```

But the 'passport-saml-config.json' configuration file doesn't seem to include this option. The documentation mentions a property called `additionalAuthorizeParams` which is 'a dictionary of additional query parameters which can be added in order to 'authorize' requests'. Your 'Inbound-SAML-Demo' code has an example of this file with the line:

`"additionalAuthorizeParams": "{ providerId: 'test' }",`

This looks promising, but when I add this to my own configuration, although the JSON validates and the metadata is created, there is no change in the AuthnRequests which Gluu issues; no scoping information is included. Have I missed something, or is there extra configuration required?

Thanks, Simon.

By Jose Gonzalez staff 25 Sep 2018 at 12:11 p.m. CDT

Simon, did you receive my response to your problem in the former ticket you opened? Did you get the email notification? Otherwise, I'll have to retype...

By Simon Hill user 26 Sep 2018 at 11:24 a.m. CDT

No, the previous ticket was deleted somehow (not by me). Can you re-send?

By Jose Gonzalez staff 26 Sep 2018 at 2:30 p.m. CDT

I was saying that integration with SAML providers is achieved by reusing this project: So basically we are subject to its capabilities. The `additionalAuthorizeParams` is listed in their "Additional SAML behaviors" section of the README but it has to do with appending query params, not altering XML payload.

In passport we are setting `additionalAuthorizeParams` of SAML strategy here. `objectJSON` refers to the contents of file `/etc/gluu/conf/passport-saml-config.json` that you can find in Gluu server chroot.

I was commenting that no one in the past has used this feature, and from what I saw in the code the way this value is being parsed might not be correct. I suggested doing this:

- Alter `passport-saml-config.json` so that it looks this way: `"additionalAuthorizeParams": "{ \"providerId\" : \"test\" }",`
- Alter `saml.js` so that it reads dictionary data from JSON string this way: `JSON.parse(objectJSON['additionalAuthorizeParams'])`. This file can be found at `/opt/gluu/node/passport/server/auth/saml.js`
- Restarting passport

Of course, it only makes sense if your IDP can interpret the additional params this way.
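The parsing step suggested in the post above, written out as an added example that is not part of the original thread or of Gluu's passport code. The helper names `parseAuthorizeParams` and `buildRedirectUrl`, the entry point URL and the request placeholder are assumptions made for illustration; the sketch shows why the unquoted form fails to parse and that the parsed values land on the redirect query string, not in the AuthnRequest XML.

```javascript
// Added example. parseAuthorizeParams and buildRedirectUrl are hypothetical
// helpers, not functions from passport, passport-saml or Gluu.
const RESERVED = ['SAMLRequest', 'RelayState', 'SigAlg', 'Signature'];

// Turn the raw config value (a JSON string, as stored in
// passport-saml-config.json) into a flat dictionary of query parameters.
function parseAuthorizeParams(raw) {
  if (raw === undefined || raw === null || raw === '') return {};
  let value = raw;
  if (typeof raw === 'string') {
    try {
      value = JSON.parse(raw);
    } catch (err) {
      throw new Error('additionalAuthorizeParams is not valid JSON: ' + err.message);
    }
  }
  if (typeof value !== 'object' || value === null || Array.isArray(value)) {
    throw new Error('additionalAuthorizeParams must be a JSON object');
  }
  const params = {};
  for (const [key, val] of Object.entries(value)) {
    if (RESERVED.includes(key)) {
      throw new Error('refusing to override SAML binding parameter ' + key);
    }
    if (typeof val !== 'string' && typeof val !== 'number') {
      throw new Error('parameter ' + key + ' must be a string or number');
    }
    params[key] = String(val);
  }
  return params;
}

// Where the parameters end up: on the query string of the redirect to the
// IdP, next to SAMLRequest. The AuthnRequest XML itself is not touched.
function buildRedirectUrl(entryPoint, samlRequest, extraParams) {
  const url = new URL(entryPoint);
  url.searchParams.set('SAMLRequest', samlRequest);
  for (const [key, val] of Object.entries(extraParams)) {
    url.searchParams.set(key, val);
  }
  return url.toString();
}

// Constructed sample values (entry point and request placeholder are made up).
const fixedValue = '{ "providerId" : "test" }';
const redirect = buildRedirectUrl('https://idp.example.org/sso', 'PLACEHOLDER',
  parseAuthorizeParams(fixedValue));
console.log(redirect);
```

Failing at startup on an unparseable value makes a misconfiguration visible instead of silently sending requests without the extra parameters.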

By Simon Hill user 01 Oct 2018 at 5:28 a.m. CDT

I try to keep an open mind in these things, and not to place too many artificial limits on my own abilities, but I think re-writing `/opt/gluu/node/passport/server/auth/saml.js` to parse the JSON correctly may be one of those cases when I have to tap out... :) Thanks for the response anyway, if this isn't something your product can do right now, I think I'll leave it there. Simon.

By Michael Schwartz staff 01 Oct 2018 at 9:48 a.m. CDT

This is something we could take on if BT were to get a support contract, but it's out of scope (no pun intended) of what we could do for a POC.