SAML IdP attribute not supported

Hello,

We have set up a SAML IdP in our gateway for Single Sign On. When loading a session from a browser, I am able to watch the general handshaking via a SAML-tracer. After all the automatic redirects and authentication succeeds, an IdP Session Cookie is created and dropped into the browser (Web Dev Tools/Storage/Cookies). I can then see the cookie being used in the Perspective Session in a Gateway keepalive callback every few seconds.

My goal is to use this cookie in system.net.httpClient GET calls. My IT department and I could only think to possibly pass this cookie as an IdP attribute in the IdP Response Data. Problem is, it looks like the IdP attribute is not supported for SAML, even if we can stuff the desired cookie into an attribute.

So my question is, is there a different way to get the cookie into the session using SAML SSO, because it is being used by the Session for the KeepAlive? Maybe we could use system.net.httpClient to create a new auth Session, but then that is not using the SSO that was already established. Seems like we will need the user to still put in credentials at the start of a session by pinging a URL, redirecting to the IdP, having the user re-enter their credentials, and then looking at the cookie manager.

If that is what we have to do, it seems like there is no point in setting up SSO with SAML (for our use case)? Probably we should just do an Active Directory sign-in and pass the login credentials to the system.net.httpClient GET call as well?

Thanks,
-Derek-

@Derek_Phillips you do not want to use any sort of personal credential for app authentication. You need something that is for app use like a service account, API token, mTLS, etc.

You may try to think about how you could make the call without doing what you are thinking you need to do.

On the topic of getting an attribute field from the SAML response: if you have a field configured on your IDP connection, and it is in the response, you can address that field similar to this:

{idp-attributes://saml:Attribute[@Name='adgroups']}

Basically what you are saying is that in the user attribute mapping there are only these options:

ID, username, first name, last name, email, roles

If you had one of those fields that you don't need, you could pass your desired value that way. For example, user name and first/last name are a bit redundant. If you wanted to get it in any other way, basically you're looking at a module.

Again, the recommendation is to not use personal credentials for app authentication. Find another way.

Rgds,

Nick
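As an added illustration of the attribute addressing Nick describes (this is example code written for this thread, not Ignition's own implementation), the script below parses a constructed SAML 2.0 response and resolves a mapping string of the form `{idp-attributes://saml:Attribute[@Name='adgroups']}` against the assertion's AttributeStatement. The sample response, the issuer URL, the NameID and the attribute names are all made up for the example; the interpretation of the mapping syntax as an XPath evaluated under the SAML assertion namespace is an assumption about how such a path is resolved, not a statement of how the gateway does it internally.

```python
import re
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 protocol messages and assertions.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample response (not captured from a real IdP): one assertion
# whose AttributeStatement carries a multi-valued "adgroups" and an "email".
SAMPLE_RESPONSE = """<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
    <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="adgroups">
        <saml:AttributeValue>Operators</saml:AttributeValue>
        <saml:AttributeValue>Maintenance</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="email">
        <saml:AttributeValue>jdoe@example.test</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Matches the mapping syntax shown in the thread: {idp-attributes://<xpath>}
MAPPING_RE = re.compile(r"^\{idp-attributes://(.+)\}$")


def attribute_values(response_xml, name):
    """Return the AttributeValue texts of every saml:Attribute whose Name
    equals `name`. Uses the same predicate as the mapping syntax,
    saml:Attribute[@Name='...'], evaluated with ElementTree's limited XPath."""
    if "'" in name:
        # Refuse names that would break out of the quoted predicate.
        raise ValueError("attribute name must not contain a single quote")
    root = ET.fromstring(response_xml)
    values = []
    for attr in root.iterfind(".//saml:Attribute[@Name='%s']" % name, NS):
        for av in attr.iterfind("saml:AttributeValue", NS):
            values.append((av.text or "").strip())
    return values


def resolve_mapping(mapping, response_xml):
    """Resolve an Ignition-style mapping string against a SAML response.
    Assumed semantics: the part after idp-attributes:// is an XPath relative
    to the assertion, evaluated with the saml/samlp prefixes bound as in NS.
    Returns the list of matching AttributeValue texts (empty if no match)."""
    m = MAPPING_RE.match(mapping.strip())
    if not m:
        raise ValueError("not an idp-attributes mapping: %r" % mapping)
    xpath = m.group(1)
    root = ET.fromstring(response_xml)
    values = []
    for node in root.iterfind(".//" + xpath, NS):
        # An Attribute node yields its values; any other node yields its text.
        children = list(node.iterfind("saml:AttributeValue", NS))
        if children:
            values.extend((c.text or "").strip() for c in children)
        else:
            values.append((node.text or "").strip())
    return values


if __name__ == "__main__":
    print(attribute_values(SAMPLE_RESPONSE, "adgroups"))
    print(resolve_mapping("{idp-attributes://saml:Attribute[@Name='email']}",
                          SAMPLE_RESPONSE))
```

Whatever the IdP places in an AttributeValue is delivered to the gateway as plain text in the assertion, so a value like a session cookie would be exposed to every consumer of the mapped attribute; that is one more reason to follow the advice above and give the application its own service credential rather than reusing the user's.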