Ran Duan - 2015-08-07

Hi,
We are building our system with internal SP and external IDP. How should the IDP pass security role information to the SP? Specifically, in tomcat web.xml, we have

<security-role>
<role-name>Role1</role-name>
</security-role>

currently the IDP will send back the following part in the SAML message:

<saml:AttributeStatement>
<saml:Attribute Name="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:profiles:attribute:DCE">
<saml:AttributeValue xsi:type="xs:string" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">Role1</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>

But it seems that Role1 as a group attribute cannot be accepted by the SP and set as a security-role.

So my question is: what should the saml message look like to pass the security-role information?

Thanks in advance.

Ran
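Added example, not code from the post or from any SAML library: the mapping the question is asking about, done on the SP side, is to read the values of the IdP's role-carrying attribute from the signed assertion's AttributeStatement and keep only those that match a `<role-name>` declared in web.xml. The assertion text, the attribute name `groups`, and the allowed-role list below are constructed for the example and are assumptions; the NameFormat on the attribute does not take part in the mapping. Signature, audience and validity-window checks are assumed to have been done by the SP's SAML library before this mapping is trusted.

```python
"""Added example (not from the original post): extract role candidates from a
SAML 2.0 AttributeStatement and intersect them with the security roles that
web.xml declares.

Assumptions (not in the original post): the attribute carrying roles is
named "groups", and ALLOWED_ROLES holds the <role-name> values from web.xml.
SAMPLE_ASSERTION is constructed for this example, not a real IdP response.
Signature and Conditions validation must be done by the SP's SAML library
before any of this output is used for authorization.
"""
import xml.etree.ElementTree as ET
from typing import List, Set

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Roles declared in web.xml: <security-role><role-name>Role1</role-name></security-role>
ALLOWED_ROLES: Set[str] = {"Role1", "Role2"}

# Constructed sample in the shape shown in the post; "Admin" is deliberately
# not a declared role so the filter has something to drop.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:profiles:attribute:DCE">
      <saml:AttributeValue xsi:type="xs:string" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">Role1</saml:AttributeValue>
      <saml:AttributeValue xsi:type="xs:string" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">Admin</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>user@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def attribute_values(assertion_xml: str, attribute_name: str) -> List[str]:
    """Return every AttributeValue string of the named attribute, in document order.

    Only the attribute's Name is matched; NameFormat and xsi:type are ignored,
    which is how most SP-side attribute-to-role mappings behave.
    """
    root = ET.fromstring(assertion_xml)
    values: List[str] = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != attribute_name:
            continue
        for val in attr.iterfind("saml:AttributeValue", NS):
            text = (val.text or "").strip()
            if text:
                values.append(text)
    return values


def map_roles(assertion_xml: str, role_attribute: str = "groups") -> Set[str]:
    """Grant only roles that are both asserted by the IdP and declared in web.xml.

    The intersection is the safety check: an IdP attribute value that is not a
    declared role (here "Admin") never becomes a container role.
    """
    asserted = set(attribute_values(assertion_xml, role_attribute))
    return asserted & ALLOWED_ROLES


if __name__ == "__main__":
    print("asserted:", attribute_values(SAMPLE_ASSERTION, "groups"))
    print("granted :", sorted(map_roles(SAMPLE_ASSERTION)))
```

The name of the role attribute (`groups` here) and the role names are the two things the SP and IdP have to agree on; once they match, the AttributeStatement in the question already carries enough to populate Role1, provided the SP is configured to read that attribute as its role source.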