Layer7 Access Management

Expand all | Collapse all

Is it possible to dynamically display the Service Provider name on the login page in a Partnership Federation configuration? *

  • 1.  Is it possible to dynamically display the Service Provider name on the login page in a Partnership Federation configuration? *

    Posted 03-08-2018 12:14 PM

    We'd like to validate the Service Provider name on our login page/auth scheme for security. Is this possible to do within the SiteMinder FWS configuration, or would we need to have the SP send something unique to identify?

     

    Thanks!



  • 2.  Re: Is it possible to dynamically display the Service Provider name on the login page in a Partnership Federation configuration? *

    Posted 03-12-2018 01:39 PM

    This is possible with some customization.  Assuming this need is for SP-initiated use cases (SPID is controlled by IDP in IDP-initiated), The SP will be sending the SAMLRequest via GET or POST.  This is far easier if GET (redirect binding) is used.  With a GET request. the SAMLRequest will be included as a query parameter, so a customized active login page can capture the SAMLRequest value from the query string, decode it, and extract the SPID from the decoded value.  

    This is more difficult for SP-initiated POST requests since the SAMLRequest parameter is within the POST data which is not available once the user is redirected for authentication.  When a user submits an SP-initiated request via POST, the SAMLRequest data is written to the session store when the user is redirected for authentication.  Upon return to the saml2sso URL after authentication, the SAMLRequest data is retrieved from the session store using the transaction ID that is issued for each new SAML request.  Either the login page would need the ability to retrieve the SAMLRequest from the session store, or the SAMLRequest somehow captured prior to redirecting the user for authentication.