Idea Details

SiteMinder: modify the SAML request

Last activity 20 days ago
11-06-2019 11:45 AM

From Larry at UTC: 

To provide a seamless SSO experience when users click the ‘Login with Azure’ button, we have to include a SAML hint to bypass the Microsoft login screen (we’ve done this with other apps like EmpowerU and Mattermost). Here is the article on what needs to be done in the SAML request:

https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Using-Azure-AD-to-land-users-on-their-custom-login-page-from/ba-p/243900

When we looked into this 2 years ago with 12.52, it didn’t seem to be possible to modify the SAML request in SiteMinder. Do you know if this is possible in 12.8? Should we open a case with CA support?

Justin (HCL Proj Mgr) received the following responses, hence the Enhancement Request/Idea creation here.

10/15 Support to JL: I do not think anything changed since 12.52 when it comes to SAML config, not utilization. I am not aware of any API that allows you to modify the SAMLRequest itself; we do have the assertion generator plugin and the assertion consumer one, but these cannot be used to customize the SAMLRequest. Let me roll the same by the DEV team and see what they say; I will let you know.

10/17 Support to JL: Sent the same to our DEV team and below is what we got: "We don't support the requested feature even in 12.8 also." So nothing changed even in the newer release. Please let me know if anything else is needed.


Comments

20 days ago

The following email was shared w/Herb:

Some reading for those nights where it’s difficult to fall asleep. In a nutshell, this is Microsoft’s recommendation to avoid a domain discovery pop-up when the user is already logged into Azure/O365. The highlighted lines in the below example are what would be needed to indicate to Microsoft where the user would exist in Azure. Then the normal prompt is skipped.

This goes beyond the “RelayState” suggestion as this is not a deep-linking use case. It’s a way to let Azure know where to look for the user – which Azure domain. It needs to be included in the AuthnRequest of the SAML assertion. The available SDK options (Assertion Generator Plugin) do not allow changes to this part of the assertion. So, the request is to either allow SDK changes to update the AuthnRequest OR provide a configuration method for the IDP to include these optional values.

I hope this clarifies the request for product management.

SAML AuthN requests differ from WS-Fed or OIDC in that the request parameters aren’t transmitted over the query string. Instead they need to be specified in a request XML document that is base64-encoded to create the SAML AuthN request. To include the hint, you should use the Scoping XML node, and include a single IDPEntry under the IDPList (at this time, only the first IDPEntry node is used by Azure AD). Here’s an example of what the request would look like with “contoso.com” as the domain name hint:

<samlp:AuthnRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="iddeb9381bc15e4fd6a253b97205d47c6f" Version="2.0" IssueInstant="2015-02-26T18:57:06.4772751Z" IsPassive="false" AssertionConsumerServiceURL="https://www.authnauthz.com/saml/inboundauthnresponse" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer>https://www.authnauthz.com</saml:Issuer>
  <samlp:Scoping>
    <samlp:IDPList>
      <samlp:IDPEntry ProviderID="https://contoso.com" Name="contoso.com"/>
    </samlp:IDPList>
  </samlp:Scoping>
</samlp:AuthnRequest>

Please review https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Using-Azure-AD-to-land-users-on-their-custom-login-page-from/ba-p/243900 for more details.

Thanks,

Brian

11-06-2019 11:59 AM

I do not see a drop down box for SSO or SiteMinder in the category filter.