saml
How do we Parse the XML Response to retrieve specific attributes such as name and email
Hello, thanks for this useful library. However, due to the lack of examples on the SAML assertion after authentication with the IDP, I'm unsure how to parse the XML response or utilise the response to retrieve certain attribute values from the response, such as "name" and "email".
Thanks for reading!
I have a similar issue. I think I am doing something wrong and this is not the right way to access the assertion attributes.
However, in this blog post I found that the function `hello` there uses a partial extraction from the session attributes, as we can read here: https://github.com/crewjam/saml/blob/0f63febe30197e3289aebc5acbc56176dd542835/samlsp/session.go#L79-L89
It stops at GetAttributes, which effectively maps all the available attributes in the session. Is this the correct way of extracting Assertion attributes?
Edit:
I decoded the JWT token from the session cookie `_subspace_sso_session` and it turns out everything is there:

```json
{
  "aud": "http://192.168.0.4/",
  "exp": 1620419458,
  "iat": 1620415858,
  "iss": "http://192.168.0.4/",
  "nbf": 1620415858,
  "sub": "[email protected]",
  "attr": {
    "SessionIndex": [
      "abca530a-d50a-487b-a60f-d88534bb4f69"
    ]
  },
  "saml-session": true
}
```
The method I posted above returns the `attr` section of the session JWT. How can we access the rest of the token attributes?
Update:
Dumping the session variable before building the `sessionWithAttributes` struct shows all the info we need:

```go
logger.Debugf("%+v\n", s)
```

```text
2021-05-07_19:52:35.29019 time="2021-05-07T19:52:35Z" level=debug msg="{StandardClaims:{Audience:http://192.168.0.4/ ExpiresAt:1620419458 Id: IssuedAt:1620415858 Issuer:http://192.168.0.4/ NotBefore:1620415858 Subject:[email protected]} Attributes:map[SessionIndex:[abca530a-d50a-487b-a60f-d88534bb4f69]] SAMLSession:true}\n"
```
We have to access these attributes directly from the session, therefore.
Update: With solution
Finally found it.
TLDR:

```go
// Inside an http.HandlerFunc(w, r); samlSP, _ := samlsp.New(...) was created at startup.
// Imports needed: "fmt", "net/http", "github.com/crewjam/saml/samlsp".
session, err := samlSP.Session.GetSession(r)
if err != nil && err != samlsp.ErrNoSession {
	http.Error(w, err.Error(), http.StatusInternalServerError)
	return
}
if session != nil {
	r = r.WithContext(samlsp.ContextWithSession(r.Context(), session))
	// Session is an interface; the JWT session codec hands back a JWTSessionClaims
	// value, so a type assertion exposes its fields.
	jwtSessionClaims, ok := session.(samlsp.JWTSessionClaims)
	if !ok {
		http.Error(w, fmt.Sprintf("unable to decode session into JWTSessionClaims (got %T)", session), http.StatusInternalServerError)
		return
	}
	email := jwtSessionClaims.Subject // the NameID the IdP asserted; use it from here on
}
```

where `r *http.Request` and `samlSP` comes from `samlsp.New(...)`.
Explanation: while `Session` contains all the information we need, it is an interface and must have its properties exposed by explicit methods. However, following https://github.com/crewjam/saml/blob/0f63febe30197e3289aebc5acbc56176dd542835/samlsp/session_jwt.go#L122, `Session` is an interface for the struct `JWTSessionClaims`, which we CAN access. Therefore we make a type assertion and effectively cast `Session` into `JWTSessionClaims`.
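As an added example (not code from the library or from the thread), here is the decoding step from the "Edit" above done with the standard library only: split the cookie's compact JWT, base64url-decode the payload, and read the subject from the standard claims and the SAML attributes from `attr`. The `sessionClaims` struct, the helper names and the sample subject are assumptions modelled on the payload shown above; the real session type is `samlsp.JWTSessionClaims`, obtained through `GetSession`.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// sessionClaims mirrors the decoded cookie payload above (subject and issuer are standard
// JWT claims; SAML attributes sit under "attr"); an assumption, not the library's own type.
type sessionClaims struct {
	Issuer     string              `json:"iss"`
	Subject    string              `json:"sub"`
	Attributes map[string][]string `json:"attr"`
}

// parseSessionPayload decodes the payload segment of a compact JWT WITHOUT verifying the
// signature: debugging only. In a handler use samlSP.Session.GetSession, which validates first.
func parseSessionPayload(token string) (*sessionClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("not a compact JWT: want header.payload.signature")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("decode payload: %w", err)
	}
	c := &sessionClaims{}
	if err := json.Unmarshal(raw, c); err != nil {
		return nil, fmt.Errorf("unmarshal claims: %w", err)
	}
	return c, nil
}

// firstAttr returns the first value of a multi-valued SAML attribute, "" if the IdP did not send it.
func firstAttr(c *sessionClaims, name string) string {
	if v := c.Attributes[name]; len(v) > 0 {
		return v[0]
	}
	return ""
}

// constructedToken builds an unsigned sample token with the payload from the thread (constructed).
func constructedToken() string {
	payload := `{"iss":"http://192.168.0.4/","sub":"user@example.test",` +
		`"attr":{"SessionIndex":["abca530a-d50a-487b-a60f-d88534bb4f69"]}}`
	enc := base64.RawURLEncoding.EncodeToString
	return enc([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + enc([]byte(payload)) + ".placeholder"
}
```

Note that `firstAttr(c, "email")` returns "" for this payload: the IdP only sent `SessionIndex`, so "email" has to come from the subject (or be added to the IdP's attribute release) rather than from `attr`.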