Okta Classic Engine | Authentication | Answered | asked 2022-12-06T02:11:45Z | 2022-12-14T18:56:09Z | 2025-09-13T09:01:51Z

venkatd.41211 (Customer) asked a question.

How can I pass attribute as part of saml request?

I am trying to pass a dynamic attribute value as part of the SAML request so it is included in the SAML response. I am unable to see the attribute returned as part of the SAML response.

 

Sample request; I do not see the attribute TestRole_Dynamic included in the SAML response.

 

<samlp:AuthnRequest xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    ID="test_demo"
    Version="2.0"
    IssueInstant="2022-12-06T02:09:23Z"
    IsPassive="false"
    AssertionConsumerServiceURL="https://example.com/saml"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ForceAuthn="false">
  <samlp:Extensions>
    <md:AttributeConsumingService index="0"
        xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
      <md:RequestedAttribute Name="TestRole_Dynamic"
          isRequired="true"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml:AttributeValue>test_role_name_dyamic</saml:AttributeValue>
      </md:RequestedAttribute>
    </md:AttributeConsumingService>
  </samlp:Extensions>
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://www.okta.com/mytestapp</Issuer>
</samlp:AuthnRequest>
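The symptom in the question is easier to reason about when the two documents are compared side by side: what the SP asked for in <samlp:Extensions> versus what the IdP actually put into the assertion's AttributeStatement. The script below is an added example, not code from the question or from Okta. It parses a trimmed copy of the AuthnRequest above and a constructed, unsigned stand-in for the IdP's Response (a real Okta response is signed and carries more elements) and lists the requested attribute names that never appeared in the assertion. The security-relevant point it makes visible is that the attribute values in the assertion are chosen by the IdP from its own configuration; an AuthnRequest is normally unsigned and delivered through the user's browser, so an IdP that copied attribute values out of the request would let whoever crafts the request assert their own role.

```python
"""Compare the attributes an SP requested in a SAML AuthnRequest (via
<samlp:Extensions>/<md:AttributeConsumingService>) with the attributes the
IdP actually asserted in the SAML Response.  Added example; inputs are constructed."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
}

# Constructed input: the AuthnRequest from the question, trimmed to the parts that matter.
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="test_demo" Version="2.0" IssueInstant="2022-12-06T02:09:23Z"
    AssertionConsumerServiceURL="https://example.com/saml">
  <samlp:Extensions>
    <md:AttributeConsumingService index="0"
        xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
      <md:RequestedAttribute Name="TestRole_Dynamic" isRequired="true"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml:AttributeValue>test_role_name_dyamic</saml:AttributeValue>
      </md:RequestedAttribute>
    </md:AttributeConsumingService>
  </samlp:Extensions>
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://www.okta.com/mytestapp</saml:Issuer>
</samlp:AuthnRequest>"""

# Constructed input: a minimal, unsigned stand-in for the IdP's Response.  Only the
# AttributeStatement matters for this check; the IdP asserted "email" and nothing else.
SAML_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2022-12-06T02:09:30Z" InResponseTo="test_demo">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2022-12-06T02:09:30Z">
    <saml:Issuer>http://www.okta.com/mytestapp</saml:Issuer>
    <saml:AttributeStatement>
      <saml:Attribute Name="email">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def requested_attributes(authn_request_xml):
    """Return {name: [values]} for every md:RequestedAttribute in the request's Extensions."""
    root = ET.fromstring(authn_request_xml)
    path = "samlp:Extensions/md:AttributeConsumingService/md:RequestedAttribute"
    out = {}
    for ra in root.findall(path, NS):
        out[ra.get("Name")] = [v.text or "" for v in ra.findall("saml:AttributeValue", NS)]
    return out


def asserted_attributes(response_xml):
    """Return {name: [values]} for every saml:Attribute in the assertion's AttributeStatement."""
    root = ET.fromstring(response_xml)
    out = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        out[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return out


def missing_attributes(authn_request_xml, response_xml):
    """Names the SP requested that the IdP did not assert: the symptom in the question."""
    requested = set(requested_attributes(authn_request_xml))
    asserted = set(asserted_attributes(response_xml))
    return sorted(requested - asserted)


if __name__ == "__main__":
    print("requested:", requested_attributes(AUTHN_REQUEST))
    print("asserted: ", asserted_attributes(SAML_RESPONSE))
    print("missing:  ", missing_attributes(AUTHN_REQUEST, SAML_RESPONSE))
```

Run against a captured request and the matching response (the InResponseTo value ties them together) to confirm whether the gap is on the IdP side; with the inputs above, TestRole_Dynamic is reported as missing because the IdP's attribute statements, not the request, decide what is asserted.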

  • DonF.81354 (Customer)

    From what I understand in your question, I believe this article would greatly assist:

    How to Define and Configure a Custom SAML Attribute Statement

    Once configured, please use the "Preview SAML" button so you can see what that assertion would look like.

    Please let me know if that does not help answer your question and I will try to assist again. Thanks!

    Selected as Best
  • a0n5s (a0n5s)

    As @DonF.81354 (Customer) told you, you can reference that document.

    I pass the screenshot.

    You can create a custom attribute TestRole_Dynamic in the profile of this application, and map this attribute with an expression or an Okta attribute.

    Then in the SAML attribute statements reference this attribute value by:

    appuser.TestRole_Dynamic
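To make the mapping in this answer concrete, here is an added example (not the author's or Okta's code) that models the IdP side of the flow: a custom app-user profile attribute TestRole_Dynamic, an attribute-statement configuration that references it as appuser.TestRole_Dynamic, and the <saml:AttributeStatement> the IdP would emit from that configuration. The expression resolver is a deliberately simplified stand-in for Okta's Expression Language that understands only user.<attribute> and appuser.<attribute> references; the profile data and statement list are constructed. Note what the resolver's scopes do not include: nothing from the incoming AuthnRequest, which is why a value supplied in the request never reaches the assertion.

```python
"""Model of IdP-side SAML attribute statements driven by Okta-style user and
app-user profiles.  Added example with constructed data; the expression resolver
is a simplified stand-in for Okta's Expression Language (user.* and appuser.* only)."""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"

# Constructed sample data: an Okta user profile and that user's app-user profile for one app.
USER = {"login": "alice@example.com", "email": "alice@example.com", "firstName": "Alice"}
APPUSER = {"userName": "alice@example.com", "TestRole_Dynamic": "finance_admin"}

# Constructed attribute-statement configuration: SAML attribute name -> expression.
ATTRIBUTE_STATEMENTS = [
    ("email", "user.email"),
    ("TestRole_Dynamic", "appuser.TestRole_Dynamic"),
]


def resolve(expression, user, appuser):
    """Resolve 'user.<attr>' or 'appuser.<attr>' against the profiles.

    Only profile scopes exist: there is no scope for request-supplied data, so an
    attribute value carried in the AuthnRequest cannot be referenced here."""
    scope, _, attr = expression.partition(".")
    source = {"user": user, "appuser": appuser}.get(scope)
    if source is None or not attr:
        raise ValueError(f"unsupported expression: {expression!r}")
    return source.get(attr)


def build_attribute_statement(statements, user, appuser):
    """Return the <saml:AttributeStatement> element the IdP would place in the assertion.

    An expression that resolves to None (the profile attribute was never set) produces
    no <saml:Attribute>, which is what an SP sees as a "missing" attribute."""
    ET.register_namespace("saml", SAML_NS)
    stmt = ET.Element(f"{{{SAML_NS}}}AttributeStatement")
    for name, expression in statements:
        value = resolve(expression, user, appuser)
        if value is None:
            continue
        attr = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute", Name=name, NameFormat=UNSPECIFIED)
        ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = str(value)
    return stmt


def asserted_values(statements, user, appuser):
    """Flatten the statement to {attribute name: value} for easy inspection."""
    stmt = build_attribute_statement(statements, user, appuser)
    return {
        a.get("Name"): a.find(f"{{{SAML_NS}}}AttributeValue").text
        for a in stmt.findall(f"{{{SAML_NS}}}Attribute")
    }


if __name__ == "__main__":
    stmt = build_attribute_statement(ATTRIBUTE_STATEMENTS, USER, APPUSER)
    print(ET.tostring(stmt, encoding="unicode"))
    # Same configuration, but this app-user profile never had TestRole_Dynamic set:
    # the attribute is simply absent from the statement.
    print(asserted_values(ATTRIBUTE_STATEMENTS, USER, {"userName": "bob@example.com"}))
```

The second call in the usage block reproduces the situation from the question: with the statement configured but no value on the app-user profile, the assertion carries "email" only. Populating the app-user attribute (manually, by expression, or from an Okta user attribute) is what makes TestRole_Dynamic appear, and the "Preview SAML" button mentioned in the accepted answer shows the same element tree before any real login is attempted.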
  • venkatd.41211 (Customer)

    Attribute mapping on the application page can't be dynamic, and we would like to control the attribute value as part of the request, so that when the SAML assertion happens it passes back the attribute we passed as part of the request.

    This is mainly used to dynamically assign roles to users based on our application access pattern.

    So in short, we want to pass the attribute during the samlp auth request and receive the same attribute as part of the SAML response.

    There was a topic here but it doesn't work:

    https://support.okta.com/help/s/question/0D51Y00008W1zkYSAR/inbound-saml-configuration-adding-unwanted-custom-attributes?language=en_US

    An example is this:

    https://lists.oasis-open.org/archives/security-services/201508/msg00001/connectis_protocol_extension_draft.pdf
  • DonF.81354 (Customer)

    Perhaps this does or does not help, but I believe it might after looking over the introduction for this article:

    Pass Dynamic Authentication Context

    With that being said, @Mihai N. (Okta, Inc.), do you have any input on this for @venkatd.41211 (Customer)?

    For me, I believe what you are requesting is that the application will make access decisions based on the information provided in the SAML assertions, but I could be wrong. I believe the article(s) here would do that, but I want another opinion to be sure I understand correctly.
    • Mihai N. (Okta, Inc.)

      @venkatd.41211 (Customer) The way I'm reading this, the main goal is to assign roles to users, presumably in the downstream app (correct me if I'm wrong), when logging in via Okta SAML SSO.

      This would mainly depend on the downstream app and would be achieved by using the Additional Attribute Statements mentioned in the article provided by Don.

      The requirements being that the app recognises the attribute name + values sent via the SAML assertion. The value can be based on any of the user's pre-existing attributes, or you can create a custom attribute in the Okta User Profile using the Profile Editor.

      That being said, I'm confused by the need to have the same attribute being passed back. Even if this would be possible, I would assume it would be the app's purview to do so, and I'm not aware of any feature in Okta that would consume those values once sent back in the context of SSO where Okta is the IDP.

      I'm sure that I'm just misunderstanding the use case. Perhaps, if you could somehow illustrate the use case with some examples, we might be able to provide a better answer.
  • a0n5s (a0n5s)

    It seems like my feature request:

    https://ideas.okta.com/app/#/case/161089

    One Okta user maps to many application users. Another case is many Okta users mapping to one application user; this is for license sharing.

    Hope Okta can support this feature.
This question is closed.