Authentication

Specifying Prefilled Information

August 15, 2017; updated October 19, 2018

Some authentication methods accept prefilled information, which in most cases lets the end user skip certain steps (for example typing in an identifier the service provider already knows). For an explanation of which methods accept which information, see the section "Supported URL parameters" at Demo Service.

Signicat supports two ways of passing along this information, depending on what your federation agent supports.

Extensions

This is the preferred way of passing prefilled elements. Extensions is an optional element in SAML 2.0 that lets arbitrary information be passed to the identity provider (see section 3.2.1 of the SAML v2.0 Core specification). Within the Extensions element, specify one signicat:Prefilled element per parameter, like this:

<signicat:Prefilled xmlns:signicat="urn:signicat" Parameter="subject">05054512345</signicat:Prefilled>
Example. Note that Extensions belongs to the samlp namespace and, per the schema, follows Issuer and precedes NameIDPolicy. The prefilled values are hints supplied by the requesting side (and, when the AuthnRequest is not signed, modifiable by whoever holds the browser); they only pre-populate the user's input, and the identity to rely on is the one in the assertion returned after the user has authenticated.
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" Destination="https://id.customer.com/gateway/customer/saml2/sso/browser" ID="id-b5f96406-9934-4cc4-a1b3-897ca35aed13" IssueInstant="2014-11-01T22:42:23.584Z" Version="2.0">
    <saml:Issuer>http://login.customer.com/adfs/services/trust</saml:Issuer>
    <samlp:Extensions>
        <signicat:Prefilled xmlns:signicat="urn:signicat" Parameter="subject">05054512345</signicat:Prefilled>
        <signicat:Prefilled xmlns:signicat="urn:signicat" Parameter="phone">11223344</signicat:Prefilled>
    </samlp:Extensions>
    <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"></samlp:NameIDPolicy>
</samlp:AuthnRequest>
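As an added example (not code from this page or from Signicat), the following Python builds an AuthnRequest in the shape shown above and, for the receiving side, extracts only those signicat:Prefilled elements that sit inside samlp:Extensions, carry a Parameter attribute and name a known parameter. The issuer, destination and the ALLOWED_PARAMETERS set are assumptions for the example; the authoritative parameter list is the one the page refers to.

```python
"""Build a SAML 2.0 AuthnRequest that carries signicat:Prefilled elements in
samlp:Extensions, and read those elements back on the receiving side.
Added example; ALLOWED_PARAMETERS is an assumption for the example, not
Signicat's authoritative list."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SIGNICAT = "urn:signicat"
for _prefix, _uri in (("samlp", SAMLP), ("saml", SAML), ("signicat", SIGNICAT)):
    ET.register_namespace(_prefix, _uri)

# Assumed for this example: the parameters the receiving side is prepared to
# prefill. Anything else is rejected when building and ignored when parsing.
ALLOWED_PARAMETERS = frozenset({"subject", "phone", "bank"})


def build_authn_request(issuer, destination, prefilled, allowed=ALLOWED_PARAMETERS):
    """Return the AuthnRequest as UTF-8 bytes. Child order follows the SAML
    schema: saml:Issuer, then samlp:Extensions, then samlp:NameIDPolicy."""
    unknown = set(prefilled) - set(allowed)
    if unknown:
        raise ValueError(f"unsupported prefilled parameters: {sorted(unknown)}")
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "id-" + str(uuid.uuid4()),
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z",
        "Destination": destination,
    })
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = issuer
    extensions = ET.SubElement(root, f"{{{SAMLP}}}Extensions")
    for parameter, value in prefilled.items():
        # ElementTree escapes text content, so a value containing '<' or '&'
        # cannot break out of its element.
        element = ET.SubElement(extensions, f"{{{SIGNICAT}}}Prefilled", {"Parameter": parameter})
        element.text = value
    ET.SubElement(root, f"{{{SAMLP}}}NameIDPolicy", {
        "AllowCreate": "true",
        "Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    })
    return ET.tostring(root, encoding="utf-8")


def extract_prefilled(authn_request_xml, allowed=ALLOWED_PARAMETERS):
    """Return {parameter: value} for the well-formed signicat:Prefilled elements
    of an AuthnRequest. Elements outside samlp:Extensions, in another
    namespace, lacking a Parameter attribute, empty, or naming an unknown
    parameter are ignored; on duplicates the first occurrence wins.
    The values are hints from the requester, not an authenticated identity.
    (xml.etree does not fetch external entities; for untrusted input in
    production, parse with defusedxml.)"""
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    found = {}
    for element in root.findall(f"{{{SAMLP}}}Extensions/{{{SIGNICAT}}}Prefilled"):
        parameter = element.get("Parameter")
        value = (element.text or "").strip()
        if parameter in allowed and value and parameter not in found:
            found[parameter] = value
    return found


if __name__ == "__main__":
    request = build_authn_request(
        "http://login.customer.com/adfs/services/trust",
        "https://id.customer.com/gateway/customer/saml2/sso/browser",
        {"subject": "05054512345", "phone": "11223344"},
    )
    print(request.decode())
    print(extract_prefilled(request))
```

The parser deliberately looks only under samplp-namespaced Extensions: a Prefilled element dropped elsewhere in the request, or one in a different namespace, is not a valid prefill and is ignored rather than guessed at.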

URL modification

Some federation agents do not support Extensions, and some (most notably Shibboleth) do not allow the parameters to be set dynamically. For those cases Signicat offers a second, more roundabout scheme: URL modification, where the parameter is carried in the query string of the identity provider's SingleSignOnService URL in a separate copy of the metadata.

The scheme does have its limitations:

  • Since you will need to create a new set of metadata for each anticipated parameter, this scheme works best if you have a limited set of parameters to choose from.
  • The scheme will not work with ADFS. ADFS enforces the rule that no more than one endpoint can use the same certificate to sign SAML assertions, and hence, adding the second set of metadata will fail.

Procedure

First, download the appropriate metadata from https://env.signicat.com/gateway/service_name/saml2/metadata, where env and service_name stand for your Signicat environment and service name. It will look something like this:

<?xml version="1.0" encoding="UTF-8"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
    <md:EntityDescriptor entityID="https://preprod.signicat.com/gateway/demo/saml2/metadata">
        <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
            <md:KeyDescriptor>
                <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                    <ds:X509Data>
                        <ds:X509Certificate><!-- omitted for brevity --></ds:X509Certificate>
                    </ds:X509Data>
                </ds:KeyInfo>
            </md:KeyDescriptor>
            <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://preprod.signicat.com/gateway/demo/saml2/ars/soap" index="0" isDefault="true"></md:ArtifactResolutionService>
            <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://preprod.signicat.com/gateway/demo/saml2/slo/browser"></md:SingleLogoutService>
            <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://preprod.signicat.com/gateway/demo/saml2/slo/browser"></md:SingleLogoutService>
            <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://preprod.signicat.com/gateway/demo/saml2/sso/browser"></md:SingleSignOnService>
            <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://preprod.signicat.com/gateway/demo/saml2/sso/browser"></md:SingleSignOnService>
        </md:IDPSSODescriptor>
    </md:EntityDescriptor>
</md:EntitiesDescriptor>

Create a second set of metadata, appending prefilled.<parameter>=<value> to the Location of each md:SingleSignOnService endpoint. Change the entityID as well, so that your federation agent treats the copy as a distinct identity provider instead of overwriting the original. Leave the other endpoints and the certificate unchanged.

<?xml version="1.0" encoding="UTF-8"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
    <md:EntityDescriptor entityID="https://preprod.signicat.com/gateway/demo/saml2/metadata/nordea">
        <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
            <md:KeyDescriptor>
                <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                    <ds:X509Data>
                        <ds:X509Certificate><!-- omitted for brevity --></ds:X509Certificate>
                    </ds:X509Data>
                </ds:KeyInfo>
            </md:KeyDescriptor>
            <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://preprod.signicat.com/gateway/demo/saml2/ars/soap" index="0" isDefault="true"></md:ArtifactResolutionService>
            <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://preprod.signicat.com/gateway/demo/saml2/slo/browser"></md:SingleLogoutService>
            <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://preprod.signicat.com/gateway/demo/saml2/slo/browser"></md:SingleLogoutService>
            <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://preprod.signicat.com/gateway/demo/saml2/sso/browser?prefilled.bank=nordea"></md:SingleSignOnService>
            <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://preprod.signicat.com/gateway/demo/saml2/sso/browser?prefilled.bank=nordea"></md:SingleSignOnService>
        </md:IDPSSODescriptor>
    </md:EntityDescriptor>
</md:EntitiesDescriptor>

Register this second metadata set as an additional identity provider in your federation agent. Authentication requests sent to that provider carry the query parameter, and Signicat prefills the value it specifies. Two things to check: the agent must append SAMLRequest and RelayState to a Location that already has a query string with & rather than a second ?, and a signature over the original metadata will not verify on the modified copy, so the copy must either be accepted unsigned (as the example above is) or re-signed under a key the agent trusts.
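The procedure above, as an added example in Python (not Signicat's code or tooling): it derives the second metadata set from the first, appending prefilled.<parameter>=<value> to every SingleSignOnService Location, giving the copy a distinct entityID, and refusing to touch metadata that carries a ds:Signature. add_query joins with & when a query string already exists, which is also what a HTTP-Redirect binding must do when it adds SAMLRequest to such a Location. SAMPLE_METADATA is a trimmed copy of the page's example constructed for this script, and appending the value as an entityID path suffix is an assumed convention.

```python
"""Derive a per-parameter copy of Signicat IdP metadata for the URL
modification scheme. Added example; SAMPLE_METADATA is a trimmed copy of the
page's example constructed for this script, and the entityID suffix
convention is an assumption."""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)

SAMPLE_METADATA = b"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:EntityDescriptor entityID="https://preprod.signicat.com/gateway/demo/saml2/metadata">
    <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://preprod.signicat.com/gateway/demo/saml2/slo/browser"/>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://preprod.signicat.com/gateway/demo/saml2/sso/browser"/>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://preprod.signicat.com/gateway/demo/saml2/sso/browser"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def add_query(url, extra):
    """Append the key/value pairs in `extra` to url's query string, joining
    with '&' when the URL already has one. A HTTP-Redirect binding has to do
    the same when it adds SAMLRequest and RelayState to a modified Location."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True) + list(extra.items())
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def _entity(root):
    """Accept either a bare md:EntityDescriptor or one wrapped in md:EntitiesDescriptor."""
    if root.tag == f"{{{MD}}}EntityDescriptor":
        return root
    entity = root.find(f"{{{MD}}}EntityDescriptor")
    if entity is None:
        raise ValueError("no md:EntityDescriptor in metadata")
    return entity


def prefilled_metadata(metadata_xml, parameter, value, suffix=None):
    """Return a modified copy of `metadata_xml` whose SingleSignOnService
    Locations carry prefilled.<parameter>=<value> and whose entityID ends in
    `suffix` (default: the value). Signed metadata is refused, because the
    signature would no longer verify after the edit."""
    root = ET.fromstring(metadata_xml)
    if root.find(f".//{{{DS}}}Signature") is not None:
        raise ValueError("metadata is signed; the modified copy would not verify")
    entity = _entity(root)
    entity.set("entityID", entity.get("entityID").rstrip("/") + "/" + (suffix or value))
    for sso in entity.iter(f"{{{MD}}}SingleSignOnService"):
        sso.set("Location", add_query(sso.get("Location"), {f"prefilled.{parameter}": value}))
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def entity_id(metadata_xml):
    return _entity(ET.fromstring(metadata_xml)).get("entityID")


def sso_locations(metadata_xml):
    """Map each SingleSignOnService Binding to its Location."""
    entity = _entity(ET.fromstring(metadata_xml))
    return {e.get("Binding"): e.get("Location") for e in entity.iter(f"{{{MD}}}SingleSignOnService")}


if __name__ == "__main__":
    print(prefilled_metadata(SAMPLE_METADATA, "bank", "nordea").decode())
```

Run it once per anticipated value and hand each output file to the federation agent as its own identity provider; the SingleLogoutService and ArtifactResolutionService endpoints are left untouched, since only the SSO URL needs the parameter.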
