Modify the AuthnRequest sent by OTDS

Hi,
My goal is to use Italian Public Identity Providers (SPID) to log into AppWorks / OTDS with the auto-provisioning handler in SAML.

Due to validation problems on the IdP side I need to modify the AuthnRequest sent by OTDS or customize the SAML handler.

Is that possible?

Thanks


Answers

  • You mention 'problems', 'AuthnRequest' and 'SAML handler'.

    What are the problems and what do you want to modify? The data sent to the IdP?

    Questions lead to more questions.

  • jpluimers (Community Moderator)

    @garmanno , is this a similar request as made earlier here https://forums.opentext.com/forums/support/discussion/310482/modify-samlmetadata ?

    Let me try to get an answer for that.

  • Hi @jpluimers,
    Yes, it is related to that request. I was advised to ask the forum, and here I am.

    Hi @Sander_Beutick_OT_PS,
    I am using the SAML 2.0 Authentication Handler to authenticate with auto-provisioning at Italian public IdPs.
    When I execute the authentication request it fails because the AuthnRequest is not correct for the IdP validator.

    This is the AuthnRequest:

    <AuthnRequest xmlns="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceIndex="0" Destination="https://demo.spid.gov.it/validator/samlsso" ID="****" IssueInstant="2024-01-07T07:52:58Z" Version="2.0">
      <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">****</saml:Issuer>
      <ds:Signature>[...]</ds:Signature>
      <NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
    </AuthnRequest>

    Specifically, the errors I receive are:

    in <saml:Issuer> The Format attribute MUST be present
    in <saml:Issuer> The Format attribute MUST have a value
    in <saml:Issuer> The Format attribute MUST be urn:oasis:names:tc:SAML:2.0:nameid-format:entity
    in <saml:Issuer> The NameQualifier attribute MUST be present
    in <saml:Issuer> The NameQualifier attribute MUST have a value

    The digest algorithm MUST be one of [http://www.w3.org/2001/04/xmlenc#sha256, http://www.w3.org/2001/04/xmlenc#sha384

    in <AuthnRequest> The AttributeConsumingServiceIndex attribute MUST be present

    in <NameIDPolicy> The AllowCreate attribute MUST not be present

    RequestedAuthnContext element MUST be present

    I'm looking for a way to modify the AuthnRequest that is sent to the IdP for the connection.

    Thanks again for the help
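As an added example for readers of this thread (not OTDS code and not the official SPID validator), here is a small Python checker that reproduces the validator rules quoted in the post above, runs them against a constructed copy of the posted AuthnRequest, and then against a corrected request that satisfies them. Assumptions: the Issuer/entityID URL, the SHA-1 DigestMethod in the constructed "before" request (the thread only says the digest was rejected, not which algorithm OTDS used) and the SpidL2 authentication level are all placeholders; the allowed-digest set contains only the two URIs visible in the truncated error message.

```python
"""Check an AuthnRequest against the SPID validator rules quoted in the thread.

Constructed example for this thread: not OTDS code and not the official
validator at https://demo.spid.gov.it/validator. Only the rules quoted in
the post are implemented; the allowed digest list holds only the two URIs
visible in the (truncated) error message.
"""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
ENTITY_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
ALLOWED_DIGESTS = {
    "http://www.w3.org/2001/04/xmlenc#sha256",
    "http://www.w3.org/2001/04/xmlenc#sha384",
}


def spid_authnrequest_errors(xml_text: str) -> list:
    """Return the rule violations found; an empty list means the request passes."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        return ["root element MUST be samlp:AuthnRequest"]
    errors = []

    issuer = root.find(f"{{{SAML}}}Issuer")
    if issuer is None:
        errors.append("Issuer element MUST be present")
    else:
        fmt = issuer.get("Format")
        if fmt is None:
            errors.append("Issuer: Format attribute MUST be present")
        elif fmt != ENTITY_FORMAT:
            errors.append("Issuer: Format attribute MUST be " + ENTITY_FORMAT)
        if not issuer.get("NameQualifier"):
            errors.append("Issuer: NameQualifier attribute MUST be present and have a value")

    # SPID requires the SP to point at one of its declared AttributeConsumingServices.
    if root.get("AttributeConsumingServiceIndex") is None:
        errors.append("AuthnRequest: AttributeConsumingServiceIndex attribute MUST be present")

    policy = root.find(f"{{{SAMLP}}}NameIDPolicy")
    if policy is not None and policy.get("AllowCreate") is not None:
        errors.append("NameIDPolicy: AllowCreate attribute MUST not be present")

    if root.find(f"{{{SAMLP}}}RequestedAuthnContext") is None:
        errors.append("RequestedAuthnContext element MUST be present")

    # Every signed reference must use an accepted digest (SHA-1 is rejected).
    for digest in root.iter(f"{{{DS}}}DigestMethod"):
        alg = digest.get("Algorithm")
        if alg not in ALLOWED_DIGESTS:
            errors.append(f"Signature: digest algorithm {alg} MUST be one of {sorted(ALLOWED_DIGESTS)}")
    return errors


# Constructed copy of the posted request. The thread elides the signature body;
# a SHA-1 DigestMethod is assumed here so that the digest rule fires.
OTDS_STYLE_REQUEST = """<AuthnRequest xmlns="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    AssertionConsumerServiceIndex="0"
    Destination="https://demo.spid.gov.it/validator/samlsso"
    ID="_otds-req-1" IssueInstant="2024-01-07T07:52:58Z" Version="2.0">
  <saml:Issuer>https://sp.example.invalid/otds</saml:Issuer>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_otds-req-1">
    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
  </ds:Reference></ds:SignedInfo></ds:Signature>
  <NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
</AuthnRequest>"""

# Constructed corrected request: Issuer Format/NameQualifier added, digest moved
# to SHA-256, AttributeConsumingServiceIndex added, AllowCreate dropped and a
# RequestedAuthnContext added. Issuer URL and the SpidL2 level are assumptions.
SPID_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    AssertionConsumerServiceIndex="0" AttributeConsumingServiceIndex="0"
    Destination="https://demo.spid.gov.it/validator/samlsso"
    ID="_spid-req-1" IssueInstant="2024-01-07T07:52:58Z" Version="2.0">
  <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
      NameQualifier="https://sp.example.invalid/otds">https://sp.example.invalid/otds</saml:Issuer>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_spid-req-1">
    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
  </ds:Reference></ds:SignedInfo></ds:Signature>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
  <samlp:RequestedAuthnContext Comparison="minimum">
    <saml:AuthnContextClassRef>https://www.spid.gov.it/SpidL2</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

if __name__ == "__main__":
    for name, request in (("OTDS-style", OTDS_STYLE_REQUEST), ("corrected", SPID_REQUEST)):
        problems = spid_authnrequest_errors(request)
        print(f"{name}: {'OK' if not problems else str(len(problems)) + ' problem(s)'}")
        for problem in problems:
            print("  -", problem)
```

Running the script lists six complaints for the OTDS-style request, matching the five Issuer/AuthnRequest/NameIDPolicy/RequestedAuthnContext messages quoted above plus the digest one, and none for the corrected request. The same function is a cheap pre-flight check for a bridging SP (for example a Shibboleth proxy in front of OTDS) before a request is sent to the real validator; keep the element order (Issuer, Signature, NameIDPolicy, RequestedAuthnContext) when you edit a request, since the SAML schema is strict about it.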

  • jpluimers (Community Moderator)

    @garmanno, I checked with the engineering team and currently it is not possible to customize the AuthnRequest to this extent. It is possible to set some things like the NameID format and the XML Signature Algorithm in the Auth Handler parameter configuration UI.

    You can create an enhancement request via support.

    Does the SPID IdP support other mechanisms to integrate besides SAML2, like OAuth?

  • Hi @jpluimers,
    thanks for the reply.

    They are planning to implement OpenID, but it is not available yet.

    I tried to use the custom REST endpoint and the custom web service, but I didn't understand how to use them even after studying the documentation.
    Any advice?

    I'm also thinking of implementing a bridging service using Shibboleth.

    Thanks again

  • jpluimers (Community Moderator)

    The Custom REST auth handler will call the given URL with values. You can specify how these are passed: via the HTTP header, as a form, or as JSON. Then specify the name-value pairs and where to find the user ID in the response after the user is authenticated via this custom REST endpoint.
    I haven't used this myself either.

  • I tried to implement the custom REST handler, but even after enabling it, it is not shown on the OTDS login2 page.

    How do I call it? Do I have to change something in the OTDS login2.jsp?

    Thanks again

  • jpluimers (Community Moderator)

    I added a simple Custom REST Authenticator auth handler config called 'JOPL Rest', with dummy values, and then opened <otds-server/>/otdsws/login. Now this auth handler is shown as a button labelled 'JOPL Rest' under the username and password fields.

    If you enable one of the other auth handlers, e.g. Google OAuth, are you then redirected to Google (which would result in an error)?

  • I have 3 handlers activated, but I only see 2.
    The SAML and OpenID handlers work... the custom ones don't.