Modify the AuthnRequest sent by OTDS

garmanno · 2025-01-08T17:54:27+00:00

There was an error rendering this rich post.

Hi,
My goal is to use Italian Public Identity Providers (SPID) to log into Appworks / OTDS with autoprovisioning handler in SAML.

Due to validation problems by IdP I need to modify the AuthnRequest sent by OTDS or customize the SAML handler.

is that possible?

thanks

Find more posts tagged with

OTDS

Note:

If there are Accepted Answers, those will be shown by default. You can switch to 'All Replies' by selecting the tab below.

Accepted answers

All comments

Sander_Beutick_OT_PS

You mention 'problems', 'AuthnRequest' and 'SAML handler'

What are the problems and what do you want to modify? the data sent to the IdP?

Questions lead to more questions.

jpluimers

@garmanno , is this a similar request as made earlier here https://forums.opentext.com/forums/support/discussion/310482/modify-samlmetadata ?

Let me try to get an answer for that.

garmanno

Hi @jpluimers ,
yes is related to that request. I was advised to ask the forum and here I am.

Hi @Sander_Beutick_OT_PS ,
I am using SAML 2.0 Authentication Handler to authenticate with auto-provisioning at Italian public IdPs.
When I execute the authentication request it fails because the AuthnRequest is not correct for the IdP validator.

this is the AuthnRequest:

specifically the errors I receive are:

in <saml:Issuer> The Format attribute MUST be present
in <saml:Issuer> The Format attribute MUST have a value17
in <saml:Issuer> The Format attribute MUST be urn:oasis:names:tc:SAML:2.0:nameid-format:entity
in <saml:Issuer> The NameQualifier attribute MUST be present failure
in <saml:Issuer> The NameQualifier attribute MUST have a value

The digest algorithm MUST be one of [http://www.w3.org/2001/04/xmlenc#sha256, http://www.w3.org/2001/04/xmlenc#sha384

in <AuthnRequestThe> AttributeConsumingServiceIndex attribute MUST be present

in <NameIDPolicy> The AllowCreate attribute MUST not be present

RequestedAuthnContext element MUST be present

I'm looking for a way to modify the AuthnRequest that is sent to the IdP for the connection

thanks again for the help

jpluimers

@garmanno, I checked with the engineering team and currently it is not possible to customize the AuthnRequest to this extend. It is possible to set some things like the nameid format and XML Signature Algorithm in the Auth Handler parameter configuration UI.

You can create an enhancement request via support.

Does the spid IdP support other mechanisms to integrate besides SAML2, like OAuth?

garmanno

hi @jpluimers,
thanks for the reply.

they are planning to implement openID, but it is not available yet.

I tried to use the custom rest endpoint and the custom web service, but I didn't understand how to use it even studying the documentation.
any advice?

I'm also thinking of implementing a bridging service using shibboleth

thanks again

jpluimers

The Custom REST auth handler will call the given URL with values. You can specify how these are passed, via the http header, form or as json. then specify the name - values pairs and where to find the user id in the response after the user is authenticated via this customer rest endpoint.
I haven't used this myself too.

garmanno

I tried to implement the custom rest, but even enabling it is not shown in the OTDS login2 page.

how do I call it? do I have to change something on the OTDS login2.jsp?

thanks again

jpluimers

I added a simple custom REST Authenticator authhandler config called 'JOPL Rest', with dummy values and then opened <otds-server/>/otdsws/login. Now this authhandler is shown as a button with 'JOPL Rest' under the username and password fields.

If you enable one of the other authhandlers, f.e. Google OAuth, are you then redirected to Google (which would result in an error)?

garmanno

Screenshot 2025-01-09 at 21.27.33.png

Screenshot 2025-01-09 at 21.28.35.png

I have 3 handlers activated, but I only see 2.
the saml and openid handlers works...the custom ones don't.