SessionIndex in AuthnRequest

0
I am looking for a way to tie the SAML request I make to an IdP to the SAML Assertion it sends back. (The reason I need that is detailed in a postscript below since it's a bit involved.) I read [here][1] that "If the SessionIndex attribute is present in the query, at least one element in the set of returned assertions MUST contain a SessionIndex attribute that matches the SessionIndex attribute in the query." I am hoping, but not at all sure, that my SendHttpPost could qualify as a "query" such that if I sent a SessionIndex in the initial post request to the SAML server, the server would return the SessionIndex back to me.

However, I also read the following [here][2]: "... At least one assertion containing an MUST contain a element with at least one element containing a Method of urn:oasis:names:tc:SAML:2.0:cm:bearer. If the identity provider supports the Single Logout profile, defined in Section 4.4, any such authentication statements MUST include a SessionIndex attribute to enable per-session logout requests by the service provider." That suggests to me that the SessionIndex's usage is to request logout based on the SessionIndex received upon login, which would NOT in any way require a tie-back to the original request, only to the SAML Assertion. As such, I am not at all sure if the initial call to the IdP can specify a SessionIndex to be used, and I also don't see any property on the AuthnRequest that will allow me to include a SessionIndex value in my post.

Is there a reliable way to use ComponentPro's software to send some kind of identifier to the IdP with my AuthnRequest.SendHttpPost call and get that identifier back in the SAMLAssertion to tie the two together?

*postscript:* My goal is to support mobile SSO by using an OAuth2 flow with PKCE in an embedded web browser between my mobile device and my backend web server, then completing a SAML flow from the backend web server and redirecting back into the mobile app from there to secure the communication between mobile devices and my web server. The PKCE part of the communication requires that the initial request be tied to the final reply, which means in turn that I need some key that allows me to identify which SAML request on my end triggered the SAML assertion that I get back from the IdP.

[1]: http://blog.sweetxml.org/2008/01/saml-v20-sessionindex-what-and-why.html
[2]: https://community.broadcom.com/communities/community-home/digestviewer/viewthread?MID=755743#bmfa23bd1d-f59e-45d0-b31b-5672e06596c0
edited 4/9/2021 3:13:19 PM
asked 4/2/2021 11:59:25 PM
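As an added illustration (not part of the question and not ComponentPro's API), the correlation SAML 2.0 itself provides is the AuthnRequest's ID attribute, which the IdP echoes in the Response's InResponseTo and in each bearer SubjectConfirmationData; this Python sketch builds a request, records its ID, and accepts a Response only when it is tied to a pending, unexpired, unused ID. The IdP response below is a constructed sample, and signature verification is assumed to happen before this check.

```python
import secrets
import time
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed in-memory store: outstanding AuthnRequest ID -> expiry (epoch seconds).
# A real SP keeps this server-side, bound to the browser session that started the flow.
pending_requests = {}

def build_authn_request(sp_entity_id, acs_url, ttl_seconds=300):
    """Build a minimal AuthnRequest; its ID is the handle the IdP must echo back."""
    request_id = "_" + secrets.token_hex(16)  # xs:ID must not start with a digit
    pending_requests[request_id] = time.time() + ttl_seconds
    req = ET.Element(f"{{{NS['samlp']}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0",
        "IssueInstant": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "AssertionConsumerServiceURL": acs_url})
    ET.SubElement(req, f"{{{NS['saml']}}}Issuer").text = sp_entity_id
    return request_id, ET.tostring(req, encoding="unicode")

def correlate_response(response_xml):
    """Return the pending request ID a Response answers, or None if it cannot be tied
    to one. Signature and Conditions checks are out of scope and must pass first."""
    root = ET.fromstring(response_xml)
    rid = root.get("InResponseTo")
    if pending_requests.pop(rid, 0) < time.time():
        return None  # unsolicited, expired, or replayed (IDs are single-use)
    # Every bearer SubjectConfirmationData must also name the same request.
    for scd in root.iterfind(".//saml:SubjectConfirmationData", NS):
        if scd.get("InResponseTo") != rid:
            return None
    return rid

def make_sample_response(request_id, scd_request_id=None):
    """Constructed stand-in for the IdP's Response, only to exercise correlate_response()."""
    scd_id = scd_request_id or request_id
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="_r1" Version="2.0" InResponseTo="{request_id}"><saml:Assertion ID="_a1" '
            'Version="2.0"><saml:Subject><saml:SubjectConfirmation '
            'Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
            f'<saml:SubjectConfirmationData InResponseTo="{scd_id}"/>'
            '</saml:SubjectConfirmation></saml:Subject>'
            '<saml:AuthnStatement SessionIndex="_s1"/></saml:Assertion></samlp:Response>')
```

The SessionIndex in the returned AuthnStatement is still worth storing alongside the correlated request, since it is what a later LogoutRequest for that session refers to.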

0 Answers

