on 12-20-2023 4:01 PM
Hi,
we are implementing an MDK application deployed on subaccount "A" that consumes an OData service deployed on subaccount "B".
The subaccount "A" has a custom IdP that is federated with ADFS. A custom assertion attribute has been inserted in the federation.
In other applications deployed on subaccount "A" I can see the custom assertion attribute.
I want the service on subaccount "B" to read the custom assertion attributes. To do this I've created, in mobile connectivity, a destination with OAuth2 SAML Bearer Assertion. I've established a trust with this new destination in subaccount "B" and the authentication is correctly propagated, but in the service I can't see the custom assertion attribute.
How can I propagate the assertion attributes?
Let me try to explain it:
The flow is
1. The device MDK app authenticates with Mobile Services xsuaa and gets $token_mobile.
2. Mobile Services uses the login context from step 1 to generate the SAML assertion and uses it to call the xsuaa of the 'provider services' to get $token_provider.
Both $token_mobile and $token_provider do NOT contain the IDP attributes.
The IDP attributes are in the login context in step 2, and in the generated SAML assertion in step 2 too.
3. To prove this, you can call the Me service in Mobile Services like:
curl https://<your mobile app host>/mobileservices/application/<appID>/roleservice/application/<appID>/v2/Me -H "Authorization: Bearer $token_mobile"
4. To prove the SAML assertion contains the IDP attributes, you can get the $token_provider to call the provider's xsuaa userinfo endpoint:
curl 'https://<your xsuaa domain>.authentication.ap21.hana.ondemand.com/userinfo' -i -X GET -H "Authorization: Bearer $backendtoken"
In order to get $backendtoken, you can use https://httpbin.org/headers as your backend URL. This endpoint responds with all request headers, including the Authorization header, which is $backendtoken in this case.
I tried #3 and #4 and they both contain the IDP attributes. And I did NOT update xs-security.json for Mobile Services.
Please try #3 and/or #4 and let me know the result.
And do you want to inject SAML attributes in JWT token like $token_mobile or $token_provider?
If you're able to include SAML attributes outside mobile services, please attach the entire xs-security.json and any other configuration steps so that I can find out how to do it in mobile service context.
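The distinction the answer draws (the IdP attributes are present in the login context and the generated SAML assertion, but absent from the JWTs) is easiest to check by inspecting both artifacts side by side. The script below is an added example written for this thread, not SAP code: the SAML assertion and the JWT it inspects are constructed samples, `costCenter` is a made-up custom attribute, and the `xs.user.attributes` claim name is an assumption about where a mapped attribute would land in an XSUAA-issued token.

```python
"""Inspect where IdP attributes end up: SAML assertion vs. JWT claims.

Added illustration for the thread above; not SAP code. The assertion and
the token below are constructed samples.
"""
import base64
import json
import xml.etree.ElementTree as ET  # fine for a constructed sample; use defusedxml for untrusted XML

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion: one custom attribute ("costCenter") next to
# the usual identity attributes the IdP sends.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_sample" Version="2.0">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>jdoe@example.test</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="costCenter"><saml:AttributeValue>CC-4711</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>mdk_users</saml:AttributeValue>
      <saml:AttributeValue>odata_readers</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def saml_attributes(assertion_xml: str) -> dict[str, list[str]]:
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    out: dict[str, list[str]] = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        out[attr.get("Name", "")] = values
    return out


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS.

    Inspection only: no signature check is done here, so nothing that grants
    access may rely on this function; verify against the issuer's JWKS first.
    """
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def make_sample_token() -> str:
    """Constructed token resembling the shape of an XSUAA-issued JWT (assumed
    claim names); the signature segment is a dummy because we only inspect it."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "sample-key"}
    payload = {
        "sub": "jdoe",
        "user_name": "jdoe",
        "email": "jdoe@example.test",
        "scope": ["openid"],
        "xs.user.attributes": {},  # empty: no attribute mapping configured
    }
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(payload).encode()),
        _b64url_encode(b"dummy-signature"),
    ])


def missing_in_token(assertion_xml: str, token: str) -> dict[str, list[str]]:
    """Attributes the IdP sent in the assertion that appear neither as a
    top-level claim nor inside xs.user.attributes in the JWT."""
    attrs = saml_attributes(assertion_xml)
    claims = jwt_claims(token)
    user_attrs = claims.get("xs.user.attributes") or {}
    return {k: v for k, v in attrs.items() if k not in claims and k not in user_attrs}


if __name__ == "__main__":
    token = make_sample_token()
    print("assertion attributes:", saml_attributes(SAMPLE_ASSERTION))
    print("token claims:", jwt_claims(token))
    print("sent by IdP but not in token:", missing_in_token(SAMPLE_ASSERTION, token))
```

To apply this to the thread's flow, paste the real $token_mobile or $token_provider into `jwt_claims` and the assertion Mobile Services generated in step 2 into `saml_attributes`; a non-empty result from `missing_in_token` is the situation the answer describes, where the attribute reaches the assertion but is never mapped into a JWT claim.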