How to customize AuthnRequest by scripting


Scenario: Any Service Provider -> Identify -> SAML 2.0 Identity Provider
In this login flow, Identify needs to send an AuthnRequest to an Identity Provider. The purpose of this task is to let a customer easily customize the AuthnRequest object right after it is created, before it is sent. You can view this as a PostAuthnRequestCreated event.

In this demonstration, we use ADFS as the Identity Provider.


The AuthnRequest that Identify sends to the Identity Provider in this flow is the target we customize by scripting. Assume that a SAML 2.0 Protocol Connection for the Service Provider and a SAML SignOn Authentication connection for ADFS have already been set up in Identify Web Administration under Connections.

Click on ADFS Local to open the edit connection page, and then scroll to the bottom.


At the bottom of the page there is an AuthnRequest object customization text box where we can enter a script that modifies the AuthnRequest object right after it is created and before it is sent to the Identity Provider. First, leave this text box empty, perform a SignOn action, and then capture the SAMLRequest parameter and decode it. With the HTTP-Redirect binding the parameter is URL-encoded base64 of a DEFLATE-compressed request; with the HTTP-POST binding it is base64 of the XML itself.


Now go back to edit the ADFS Local connection and set the AssertionConsumerServiceIndex property in the script.


Save & Close, perform a SignOn action again and look at what is sent to ADFS Local. The AuthnRequest now has one more attribute, AssertionConsumerServiceIndex, with the value 1. The Identity Provider resolves this index against the AssertionConsumerService endpoints it holds for the Service Provider (in ADFS, the endpoints of the relying party trust), so an index that is not registered there will not work.


Next, try the ProtocolBinding property. ProtocolBinding is mutually exclusive with AssertionConsumerServiceIndex in SAML 2.0 Core (section 3.4.1), so set it instead of the index rather than alongside it.


The decoded AuthnRequest now carries a ProtocolBinding attribute with the value set in the script.
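To check what the customization script actually changed, the following Python script, added here as an example and not part of Identify or of this page, decodes a captured SAMLRequest value from either the HTTP-Redirect or the HTTP-POST binding, summarizes the attributes a script is likely to touch, and runs the two checks a practitioner would want before trusting the change: that AssertionConsumerServiceIndex is not combined with AssertionConsumerServiceURL or ProtocolBinding, and that any index or URL is one the Identity Provider has registered. The embedded AuthnRequest and its hostnames are constructed for the example, and the registered endpoint sets passed to lint_authn_request are placeholders for what your IdP (for ADFS, the relying party trust endpoints) actually holds.

```python
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
HTTP_POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample (not captured from a real system): what the request from the
# walkthrough could look like after the script sets AssertionConsumerServiceIndex to 1.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_7a3c9e0f" Version="2.0" IssueInstant="2020-01-01T00:00:00Z" '
    'Destination="https://adfs.example.com/adfs/ls/" '
    'AssertionConsumerServiceIndex="1">'
    '<saml:Issuer>https://identify.example.com/runtime/saml2</saml:Issuer>'
    '</samlp:AuthnRequest>'
)


def encode_redirect(xml_text: str) -> str:
    """Encode as the HTTP-Redirect binding does: raw DEFLATE, base64, URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no zlib header
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode("ascii"), safe="")


def encode_post(xml_text: str) -> str:
    """Encode as the HTTP-POST binding does: plain base64 of the XML, no compression."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def decode_saml_request(param: str) -> str:
    """Turn a captured SAMLRequest value from either binding back into XML text."""
    raw = base64.b64decode(urllib.parse.unquote(param))
    if raw[:1] == b"<":  # HTTP-POST carries the XML itself, so it starts with '<'
        return raw.decode("utf-8")
    return zlib.decompress(raw, -15).decode("utf-8")  # HTTP-Redirect: inflate first


def authn_request_summary(xml_text: str) -> dict:
    """Pull out the attributes a customization script is likely to have changed."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError(f"not a samlp:AuthnRequest: {root.tag}")
    fields = ["ID", "Destination", "AssertionConsumerServiceIndex",
              "AssertionConsumerServiceURL", "ProtocolBinding", "ForceAuthn", "IsPassive"]
    summary = {name: root.get(name) for name in fields}
    issuer = root.find(f"{{{SAML_NS}}}Issuer")
    summary["Issuer"] = issuer.text if issuer is not None else None
    return summary


def lint_authn_request(summary: dict, registered_indexes: set, registered_urls: set) -> list:
    """Checks to run before trusting a script change.

    registered_indexes / registered_urls are the AssertionConsumerService entries the
    IdP holds for this SP (placeholders here; in ADFS, the relying party trust endpoints).
    Returns a list of problems; empty means the request is consistent with
    SAML 2.0 Core 3.4.1 and with the registered endpoints.
    """
    problems = []
    idx = summary["AssertionConsumerServiceIndex"]
    url = summary["AssertionConsumerServiceURL"]
    binding = summary["ProtocolBinding"]
    if idx is not None and (url is not None or binding is not None):
        problems.append("AssertionConsumerServiceIndex is mutually exclusive with "
                        "AssertionConsumerServiceURL and ProtocolBinding")
    if idx is not None and idx not in registered_indexes:
        problems.append(f"index {idx} is not registered at the IdP")
    if url is not None and url not in registered_urls:
        problems.append(f"ACS URL {url} is not registered at the IdP")
    return problems


if __name__ == "__main__":
    # Round-trip the constructed sample through the redirect binding, then inspect it.
    captured = encode_redirect(SAMPLE_AUTHN_REQUEST)
    summary = authn_request_summary(decode_saml_request(captured))
    for name, value in summary.items():
        print(f"{name}: {value}")
    print("problems:", lint_authn_request(summary, {"0", "1"}, set()))
```

Paste the SAMLRequest value captured from the browser into decode_saml_request (for the redirect binding, take it from the query string while it is still URL-encoded), then pass the XML to authn_request_summary and lint_authn_request with the indexes and URLs your IdP really has registered for the Service Provider.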

The AuthnRequest properties available to the script are those of the SAML 2.0 AuthnRequest; AssertionConsumerServiceIndex and ProtocolBinding, used above, are two of them.