
    Basic Privilege Profile 1.2 and OIOSAML 3.0

    To build a BPP claim that meets the requirements of Basic Privilege Profile 1.2 and OIOSAML 3.0, you can use the scripting claim transformation.

    • On the claim transformation list, create a scripting claim transformation.
    • Enter a name and the other general settings.
    • Enter the C# script that builds the BPP claim.
    • Save the scripting transformation.
    • Apply the transformation to a connection.
    • Perform a login. If the logged-in user has all the claims your script needs to build the BPP claim, the resulting token will contain the "dk:gov:saml:attribute:Privileges_intermediate" claim.

    [Screenshot: the claim value in base64-encoded format]

    [Screenshot: the claim value in plain-text format]

    Below is a sample script with some hard-coded claim types and values. You can customize it to fit your specific setup as needed.

    // constants
    const string claimType = "dk:gov:saml:attribute:Privileges_intermediate";
    const string claimValueTemplate = "<?xml version=\"1.0\" encoding=\"UTF-8\"?><bpp:PrivilegeList xmlns:bpp=\"http://itst.dk/oiosaml/basic_privilege_profile\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">{0}</bpp:PrivilegeList>";
    const string privilegeGroupTemplate = "<PrivilegeGroup Scope=\"{0}\"><Privilege>{1}</Privilege>{2}</PrivilegeGroup>";
    const string constraintTemplate = "<Constraint Name=\"{0}\">{1}</Constraint>";

    // start building the privilege list
    StringBuilder privilegeList = new StringBuilder();

    // a BPP claim contains a list of privileges
    // add a privilege with a hard-coded value
    privilegeList.AppendFormat(privilegeGroupTemplate, "urn:dk:gov:saml:cvrNumberIdentifier:12345678", "http://organisation.test.dk/roles/usersystemrole/withDR/1", string.Empty);

    // add a privilege + constraints with hard-coded values
    string constraint = string.Format(constraintTemplate, "http://organisation.test.dk/constraints/KLE-NEW", "1")
        + string.Format(constraintTemplate, "http://organisation.test.dk/constraints/Sensitivity", "High");
    privilegeList.AppendFormat(privilegeGroupTemplate, "urn:dk:gov:saml:cvrNumberIdentifier:12345678", "http://organisation.test.dk/roles/usersystemrole/withDR/2", constraint);

    // add a privilege + constraints with values from the claims principal
    // this assumes that the claims exist and each has a single value; if you aren't sure they exist, add checks.
    // the values are inserted into the XML verbatim: XML-escape them (for example with System.Security.SecurityElement.Escape)
    // if they can contain '<', '&' or quotes, otherwise the PrivilegeList becomes malformed or its structure can be altered.
    // use GetClaim(claimType) to get a single claim value.
    // when a claim has multiple values, you can use ClaimsPrincipal.Claims.Where(c => c.Type == claimType).Select(c => c.Value);
    var cvr = GetClaim("urn:cvr");
    var privilege = GetClaim("urn:privilege");
    var constraintName = GetClaim("urn:privilege:constraint:name");
    var constraintValue = GetClaim("urn:privilege:constraint:value");

    constraint = string.Format(constraintTemplate, constraintName, constraintValue);
    privilegeList.AppendFormat(privilegeGroupTemplate, cvr, privilege, constraint);

    // finally, create the BPP claim (base64-encoded PrivilegeList XML) and add it to the principal
    string bppClaimValue = string.Format(claimValueTemplate, privilegeList.ToString());
    string encodedClaimValue = Convert.ToBase64String(Encoding.UTF8.GetBytes(bppClaimValue));
    Issue(claimType, encodedClaimValue);
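    The same PrivilegeList can be built with an XML library, which escapes the claim values instead of pasting them into string templates, and the receiving side needs to decode the Privileges_intermediate value back into groups. This is an added Python example, not part of the original page or of the product's scripting API; the function names build_bpp_claim and parse_bpp_claim and the sample values are assumptions.

```python
import base64
import xml.etree.ElementTree as ET

BPP_NS = "http://itst.dk/oiosaml/basic_privilege_profile"
CLAIM_TYPE = "dk:gov:saml:attribute:Privileges_intermediate"


def build_bpp_claim(groups):
    """groups: list of (scope, [privilege, ...], {constraint_name: value}).
    Returns the base64-encoded PrivilegeList in the shape the script above
    issues. ElementTree escapes text and attribute values, so a claim value
    such as 'a<b' stays data and cannot close or open an element."""
    ET.register_namespace("bpp", BPP_NS)
    root = ET.Element(f"{{{BPP_NS}}}PrivilegeList")
    for scope, privileges, constraints in groups:
        group = ET.SubElement(root, "PrivilegeGroup", Scope=scope)
        for privilege in privileges:
            ET.SubElement(group, "Privilege").text = privilege
        for name, value in constraints.items():
            ET.SubElement(group, "Constraint", Name=name).text = value
    xml_bytes = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
    return base64.b64encode(xml_bytes).decode("ascii")


def decode_bpp_claim(encoded):
    """Strict base64 decode of the claim value; returns the XML as bytes."""
    return base64.b64decode(encoded, validate=True)


def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop any '{namespace}' prefix


def parse_bpp_claim(encoded):
    """Receiving side: turn a Privileges_intermediate value back into
    [(scope, [privilege, ...], {constraint_name: value}), ...].
    Matching on local names accepts both the unprefixed children produced by
    the script above and a fully namespaced PrivilegeList. For XML that does
    not come out of a signed assertion, parse with defusedxml instead."""
    root = ET.fromstring(decode_bpp_claim(encoded))
    if _local(root.tag) != "PrivilegeList":
        raise ValueError(f"unexpected root element {root.tag!r}")
    groups = []
    for grp in root:
        if _local(grp.tag) != "PrivilegeGroup":
            continue
        privileges = [e.text or "" for e in grp if _local(e.tag) == "Privilege"]
        constraints = {e.get("Name"): e.text or ""
                       for e in grp if _local(e.tag) == "Constraint"}
        groups.append((grp.get("Scope"), privileges, constraints))
    return groups
```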
    
    Generated by DocFX