SAML AttributeConsumingServiceIndex in WSO2 Identity Server

WSO2 IS supports SAML Basic Attribute Profile. Required attributes can be requested at the time of Service Provider configuration. The AttributeStatement in the SAML Authentication response will be built with requested attributes. This is enabled with the following configuration in IS.

[Image: sp_conf]

(Links [1] and [2] in References contain details on how to configure SAML SSO with WSO2 IS.)

SAML SSO service providers registered in IS with the attribute profile are given an index (AttributeConsumingServiceIndex).

In the current WSO2 IS implementation, the Attribute Statement is included in the SAML response only if one of the following holds:

> AttributeConsumingServiceIndex in the SAML authentication request and AttributeConsumingServiceIndex given for the Service provider from IS should match.

or

> SAML authentication request sent from service provider should not contain AttributeConsumingServiceIndex data. In this case if you have checked “Include Attributes in Response Always” as shown in sp_conf image above, IS will send back the Attribute Statement in the response.

So if the Service Provider does not let you configure the value of AttributeConsumingServiceIndex in the SAML request to match the value given by IS, and you cannot omit AttributeConsumingServiceIndex from the SAML request generated by the service provider, you will not see the Attribute Statement in the SAML response even though authentication succeeds, because the Attribute Consuming Service Indexes do not match. In such cases, you can change this value on the IS side.
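To see which case applies before changing anything in IS, you can decode the SAMLRequest your service provider sends and read its AttributeConsumingServiceIndex. The script below is an added example, not WSO2 code: it assumes the HTTP-Redirect binding and a URL-decoded SAMLRequest value, and the sample request, its issuer and both index values are constructed.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
MAX_XML_BYTES = 64 * 1024  # assumed cap; an AuthnRequest is far smaller

def decode_redirect_request(saml_request):
    """Decode a URL-decoded SAMLRequest value (HTTP-Redirect: base64 + raw DEFLATE)."""
    inflater = zlib.decompressobj(-15)
    xml = inflater.decompress(base64.b64decode(saml_request), MAX_XML_BYTES)
    if inflater.unconsumed_tail:
        raise ValueError("decoded request exceeds size cap")
    return xml

def requested_index(authn_request_xml):
    """Return AttributeConsumingServiceIndex from the AuthnRequest, or None if absent."""
    if b"<!DOCTYPE" in authn_request_xml:
        raise ValueError("DTD not allowed in a SAML message")
    root = ET.fromstring(authn_request_xml)
    if root.tag != "{%s}AuthnRequest" % SAMLP_NS:
        raise ValueError("not a SAML 2.0 AuthnRequest")
    return root.get("AttributeConsumingServiceIndex")

def attribute_statement_expected(request_index, is_index, include_always):
    """Apply the two conditions described above."""
    if request_index is None:
        # No index sent: the page only states the checked case; treating the
        # unchecked case as "no attributes" is an assumption.
        return include_always
    return request_index == str(is_index)  # index sent: must match the IS value

def encode_redirect_request(xml_bytes):
    """Build a SAMLRequest value for the constructed sample below."""
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(deflater.compress(xml_bytes) + deflater.flush()).decode()

# Constructed sample request; the ID, issuer and both index values are made up.
SAMPLE_XML = (b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
              b'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_sample1" '
              b'Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
              b'AttributeConsumingServiceIndex="1">'
              b'<saml:Issuer>sample-sp</saml:Issuer></samlp:AuthnRequest>')
SAMPLE_IS_INDEX = "1239245949"  # constructed stand-in for the value IS assigned

if __name__ == "__main__":
    sent = requested_index(decode_redirect_request(encode_redirect_request(SAMPLE_XML)))
    ok = attribute_statement_expected(sent, SAMPLE_IS_INDEX, include_always=True)
    print("request index:", sent, "| IS index:", SAMPLE_IS_INDEX, "| AttributeStatement expected:", ok)
```

With the sample values the request carries index 1 while IS holds a different value, so no Attribute Statement is expected even with "Include Attributes in Response Always" checked.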

Updating AttributeConsumingServiceIndex in WSO2 IS SP Configuration

For each SAML SSO service provider configured in IS, a file is saved in the server registry. You can edit the AttributeConsumingServiceIndex value in this file. The following steps show how.

  1. Log in to the IS management console as a user with admin privileges.
  2. Click on Browse under Registry in the Main tab.
  3. Navigate to _system → config → repository → identity → SAMLSSO

A file containing your Service Provider configuration is saved under the SAMLSSO directory.

4. Click on this file to see the Detailed view.

5. Click “+” in the right corner of the Properties tab to view the properties.

Note: If you have configured more than one SAML SSO service provider in IS, you will see multiple files under the SAMLSSO directory. You can identify each one by viewing its properties as described in this step.

[Image: SP properties 1]

You will see a view similar to the following.

[Image: SP Properties 2]

6. As shown in the “SP Properties 2” image, click on the Edit action for AttributeConsumingServiceIndex and update the value to match the AttributeConsumingServiceIndex value in the SAML Authentication Request sent by the Service Provider.

7. Restart the IS server.

References

[1] https://docs.wso2.com/display/IS530/Configuring+Inbound+Authentication+for+a+Service+Provider

[2] https://docs.wso2.com/display/IS530/Configuring+SAML2+Web+Single-Sign-On