Do you mean a AuthnRequest or a LogoutRequest ?
I think that according to the the SAML specs the attributes are to be used only with Assertions.
Maybe you can use the Extension element for that. When using extensions both sides have to agree on the syntax and semantics of data sent this way.
Not sure if PicketLink supports extensions when creating the AuthnRequest, for example. Can you tell more about your use case ?
thank you for the answer. I want to sent the identifier of a SP to IDP. During login process on IDP side a user is checked if he has the right to access the SP based on its identifier. I am not sure, if it is a good idea to add customized attributes in AuthnRequest.
As an alternate solution I am extending the posted form with an additional parameter for my purpose. How do you think about that?
I think it is a option. But the Identity Provider is related with authentication, IMO.
Authorization should be done by an external mechanism or the by the SPs when checking for a role or specific attributes. You can easily block an user if he does not have a specific role/claims (or use the Authorization statements, for example) when trying to access a SP.
However, the SAML specification do not define how to implement the processing logic for authorization decisions. This open our minds to a lot of solutions, like yours for example.
I think all solutions are valid, as long they are simple and follow the specifications
Btw, maybe you can use the AuthnRequest.AssertionConsumerServiceURL to know the SP.
thank you for explaining the basic concept of SAML to me.
The reason why I have not used AuthnRequest.AssertionConsumerServiceURL is that SP may have serveral domains.
Assertions, claims or attributes are all the same thing. SAML was designed to communicate these for whatever purpose you see fit. How you deal with them at the receiving end (the service provider or relying party) is up to that end.
E.g. at authentication time, you may be able to "assert" that someone has the role manager for a a company X that the relying party R does business with. Based on the RP's identity (R is known to the Identity Provider), two assertions/attributes/claims can be added to communicate "role=manager" and "company=X" to the relying party.
More information on how this can be done, dan be found here: https://community.jboss.org/thread/173009