SAML 2.0 Assertion request
Question
How do you use SAML 2.0 for redirecting a user from website A to website B? Once the user finishes his activity at website B, he should come back to website A , based on results from website B, he should be able to proceed on website A for further activity.
I am also confused with the idea of Service Provider(SP) and Identity Provider(IP). Will website A be a service provider or identity provider and similarly for website B?
My background in SAML 2.0 is literally zero and I am reading documents to understand how to create SAML 2.0 assertion. I am trying to implement this in java.
Does anyone have any good starting primer for understanding SAML 2.0 ?
<?xml version="1.0" encoding="UTF-8"?>
-<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Version="2.0" IssueInstant="2013-04-12T15:43:42.389Z" ID="413be1b7-ac2d-4324-a359-998935f11a66">
-<saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
-<saml2:Assertion Version="2.0" IssueInstant="2013-04-19T20:16:07.090Z" ID="SamlAssertion-25171a8736ed098dde8659e5ba250b5f" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:Issuer Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">ffx-ffe-w7-15.cgiabccompany.com</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<saml2:Subject><saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="">test</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"><saml2:NameID>CN=ffx-ffe-w7-15.cgiabccompany.com, OU=ffx, OU=ffe, O=cgifederal, L=Herndon, ST=VA, C=US</saml2:NameID></saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotOnOrAfter="2013-04-19T20:21:08.437Z" NotBefore="2013-04-19T20:14:08.437Z"/>
<saml2:AttributeStatement>
<saml2:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" Name="State Exchange Code">
<saml2:AttributeValue>MD0</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" Name="User Type">
<saml2:AttributeValue>Consumer</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" Name="ABC Company User ID">
<saml2:AttributeValue>john.doe@email.com</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" Name="Transfer Type">
<saml2:AttributeValue>Direct Service</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" Name="Keep Alive URL">
<saml2:AttributeValue>https://www.mycompany.com/extendsession.jsp</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" Name="First Name">
<saml2:AttributeValue>JOHN</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" Name="Middle Name">
<saml2:AttributeValue>FISCHER</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" Name="Last Name">
<saml2:AttributeValue>DOE</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" Name="City Name">
<saml2:AttributeValue>PEORIA</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" Name="State">
<saml2:AttributeValue>IL</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" Name="Zip Code">
<saml2:AttributeValue>20190</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
<saml2:AuthnStatement SessionNotOnOrAfter="2013-04-12T15:43:42.328Z" SessionIndex="session#1" AuthnInstant="2013-04-12T15:43:42.328Z"><saml2:SubjectLocality DNSName="2.175.111.190" Address="1234 Fishy LN, PEORIA, IL 20190"/>
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password
</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
</saml2:Assertion>
</saml2p:Response>
1 answers
solution1
1 ACCPTED 2013-09-14 10:26:07
A typical scenario for this is SAML WEB SSO with artifact bindig.
- Website A(SP) sees that the user does not have an authenticated session.
- The SP redirects the user to website B(IDP) with a SAML AutnRequest as an URL parameter.
- The IDP authenticates the user and redirects it back to the SP with an artifact in URL parmeter.
- The SP exchanges the Artifact for an Assertion over SOAP using a ArtifactResolveRequest to the IDP.
The Assertion is the evidence of the user being authenticated and can contain information about the user that the IDP has stored. For example uid.
In the scenario your talking about, the website A is the SP and website B the IDP. The SP is the entity wanting a user authenticated, IDP(IDentity Provider) is the entity providing authentication.
SAML SSO is achieved using many products, for example OpenAM Shibboleth. If you want to build SAML into your software you can use libraries like OpenSAML or Spring SAML module.
My book, A Guide to OpenSAML , gives a good introduction SAML and the OpenSAML library.
Other relevant reading is The SAML technical overview and these post on my blogg .
Need help? Ask me a question on the blogg. Need a lot of help? I'm a consultant for hire.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.