
How is the principal identified in the AuthnRequest for SAML 2.0 Web Browser SSO

I'm new to SAML and having a bit of trouble fully understanding the full SAML2 SSO process.

Specifically, when the Service Provider responds to a resource request with an <AuthnRequest> element, what piece of data in the element identifies the principal (i.e. the user) to be validated by the identity provider?

For example, there does not appear to be anything to identify the principal in the following AuthnRequest:

<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="identifier_1"
    Version="2.0"
    IssueInstant="2004-12-05T09:21:59Z"  <!-- SAML time values are UTC, hence the trailing Z -->
    AssertionConsumerServiceIndex="0">
  <saml:Issuer>https://sp.example.com/SAML2</saml:Issuer>
  <samlp:NameIDPolicy
      AllowCreate="true"
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
</samlp:AuthnRequest>

Does the information identifying the principal get added after the AuthnRequest reaches the browser (maybe from a cookie?), or does information identifying the specific user not get sent to the identity provider at all?

The spec says the following on the Authentication Request (SAML Profiles, http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf , section 4.1.4.1):

Note that the service provider MAY include a <Subject> element in the request that names the actual identity about which it wishes to receive an assertion.

This is however rarely used and not widely implemented across different providers/stacks, so your mileage may vary. In fact there are deployment profiles that explicitly forbid usage of the <Subject>, e.g. http://saml2int.org/profile/current/ section 8.2 says:

The <saml2p:AuthnRequest> message MUST NOT contain a <saml2:Subject> element.

The usual interaction is that the Service Provider determines the Identity Provider but not the user. The latter is left to the Identity Provider, both identification and authentication. That is a cleaner interface that avoids potential clashes between the two about identifiers and accounts.
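As an added example (not part of the question or answer above), here is an IdP-side check over the request from the question that shows what an AuthnRequest does and does not carry: the Issuer identifies the SP, the NameIDPolicy asks for a transient identifier, and nothing names the user; a <Subject>, if present, is flagged as the saml2int profile requires. The sample request, the "current time" and the function name are constructed for this example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: the request from the question, with a UTC "Z" timestamp.
SAMPLE_REQUEST = """<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="identifier_1" Version="2.0" IssueInstant="2004-12-05T09:21:59Z"
    AssertionConsumerServiceIndex="0">
  <saml:Issuer>https://sp.example.com/SAML2</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true"
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
</samlp:AuthnRequest>"""
# Constructed "current time", 31 s after the sample's IssueInstant.
SAMPLE_NOW = datetime(2004, 12, 5, 9, 22, 30, tzinfo=timezone.utc)


def check_authn_request(xml_text, now, max_skew=timedelta(minutes=5)):
    """Return (issuer, nameid_format, problems) for an inbound AuthnRequest.
    Nothing in the request names the user; that is the IdP's job. Production
    code should use a hardened XML parser and verify the signature first."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        problems.append("not a samlp:AuthnRequest")
    if root.get("Version") != "2.0":
        problems.append("unsupported Version")
    if not root.get("ID"):
        problems.append("missing ID (needed for InResponseTo correlation)")
    issued = root.get("IssueInstant", "")
    if not issued.endswith("Z"):
        problems.append("IssueInstant must be UTC with a 'Z' suffix")
    else:
        issued_at = datetime.fromisoformat(issued[:-1]).replace(tzinfo=timezone.utc)
        if abs(now - issued_at) > max_skew:
            problems.append("IssueInstant outside allowed clock skew")
    issuer_el = root.find("saml:Issuer", NS)
    issuer = (issuer_el.text or "").strip() if issuer_el is not None else ""
    if not issuer:
        problems.append("missing Issuer: cannot tell which SP is asking")
    policy = root.find("samlp:NameIDPolicy", NS)
    nameid_format = policy.get("Format") if policy is not None else None
    # The core spec allows <Subject>; the saml2int deployment profile forbids it.
    if root.find("saml:Subject", NS) is not None:
        problems.append("Subject present: MUST NOT appear per saml2int 8.2")
    return issuer, nameid_format, problems
```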
