Subject: Re: [security-services] Tech Overview outstanding issues
On 10/11/06, Tom Scavo <trscavo@gmail.com> wrote:
>
> I just noticed section 4.1.3 outlines post-artifact, not
> redirect-artifact. Let me whip up another example for that specific
> use case...
>
> Btw, did we agree on yesterday's call how to handle the transmission
> of the artifact in section 4.1.3? (FWIW, I agree with RSP's inline
> comment that the artifact should be bound to a redirect.)

Sorry for the delay. Please find attached three files:

  saml2-sso-redirect-post.txt
  saml2-sso-post-artifact.txt
  saml2-sso-post-artifact2.txt

The first two files accompany sections 4.1.2 and 4.1.3, respectively. The third file is a slight variation on the second flow where the artifact is transmitted to the SP via HTTP GET (instead of HTTP POST).

Tom Scavo
NCSA/University of Illinois
SAML V2.0 Web Browser SSO Profile

This is a possible deployment of the SAML V2.0 Web Browser SSO Profile where the service provider (SP) and the identity provider (IdP) use the HTTP Redirect and HTTP POST bindings, respectively. The message flow begins with a request for a secured resource at the SP.

1) Request the target resource at the SP

The client requests a target resource at the service provider:

  https://sp.example.com/myresource

The service provider performs a security check on behalf of the target resource. If a valid security context at the service provider already exists, skip steps 2--7.

2) Redirect to the Single Sign-on (SSO) Service at the IdP

The service provider redirects the client to the Single Sign-on (SSO) Service at the identity provider. A RelayState parameter and a SAMLRequest parameter are appended to the redirect URL. The value of the SAMLRequest parameter is a URL-encoded string constructed from the following request:

  <samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="identifier_1"
    Version="2.0"
    IssueInstant="2004-12-05T09:21:59Z"
    AssertionConsumerServiceIndex="1">
    <saml:Issuer>https://sp.example.com/SAML2</saml:Issuer>
    <samlp:NameIDPolicy
      AllowCreate="true"
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
  </samlp:AuthnRequest>

Before the <samlp:AuthnRequest> element is URL-encoded and appended to the redirect URL, it is first deflated and base64-encoded (in that order).

3) Request the SSO Service at the IdP

The client requests the SSO service at the identity provider:

  https://idp.example.org/SAML2/SSO/Redirect?SAMLRequest=request&RelayState=token

where token is an opaque reference to state information maintained at the service provider and request is the encoded <samlp:AuthnRequest> element from step 2.

The SSO service processes the AuthnRequest (by URL-decoding, base64-decoding and inflating, in that order) and performs a security check.
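The encoding order of steps 2 and 3 (deflate, base64, URL-encode on the SP side; the reverse on the IdP side) is easy to get wrong in either direction. The following is an added example, not code from the original post or its attachments; it uses the AuthnRequest and SSO URL from the flow above, and the function names, the 64 KiB inflate cap and the XXE note are my own assumptions. The inflate cap matters because the IdP decompresses attacker-supplied input before it has authenticated anything.

```python
"""Added example: HTTP Redirect binding encoding (SP side) and decoding (IdP side).
Not code from the original post; function names and MAX_INFLATED are assumptions."""
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree in production (XXE)

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SSO_URL = "https://idp.example.org/SAML2/SSO/Redirect"  # from step 3 of the flow
MAX_INFLATED = 64 * 1024   # assumed cap on the inflated request (decompression bomb)
MAX_RELAY_STATE = 80       # the SAML V2.0 Bindings spec limits RelayState to 80 bytes

# The AuthnRequest from step 2 of the flow above.
AUTHN_REQUEST = """<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="identifier_1" Version="2.0" IssueInstant="2004-12-05T09:21:59Z"
    AssertionConsumerServiceIndex="1">
  <saml:Issuer>https://sp.example.com/SAML2</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true"
    Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
</samlp:AuthnRequest>"""


def encode_redirect_request(xml_text):
    """SP side: raw DEFLATE (no zlib header, hence wbits=-15), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(deflated).decode("ascii")


def build_redirect_url(sso_url, xml_text, relay_state):
    """SP side: append SAMLRequest and RelayState; urlencode() does the URL-encoding."""
    if len(relay_state.encode("utf-8")) > MAX_RELAY_STATE:
        raise ValueError("RelayState exceeds 80 bytes")
    query = urllib.parse.urlencode(
        {"SAMLRequest": encode_redirect_request(xml_text), "RelayState": relay_state})
    return f"{sso_url}?{query}"


def decode_redirect_request(url):
    """IdP side: URL-decode, base64-decode, inflate (bounded), then parse."""
    params = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)  # URL-decodes
    if "SAMLRequest" not in params:
        raise ValueError("missing SAMLRequest parameter")
    relay_state = params.get("RelayState", [None])[0]
    deflated = base64.b64decode(params["SAMLRequest"][0], validate=True)
    inflater = zlib.decompressobj(-15)
    xml_bytes = inflater.decompress(deflated, MAX_INFLATED)
    if inflater.unconsumed_tail:
        raise ValueError("inflated AuthnRequest exceeds MAX_INFLATED")
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{NS['samlp']}}}AuthnRequest":
        raise ValueError("decoded message is not a samlp:AuthnRequest")
    return {
        "id": root.get("ID"),
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "acs_index": root.get("AssertionConsumerServiceIndex"),
        "relay_state": relay_state,
    }
```

The IdP resolves the returned issuer against its SP metadata and selects the assertion consumer service by the returned index from that metadata, never from an endpoint the request itself supplies; RelayState is returned to the SP unchanged and treated as opaque.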
If the user does not have a valid security context, the identity provider identifies the user (details omitted).

4) Respond with an HTML form

The SSO service validates the request and responds with a document containing an HTML form:

  <form method="post" action="https://sp.example.com/SAML2/SSO/POST" ...>
    <input type="hidden" name="SAMLResponse" value="response" />
    <input type="hidden" name="RelayState" value="token" />
    ...
    <input type="submit" value="Submit" />
  </form>

The value of the RelayState parameter has been preserved from step 3. The value of the SAMLResponse parameter is the base64 encoding of the following <samlp:Response> element:

  <samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="identifier_2"
    InResponseTo="identifier_1"
    Version="2.0"
    IssueInstant="2004-12-05T09:22:05Z"
    Destination="https://sp.example.com/SAML2/SSO/POST">
    <saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
    <samlp:Status>
      <samlp:StatusCode
        Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:Status>
    <saml:Assertion
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      ID="identifier_3"
      Version="2.0"
      IssueInstant="2004-12-05T09:22:05Z">
      <saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
      <!-- a POSTed assertion MUST be signed -->
      <ds:Signature
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature>
      <saml:Subject>
        <saml:NameID
          Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">
          3f7b3dcf-1674-4ecd-92c8-1544f346baf8
        </saml:NameID>
        <saml:SubjectConfirmation
          Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
          <saml:SubjectConfirmationData
            InResponseTo="identifier_1"
            Recipient="https://sp.example.com/SAML2/SSO/POST"
            NotOnOrAfter="2004-12-05T09:27:05Z"/>
        </saml:SubjectConfirmation>
      </saml:Subject>
      <saml:Conditions
        NotBefore="2004-12-05T09:17:05Z"
        NotOnOrAfter="2004-12-05T09:27:05Z">
        <saml:AudienceRestriction>
          <saml:Audience>https://sp.example.com/SAML2</saml:Audience>
        </saml:AudienceRestriction>
      </saml:Conditions>
      <saml:AuthnStatement
        AuthnInstant="2004-12-05T09:22:00Z"
        SessionIndex="identifier_3">
        <saml:AuthnContext>
          <saml:AuthnContextClassRef>
            urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
          </saml:AuthnContextClassRef>
        </saml:AuthnContext>
      </saml:AuthnStatement>
    </saml:Assertion>
  </samlp:Response>

5) Request the Assertion Consumer Service at the SP

The client issues a POST request to the assertion consumer service at the service provider:

  POST /SAML2/SSO/POST HTTP/1.1
  Host: sp.example.com
  Content-Type: application/x-www-form-urlencoded
  Content-Length: nnn

  SAMLResponse=response&RelayState=token

where the values of the SAMLResponse and RelayState parameters are taken from the HTML form at step 4.

6) Redirect to the target resource

The assertion consumer service processes the response, creates a security context at the service provider and redirects the client to the target resource.

7) Request the target resource at the SP again

The client requests the target resource at the service provider (again):

  https://sp.example.com/myresource

8) Respond with the requested resource

Since a security context exists, the service provider returns the resource to the client.
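Step 6 says the assertion consumer service "processes the response" before creating a security context; the fields in the step 4 Response (InResponseTo, Destination, the bearer confirmation's Recipient and NotOnOrAfter, Conditions, AudienceRestriction, the mandatory signature) are exactly what that processing has to check. The following is an added example, not code from the original post or its attachments: it runs those checks over the Response from step 4 (abridged as a constructed sample), with function names, the 60-second skew allowance and the XXE note being my own assumptions. Cryptographic verification of the signature is delegated to an XML-DSig library and not shown; only its presence is checked here.

```python
"""Added example (not from the original post): SP-side checks on the SAMLResponse
received at step 5. Names, SKEW and the sample abridgement are assumptions."""
import base64
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree in production (XXE)
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SP_ENTITY_ID = "https://sp.example.com/SAML2"          # values from the flow above
ACS_URL = "https://sp.example.com/SAML2/SSO/POST"
IDP_ENTITY_ID = "https://idp.example.org/SAML2"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
SKEW = timedelta(seconds=60)                            # assumed clock-skew allowance

# Constructed sample: the step 4 Response, AuthnStatement omitted for brevity.
RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="identifier_2" InResponseTo="identifier_1" Version="2.0"
    IssueInstant="2004-12-05T09:22:05Z" Destination="https://sp.example.com/SAML2/SSO/POST">
  <saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      ID="identifier_3" Version="2.0" IssueInstant="2004-12-05T09:22:05Z">
    <saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">
        3f7b3dcf-1674-4ecd-92c8-1544f346baf8</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="identifier_1"
            Recipient="https://sp.example.com/SAML2/SSO/POST"
            NotOnOrAfter="2004-12-05T09:27:05Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2004-12-05T09:17:05Z" NotOnOrAfter="2004-12-05T09:27:05Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.com/SAML2</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
# What the browser POSTs as SAMLResponse at step 5: base64 of the XML above.
SAMPLE_SAML_RESPONSE = base64.b64encode(RESPONSE_XML.encode("utf-8")).decode("ascii")


def parse_instant(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_post_response(saml_response_b64, outstanding_request_ids, now):
    """Return a list of problems; empty means the response may be accepted.
    Assumes XML-DSig verification against the IdP's metadata key is done by a
    dedicated library; only the signature's presence is checked here."""
    problems = []

    def check(condition, message):
        if not condition:
            problems.append(message)

    root = ET.fromstring(base64.b64decode(saml_response_b64, validate=True))
    check(root.tag == f"{{{NS['samlp']}}}Response", "not a samlp:Response")
    check(root.get("InResponseTo") in outstanding_request_ids,
          "InResponseTo matches no outstanding AuthnRequest (replay or unsolicited)")
    check(root.get("Destination") == ACS_URL, "Destination is not this ACS")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    check(code is not None and code.get("Value") == SUCCESS, "status is not Success")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no saml:Assertion in response")
        return problems
    check(assertion.findtext("saml:Issuer", namespaces=NS) == IDP_ENTITY_ID,
          "assertion issuer is not the expected IdP")
    check(assertion.find("ds:Signature", NS) is not None, "POSTed assertion is not signed")

    # Bearer confirmation: bound to this ACS, to our request, and still fresh.
    scd = None
    for sc in assertion.findall("saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") == BEARER:
            scd = sc.find("saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("no bearer SubjectConfirmation")
    else:
        check(scd.get("Recipient") == ACS_URL, "bearer Recipient is not this ACS")
        check(scd.get("InResponseTo") == root.get("InResponseTo"),
              "bearer InResponseTo disagrees with the Response")
        noa = scd.get("NotOnOrAfter")
        check(noa is not None and now < parse_instant(noa) + SKEW,
              "bearer confirmation missing NotOnOrAfter or expired")

    # Conditions: validity window and audience restriction.
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        problems.append("assertion carries no Conditions")
        return problems
    if conditions.get("NotBefore"):
        check(parse_instant(conditions.get("NotBefore")) - SKEW <= now, "assertion not yet valid")
    if conditions.get("NotOnOrAfter"):
        check(now < parse_instant(conditions.get("NotOnOrAfter")) + SKEW, "assertion expired")
    audiences = [a.text.strip() for a in
                 conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
    check(SP_ENTITY_ID in audiences, "AudienceRestriction does not name this SP")
    return problems
```

The same checks apply to the <samlp:Response> an SP receives inside an ArtifactResponse in the artifact flows, with Destination and Recipient then naming the artifact assertion consumer service. An SP should also remember accepted assertion IDs until their NotOnOrAfter passes, so that a captured bearer assertion cannot be replayed within its window.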
SAML V2.0 Web Browser SSO Profile

This is a possible deployment of the SAML V2.0 Web Browser SSO Profile where the service provider (SP) and the identity provider (IdP) use the HTTP POST and HTTP Artifact bindings, respectively. A SAML artifact is transmitted to the SP via HTTP POST. The message flow begins with a request for a secured resource at the SP:

1) Request the target resource at the SP

The client requests a target resource at the service provider:

  https://sp.example.com/myresource

The service provider performs a security check on behalf of the target resource. If a valid security context at the service provider already exists, skip steps 2--9.

2) Respond with an HTML form

The service provider responds with a document containing an HTML form:

  <form method="post" action="https://idp.example.org/SAML2/SSO/POST" ...>
    <input type="hidden" name="SAMLRequest" value="request" />
    <input type="hidden" name="RelayState" value="token" />
    ...
    <input type="submit" value="Submit" />
  </form>

The RelayState token is an opaque reference to state information maintained at the service provider. The value of the SAMLRequest parameter is the base64 encoding of the following <samlp:AuthnRequest> element:

  <samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="identifier_1"
    Version="2.0"
    IssueInstant="2004-12-05T09:21:59Z"
    AssertionConsumerServiceIndex="1">
    <saml:Issuer>https://sp.example.com/SAML2</saml:Issuer>
    <samlp:NameIDPolicy
      AllowCreate="true"
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
  </samlp:AuthnRequest>

Before the <samlp:AuthnRequest> element is URL-encoded and inserted into the HTML form, it is first deflated and base64-encoded (in that order).
3) Request the SSO Service at the IdP

The client issues a POST request to the SSO service at the identity provider:

  POST /SAML2/SSO/POST HTTP/1.1
  Host: idp.example.org
  Content-Type: application/x-www-form-urlencoded
  Content-Length: nnn

  SAMLRequest=request&RelayState=token

where the values of the SAMLRequest and RelayState parameters are taken from the HTML form at step 2.

The SSO service processes the AuthnRequest (by URL-decoding, base64-decoding and inflating, in that order) and performs a security check. If the user does not have a valid security context, the identity provider identifies the user (details omitted).

4) Respond with an HTML form

The SSO service validates the request and responds with a document containing an HTML form:

  <form method="post" action="https://sp.example.com/SAML2/SSO/Artifact" ...>
    <input type="hidden" name="SAMLart" value="artifact" />
    <input type="hidden" name="RelayState" value="token" />
    ...
    <input type="submit" value="Submit" />
  </form>

The value of the RelayState parameter has been preserved from step 3. The value of the SAMLart parameter is a form-encoded Type 0x0004 SAML artifact.

5) Request the Assertion Consumer Service at the SP

The client issues a POST request to the assertion consumer service at the service provider:

  POST /SAML2/SSO/Artifact HTTP/1.1
  Host: sp.example.com
  Content-Type: application/x-www-form-urlencoded
  Content-Length: nnn

  SAMLart=artifact&RelayState=token

where the values of the SAMLart and RelayState parameters are taken from the HTML form at step 4.
6) Request the Artifact Resolution Service at the IdP

The assertion consumer service dereferences the artifact by sending a SAML ArtifactResolve message to the artifact resolution service at the identity provider:

  <samlp:ArtifactResolve
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="identifier_2"
    Version="2.0"
    IssueInstant="2004-12-05T09:22:04Z"
    Destination="https://idp.example.org/SAML2/ArtifactResolution">
    <saml:Issuer>https://sp.example.com/SAML2</saml:Issuer>
    <!-- an ArtifactResolve message SHOULD be signed -->
    <ds:Signature
      xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature>
    <samlp:Artifact>artifact</samlp:Artifact>
  </samlp:ArtifactResolve>

where the value of the <samlp:Artifact> element is the SAML artifact transmitted at step 5.

7) Respond with a SAML Assertion

The artifact resolution service at the identity provider returns a SAML ArtifactResponse message (containing an <samlp:Response> element) to the assertion consumer service at the service provider:

  <samlp:ArtifactResponse
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="identifier_3"
    InResponseTo="identifier_2"
    Version="2.0"
    IssueInstant="2004-12-05T09:22:05Z">
    <!-- an ArtifactResponse message SHOULD be signed -->
    <ds:Signature
      xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature>
    <samlp:Status>
      <samlp:StatusCode
        Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:Status>
    <samlp:Response
      xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      ID="identifier_4"
      InResponseTo="identifier_1"
      Version="2.0"
      IssueInstant="2004-12-05T09:22:05Z"
      Destination="https://sp.example.com/SAML2/SSO/Artifact">
      <saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
      <ds:Signature
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature>
      <samlp:Status>
        <samlp:StatusCode
          Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
      </samlp:Status>
      <saml:Assertion
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        ID="identifier_5"
        Version="2.0"
        IssueInstant="2004-12-05T09:22:05Z">
        <saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
        <!-- a Subject element is required -->
        <saml:Subject>
          <saml:NameID
            Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
            user@mail.example.org
          </saml:NameID>
          <saml:SubjectConfirmation
            Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml:SubjectConfirmationData
              InResponseTo="identifier_1"
              Recipient="https://sp.example.com/SAML2/SSO/Artifact"
              NotOnOrAfter="2004-12-05T09:27:05Z"/>
          </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions
          NotBefore="2004-12-05T09:17:05Z"
          NotOnOrAfter="2004-12-05T09:27:05Z">
          <saml:AudienceRestriction>
            <saml:Audience>https://sp.example.com/SAML2</saml:Audience>
          </saml:AudienceRestriction>
        </saml:Conditions>
        <saml:AuthnStatement
          AuthnInstant="2004-12-05T09:22:00Z"
          SessionIndex="identifier_5">
          <saml:AuthnContext>
            <saml:AuthnContextClassRef>
              urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
            </saml:AuthnContextClassRef>
          </saml:AuthnContext>
        </saml:AuthnStatement>
      </saml:Assertion>
    </samlp:Response>
  </samlp:ArtifactResponse>

8) Redirect to the target resource

The assertion consumer service processes the response, creates a security context at the service provider and redirects the client to the target resource.

9) Request the target resource at the SP again

The client requests the target resource at the service provider (again):

  https://sp.example.com/myresource

10) Respond with the requested resource

Since a security context exists, the service provider returns the resource to the client.
SAML V2.0 Web Browser SSO Profile

This is a possible deployment of the SAML V2.0 Web Browser SSO Profile where the service provider (SP) and the identity provider (IdP) use the HTTP POST and HTTP Artifact bindings, respectively. A SAML artifact is transmitted to the SP via HTTP GET. The message flow begins with a request for a secured resource at the SP:

1) Request the target resource at the SP

The client requests a target resource at the service provider:

  https://sp.example.com/myresource

The service provider performs a security check on behalf of the target resource. If a valid security context at the service provider already exists, skip steps 2--9.

2) Respond with an HTML form

The service provider responds with a document containing an HTML form:

  <form method="post" action="https://idp.example.org/SAML2/SSO/POST" ...>
    <input type="hidden" name="SAMLRequest" value="request" />
    <input type="hidden" name="RelayState" value="token" />
    ...
    <input type="submit" value="Submit" />
  </form>

The RelayState token is an opaque reference to state information maintained at the service provider. The value of the SAMLRequest parameter is the base64 encoding of the following <samlp:AuthnRequest> element:

  <samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="identifier_1"
    Version="2.0"
    IssueInstant="2004-12-05T09:21:59Z"
    AssertionConsumerServiceIndex="1">
    <saml:Issuer>https://sp.example.com/SAML2</saml:Issuer>
    <samlp:NameIDPolicy
      AllowCreate="true"
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
  </samlp:AuthnRequest>

Before the <samlp:AuthnRequest> element is URL-encoded and inserted into the HTML form, it is first deflated and base64-encoded (in that order).
3) Request the SSO Service at the IdP

The client issues a POST request to the SSO service at the identity provider:

  POST /SAML2/SSO/POST HTTP/1.1
  Host: idp.example.org
  Content-Type: application/x-www-form-urlencoded
  Content-Length: nnn

  SAMLRequest=request&RelayState=token

where the values of the SAMLRequest and RelayState parameters are taken from the HTML form at step 2.

The SSO service processes the AuthnRequest (by URL-decoding, base64-decoding and inflating, in that order) and performs a security check. If the user does not have a valid security context, the identity provider identifies the user (details omitted).

4) Redirect to the Assertion Consumer Service

The SSO service at the identity provider redirects the client to the assertion consumer service at the service provider. The previous RelayState parameter and a SAMLart parameter are appended to the redirect URL.

5) Request the Assertion Consumer Service at the SP

The client requests the assertion consumer service at the service provider:

  https://sp.example.com/SAML2/SSO/Artifact?SAMLart=artifact&RelayState=token

where token is the token value from step 3 and artifact is the SAML artifact issued at step 4.
6) Request the Artifact Resolution Service at the IdP

The assertion consumer service dereferences the artifact by sending a SAML ArtifactResolve message to the artifact resolution service at the identity provider:

  <samlp:ArtifactResolve
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="identifier_2"
    Version="2.0"
    IssueInstant="2004-12-05T09:22:04Z"
    Destination="https://idp.example.org/SAML2/ArtifactResolution">
    <saml:Issuer>https://sp.example.com/SAML2</saml:Issuer>
    <!-- an ArtifactResolve message SHOULD be signed -->
    <ds:Signature
      xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature>
    <samlp:Artifact>artifact</samlp:Artifact>
  </samlp:ArtifactResolve>

where the value of the <samlp:Artifact> element is the SAML artifact transmitted at step 5.

7) Respond with a SAML Assertion

The artifact resolution service at the identity provider returns a SAML ArtifactResponse message (containing an <samlp:Response> element) to the assertion consumer service at the service provider:

  <samlp:ArtifactResponse
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="identifier_3"
    InResponseTo="identifier_2"
    Version="2.0"
    IssueInstant="2004-12-05T09:22:05Z">
    <!-- an ArtifactResponse message SHOULD be signed -->
    <ds:Signature
      xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature>
    <samlp:Status>
      <samlp:StatusCode
        Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:Status>
    <samlp:Response
      xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      ID="identifier_4"
      InResponseTo="identifier_1"
      Version="2.0"
      IssueInstant="2004-12-05T09:22:05Z"
      Destination="https://sp.example.com/SAML2/SSO/Artifact">
      <saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
      <ds:Signature
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature>
      <samlp:Status>
        <samlp:StatusCode
          Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
      </samlp:Status>
      <saml:Assertion
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        ID="identifier_5"
        Version="2.0"
        IssueInstant="2004-12-05T09:22:05Z">
        <saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
        <!-- a Subject element is required -->
        <saml:Subject>
          <saml:NameID
            Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
            user@mail.example.org
          </saml:NameID>
          <saml:SubjectConfirmation
            Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml:SubjectConfirmationData
              InResponseTo="identifier_1"
              Recipient="https://sp.example.com/SAML2/SSO/Artifact"
              NotOnOrAfter="2004-12-05T09:27:05Z"/>
          </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions
          NotBefore="2004-12-05T09:17:05Z"
          NotOnOrAfter="2004-12-05T09:27:05Z">
          <saml:AudienceRestriction>
            <saml:Audience>https://sp.example.com/SAML2</saml:Audience>
          </saml:AudienceRestriction>
        </saml:Conditions>
        <saml:AuthnStatement
          AuthnInstant="2004-12-05T09:22:00Z"
          SessionIndex="identifier_5">
          <saml:AuthnContext>
            <saml:AuthnContextClassRef>
              urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
            </saml:AuthnContextClassRef>
          </saml:AuthnContext>
        </saml:AuthnStatement>
      </saml:Assertion>
    </samlp:Response>
  </samlp:ArtifactResponse>

8) Redirect to the target resource

The assertion consumer service processes the response, creates a security context at the service provider and redirects the client to the target resource.

9) Request the target resource at the SP again

The client requests the target resource at the service provider (again):

  https://sp.example.com/myresource

10) Respond with the requested resource

Since a security context exists, the service provider returns the resource to the client.
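Both artifact flows above (the POST variant and this GET variant) carry a "Type 0x0004 SAML artifact" from IdP to SP at steps 4 and 5 and dereference it at steps 6 and 7, but neither shows what is inside the artifact or what the artifact resolution service must enforce. The following is an added example, not code from the original post or its attachments. It builds and parses the Type 0x0004 layout from the SAML V2.0 Bindings specification (TypeCode 0x0004, 2-byte EndpointIndex, 20-byte SourceID that is the SHA-1 of the issuer's entityID, 20-byte random MessageHandle), shows the GET transport of the third flow, and models the issuer-side store consulted at step 6. The entityIDs and endpoints come from the flows; ArtifactStore and the function names are my own.

```python
"""Added example (not from the original post): the Type 0x0004 SAML artifact of the
two artifact flows and the one-time, intended-recipient-only resolution rule.
Function and class names are mine; entityIDs/endpoints are those of the flows."""
import base64
import hashlib
import os
import struct
import urllib.parse

TYPE_CODE = 0x0004
ARTIFACT_LEN = 44                                    # 2 + 2 + 20 + 20 bytes
IDP_ENTITY_ID = "https://idp.example.org/SAML2"
SP_ENTITY_ID = "https://sp.example.com/SAML2"
ACS_URL = "https://sp.example.com/SAML2/SSO/Artifact"


def source_id(entity_id):
    """SourceID: SHA-1 of the artifact issuer's entityID."""
    return hashlib.sha1(entity_id.encode("utf-8")).digest()


def build_artifact(issuer_entity_id, endpoint_index, handle=None):
    """IdP side: assemble and base64-encode a Type 0x0004 artifact (step 4)."""
    handle = os.urandom(20) if handle is None else handle
    if len(handle) != 20:
        raise ValueError("MessageHandle must be 20 bytes")
    raw = struct.pack(">HH", TYPE_CODE, endpoint_index) + source_id(issuer_entity_id) + handle
    return base64.b64encode(raw).decode("ascii")


def parse_artifact(artifact_b64):
    """SP side: decode and check the fixed layout before anything else (step 5)."""
    raw = base64.b64decode(artifact_b64, validate=True)
    if len(raw) != ARTIFACT_LEN:
        raise ValueError(f"artifact must be {ARTIFACT_LEN} bytes, got {len(raw)}")
    type_code, endpoint_index = struct.unpack(">HH", raw[:4])
    if type_code != TYPE_CODE:
        raise ValueError(f"unsupported artifact type 0x{type_code:04x}")
    return {"endpoint_index": endpoint_index, "source_id": raw[4:24], "handle": raw[24:44]}


def locate_issuer(artifact_b64, known_idp_entity_ids):
    """SP side: map SourceID to a configured IdP; the EndpointIndex then selects that
    IdP's artifact resolution endpoint from its metadata (step 6)."""
    parsed = parse_artifact(artifact_b64)
    for entity_id in known_idp_entity_ids:
        if source_id(entity_id) == parsed["source_id"]:
            return entity_id, parsed["endpoint_index"]
    raise ValueError("artifact SourceID matches no configured identity provider")


def build_artifact_url(acs_url, artifact_b64, relay_state):
    """IdP side, GET variant (step 4 of the third flow). Base64 contains '+', '/' and
    '=', so the artifact must be URL-encoded when placed in the query string."""
    return acs_url + "?" + urllib.parse.urlencode({"SAMLart": artifact_b64, "RelayState": relay_state})


def artifact_from_url(url):
    """SP side, GET variant (step 5 of the third flow): parse_qs URL-decodes."""
    params = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    return params["SAMLart"][0], params.get("RelayState", [None])[0]


class ArtifactStore:
    """IdP side: what the artifact resolution service consults at step 6. An artifact
    resolves at most once, and only for the SP it was issued to. A real store also
    expires entries after the artifact lifetime (omitted here)."""

    def __init__(self):
        self._pending = {}   # artifact -> (intended SP entityID, stored message)

    def issue(self, sp_entity_id, message, endpoint_index=0):
        artifact = build_artifact(IDP_ENTITY_ID, endpoint_index)
        self._pending[artifact] = (sp_entity_id, message)
        return artifact

    def resolve(self, artifact, requester_entity_id):
        """Called with the ArtifactResolve's <samlp:Artifact> value and its (signed)
        <saml:Issuer>. Returns the stored message or None; pop() makes it one-time."""
        entry = self._pending.pop(artifact, None)
        if entry is None:
            return None
        intended_sp, message = entry
        if intended_sp != requester_entity_id:
            return None
        return message
```

Because the artifact is only a reference, the security of the flow rests on the resolution step: the IdP should authenticate the ArtifactResolve (the flows mark it "SHOULD be signed", and the back channel is typically mutually authenticated TLS), release the stored Response once, and only to the SP named when the artifact was issued.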