security-services message



Subject: Re: [security-services] Tech Overview outstanding issues


On 10/6/06, Tom Scavo <trscavo@gmail.com> wrote:
> On 9/29/06, Eve L. Maler <Eve.Maler@sun.com> wrote:
> >
> > Tom, thanks for offering a detailed code example!  I think an
> > SP-initiated SSO flow would be most common and most welcome.  I
> > might also reprise it somewhat in the introductory material, unless
> > people think that having two examples for similar stuff that differ
> > only in unimportant details is useful.
>
> Attached is an SSO flow with hand-crafted example code...

Another SSO flow with example code is attached.  Comments are appreciated.

Tom Scavo
NCSA/University of Illinois

-----------------------------------------------------
SAML V2.0 Web Browser SSO Profile

This is a possible deployment of the SAML V2.0 Web Browser SSO Profile
where both the service provider (SP) and the identity provider (IdP)
use the HTTP Artifact binding.  The message flow begins with a request
for a secured resource at the SP.

1) Request the target resource at the SP

The client requests a target resource at the service provider:

  https://sp.org/myresource

The service provider performs a security check on behalf of the target
resource.  If a valid security context at the service provider already
exists, skip steps 2--11.

2) Redirect to the Single Sign-on (SSO) Service at the IdP

The service provider redirects the client to the single sign-on (SSO)
service at the identity provider.  A RelayState parameter and a
SAMLart parameter are appended to the redirect URL.

3) Request the SSO Service at the IdP

The client requests the SSO service at the identity provider:

  https://idp.org/SAML2/SSO/Artifact?SAMLart=artifact&RelayState=token

where token is an opaque reference to state information maintained at
the service provider and artifact is a SAML artifact.

4) Request the Artifact Resolution Service at the SP

The SSO service dereferences the artifact by sending a SAML
ArtifactResolve message to the artifact resolution service at the
service provider:

  <samlp:ArtifactResolve
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="identifier_1"
    Version="2.0"
    IssueInstant="2004-12-05T09:21:58Z"
    Destination="https://sp.org/SAML2/ArtifactResolution">
    <saml:Issuer>https://idp.org/SAML2</saml:Issuer>
    <!-- an ArtifactResolve message SHOULD be signed -->
    <ds:Signature
      xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature>
    <samlp:Artifact>artifact</samlp:Artifact>
  </samlp:ArtifactResolve>

where the value of the <samlp:Artifact> element is the SAML artifact at step 3.

5) Respond with a SAML AuthnRequest

The artifact resolution service at the service provider returns a SAML
ArtifactResponse message (containing an <samlp:AuthnRequest> element)
to the SSO service at the identity provider:

  <samlp:ArtifactResponse
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="identifier_2"
    InResponseTo="identifier_1"
    Version="2.0"
    IssueInstant="2004-12-05T09:21:59Z"
    Destination="https://idp.org/SAML2/SSO/Artifact">
    <saml:Issuer>https://sp.org/SAML2</saml:Issuer>
    <!-- an ArtifactResponse message SHOULD be signed -->
    <ds:Signature
      xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature>
    <samlp:Status>
      <samlp:StatusCode
        Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:Status>
    <samlp:AuthnRequest
      ID="identifier_3"
      Version="2.0"
      IssueInstant="2004-12-05T09:21:59Z"
      ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
      AssertionConsumerServiceURL="https://sp.org/SAML2/SSO/Artifact">
      <saml:Issuer>https://sp.org/SAML2</saml:Issuer>
      <samlp:NameIDPolicy
        AllowCreate="false"
        Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>
    </samlp:AuthnRequest>
  </samlp:ArtifactResponse>

The SSO service processes the AuthnRequest and performs a security
check.  If the user does not have a valid security context, the
identity provider identifies the user (details omitted).

6) Redirect to the Assertion Consumer Service

The SSO service at the identity provider redirects the client to the
assertion consumer service at the service provider.  The previous
RelayState parameter and a new SAMLart parameter are appended to the
redirect URL.

7) Request the Assertion Consumer Service at the SP

The client requests the assertion consumer service at the service provider:

  https://sp.org/SAML2/SSO/Artifact?SAMLart=artifact&RelayState=token

where token is the token value from step 3 and artifact is a new SAML artifact.

8) Request the Artifact Resolution Service at the IdP

The assertion consumer service dereferences the artifact by sending a
SAML ArtifactResolve message to the artifact resolution service at the
identity provider:

  <samlp:ArtifactResolve
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="identifier_4"
    Version="2.0"
    IssueInstant="2004-12-05T09:22:04Z"
    Destination="https://idp.org/SAML2/ArtifactResolution">
    <saml:Issuer>https://sp.org/SAML2</saml:Issuer>
    <!-- an ArtifactResolve message SHOULD be signed -->
    <ds:Signature
      xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature>
    <samlp:Artifact>artifact</samlp:Artifact>
  </samlp:ArtifactResolve>

where the value of the <samlp:Artifact> element is the SAML artifact at step 7.

9) Respond with a SAML Assertion

The artifact resolution service at the identity provider returns a
SAML ArtifactResponse message (containing an <samlp:Response> element)
to the assertion consumer service at the service provider:

  <samlp:ArtifactResponse
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="identifier_5"
    InResponseTo="identifier_4"
    Version="2.0"
    IssueInstant="2004-12-05T09:22:05Z"
    Destination="https://sp.org/SAML2/SSO/Artifact">
    <saml:Issuer>https://idp.org/SAML2</saml:Issuer>
    <!-- an ArtifactResponse message SHOULD be signed -->
    <ds:Signature
      xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature>
    <samlp:Status>
      <samlp:StatusCode
        Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:Status>
    <samlp:Response
      ID="identifier_6"
      InResponseTo="identifier_3"
      Version="2.0"
      IssueInstant="2004-12-05T09:22:05Z">
      <saml:Issuer>https://idp.org/SAML2</saml:Issuer>
      <ds:Signature
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature>
      <samlp:Status>
        <samlp:StatusCode
          Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
      </samlp:Status>
      <saml:Assertion
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        ID="identifier_7"
        Version="2.0"
        IssueInstant="2004-12-05T09:22:05Z">
        <saml:Issuer>https://idp.org/SAML2</saml:Issuer>
        <!-- a Subject element is required -->
        <saml:Subject>
          <saml:NameID
            Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
            user@mail.idp.org
          </saml:NameID>
          <saml:SubjectConfirmation
            Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml:SubjectConfirmationData
              InResponseTo="identifier_3"
              Recipient="https://sp.org/SAML2/SSO/Artifact"
              NotOnOrAfter="2004-12-05T09:27:05Z"/>
          </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions
          NotBefore="2004-12-05T09:17:05Z"
          NotOnOrAfter="2004-12-05T09:27:05Z">
          <saml:AudienceRestriction>
            <saml:Audience>https://sp.org/SAML2</saml:Audience>
          </saml:AudienceRestriction>
        </saml:Conditions>
        <saml:AuthnStatement
          AuthnInstant="2004-12-05T09:22:00Z"
          SessionIndex="identifier_7">
          <saml:AuthnContext>
            <saml:AuthnContextClassRef>
              urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
            </saml:AuthnContextClassRef>
          </saml:AuthnContext>
        </saml:AuthnStatement>
      </saml:Assertion>
    </samlp:Response>
  </samlp:ArtifactResponse>

10) Redirect to the target resource

The assertion consumer service processes the response, creates a
security context at the service provider and redirects the client to
the target resource.

11) Request the target resource at the SP again

The client requests the target resource at the service provider (again):

  https://sp.org/myresource

12) Respond with the requested resource

Since a security context exists, the service provider returns the
resource to the client.
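Added example (not part of Tom's attachment or of any SAML TC deliverable): the checks an SP's assertion consumer service should apply in step 10 to the samlp:Response obtained in step 9 before it creates a security context. It uses Python's standard-library XML parser, assumes the ds:Signature elements were already verified by an XML-DSig library, and embeds a constructed Response modelled on the step-9 message.

```python
import xml.etree.ElementTree as ET
from datetime import datetime
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

def ts(s):  # SAML UTC dateTime (the "...Z" form used throughout the flow) -> naive UTC datetime
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def validate_response(xml_text, request_id, acs_url, audience, idp, now, seen):
    """Return the NameID if the Response passes the SP-side checks, else raise ValueError.
    request_id: ID of the AuthnRequest this SP issued (identifier_3); now: naive UTC datetime;
    seen: set of assertion IDs already consumed. ds:Signature verification is assumed done."""
    r = ET.fromstring(xml_text)
    if r.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SUCCESS:
        raise ValueError("status is not Success")
    if r.get("InResponseTo") != request_id:
        raise ValueError("Response.InResponseTo does not match our AuthnRequest")
    a = r.find("saml:Assertion", NS)
    if a is None or a.findtext("saml:Issuer", "", NS).strip() != idp:
        raise ValueError("assertion missing or not issued by the expected IdP")
    if a.get("ID") in seen:
        raise ValueError("assertion replayed")
    sc = a.find("saml:Subject/saml:SubjectConfirmation", NS)
    d = sc.find("saml:SubjectConfirmationData", NS)
    if (sc.get("Method") != BEARER or d.get("Recipient") != acs_url
            or d.get("InResponseTo") != request_id or now >= ts(d.get("NotOnOrAfter"))):
        raise ValueError("bearer SubjectConfirmation check failed")
    c = a.find("saml:Conditions", NS)
    if not ts(c.get("NotBefore")) <= now < ts(c.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    if audience not in [x.text.strip() for x in c.iterfind("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("this SP is not in the AudienceRestriction")
    seen.add(a.get("ID"))  # remember the ID so the same assertion cannot be presented twice
    return a.findtext("saml:Subject/saml:NameID", "", NS).strip()

# Constructed sample modelled on the step-9 Response (Signature elements omitted).
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="identifier_6"
 InResponseTo="identifier_3" Version="2.0" IssueInstant="2004-12-05T09:22:05Z">
 <saml:Issuer>https://idp.org/SAML2</saml:Issuer><samlp:Status><samlp:StatusCode
  Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="identifier_7" Version="2.0" IssueInstant="2004-12-05T09:22:05Z">
  <saml:Issuer>https://idp.org/SAML2</saml:Issuer><saml:Subject>
   <saml:NameID>user@mail.idp.org</saml:NameID><saml:SubjectConfirmation
    Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData
    InResponseTo="identifier_3" Recipient="https://sp.org/SAML2/SSO/Artifact"
    NotOnOrAfter="2004-12-05T09:27:05Z"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2004-12-05T09:17:05Z" NotOnOrAfter="2004-12-05T09:27:05Z"><saml:AudienceRestriction>
   <saml:Audience>https://sp.org/SAML2</saml:Audience></saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"""
```

The same InResponseTo, Recipient and time-window checks apply to a Response received over the HTTP POST binding; the artifact binding only changes how the message reaches the SP.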

