Subject: Re: [security-services] Tech Overview outstanding issues
On 10/6/06, Tom Scavo <trscavo@gmail.com> wrote:
> On 9/29/06, Eve L. Maler <Eve.Maler@sun.com> wrote:
> >
> > Tom, thanks for offering a detailed code example! I think an
> > SP-initiated SSO flow would be most common and most welcome. I
> > might also reprise it somewhat in the introductory material, unless
> > people think that having two examples for similar stuff that differ
> > only in unimportant details is useful.
>
> Attached is an SSO flow with hand-crafted example code...

Another SSO flow with example code is attached. Comments are appreciated.

Tom Scavo
NCSA/University of Illinois

-----------------------------------------------------

SAML V2.0 Web Browser SSO Profile

This is a possible deployment of the SAML V2.0 Web Browser SSO Profile
where both the service provider (SP) and the identity provider (IdP)
use the HTTP Artifact binding. The message flow begins with a request
for a secured resource at the SP.

1) Request the target resource at the SP

The client requests a target resource at the service provider:

  https://sp.org/myresource

The service provider performs a security check on behalf of the target
resource. If a valid security context at the service provider already
exists, skip steps 2--11.

2) Redirect to the Single Sign-on (SSO) Service at the IdP

The service provider redirects the client to the single sign-on (SSO)
service at the identity provider. A RelayState parameter and a SAMLart
parameter are appended to the redirect URL.

3) Request the SSO Service at the IdP

The client requests the SSO service at the identity provider:

  https://idp.org/SAML2/SSO/Artifact?SAMLart=artifact&RelayState=token

where token is an opaque reference to state information maintained at
the service provider and artifact is a SAML artifact.
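The artifact carried in the SAMLart parameter at steps 3 and 7 is what lets the receiving party find the right artifact resolution service without seeing the message itself. The Python below is an added illustration, not part of Tom's attachment or of any SAML product: it lays out the type-4 artifact defined in the SAML V2.0 bindings (2-byte type code 0x0004, 2-byte endpoint index, 20-byte SourceID that is the SHA-1 of the issuer's entityID, 20-byte random MessageHandle), shows the SourceID lookup a receiver performs to map an artifact to a trusted partner, and sketches the issuer-side store that hands each artifact out at most once, as the bindings require. The entity IDs are the sp.org and idp.org values from the flow; the function and class names are this example's own.

```python
import base64
import hashlib
import os

# Entity IDs from the flow above; the SP issues the first artifact in step 2.
SP_ENTITY_ID = "https://sp.org/SAML2"
IDP_ENTITY_ID = "https://idp.org/SAML2"

TYPE_CODE_0004 = 0x0004            # artifact type defined by the SAML V2.0 bindings
ARTIFACT_LEN = 2 + 2 + 20 + 20     # TypeCode + EndpointIndex + SourceID + MessageHandle


def source_id(entity_id):
    """SourceID of a type-4 artifact: the SHA-1 digest of the issuer's entityID."""
    return hashlib.sha1(entity_id.encode("utf-8")).digest()


def make_artifact(entity_id, endpoint_index=0, message_handle=None):
    """Build a base64-encoded type-4 artifact for the given issuer."""
    if message_handle is None:
        message_handle = os.urandom(20)          # 20 unguessable bytes
    if len(message_handle) != 20:
        raise ValueError("MessageHandle must be exactly 20 bytes")
    raw = (TYPE_CODE_0004.to_bytes(2, "big")
           + endpoint_index.to_bytes(2, "big")
           + source_id(entity_id)
           + message_handle)
    return base64.b64encode(raw).decode("ascii")


def parse_artifact(artifact):
    """Decode an artifact into its fields; reject anything that is not a type-4 artifact."""
    try:
        raw = base64.b64decode(artifact, validate=True)
    except (ValueError, TypeError) as exc:
        raise ValueError("artifact is not valid base64") from exc
    if len(raw) != ARTIFACT_LEN:
        raise ValueError("expected %d bytes, got %d" % (ARTIFACT_LEN, len(raw)))
    type_code = int.from_bytes(raw[0:2], "big")
    if type_code != TYPE_CODE_0004:
        raise ValueError("unsupported artifact type 0x%04x" % type_code)
    return {
        "type_code": type_code,
        "endpoint_index": int.from_bytes(raw[2:4], "big"),
        "source_id": raw[4:24],
        "message_handle": raw[24:44],
    }


def resolve_issuer(artifact, trusted_entity_ids):
    """Map the artifact's SourceID to a trusted partner, or None if it matches nobody we know.

    A receiver only ever contacts the artifact resolution service of a partner
    it already trusts; an unknown SourceID is simply not resolved.
    """
    wanted = parse_artifact(artifact)["source_id"]
    for entity_id in trusted_entity_ids:
        if source_id(entity_id) == wanted:
            return entity_id
    return None


class ArtifactStore:
    """Issuer-side store behind an artifact resolution service (hypothetical helper).

    Each artifact maps to one stored message and is handed out at most once:
    a second resolution of the same artifact returns None.
    """

    def __init__(self, entity_id):
        self.entity_id = entity_id
        self._pending = {}

    def issue(self, message):
        artifact = make_artifact(self.entity_id)
        self._pending[parse_artifact(artifact)["message_handle"]] = message
        return artifact

    def resolve(self, artifact):
        fields = parse_artifact(artifact)
        if fields["source_id"] != source_id(self.entity_id):
            return None                          # not ours; do not consult the store
        return self._pending.pop(fields["message_handle"], None)
```

In the flow above the SP's `ArtifactStore` would hold the AuthnRequest between steps 2 and 5, and the IdP's would hold the Response between steps 6 and 9; the `pop` in `resolve` is what makes a replayed artifact resolve to nothing.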
4) Request the Artifact Resolution Service at the SP

The SSO service dereferences the artifact by sending a SAML
ArtifactResolve message to the artifact resolution service at the
service provider:

  <samlp:ArtifactResolve
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="identifier_1"
    Version="2.0"
    IssueInstant="2004-12-05T09:21:58Z"
    Destination="https://sp.org/SAML2/ArtifactResolution">
    <saml:Issuer>https://idp.org/SAML2</saml:Issuer>
    <!-- an ArtifactResolve message SHOULD be signed -->
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature>
    <samlp:Artifact>artifact</samlp:Artifact>
  </samlp:ArtifactResolve>

where the value of the <samlp:Artifact> element is the SAML artifact
at step 3.

5) Respond with a SAML AuthnRequest

The artifact resolution service at the service provider returns a SAML
ArtifactResponse message (containing an <samlp:AuthnRequest> element)
to the SSO service at the identity provider:

  <samlp:ArtifactResponse
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="identifier_2"
    InResponseTo="identifier_1"
    Version="2.0"
    IssueInstant="2004-12-05T09:21:59Z"
    Destination="https://idp.org/SAML2/SSO/Artifact">
    <saml:Issuer>https://sp.org/SAML2</saml:Issuer>
    <!-- an ArtifactResponse message SHOULD be signed -->
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature>
    <samlp:Status>
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:Status>
    <samlp:AuthnRequest
      ID="identifier_3"
      Version="2.0"
      IssueInstant="2004-12-05T09:21:59Z"
      ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
      AssertionConsumerServiceURL="https://sp.org/SAML2/SSO/Artifact">
      <saml:Issuer>https://sp.org/SAML2</saml:Issuer>
      <samlp:NameIDPolicy
        AllowCreate="false"
        Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>
    </samlp:AuthnRequest>
  </samlp:ArtifactResponse>

The SSO service processes the AuthnRequest and performs a security
check. If the user does not have a valid security context, the
identity provider identifies the user (details omitted).

6) Redirect to the Assertion Consumer Service

The SSO service at the identity provider redirects the client to the
assertion consumer service at the service provider. The previous
RelayState parameter and a new SAMLart parameter are appended to the
redirect URL.

7) Request the Assertion Consumer Service at the SP

The client requests the assertion consumer service at the service
provider:

  https://sp.org/SAML2/SSO/Artifact?SAMLart=artifact&RelayState=token

where token is the token value from step 3 and artifact is a new SAML
artifact.

8) Request the Artifact Resolution Service at the IdP

The assertion consumer service dereferences the artifact by sending a
SAML ArtifactResolve message to the artifact resolution service at the
identity provider:

  <samlp:ArtifactResolve
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="identifier_4"
    Version="2.0"
    IssueInstant="2004-12-05T09:22:04Z"
    Destination="https://idp.org/SAML2/ArtifactResolution">
    <saml:Issuer>https://sp.org/SAML2</saml:Issuer>
    <!-- an ArtifactResolve message SHOULD be signed -->
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature>
    <samlp:Artifact>artifact</samlp:Artifact>
  </samlp:ArtifactResolve>

where the value of the <samlp:Artifact> element is the SAML artifact
at step 7.

9) Respond with a SAML Assertion

The artifact resolution service at the identity provider returns a
SAML ArtifactResponse message (containing an <samlp:Response> element)
to the assertion consumer service at the service provider:

  <samlp:ArtifactResponse
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="identifier_5"
    InResponseTo="identifier_4"
    Version="2.0"
    IssueInstant="2004-12-05T09:22:05Z"
    Destination="https://sp.org/SAML2/SSO/Artifact">
    <saml:Issuer>https://idp.org/SAML2</saml:Issuer>
    <!-- an ArtifactResponse message SHOULD be signed -->
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature>
    <samlp:Status>
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:Status>
    <samlp:Response
      ID="identifier_6"
      InResponseTo="identifier_3"
      Version="2.0"
      IssueInstant="2004-12-05T09:22:05Z">
      <saml:Issuer>https://idp.org/SAML2</saml:Issuer>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature>
      <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
      </samlp:Status>
      <saml:Assertion
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        ID="identifier_7"
        Version="2.0"
        IssueInstant="2004-12-05T09:22:05Z">
        <saml:Issuer>https://idp.org/SAML2</saml:Issuer>
        <!-- a Subject element is required -->
        <saml:Subject>
          <saml:NameID
            Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
            user@mail.idp.org
          </saml:NameID>
          <saml:SubjectConfirmation
            Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml:SubjectConfirmationData
              InResponseTo="identifier_3"
              Recipient="https://sp.org/SAML2/SSO/Artifact"
              NotOnOrAfter="2004-12-05T09:27:05Z"/>
          </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions
          NotBefore="2004-12-05T09:17:05Z"
          NotOnOrAfter="2004-12-05T09:27:05Z">
          <saml:AudienceRestriction>
            <saml:Audience>https://sp.org/SAML2</saml:Audience>
          </saml:AudienceRestriction>
        </saml:Conditions>
        <saml:AuthnStatement
          AuthnInstant="2004-12-05T09:22:00Z"
          SessionIndex="identifier_7">
          <saml:AuthnContext>
            <saml:AuthnContextClassRef>
              urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
            </saml:AuthnContextClassRef>
          </saml:AuthnContext>
        </saml:AuthnStatement>
      </saml:Assertion>
    </samlp:Response>
  </samlp:ArtifactResponse>

10) Redirect to the target resource

The assertion consumer service processes the response, creates a
security context at the service provider and redirects the client to
the target resource.

11) Request the target resource at the SP again

The client requests the target resource at the service provider
(again):

  https://sp.org/myresource

12) Respond with the requested resource

Since a security context exists, the service provider returns the
resource to the client.
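Step 10 says the assertion consumer service "processes the response" before it creates a security context. The Python below, an added example rather than code from Tom's attachment or from any SAML implementation, spells out the checks that processing involves for the step 9 message: the outer ArtifactResponse must answer the step 8 ArtifactResolve and come from the IdP, the inner Response must answer the step 5 AuthnRequest, the bearer SubjectConfirmationData must name this SP's assertion consumer service and not be expired, and the Conditions window and AudienceRestriction must hold. The embedded XML is the step 9 message reflowed; the entity IDs and ACS URL are the sp.org/idp.org values from the flow. Signature verification of the elided ds:Signature elements and a replay cache keyed on the assertion ID are assumed to happen elsewhere and are not shown.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
# Values the SP's assertion consumer service already knows from the flow above.
IDP_ENTITY_ID = "https://idp.org/SAML2"
SP_ENTITY_ID = "https://sp.org/SAML2"
ACS_URL = "https://sp.org/SAML2/SSO/Artifact"

# The step 9 message from the flow, reflowed (constructed sample input).
ARTIFACT_RESPONSE_STEP_9 = """\
<samlp:ArtifactResponse xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="identifier_5"
    InResponseTo="identifier_4" Version="2.0" IssueInstant="2004-12-05T09:22:05Z"
    Destination="https://sp.org/SAML2/SSO/Artifact">
  <saml:Issuer>https://idp.org/SAML2</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <samlp:Response ID="identifier_6" InResponseTo="identifier_3" Version="2.0"
      IssueInstant="2004-12-05T09:22:05Z">
    <saml:Issuer>https://idp.org/SAML2</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature>
    <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
    <saml:Assertion ID="identifier_7" Version="2.0" IssueInstant="2004-12-05T09:22:05Z">
      <saml:Issuer>https://idp.org/SAML2</saml:Issuer>
      <saml:Subject>
        <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@mail.idp.org</saml:NameID>
        <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
          <saml:SubjectConfirmationData InResponseTo="identifier_3"
              Recipient="https://sp.org/SAML2/SSO/Artifact" NotOnOrAfter="2004-12-05T09:27:05Z"/>
        </saml:SubjectConfirmation>
      </saml:Subject>
      <saml:Conditions NotBefore="2004-12-05T09:17:05Z" NotOnOrAfter="2004-12-05T09:27:05Z">
        <saml:AudienceRestriction><saml:Audience>https://sp.org/SAML2</saml:Audience></saml:AudienceRestriction>
      </saml:Conditions>
      <saml:AuthnStatement AuthnInstant="2004-12-05T09:22:00Z" SessionIndex="identifier_7">
        <saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext>
      </saml:AuthnStatement>
    </saml:Assertion>
  </samlp:Response>
</samlp:ArtifactResponse>
"""


def parse_instant(value):
    """SAML UTC dateTime ('...Z') to an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def status_value(el):
    sc = el.find("samlp:Status/samlp:StatusCode", NS)
    return sc.get("Value") if sc is not None else None


def issuer_of(el):
    return (el.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()


def validate_artifact_response(xml_text, expected_idp, sp_entity_id, acs_url,
                               artifact_resolve_id, authn_request_id, now):
    """Return the list of problems found; an empty list means the message is acceptable."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}ArtifactResponse" % NS["samlp"]:
        return ["root element is not samlp:ArtifactResponse"]
    # Outer envelope: must answer our ArtifactResolve (step 8) and come from the IdP.
    if root.get("InResponseTo") != artifact_resolve_id:
        problems.append("ArtifactResponse InResponseTo does not match our ArtifactResolve ID")
    if issuer_of(root) != expected_idp:
        problems.append("ArtifactResponse issuer is not the expected IdP")
    if status_value(root) != SUCCESS:
        problems.append("ArtifactResponse status is not Success")
    # Inner Response: must answer the AuthnRequest we handed out in step 5.
    resp = root.find("samlp:Response", NS)
    if resp is None:
        return problems + ["no samlp:Response inside the ArtifactResponse"]
    if resp.get("InResponseTo") != authn_request_id:
        problems.append("Response InResponseTo does not match our AuthnRequest ID")
    if status_value(resp) != SUCCESS:
        problems.append("Response status is not Success")
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["Response carries no saml:Assertion"]
    if issuer_of(assertion) != expected_idp:
        problems.append("Assertion issuer is not the expected IdP")
    # Bearer confirmation: addressed to our ACS, tied to our request, not yet expired.
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation[@Method='%s']"
                         "/saml:SubjectConfirmationData" % BEARER, NS)
    if scd is None:
        problems.append("no bearer SubjectConfirmationData")
    else:
        if scd.get("Recipient") != acs_url:
            problems.append("SubjectConfirmationData Recipient is not our ACS URL")
        if scd.get("InResponseTo") != authn_request_id:
            problems.append("SubjectConfirmationData InResponseTo does not match our AuthnRequest ID")
        noa = scd.get("NotOnOrAfter")
        if noa is None or now >= parse_instant(noa):
            problems.append("bearer confirmation is missing NotOnOrAfter or has expired")
    # Conditions: validity window and audience restriction.
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("Assertion has no Conditions")
    else:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb is not None and now < parse_instant(nb):
            problems.append("Assertion is not yet valid (NotBefore)")
        if noa is None or now >= parse_instant(noa):
            problems.append("Assertion is missing NotOnOrAfter or has expired")
        audiences = [a.text.strip() for a in
                     cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
        if sp_entity_id not in audiences:
            problems.append("our entityID is not in the AudienceRestriction")
    return problems


def check_step_9(now_iso, **overrides):
    """Validate the step 9 message with the SP's expected values, at the given UTC instant."""
    params = dict(expected_idp=IDP_ENTITY_ID, sp_entity_id=SP_ENTITY_ID, acs_url=ACS_URL,
                  artifact_resolve_id="identifier_4", authn_request_id="identifier_3")
    params.update(overrides)
    return validate_artifact_response(ARTIFACT_RESPONSE_STEP_9, now=parse_instant(now_iso), **params)
```

Every check returns a named problem rather than raising on the first one, so an assertion consumer service can log the full list for the operator while still refusing to create a session if the list is non-empty; `check_step_9("2004-12-05T09:22:10Z")` returns an empty list, and the same message a few minutes after its NotOnOrAfter is rejected on both the bearer confirmation and the Conditions.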