OASIS Mailing List Archives

saml-dev message

Subject: Re: [saml-dev] Anyone have actual message exchange XML instance samples they're willing to share?


This is a possible implementation of the SAML 2.0 Web Browser SSO
Profile where the service provider (SP) and the identity provider
(IdP) use the HTTP Redirect and HTTP POST bindings, respectively.  The
message flow begins with a request for a secured resource at the SP.

1) The client requests a target resource at the SP:

  https://sp.org/myresource

The SP performs a security check on behalf of the target resource.  If
a valid security context at the SP already exists, skip steps 2--7.

2) The SP redirects the client to the single sign-on (SSO) service at
the IdP.  A RelayState parameter and a SAMLRequest parameter are
appended to the redirect URL.  The value of the SAMLRequest parameter
is a URL-encoded string constructed from the following request:

  <samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="identifier_1"
    Version="2.0"
    IssueInstant="2004-12-05T09:21:59Z"
    AssertionConsumerServiceIndex="1">
    <saml:Issuer>https://sp.org/SAML2</saml:Issuer>
    <samlp:NameIDPolicy
      AllowCreate="true"
      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:transient"/>
  </samlp:AuthnRequest>

Before the <samlp:AuthnRequest> element is URL-encoded and appended to
the redirect URL, it is deflated and base64-encoded (in that order).

3) The client requests the SSO service at the IdP:

  https://idp.org/SAML2/SSO/Redirect?RelayState=token&SAMLRequest=request

where token is an opaque reference to state information maintained at
the SP and request is the encoded <samlp:AuthnRequest> element from
step 2.  The SSO service processes the AuthnRequest (URL-decode,
base64-decode and inflate, in that order) and performs a security
check.  If the user does not have a valid security context, the IdP
identifies the user (details omitted).

4) The SSO service validates the request and responds with a document
containing an HTML form:

  <form method="post" action="https://sp.org/SAML2/SSO/POST" ...>
    <input type="hidden" name="RelayState" value="token" />
    <input type="hidden" name="SAMLResponse" value="response" />
    ...
    <input type="submit" value="Submit" />
  </form>

The value of the RelayState parameter has been preserved from step 3.
The value of the SAMLResponse parameter is the base64 encoding of the
following <samlp:Response> element:

  <samlp:Response
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="identifier_2"
    InResponseTo="identifier_1"
    Version="2.0"
    IssueInstant="2004-12-05T09:22:05Z"
    Destination="https://sp.org/SAML2/SSO/POST">
    <saml:Issuer>https://idp.org/SAML2</saml:Issuer>
    <!-- a POSTed response MUST be signed -->
    <ds:Signature
      xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature>
    <samlp:Status>
      <samlp:StatusCode 
        Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:Status>
    <saml:Assertion
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      ID="identifier_3"
      Version="2.0"
      IssueInstant="2004-12-05T09:22:05Z">
      <saml:Issuer>https://idp.org/SAML2</saml:Issuer>
      <!-- a Subject element is required -->
      <saml:Subject>
        <saml:NameID
          Format="urn:oasis:names:tc:SAML:1.1:nameid-format:transient">
          3f7b3dcf-1674-4ecd-92c8-1544f346baf8
        </saml:NameID>
        <saml:SubjectConfirmation
          Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
          <saml:SubjectConfirmationData
            InResponseTo="identifier_1"
            Recipient="https://sp.org/SAML2/SSO/POST"
            NotOnOrAfter="2004-12-05T09:27:05Z"/>
        </saml:SubjectConfirmation>
      </saml:Subject>
      <saml:Conditions 
        NotBefore="2004-12-05T09:17:05Z"
        NotOnOrAfter="2004-12-05T09:27:05Z">
        <saml:AudienceRestriction>
          <saml:Audience>https://sp.org/SAML2</saml:Audience>
        </saml:AudienceRestriction>
      </saml:Conditions>
      <saml:AuthnStatement 
        AuthnInstant="2004-12-05T09:22:00Z"
        SessionIndex="identifier_3">
        <saml:AuthnContext>
          <saml:AuthnContextClassRef>
            urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
          </saml:AuthnContextClassRef>
        </saml:AuthnContext>
      </saml:AuthnStatement>
    </saml:Assertion>
  </samlp:Response>

5) The client issues a POST request to the assertion consumer service at the SP.

6) The assertion consumer service processes the response, creates a
security context at the SP and redirects the client to the target
resource.

7) The client requests the target resource at the SP (again):

  https://sp.org/myresource

8) Since a security context exists, the SP returns the resource to the client.
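The steps 2 and 3 encoding round trip (deflate, then base64, then URL-encode, and the inverse on the IdP side), as an added example that is not part of the original message; the AuthnRequest is the one from step 2 with namespace declarations added, and the inflated-size cap is an assumption.

```python
import base64
import urllib.parse
import zlib

# The step-2 AuthnRequest from the message, with the namespace declarations it needs to parse stand-alone.
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="identifier_1" Version="2.0" '
    'IssueInstant="2004-12-05T09:21:59Z" AssertionConsumerServiceIndex="1">'
    '<saml:Issuer>https://sp.org/SAML2</saml:Issuer>'
    '<samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:transient"/>'
    '</samlp:AuthnRequest>'
)

def encode_saml_request(xml: str) -> str:
    """SP side: deflate, base64-encode, URL-encode, in that order (the Redirect binding's DEFLATE encoding)."""
    # wbits=-15 selects raw DEFLATE; plain zlib.compress() would add a zlib header the binding does not use.
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml.encode("utf-8")) + comp.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode("ascii"), safe="")

def build_redirect_url(sso_url: str, relay_state: str, xml: str) -> str:
    """The step-3 URL the SP redirects the client to; RelayState is an opaque token kept by the SP."""
    return f"{sso_url}?RelayState={urllib.parse.quote(relay_state, safe='')}&SAMLRequest={encode_saml_request(xml)}"

def decode_saml_request(url: str, max_inflated: int = 64 * 1024) -> str:
    """IdP side: URL-decode, base64-decode, inflate, in that order; the size cap guards against decompression bombs."""
    params = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)  # parse_qs also URL-decodes the values
    raw = base64.b64decode(params["SAMLRequest"][0], validate=True)
    d = zlib.decompressobj(-15)
    xml = d.decompress(raw, max_inflated)
    if not d.eof:  # output hit the cap before the DEFLATE stream ended, or the stream is truncated
        raise ValueError("SAMLRequest inflates past the size limit or is truncated")
    return xml.decode("utf-8")
```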

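The checks the assertion consumer service in step 6 should make on the POSTed Response before it creates a security context, as an added example that is not part of the original message; it embeds the message's step-4 Response (condensed, Signature body replaced by a placeholder) and assumes the SP entity ID https://sp.org/SAML2 and the ACS URL from the message.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS, BEARER = "urn:oasis:names:tc:SAML:2.0:status:Success", "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample: the step-4 Response from the message, condensed, with the Signature body replaced by a placeholder.
RESPONSE_XML = """<samlp:Response xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="identifier_2" InResponseTo="identifier_1"
 Version="2.0" IssueInstant="2004-12-05T09:22:05Z" Destination="https://sp.org/SAML2/SSO/POST">
 <saml:Issuer>https://idp.org/SAML2</saml:Issuer>
 <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">PLACEHOLDER</ds:Signature>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="identifier_3" Version="2.0" IssueInstant="2004-12-05T09:22:05Z">
  <saml:Issuer>https://idp.org/SAML2</saml:Issuer>
  <saml:Subject><saml:NameID>3f7b3dcf-1674-4ecd-92c8-1544f346baf8</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData
    InResponseTo="identifier_1" Recipient="https://sp.org/SAML2/SSO/POST" NotOnOrAfter="2004-12-05T09:27:05Z"/>
   </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2004-12-05T09:17:05Z" NotOnOrAfter="2004-12-05T09:27:05Z">
   <saml:AudienceRestriction><saml:Audience>https://sp.org/SAML2</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions></saml:Assertion></samlp:Response>"""
SAML_RESPONSE_PARAM = base64.b64encode(RESPONSE_XML.encode()).decode()  # value of the hidden form field

def ts(s):  # SAML dateTime in UTC; a missing attribute maps to the epoch, so a missing NotOnOrAfter fails closed
    return datetime.strptime(s or "1970-01-01T00:00:00Z", "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_response(b64, request_id, acs_url, sp_entity, idp_entity, now):
    """Return the failed checks (empty list = accept). XML-DSig verification against the IdP key is out of
    scope here: only the Signature's presence is checked; real code verifies it before trusting any content."""
    root, bad = ET.fromstring(base64.b64decode(b64)), []
    if root.find("ds:Signature", NS) is None: bad.append("unsigned")
    if root.get("Destination") != acs_url: bad.append("destination")        # addressed to a different ACS
    if root.get("InResponseTo") != request_id: bad.append("in_response_to")  # not our outstanding request
    sc = root.find("samlp:Status/samlp:StatusCode", NS)
    if sc is None or sc.get("Value") != SUCCESS: bad.append("status")
    a = root.find("saml:Assertion", NS)
    if a is None: return bad + ["no_assertion"]
    if a.findtext("saml:Issuer", "", NS).strip() != idp_entity: bad.append("issuer")
    conf = a.find("saml:Subject/saml:SubjectConfirmation", NS)
    data = conf.find("saml:SubjectConfirmationData", NS) if conf is not None else None
    if data is None or conf.get("Method") != BEARER: bad.append("confirmation")
    elif data.get("Recipient") != acs_url or data.get("InResponseTo") != request_id: bad.append("recipient")
    elif now >= ts(data.get("NotOnOrAfter")): bad.append("bearer_expired")
    cond = a.find("saml:Conditions", NS)
    if cond is None or not ts(cond.get("NotBefore")) <= now < ts(cond.get("NotOnOrAfter")): bad.append("validity")
    if sp_entity not in [e.text.strip() for e in a.iterfind("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]:
        bad.append("audience")
    return bad
```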
