OASIS Mailing List Archives

saml-dev message

Subject: Re: [saml-dev] Anyone have actual message exchange XML instance samples they're willing to share?


This is a possible implementation of the SAML 2.0 Web Browser SSO
Profile where both the service provider (SP) and the identity provider
(IdP) use the HTTP Artifact binding.  The message flow begins with a
request for a secured resource at the SP.

1) The client requests a target resource at the SP:

  https://sp.org/myresource

The SP performs a security check on behalf of the target resource.  If
a valid security context at the SP already exists, skip steps 2--11.

2) The SP redirects the client to the single sign-on (SSO) service at
the IdP.  A RelayState parameter and a SAMLart parameter are appended
to the redirect URL.

3) The client requests the SSO service at the IdP:

  https://idp.org/SAML2/SSO/Artifact?RelayState=token&SAMLart=artifact

where token is an opaque reference to state information maintained at
the SP and artifact is a SAML artifact.

4) The SSO service dereferences the artifact by sending a SAML
ArtifactResolve message to the artifact resolution service at the SP:

  <samlp:ArtifactResolve
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="identifier_1"
    Version="2.0"
    IssueInstant="2004-12-05T09:21:58Z"
    Destination="https://sp.org/SAML2/ArtifactResolution">
    <saml:Issuer>https://idp.org/SAML2</saml:Issuer>
    <!-- an ArtifactResolve message SHOULD be signed -->
    <ds:Signature
      xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature>
    <samlp:Artifact>artifact</samlp:Artifact>
  </samlp:ArtifactResolve>

where the value of the <samlp:Artifact> element is the SAML artifact at step 3.

5) The artifact resolution service at the SP returns a SAML
ArtifactResponse message (containing an <samlp:AuthnRequest> element)
to the SSO service at the IdP:

  <samlp:ArtifactResponse
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="identifier_2"
    InResponseTo="identifier_1"
    Version="2.0"
    IssueInstant="2004-12-05T09:21:59Z"
    Destination="https://idp.org/SAML2/SSO/Artifact">
    <saml:Issuer>https://sp.org/SAML2</saml:Issuer>
    <!-- an ArtifactResponse message SHOULD be signed -->
    <ds:Signature
      xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature>
    <samlp:Status>
      <samlp:StatusCode 
        Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:Status>
    <samlp:AuthnRequest
      ID="identifier_3"
      Version="2.0"
      IssueInstant="2004-12-05T09:21:59Z"
      ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
      AssertionConsumerServiceURL="https://sp.org/SAML2/SSO/Artifact">
      <saml:Issuer>https://sp.org/SAML2</saml:Issuer>
      <samlp:NameIDPolicy
        AllowCreate="false"
        Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>
    </samlp:AuthnRequest>
  </samlp:ArtifactResponse>

The SSO service processes the AuthnRequest and performs a security
check.  If the user does not have a valid security context, the IdP
identifies the user (details omitted).

6) The SSO service at the IdP redirects the client to the assertion
consumer service at the SP.  The previous RelayState parameter and a
new SAMLart parameter are appended to the redirect URL.

7) The client requests the assertion consumer service at the SP:

  https://sp.org/SAML2/SSO/Artifact?RelayState=token&SAMLart=artifact

where token is the token value from step 3 and artifact is a new SAML artifact.

8) The assertion consumer service dereferences the artifact by sending
a SAML ArtifactResolve message to the artifact resolution service at
the IdP:

  <samlp:ArtifactResolve
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="identifier_4"
    Version="2.0"
    IssueInstant="2004-12-05T09:22:04Z"
    Destination="https://idp.org/SAML2/ArtifactResolution">
    <saml:Issuer>https://sp.org/SAML2</saml:Issuer>
    <!-- an ArtifactResolve message SHOULD be signed -->
    <ds:Signature
      xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature>
    <samlp:Artifact>artifact</samlp:Artifact>
  </samlp:ArtifactResolve>

where the value of the <samlp:Artifact> element is the SAML artifact at step 7.

9) The artifact resolution service at the IdP returns a SAML
ArtifactResponse message (containing an <samlp:Response> element) to
the assertion consumer service at the SP:

  <samlp:ArtifactResponse
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="identifier_5"
    InResponseTo="identifier_4"
    Version="2.0"
    IssueInstant="2004-12-05T09:22:05Z"
    Destination="https://sp.org/SAML2/SSO/Artifact">
    <saml:Issuer>https://idp.org/SAML2</saml:Issuer>
    <!-- an ArtifactResponse message SHOULD be signed -->
    <ds:Signature
      xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature>
    <samlp:Status>
      <samlp:StatusCode 
        Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:Status>
    <samlp:Response
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
      ID="identifier_6"
      InResponseTo="identifier_3"
      Version="2.0"
      IssueInstant="2004-12-05T09:22:05Z">
      <saml:Issuer>https://idp.org/SAML2</saml:Issuer>
      <ds:Signature
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature>
      <samlp:Status>
        <samlp:StatusCode 
          Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
      </samlp:Status>
      <saml:Assertion
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        ID="identifier_7"
        Version="2.0"
        IssueInstant="2004-12-05T09:22:05Z">
        <saml:Issuer>https://idp.org/SAML2</saml:Issuer>
        <!-- a Subject element is required -->
        <saml:Subject>
          <saml:NameID
            Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
            user@mail.idp.org
          </saml:NameID>
          <saml:SubjectConfirmation
            Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml:SubjectConfirmationData
              InResponseTo="identifier_3"
              Recipient="https://sp.org/SAML2/SSO/Artifact"
              NotOnOrAfter="2004-12-05T09:27:05Z"/>
          </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions 
          NotBefore="2004-12-05T09:17:05Z"
          NotOnOrAfter="2004-12-05T09:27:05Z">
          <saml:AudienceRestriction>
            <saml:Audience>https://sp.org/SAML2</saml:Audience>
          </saml:AudienceRestriction>
        </saml:Conditions>
        <saml:AuthnStatement 
          AuthnInstant="2004-12-05T09:22:00Z"
          SessionIndex="identifier_7">
          <saml:AuthnContext>
            <saml:AuthnContextClassRef>
              urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
            </saml:AuthnContextClassRef>
          </saml:AuthnContext>
        </saml:AuthnStatement>
      </saml:Assertion>
    </samlp:Response>
  </samlp:ArtifactResponse>

10) The assertion consumer service processes the response, creates a
security context at the SP and redirects the client to the target
resource.

11) The client requests the target resource at the SP (again):

  https://sp.org/myresource

12) Since a security context exists, the SP returns the resource to the client.
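The following is an added example, not part of the original post and not any SAML implementation's own code: a Python sketch of the checks an SP's assertion consumer service applies at step 10 to the step-9 ArtifactResponse before it creates a security context. The function name, the error strings and the embedded sample (the post's step-9 message with the signature contents elided) are assumptions of this example. Verifying the ds:Signature itself is left to an XML-DSig library; the sketch only checks that one is present, and everything else it checks (InResponseTo, Recipient, validity window, Audience, Issuer, Status) is meaningless until that verification has passed.

```python
import xml.etree.ElementTree as ET  # use defusedxml in production to resist entity expansion attacks
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample: the step-9 ArtifactResponse from the post, signature contents elided.
ARTIFACT_RESPONSE = """<samlp:ArtifactResponse xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="identifier_5" InResponseTo="identifier_4" Version="2.0" IssueInstant="2004-12-05T09:22:05Z"
    Destination="https://sp.org/SAML2/SSO/Artifact">
  <saml:Issuer>https://idp.org/SAML2</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <samlp:Response ID="identifier_6" InResponseTo="identifier_3" Version="2.0" IssueInstant="2004-12-05T09:22:05Z">
    <saml:Issuer>https://idp.org/SAML2</saml:Issuer>
    <ds:Signature>...</ds:Signature>
    <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
    <saml:Assertion ID="identifier_7" Version="2.0" IssueInstant="2004-12-05T09:22:05Z">
      <saml:Issuer>https://idp.org/SAML2</saml:Issuer>
      <saml:Subject>
        <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@mail.idp.org</saml:NameID>
        <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
          <saml:SubjectConfirmationData InResponseTo="identifier_3"
              Recipient="https://sp.org/SAML2/SSO/Artifact" NotOnOrAfter="2004-12-05T09:27:05Z"/>
        </saml:SubjectConfirmation>
      </saml:Subject>
      <saml:Conditions NotBefore="2004-12-05T09:17:05Z" NotOnOrAfter="2004-12-05T09:27:05Z">
        <saml:AudienceRestriction><saml:Audience>https://sp.org/SAML2</saml:Audience></saml:AudienceRestriction>
      </saml:Conditions>
      <saml:AuthnStatement AuthnInstant="2004-12-05T09:22:00Z" SessionIndex="identifier_7"><saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      </saml:AuthnContext></saml:AuthnStatement>
    </saml:Assertion>
  </samlp:Response>
</samlp:ArtifactResponse>"""


def _ts(value):  # SAML UTC timestamp, e.g. 2004-12-05T09:22:05Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def _status_ok(el):
    code = el.find("samlp:Status/samlp:StatusCode", NS)
    return code is not None and code.get("Value") == SUCCESS

def _issuer(el):
    return el.findtext("saml:Issuer", default="", namespaces=NS).strip()

def validate_artifact_response(xml_text, *, request_id, acs_url, sp_entity_id, idp_entity_id, now):
    """Return (errors, claims); an empty error list means the SP may create a session. now is a UTC
    datetime or SAML timestamp string; request_id is the AuthnRequest ID the SP issued and still
    tracks (identifier_3 in the post), so unsolicited or replayed responses fail the check."""
    now = _ts(now) if isinstance(now, str) else now
    errors, claims = [], {}

    def check(ok, msg):
        if not ok:
            errors.append(msg)
    root = ET.fromstring(xml_text)
    check(_status_ok(root), "ArtifactResponse status is not Success")
    resp = root.find("samlp:Response", NS)
    if resp is None:
        return errors + ["no samlp:Response inside ArtifactResponse"], claims
    check(resp.get("InResponseTo") == request_id, "Response.InResponseTo does not match the issued AuthnRequest ID")
    check(_status_ok(resp), "Response status is not Success")
    check(_issuer(resp) == idp_entity_id, "Response issuer is not the expected IdP")
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None:
        return errors + ["no saml:Assertion inside Response"], claims
    # A ds:Signature on the Response or Assertion must be verified against the IdP's key with an
    # XML-DSig library before anything below is trusted; this sketch only checks one is present.
    check(resp.find("ds:Signature", NS) is not None or assertion.find("ds:Signature", NS) is not None,
          "neither Response nor Assertion carries a ds:Signature")
    check(_issuer(assertion) == idp_entity_id, "Assertion issuer is not the expected IdP")
    # Bearer confirmation data binds the assertion to this request and to this ACS endpoint.
    scd = next((sc.find("saml:SubjectConfirmationData", NS)
                for sc in assertion.findall("saml:Subject/saml:SubjectConfirmation", NS)
                if sc.get("Method") == BEARER), None)
    if scd is None:
        errors.append("no bearer SubjectConfirmation with SubjectConfirmationData")
    else:
        check(scd.get("InResponseTo") == request_id, "SubjectConfirmationData.InResponseTo mismatch")
        check(scd.get("Recipient") == acs_url, "SubjectConfirmationData.Recipient is not this ACS URL")
        check(scd.get("NotOnOrAfter") is not None and now < _ts(scd.get("NotOnOrAfter")),
              "SubjectConfirmationData NotOnOrAfter missing or passed")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        errors.append("Assertion has no Conditions")
    else:
        check("NotBefore" not in cond.attrib or now >= _ts(cond.get("NotBefore")), "Assertion not yet valid")
        check("NotOnOrAfter" not in cond.attrib or now < _ts(cond.get("NotOnOrAfter")), "Assertion expired")
        audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        check(sp_entity_id in audiences, "SP entity ID is not in the AudienceRestriction")
    stmt = assertion.find("saml:AuthnStatement", NS)
    check(stmt is not None, "Web Browser SSO requires an AuthnStatement")
    if not errors:
        claims["name_id"] = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
        claims["session_index"] = stmt.get("SessionIndex")
    return errors, claims
```

In a real SP the `request_id` is looked up from server-side state keyed by the RelayState token of step 7, and the entry is consumed on first use so that a second delivery of the same Response (or of the same artifact) is rejected rather than re-validated. Running the sample with the post's own values and a clock of 2004-12-05T09:22:06Z yields no errors and the claims `user@mail.idp.org` / `identifier_7`; moving the clock to 09:27:05Z makes both the SubjectConfirmationData and the Conditions checks fail.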

