OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Looking for feedback on a first SAML implimentation.

Hello,

I've been tasked with designing a very simple SSO (single sign-on) process. My employer has specified that it should be implimented in SAML. I'd like to create messages that are absolutely as simple as possible while confirming to the SAML spec.

I'd be really grateful if some of you would look at my request and response messages and tell me if they make sense for my purpose, if they include anything that _doesn't_ need to be there, and if they are missing anything that _does_ need to be there.

Addionally, I'd like to know where in the response I should put additional information about the subject; in particular, the subject's email address.

The interaction needs to work as follows:

1) User requests service from service provider at this point, the service provider knows nothing about the user.
2) Service provider requests authentication for user from identity provider
3) User is authenticated/registered by identity provider
4) Identity provider responds to Service provider with authentication success message, PLUS user's email address.

Here's what I think the request should be:

<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
ID="abc"
IssueInstant="1970-01-01T00:00:00.000Z"
Version="2.0"
AssertionConsumerServiceURL="http://www.IdentityProvider.com/loginPage">
   <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
       http://www.serviceprovider.com
       </saml:Issuer>
    <saml:Subject>
        <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">3f7b3dcf-1674-4ecd-92c8-1544f346baf8</saml:NameID>
    </saml:Subject>

Here's what I think the response should be:

<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="http://www.serviceprovider.com/desitnationURL" ID="123" IssueInstant="2008-11-21T17:13:42.872Z" Version="2.0">
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:Status>
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
        <saml:Subject>
            <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">3f7b3dcf-1674-4ecd-92c8-1544f346baf8</saml:NameID>
            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:profiles:SSO:browser">
                <saml:SubjectConfirmationData InResponseTo="abc"/>
            </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:AuthnStatement AuthnInstant="2008-11-21T17:13:42.899Z">
            <saml:AuthnContext>
                <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
            </saml:AuthnContext>
        </saml:AuthnStatement>
    </saml:Assertion>
</samlp:Response>

So, again, my questions are:

1) Is this a valid SAML interaction?
2) Can either the request or response xml be simplified?
3) Where in the response should I put the subject's email address?

I really apprecaite your help. Thanks so much!

-Morgan


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]