Versions Compared

Old Version 2

changes.mady.by.user trscavo@internet2.edu

Saved on

compared with

New Version 3

changes.mady.by.user trscavo@internet2.edu

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

SAML IdP Proxy

A SAML IdP Proxy is a bridge or gateway between a federation of SAML IdPs and a federation of SAML SPs:

...

  1. A browser client requests a web resource protected by a SAML SP (SP0). If a security context for the principal already exists at SP0, skip to step 14.
  2. The client is redirected to the IdP component of the IdP Proxy (IdP0), which is protected by the SP component of the IdP Proxy (SP1).
  3. The client makes a SAML Shibboleth. AuthnRequest to the SSO service at IdP0. If a security context for the principal already exists at IdP0, skip to step 10.
  4. The AuthnRequest is cached and the client is redirected to the terminal IdP (IdP1).
  5. The client makes a SAML Shibboleth. AuthnRequest to the SSO service at IdP1. If a security context for the principal does not exist, IdP1 identifies the principal (details omitted).
  6. IdP1 updates its security context for this principal, issues one or more assertions, and returns a response to the client.
  7. The client submits the response to the assertion consumer service at SP1. The assertion consumer service validates the assertions in the response.
  8. SP1 updates its security context for this principal and redirects the client to IdP0.
  9. The client makes a SAML Shibboleth. AuthnRequest to IdP0, the same Shibboleth. AuthnRequest made at step 3.
  10. IdP0 updates its security context for this principal, issues a single assertion, and returns a response to the client. The response may also contains contain the assertions issued by IdP1 at step 6.
  11. The client submits the response to the assertion consumer service at SP0. The assertion consumer service validates the assertions in the response.
  12. SP0 updates its security context for this principal and redirects the client to the resource.
  13. The client requests the resource, the same request issued at step 1.
  14. The resource makes an access control decision based on the security context for this principal and returns the resource to the client.

...

Assuming SP1 exposes the assertions it receives from IdP1, the IdP Proxy formulates the following assertion at step 10:

Code Block
<!-- SAML1 assertion issued by IdP0 to SP0 -->
<saml:Assertion ...>
  <saml:Conditions ...>...</saml:Conditions>
  <saml:Advice>
	 <!-- nested assertion issued by IdP1 to SP1 -->
	 <saml:Assertion ...>
		<saml:Conditions ...>...</saml:Conditions>
		<saml:AuthenticationStatement ...>
		  <!-- the subject that authenticated to IdP1 -->
		  <saml:Subject>...</saml:Subject>
		  ...
		</saml:AuthenticationStatement>
		<saml:AttributeStatement>
		  <saml:Subject>...</saml:Subject>
		  ...
		</saml:AttributeStatement>
	 </saml:Assertion>
  </saml:Advice>
  <saml:AuthenticationStatement ...>
	 <!-- the subject that (indirectly) authenticated to IdP0 -->
	 <saml:Subject>...</saml:Subject>
	 ...
  </saml:AuthenticationStatement>
  <saml:AttributeStatement>
	 <saml:Subject>...</saml:Subject>
	 ...
  </saml:AttributeStatement>
</saml:Assertion>

...