Portlet Forwards <samlp:Response> to Web Service Provider
This is the ECP SSO step between the Portlet and the web site/service.
| Code Block |
|---|
|
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
<S:Header>
<paos:Response refToMessageID="6c3a4f8b9c2d"
S:actor="http://schemas.xmlsoap.org/soap/actor/next/" S:mustUnderstand="1"/>
<!-- equivalent of the RelayState parameter in a browser-based SSO profile -->
<ecp:RelayState xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
S:mustUnderstand="1" S:actor="http://schemas.xmlsoap.org/soap/actor/next">cookie:afcd145</ecp:RelayState>
</S:Header>
<S:Body>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
Destination="https://service.example.com/Shibboleth.sso/SAML2/PAOS" ID="_e71fa15519729e9e3adea5d02b2e38ae"
InResponseTo="_a02c7e89e77e4871b84349a9db338374" IssueInstant="2008-03-14T17:31:24.781Z" Version="2.0">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.example.edu/idp/shibboleth</saml:Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0"
ID="_682C46C8-198A-436C-9E0F-DBBC155DE414" IssueInstant="2008-03-14T17:31:24.781Z">
<saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
<ds:Signature>...</ds:Signature> <!-- signature elided -->
<saml:Subject>
<!-- the identifier is scoped between the IdP and the WSP -->
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">
E8042FB4-4D5B-48C3-8E14-8EDD852790EE
</saml:NameID>
<!-- the bearer authorization is for web SSO by the Portal to the WSP -->
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
https://portal.example.edu/shibboleth
</saml:NameID>
<saml:SubjectConfirmationData Address="192.168.10.10" NotOnOrAfter="2008-03-14T17:36:24Z"
Recipient="https://service.example.com/Shibboleth.sso/SAML2/PAOS"/>
</saml:SubjectConfirmation>
</saml:Subject>
<!-- the conditions apply to all uses, and the assertion is scoped to the WSP -->
<saml:Conditions NotBefore="2008-03-14T17:31:24.781Z" NotOnOrAfter="2008-03-14T18:31:24.781Z">
<saml:AudienceRestriction>
<saml:Audience>https://service.example.com/shibboleth</saml:Audience>
</saml:AudienceRestriction>
<saml:Condition xsi:type="del:DelegationRestrictionType" xmlns:del="urn:oasis:names:tc:SAML:2.0:conditions:delegation">
<del:Delegate>
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
https://portal.example.edu/shibboleth
</saml:NameID>
</del:Delegate>
</saml:Condition>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2008-03-14T17:21:24.781Z" SessionIndex="_682C46C8-198A-436C-9E0F-DBBC155DE414">
<saml:SubjectLocality Address="192.168.1.1"/>
<saml:AuthnContext>
<saml:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
<saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
...
</saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>
</S:Body>
</S:Envelope>
|
Notes
The <samlp:Response> message from the IdP is wrapped with additional binding information inside a SOAP envelope, the response half of a SOAP exchange, carried in an HTTP response.
The Portlet is responsible for creating the <paos:Response> header to correlate the request from the WSP. The original resource at the WSP is recovered from the RelayState header, which is copied from the WSP's request to the response.
| Include Page |
|---|
| ShibuPortal:Example Values |
|---|
| ShibuPortal:Example Values |
|---|
|