Portlet Forwards <samlp:Response>
to Web Service Provider
This is the ECP SSO step between the Portlet (acting as the Enhanced Client or Proxy on the user's behalf) and the web site/service (the WSP).
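<!--
  PAOS/ECP response from the Portlet to the WSP: the IdP's <samlp:Response> is
  carried unmodified in the SOAP body; the two SOAP headers are the PAOS binding
  information the Portlet adds.  Namespace prefixes used below (paos, ds, xsi)
  are declared here so the example is well-formed as written.
-->
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"
            xmlns:paos="urn:liberty:paos:2003-08"
            xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <S:Header>
    <!-- refToMessageID echoes the messageID of the WSP's original <paos:Request>,
         letting the WSP correlate this response with its outstanding request.
         The SOAP 1.1 "next" actor URI has no trailing slash. -->
    <paos:Response refToMessageID="6c3a4f8b9c2d"
                   S:actor="http://schemas.xmlsoap.org/soap/actor/next" S:mustUnderstand="1"/>
    <!-- equivalent of the RelayState parameter in a browser-based SSO profile;
         copied verbatim from the WSP's request, so the WSP should treat it as
         opaque and only use it to look up the originally requested resource -->
    <ecp:RelayState xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
                    S:mustUnderstand="1" S:actor="http://schemas.xmlsoap.org/soap/actor/next">cookie:afcd145</ecp:RelayState>
  </S:Header>
  <S:Body>
    <!-- Destination must be the WSP's own PAOS endpoint and InResponseTo must match the
         ID of the <samlp:AuthnRequest> the WSP issued; the WSP rejects the response otherwise. -->
    <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    Destination="https://service.example.com/Shibboleth.sso/SAML2/PAOS" ID="_e71fa15519729e9e3adea5d02b2e38ae"
                    InResponseTo="_a02c7e89e77e4871b84349a9db338374" IssueInstant="2008-03-14T17:31:24.781Z" Version="2.0">
      <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.example.edu/idp/shibboleth</saml:Issuer>
      <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
      </samlp:Status>
      <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0"
                      ID="_682C46C8-198A-436C-9E0F-DBBC155DE414" IssueInstant="2008-03-14T17:31:24.781Z">
        <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
        <!-- signature elided.  Only the assertion is signed in this example (the enclosing
             <samlp:Response> is not); the WSP must verify this signature against the
             IdP's known key before trusting anything in the assertion. -->
        <ds:Signature>...</ds:Signature>
        <saml:Subject>
          <!-- the identifier is scoped between the IdP and the WSP -->
          <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">
            E8042FB4-4D5B-48C3-8E14-8EDD852790EE
          </saml:NameID>
          <!-- the bearer authorization is for web SSO by the Portal to the WSP:
               the confirming entity is the Portal, not the user -->
          <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
              https://portal.example.edu/shibboleth
            </saml:NameID>
            <!-- WSP checks: Recipient is its own PAOS endpoint and NotOnOrAfter has not
                 passed (note the short, 5-minute bearer window).  Address is the Portal's
                 address and may optionally be compared with the presenting peer's. -->
            <saml:SubjectConfirmationData Address="192.168.10.10" NotOnOrAfter="2008-03-14T17:36:24Z"
                                          Recipient="https://service.example.com/Shibboleth.sso/SAML2/PAOS"/>
          </saml:SubjectConfirmation>
        </saml:Subject>
        <!-- the conditions apply to all uses, and the assertion is scoped to the WSP.
             The WSP must enforce the NotBefore/NotOnOrAfter window and the Audience, and
             because a DelegationRestriction is present it must also be configured to
             accept assertions delegated via the named Portal; an SP that does not
             understand this condition must reject the assertion. -->
        <saml:Conditions NotBefore="2008-03-14T17:31:24.781Z" NotOnOrAfter="2008-03-14T18:31:24.781Z">
          <saml:AudienceRestriction>
            <saml:Audience>https://service.example.com/shibboleth</saml:Audience>
          </saml:AudienceRestriction>
          <saml:Condition xsi:type="del:DelegationRestrictionType" xmlns:del="urn:oasis:names:tc:SAML:2.0:conditions:delegation">
            <del:Delegate>
              <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
                https://portal.example.edu/shibboleth
              </saml:NameID>
            </del:Delegate>
          </saml:Condition>
        </saml:Conditions>
        <!-- SubjectLocality is the user's address as seen by the IdP at authentication time;
             it differs from the Portal's address in SubjectConfirmationData above -->
        <saml:AuthnStatement AuthnInstant="2008-03-14T17:21:24.781Z" SessionIndex="_682C46C8-198A-436C-9E0F-DBBC155DE414">
          <saml:SubjectLocality Address="192.168.1.1"/>
          <saml:AuthnContext>
            <saml:AuthnContextClassRef>
              urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
            </saml:AuthnContextClassRef>
          </saml:AuthnContext>
        </saml:AuthnStatement>
        <saml:AttributeStatement>
          ...
        </saml:AttributeStatement>
      </saml:Assertion>
    </samlp:Response>
  </S:Body>
</S:Envelope>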
Notes
The <samlp:Response> message from the IdP is carried unmodified, together with the PAOS binding headers, inside a SOAP envelope — the response half of the PAOS exchange — which travels in the HTTP response to the WSP's original request.
The Portlet is responsible for creating the <paos:Response> header, whose refToMessageID correlates this response with the WSP's original <paos:Request>. The original resource at the WSP is recovered from the <ecp:RelayState> header, which the Portlet copies unchanged from the WSP's request into the response. Before accepting the assertion, the WSP verifies the IdP's signature on it and checks InResponseTo, Destination, Recipient, NotOnOrAfter, the Audience, and that it is configured to accept assertions delegated via the named Portal.