
...

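<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">

  <S:Header xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:sbf="urn:liberty:sb" xmlns:sb="urn:liberty:sb:2006-08">

    <!-- ID-WSF defined headers -->
    <sbf:Framework version="2.0"/>
    <sb:Sender providerID="https://idp.example.edu/idp/shibboleth"/>

    <!-- WS-Addressing headers with routing information.
         RelatesTo carries the MessageID of the portal's request; the portal
         should match it so this reply cannot be spliced onto another exchange. -->
    <wsa:MessageID>uuid:071BCD36-FE77-470D-9AA9-9B5628D0873A</wsa:MessageID>
    <wsa:RelatesTo>uuid:efefefef-aaaa-ffff-cccc-eeeeffffcccc</wsa:RelatesTo>
    <wsa:Action>urn:liberty:ssos:2006-08:Response</wsa:Action>

    <!-- WS-Security header with timestamp.
         NOTE(review): only wsu:Created is given (no wsu:Expires), so the
         receiver must enforce its own freshness window on Created to bound replay. -->
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <wsu:Created>2008-03-14T17:25:30Z</wsu:Created>
      </wsu:Timestamp>
    </wsse:Security>

  </S:Header>

  <S:Body>
    <!-- The Response element itself is unsigned in this example; origin and
         integrity rest on the signature of the enclosed Assertion, and
         InResponseTo ties the Response to the ID of the portal's request. -->
    <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_e71fa15519729e9e3adea5d02b2e38af"
        InResponseTo="_a02c7e89e77e4871b84349a9db338374" IssueInstant="2008-03-14T17:25:30Z" Version="2.0">

      <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.example.edu/idp/shibboleth</saml:Issuer>
      <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
      </samlp:Status>

      <!-- ds (XML Signature) and xsi (schema instance) are used inside the
           Assertion and must be declared, otherwise the document is not
           namespace well-formed. -->
      <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
          xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          Version="2.0" ID="_682C46C8-198A-436C-9E0F-DBBC155DE415" IssueInstant="2008-03-14T17:25:30Z">

        <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
        <!-- signature elided; it covers the whole Assertion, including the
             non-standard shib:TransitedProvider attribute below -->
        <ds:Signature>...</ds:Signature>

        <saml:Subject>

          <!-- the identifier is scoped between the IdP and the Portlet.
               NameID values are written without surrounding whitespace: text
               content is data, and padded identifiers fail exact comparison. -->
          <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">E8042FB4-4D5B-48C3-8E14-8EDD852790FF</saml:NameID>

          <!-- the first confirmation is for the portal. It is a bearer
               confirmation, so whoever presents the assertion before
               NotOnOrAfter is accepted. Recipient is the WS-Addressing anonymous
               reply endpoint (the reply returns on the request's own channel),
               so there is no URL for the portal to match; it must rely on
               InResponseTo, NotOnOrAfter and the assertion signature instead. -->
          <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://portal.example.edu/shibboleth</saml:NameID>
            <saml:SubjectConfirmationData NotOnOrAfter="2008-03-14T17:30:30Z"
                Recipient="http://www.w3.org/2005/08/addressing/role/anonymous"/>
          </saml:SubjectConfirmation>

          <!-- the second confirmation is for the portlet back to the IdP. It is
               holder-of-key, so the portlet must prove possession of the key in
               ds:KeyInfo when it presents the assertion. shib:TransitedProvider
               is a local extension produced and consumed only by the IdP; it
               names the preceding delegate (the portal) so the IdP can build the
               transited path in the next assertion. -->
          <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
            <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://portal.example.edu/portlet1/shibboleth</saml:NameID>
            <saml:SubjectConfirmationData xsi:type="saml:KeyInfoConfirmationDataType"
                xmlns:shib="urn:mace:shibboleth:2.0"
                shib:TransitedProvider="https://portal.example.edu/shibboleth">
              <ds:KeyInfo>...</ds:KeyInfo>
            </saml:SubjectConfirmationData>
          </saml:SubjectConfirmation>

        </saml:Subject>

        <!-- the conditions apply to all uses, and the assertion is scoped to the
             Portlet and IdP; the Portal is not an audience, it is named as a
             delegate below instead -->
        <saml:Conditions NotBefore="2008-03-14T17:25:30Z" NotOnOrAfter="2008-03-14T18:25:30Z">
          <saml:AudienceRestriction>
            <saml:Audience>https://portal.example.edu/portlet1/shibboleth</saml:Audience>
            <saml:Audience>https://idp.example.edu/idp/shibboleth</saml:Audience>
          </saml:AudienceRestriction>

          <!-- A relying party that does not implement DelegationRestrictionType
               cannot evaluate this condition; per SAML Core an unknown condition
               makes the assertion Indeterminate, so it must not be relied upon. -->
          <saml:Condition xsi:type="del:DelegationRestrictionType" xmlns:del="urn:oasis:names:tc:SAML:2.0:conditions:delegation">
            <del:Delegate>
              <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://portal.example.edu/shibboleth</saml:NameID>
            </del:Delegate>
          </saml:Condition>

        </saml:Conditions>

        <saml:AuthnStatement AuthnInstant="2008-03-14T17:21:24.781Z" SessionIndex="_682C46C8-198A-436C-9E0F-DBBC155DE414">
          <saml:SubjectLocality Address="192.168.1.1"/>
          <saml:AuthnContext>
            <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
          </saml:AuthnContext>
        </saml:AuthnStatement>

        <saml:AttributeStatement>
            ...
        </saml:AttributeStatement>

      </saml:Assertion>

    </samlp:Response>
  </S:Body>

</S:Envelope>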

...

The other noteworthy extension is inside the second <saml:SubjectConfirmationData> element holding the confirmation key. In addition to identifying the Portlet as the delegate, we add an attribute produced and consumed only by the IdP that identifies the original delegate, the Portal. This tracks the immediately preceding delegate, which would otherwise appear only in the first confirmation element. The IdP needs this information to produce a <sec:TransitedProviderPath> element in the assertion it gives to the Portlet later, which records the Portal as having been transited. We can use this arbitrary extension at each hop to track the "missing" delegate that we have to add to the transited path in the subsequent step. It needn't be standardized because it's produced and consumed only by the same software; because the IdP is relying on its own earlier statement here, it should accept the value only from an assertion whose signature it has verified as its own. It complements the additional condition that identifies the Portal as a delegate, so that the subsequent assertions issued to the Portlets will include the Portal as the first link in the delegation chain.

...
