Portal Issues <samlp:AuthnRequest> to Identity Provider

This is for standard SAML Browser SSO.

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    AssertionConsumerServiceURL="https://portal.example.edu/Shibboleth.sso/SAML2/POST"
    Destination="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"
    ID="_a02c7e89e77e4871b84349a9db338373" IssueInstant="2008-03-14T17:21:17Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">

  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://portal.example.edu/shibboleth</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="1"/>

  <!-- identifies the IdP as a secondary "relying party" for the assertion -->
  <saml:Conditions xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:AudienceRestriction>
      <saml:Audience>https://idp.example.edu/idp/shibboleth</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>

</samlp:AuthnRequest>

Notes

The request contains an additional component, a request for an audience condition matching the IdP itself. This can be used as a signal to equip the resulting assertion with the capability to authenticate the Portal to the IdP later.

Alternatively, ID-WSF defines a SAML attribute encoding for what are called "Endpoint References", which identify services (such as the IdP's Single Sign-On services) and can reference the enclosing assertion as a security token for accessing those services. The Portal could include a request for such an attribute in its metadata.
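As an added illustration (not code from the Shibboleth project), the following shows how an IdP-side component could inspect the request above: it checks that the Destination is its own SSO endpoint and that the AssertionConsumerServiceURL is one the issuer registered, then detects the audience condition naming the IdP that this page describes as the delegation signal. The SP_REGISTRY dictionary is a hypothetical stand-in for SP metadata; the sample request is constructed from the page's example.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Entity IDs and endpoints taken from this page's list of assumptions.
IDP_ENTITY_ID = "https://idp.example.edu/idp/shibboleth"
IDP_SSO_URL = "https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"

# Hypothetical stand-in for SP metadata: issuer entityID -> registered ACS URLs.
SP_REGISTRY = {"https://portal.example.edu/shibboleth":
               {"https://portal.example.edu/Shibboleth.sso/SAML2/POST"}}

# Constructed sample: the page's AuthnRequest as the IdP would receive it.
SAMPLE_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  AssertionConsumerServiceURL="https://portal.example.edu/Shibboleth.sso/SAML2/POST"
  Destination="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"
  ID="_a02c7e89e77e4871b84349a9db338373" IssueInstant="2008-03-14T17:21:17Z"
  ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
  <saml:Issuer>https://portal.example.edu/shibboleth</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="1"/>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://idp.example.edu/idp/shibboleth</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
</samlp:AuthnRequest>"""


def inspect_authn_request(xml_text, registry=SP_REGISTRY):
    """Check the request is addressed to this IdP and comes from a known SP,
    then report whether its audience condition names the IdP (delegation signal)."""
    # Parse with defusedxml.ElementTree instead when the input is untrusted.
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("not a samlp:AuthnRequest")
    if root.get("Destination") != IDP_SSO_URL:
        raise ValueError("Destination is not this IdP's SSO endpoint")
    issuer = (root.findtext("saml:Issuer", namespaces=NS) or "").strip()
    acs = root.get("AssertionConsumerServiceURL")
    # Only deliver the response to an ACS URL the issuer has registered in metadata.
    if acs not in registry.get(issuer, set()):
        raise ValueError("ACS URL not registered for issuer %r" % issuer)
    path = "saml:Conditions/saml:AudienceRestriction/saml:Audience"
    audiences = [a.text.strip() for a in root.findall(path, NS) if a.text]
    return {"id": root.get("ID"), "issuer": issuer, "acs_url": acs,
            "audiences": audiences,
            "delegation_requested": IDP_ENTITY_ID in audiences}
```

A request without the Conditions element passes the same checks but reports delegation_requested as False, so the IdP issues an ordinary assertion for it.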


For the purposes of these examples, assume the following:
  • Identity Provider EntityID
    • https://idp.example.edu/idp/shibboleth
  • Identity Provider Browser SSO Service URL
    • https://idp.example.edu/idp/profile/SAML2/Redirect/SSO

  • Portal Resource URL
    • https://portal.example.edu/
  • Portal EntityID
    • https://portal.example.edu/shibboleth
  • Portal Assertion Consumer Service URL
    • https://portal.example.edu/Shibboleth.sso/SAML2/POST

  • Portlet EntityID
    • https://portal.example.edu/portlet1/shibboleth

  • Web Service Provider Resource URL
    • https://service.example.com/orderstatus
  • Web Service Provider EntityID
    • https://service.example.com/shibboleth
  • Web Service Provider Assertion Consumer Service URL
    • https://service.example.com/Shibboleth.sso/SAML2/PAOS