You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 9 Next »

Identity Provider Issues <samlp:Response> to Portal

This is the SOAP response to the Portal with the assertion it will hand off to the Portlet.

<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">

  <S:Header xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:sbf="urn:liberty:sb" xmlns:sb="urn:liberty:sb:2006-08">

    <!-- ID-WSF defined headers -->
    <sbf:Framework version="2.0"/>
    <sb:Sender providerID="https://idp.example.edu/idp/shibboleth"/>

    <!-- WS-Addressing headers with routing information -->
    <wsa:MessageID>uuid:071BCD36-FE77-470D-9AA9-9B5628D0873A</wsa:MessageID>
    <wsa:RelatesTo>uuid:efefefef-aaaa-ffff-cccc-eeeeffffcccc</wsa:RelatesTo>
    <wsa:Action>urn:liberty:ssos:2006-08:Response</wsa:Action>

    <!-- WS-Security header with timestamp -->
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <wsu:Created>2008-03-14T17:25:30Z</wsu:Created>
      </wsu:Timestamp>
    </wsse:Security>

  </S:Header>

  <S:Body>
    <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_e71fa15519729e9e3adea5d02b2e38af"
        InResponseTo="_a02c7e89e77e4871b84349a9db338374" IssueInstant="2008-03-14T17:25:30Z" Version="2.0">

      <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.example.edu/idp/shibboleth</saml:Issuer>
      <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
      </samlp:Status>

      <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0"
          ID="_682C46C8-198A-436C-9E0F-DBBC155DE415" IssueInstant="2008-03-14T17:25:30Z">

        <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
        <ds:Signature>...</ds:Signature> <!-- signature elided -->

        <saml:Subject>

          <!-- the identifier is scoped between the IdP and the Portlet -->
          <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">
            E8042FB4-4D5B-48C3-8E14-8EDD852790FF
          </saml:NameID>

          <!-- the first confirmation is for the portal -->
          <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
                https://portal.example.edu/shibboleth
            </saml:NameID>
            <saml:SubjectConfirmationData NotOnOrAfter="2008-03-14T17:30:30Z"
                Recipient="http://www.w3.org/2005/08/addressing/role/anonymous"/>
          </saml:SubjectConfirmation>

          <!-- the second confirmation is for the portlet back to the IdP -->
          <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
            <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
                https://portal.example.edu/portlet1/shibboleth
            </saml:NameID>
            <saml:SubjectConfirmationData xsi:type="saml:KeyInfoConfirmationDataType"
                xmlns:shib="urn:mace:shibboleth:2.0"
                shib:TransitedProvider="https://portal.example.edu/shibboleth">
              <ds:KeyInfo>...<ds:KeyInfo>
            </saml:SubjectConfirmationData>
          </saml:SubjectConfirmation>

        </saml:Subject>

        <!-- the conditions apply to all uses, and the assertion is scoped to the Portlet and IdP -->
        <saml:Conditions NotBefore="2008-03-14T17:25:30Z" NotOnOrAfter="2008-03-14T18:25:30Z">
          <saml:AudienceRestriction>
            <saml:Audience>https://portal.example.edu/portlet1/shibboleth</saml:Audience>
            <saml:Audience>https://idp.example.edu/idp/shibboleth</saml:Audience>
          </saml:AudienceRestriction>
        </saml:Conditions>

        <saml:AuthnStatement AuthnInstant="2008-03-14T17:21:24.781Z" SessionIndex="_682C46C8-198A-436C-9E0F-DBBC155DE414">
          <saml:SubjectLocality Address="192.168.1.1"/>
          <saml:AuthnContext>
            <saml:AuthnContextClassRef>
              urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
            <saml:AuthnContextClassRef>
          </saml:AuthnContext>
        </saml:AuthnStatement>

        <saml:AttributeStatement>
            ...
        </saml:AttributeStatement>

      </saml:Assertion>

    </samlp:Response>
  </S:Body>

</S:Envelope>

Notes

The token returned in this step is really intended to be used by the Portlet in subsequent SSO operations with services to authenticate to the IdP as the user.

To model the hand-off between the Portal, which is asking for the assertion, and the Portlet, I'm using a "bearer" confirmation method that identifies the Recipient (the allowed delivery location) as the WS-Addressing anonymous URL, which implies "self". This is the best way I can think of to limit the bearer semantic to the local hand-off, without compromising the security between the Portlet and the IdP. Essentially, nothing should accept such a bearer assertion other than the Portlet itself (because we code it to do so).

The other noteworthy extension is inside the second <saml:SubjectConfirmationData> element holding the confirmation key. In addition to identifying the Portlet as the delegate, we add an attribute produced and consumed only by the IdP that identifies the original delegate, the Portal. This tracks the immediately preceding delegate, which would otherwise appear only in the first confirmation element. The IdP needs this information to produce a <sec:TransitedProviderPath> element in the assertion it gives to the Portlet later, which records the Portal as having been transited. We can use this arbitrary extension at each hop to track the "missing" delegate that we have to add to the transited path in the subsequent step. It needn't be standardized because it's produced and consumed only by the same software.


For the purposes of these examples, assume the following:
  • Identity Provider EntityID
    • https://idp.example.edu/idp/shibboleth
  • Identity Provider Browser SSO Service URL
    • https://idp.example.edu/idp/profile/SAML2/Redirect/SSO

  • Portal Resource URL
    • https://portal.example.edu/
  • Portal EntityID
    • https://portal.example.edu/shibboleth
  • Portal Assertion Consumer Service URL
    • https://portal.example.edu/Shibboleth.sso/SAML2/POST

  • Portlet EntityID
    • https://portal.example.edu/portlet1/shibboleth

  • Web Service Provider Resource URL
    • https://service.example.com/orderstatus
  • Web Service Provider EntityID
    • https://service.example.com/shibboleth
  • Web Service Provider Assertion Consumer Service URL
    • https://service.example.com/Shibboleth.sso/SAML2/PAOS
  • No labels