...
- use the `urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect` binding
- be signed using the `http://www.w3.org/2001/04/xmldsig-more#rsa-sha256` algorithm (XML signatures cannot be used)
- include a `RequestedAuthnContext` with an `AuthnContextClassRef` with one of the defined levels
- include the SURFconext identifier of the user in the `Subject` element as a `NameID` (with `Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"`, see the description of `AuthnRequest` in https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf, line 2001).
...
```xml
<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_zQIibz9FKixdlgX8E7bHqE29wfatcgbsPdVn0NN"
    Version="2.0"
    IssueInstant="2016-03-10T15:09:21Z"
    Destination="https://gw.stepup.example.org/gssp/2nd-factor-only/single-sign-on"
    AssertionConsumerServiceURL="https://application-gateway.some-organisation.example.org/consume-assertion"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <saml:Issuer>https://application-gateway.some-organisation.example.org/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">urn:collab:person:some-organisation.example.org:m1234567890</saml:NameID>
  </saml:Subject>
  <samlp:RequestedAuthnContext>
    <saml:AuthnContextClassRef>http://stepup.example.org/verified-second-factor/level2</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
```
The signature is not visible in the XML: it is carried in HTTP GET parameters according to the specification of the HTTP-Redirect binding.
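How that query-string signature is produced and checked, as an added example that is not part of this page or of the SURFnet demo: Go code (the demo itself is PHP/SimpleSAMLphp) that deflates and encodes an AuthnRequest, signs `SAMLRequest=...&SigAlg=...` with RSA-SHA256 as the HTTP-Redirect binding prescribes, and verifies it on the receiving side using the parameter values exactly as received. The function names are mine; RelayState is left out for brevity.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"net/url"
	"strings"
)

const sigAlg = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

// BuildRedirectQuery deflates, base64- and URL-encodes the AuthnRequest XML, then signs the
// query string exactly as it appears in the URL (a RelayState would sit between the two parameters).
func BuildRedirectQuery(authnRequest []byte, key *rsa.PrivateKey) (string, error) {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.DefaultCompression) // raw DEFLATE, no zlib header
	w.Write(authnRequest)
	w.Close()
	q := "SAMLRequest=" + url.QueryEscape(base64.StdEncoding.EncodeToString(buf.Bytes())) + "&SigAlg=" + url.QueryEscape(sigAlg)
	digest := sha256.Sum256([]byte(q))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return q + "&Signature=" + url.QueryEscape(base64.StdEncoding.EncodeToString(sig)), nil
}

// VerifyRedirectQuery checks the signature on a received query string. The signed bytes are
// rebuilt from the values *as received*; re-encoding them could alter the percent-encoding.
func VerifyRedirectQuery(rawQuery string, pub *rsa.PublicKey) error {
	raw := map[string]string{}
	for _, kv := range strings.Split(rawQuery, "&") {
		k, v, _ := strings.Cut(kv, "=")
		raw[k] = v
	}
	if alg, _ := url.QueryUnescape(raw["SigAlg"]); alg != sigAlg {
		return rsa.ErrVerification // pin the algorithm before touching any key material
	}
	sigB64, _ := url.QueryUnescape(raw["Signature"])
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return err
	}
	digest := sha256.Sum256([]byte("SAMLRequest=" + raw["SAMLRequest"] + "&SigAlg=" + raw["SigAlg"]))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}
```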
...
An example code for using SFO with SimpleSAMLphp can be found at: https://github.com/SURFnet/Stepup-SFO-demo