...
To start an SFO authentication the SP sends a SAML 2.0 AuthnRequest to the SFO endpoint of the SURFsecureID Gateway. This request MUST:
- use the urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect binding;
- be signed using the http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 algorithm. The signature is the detached signature of the HTTP-Redirect binding, carried in the query string; an XML signature (a ds:Signature element inside the AuthnRequest) cannot be used;
- include a RequestedAuthnContext with an AuthnContextClassRef containing the URN of one of the authentication levels defined for the SURFsecureID environment that you are using;
- include the SURFconext identifier of the user in the Subject element as a NameID with Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" (see the description of AuthnRequest in https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf, line 2001).
Note that SFO uses a different SingleSignOn Location and different AuthnContext identifiers from those used for a standard authentication to SURFsecureID. See SURFsecureID Metadata for Service Providers. Below is an example SAML 2.0 SFO AuthnRequest for the production environment:
```xml
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    ID="_zQIibz9FKixdlgX8E7bHqE29wfatcgbsPdVn0NN"
                    Version="2.0"
                    IssueInstant="2016-03-10T15:09:21Z"
                    Destination="https://gw.stepup.example.org/gssp/2nd-factor-only/single-sign-on"
                    AssertionConsumerServiceURL="https://application-gateway.some-organisation.example.org/consume-assertion"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <saml:Issuer>https://application-gateway.some-organisation.example.org/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">urn:collab:person:some-organisation.example.org:m1234567890</saml:NameID>
  </saml:Subject>
  <samlp:RequestedAuthnContext>
    <saml:AuthnContextClassRef>http://stepup.example.org/verified-second-factor/surfconext.nl/assurance/sfo-level2</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
```
Note that the signature is not visible in the XML of the above request: it is carried in the HTTP GET parameters (SAMLRequest, optional RelayState, SigAlg and Signature) as prescribed by the HTTP-Redirect binding, where the signed data is the URL-encoded query string, not the XML.
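The following is an added example, not code from this page, from SURFnet or from the Stepup-SFO-demo project. It shows in Python (with the `cryptography` package) both sides of the exchange described above: the SP builds the SFO AuthnRequest without any ds:Signature, DEFLATE/base64-encodes it, signs the URL-encoded `SAMLRequest=...&RelayState=...&SigAlg=...` string with RSA-SHA256, and appends the Signature parameter; the receiving side rebuilds that string from the raw query values and verifies it. The endpoint, entity IDs, NameID and AuthnContext URN are the illustrative values from the example request on this page, not real SURFsecureID metadata; the key pair is generated on the fly and the RelayState is made up.

```python
"""Build and verify an SFO AuthnRequest for the SAML HTTP-Redirect binding with a
detached RSA-SHA256 signature in the query string.

Added example; not SURFsecureID or Stepup-SFO-demo code.  All identifiers below
are the illustrative values from this page's example request (assumptions)."""
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import unquote, urlencode
from xml.sax.saxutils import escape

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Illustrative values taken from the example on this page (not real metadata).
SFO_ENDPOINT = "https://gw.stepup.example.org/gssp/2nd-factor-only/single-sign-on"
SP_ENTITY_ID = "https://application-gateway.some-organisation.example.org/metadata"
SP_ACS_URL = "https://application-gateway.some-organisation.example.org/consume-assertion"
SFO_LEVEL2 = "http://stepup.example.org/verified-second-factor/surfconext.nl/assurance/sfo-level2"


def new_sp_key():
    """Fresh SP signing key for the demo; in practice this is the key in SP metadata."""
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def build_sfo_authn_request(name_id, loa_urn, request_id=None, issue_instant=None):
    """AuthnRequest XML as bytes.  No <ds:Signature> is embedded: with the
    HTTP-Redirect binding the signature travels in the query string instead."""
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    xml = (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{SFO_ENDPOINT}" AssertionConsumerServiceURL="{SP_ACS_URL}" '
        f'ProtocolBinding="{HTTP_POST}">'
        f"<saml:Issuer>{escape(SP_ENTITY_ID)}</saml:Issuer>"
        f'<saml:Subject><saml:NameID Format="{NAMEID_UNSPECIFIED}">{escape(name_id)}'
        "</saml:NameID></saml:Subject>"
        f"<samlp:RequestedAuthnContext><saml:AuthnContextClassRef>{escape(loa_urn)}"
        "</saml:AuthnContextClassRef></samlp:RequestedAuthnContext>"
        "</samlp:AuthnRequest>"
    )
    return xml.encode("utf-8")


def deflate_b64(data):
    """SAMLRequest value: raw DEFLATE (no zlib header) followed by base64."""
    c = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
    return base64.b64encode(c.compress(data) + c.flush()).decode("ascii")


def inflate_b64(value):
    return zlib.decompress(base64.b64decode(value), -zlib.MAX_WBITS)


def signed_redirect_query(xml, private_key, relay_state=None):
    """SP side.  The bytes that get signed are exactly the URL-encoded string
    'SAMLRequest=...[&RelayState=...]&SigAlg=...', in that order."""
    params = [("SAMLRequest", deflate_b64(xml))]
    if relay_state is not None:
        params.append(("RelayState", relay_state))
    params.append(("SigAlg", RSA_SHA256))
    to_sign = urlencode(params)
    signature = private_key.sign(to_sign.encode("ascii"), padding.PKCS1v15(), hashes.SHA256())
    return to_sign + "&" + urlencode({"Signature": base64.b64encode(signature).decode("ascii")})


def verify_redirect_query(query, public_key):
    """Receiver side.  Rebuild the signed string from the raw, still percent-encoded
    values as received; re-encoding them yourself can change the bytes and reject
    a valid signature.  Returns the AuthnRequest XML on success."""
    raw = dict(part.partition("=")[::2] for part in query.split("&"))
    missing = {"SAMLRequest", "SigAlg", "Signature"} - raw.keys()
    if missing:
        raise ValueError(f"missing parameters: {sorted(missing)}")
    if unquote(raw["SigAlg"]) != RSA_SHA256:  # only accept the mandated algorithm
        raise ValueError("unsupported SigAlg")
    signed = "SAMLRequest=" + raw["SAMLRequest"]
    if "RelayState" in raw:
        signed += "&RelayState=" + raw["RelayState"]
    signed += "&SigAlg=" + raw["SigAlg"]
    try:
        public_key.verify(base64.b64decode(unquote(raw["Signature"])),
                          signed.encode("ascii"), padding.PKCS1v15(), hashes.SHA256())
    except InvalidSignature:
        raise ValueError("bad signature")
    return inflate_b64(unquote(raw["SAMLRequest"]))


def is_valid_redirect_query(query, public_key):
    try:
        verify_redirect_query(query, public_key)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    key = new_sp_key()
    req = build_sfo_authn_request("urn:collab:person:some-organisation.example.org:m1234567890", SFO_LEVEL2)
    print(SFO_ENDPOINT + "?" + signed_redirect_query(req, key, relay_state="demo state"))
```

The receiver deliberately reconstructs the signed string from the raw query values and pins SigAlg to RSA-SHA256 rather than trusting whatever the sender claims; both are common mistakes in hand-rolled HTTP-Redirect verification.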
...
Example code for using SFO with SimpleSAMLphp can be found at: https://github.com/SURFnet/Stepup-SFO-demo