...
To start a SFO the SP must send a SAML 2.0 AuthnRequest to the SFO endpoint of the SURFsecureID Gateway. This request mustMUST:
- use the
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirectbinding - be signed using the
http://www.w3.org/2001/04/xmldsig-more#rsa-sha256algorithm (XML signatures cannot be used). - include a
RequestedAuthnContextwith anAuthnContextClassRefwith the URN for one of the defined levelsdefined authentication levels for the SURFsecureID environment that your are using. - include the SURFconext identifier of the user in the
Subjectelement as aNameID(withFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",see description ofAuthnRequestin https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf, line 2001).
Note that SFO uses a different SingleSignOn Location and AuthnConext identifiers as compared with standard authentication.a different AuthnConext identifier that a standard authentication to SURFsecureID. See SURFsecureID Metadata for Service Providers. Below is an example SAML 2.0 SFO AuthnRequest request for the production environment:
| Code Block | ||||||
|---|---|---|---|---|---|---|
| ||||||
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_zQIibz9FKixdlgX8E7bHqE29wfatcgbsPdVn0NN"
Version="2.0" IssueInstant="2016-03-10T15:09:21Z"
Destination="https://gw.stepup.example.org/gssp/2nd-factor-only/single-sign-on"
AssertionConsumerServiceURL="https://application-gateway.some-organisation.example.org/consume-assertion"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
<saml:Issuer>https://application-gateway.some-organisation.example.org/metadata</saml:Issuer>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">urn:collab:person:some-organisation.example.org:m1234567890</saml:NameID>
</saml:Subject>
<samlp:RequestedAuthnContext>
<saml:AuthnContextClassRef>http://stepup.example.org/verified-second-factor/surfconext.nl/assurance/sfo-level2</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
</samlp:AuthnRequest> |
The Note that the signature is not visible in the XML of the above request: it will be encoded in HTTP GET parameters according to the specification of the HTTP-Redirect binding.
...
An example code for using SFO with SimpleSAMLphp can be found at: https://github.com/SURFnet/Stepup-SFO-demo