...

Simply said, this message is: "This is a request from SP. Please authenticate the user and send the result back to SP". For more information about the authentication request click here.

...

```xml
<Response
    Version="2.0"
    IssueInstant="2013-02-05T08:29:00Z"
    Destination="https://www.google.com/a/my.uni.nl/acs"
    InResponseTo="kfcn...lfki">
  <Issuer>https://idp.uni.nl/</Issuer>
  <Status>
    <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </Status>
  <Assertion Version="2.0" IssueInstant="2013-02-05T08:29:00Z">
    <Issuer>https://idp.uni.nl/</Issuer>
    <Subject>
      <NameID>alice</NameID>
      <SubjectConfirmation ...>
        <SubjectConfirmationData
            NotOnOrAfter="2013-02-05T08:34:00Z"
            Recipient="https://www.google.com/a/my.uni.nl/acs"
            InResponseTo="kfcn...lfki"/>
      </SubjectConfirmation>
    </Subject>
    <Conditions
        NotBefore="2013-02-05T08:28:30Z"
        NotOnOrAfter="2013-02-05T08:34:00Z">
    </Conditions>
    <AuthnStatement
        AuthnInstant="2013-02-05T08:29:00Z"
        SessionNotOnOrAfter="2013-02-05T16:29:00Z">
    </AuthnStatement>
  </Assertion>
</Response>
```

In essence, it means "This is a message from idp.uni.nl. I have successfully authenticated a user. This message will expire in a couple of minutes".

The message also contains an XML digital signature, proving that the message was sent by idp.uni.nl. The signature was made using a public key algorithm, the public key being embedded in a certificate known to the SP.

...

9. SP verifies the XML signature, checks if the authentication was successful and if the message is not expired. Then it extracts the user's identifier as known to SP (NameID).
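The checks of step 9, other than the XML signature itself, written out as an added example (not code from the original page or from any SAML library). It assumes the signature over the response has already been verified by an XML-security library such as xmlsec, and only then runs the remaining checks: Success status, trusted Issuer, Destination and Recipient equal to the SP's ACS URL, InResponseTo equal to the ID of the AuthnRequest the SP actually sent, the NotBefore/NotOnOrAfter window, and finally extraction of the NameID. The embedded response is a constructed copy of the page's sample with namespaces and the Signature omitted; the ACS URL, issuer, clock skew and the `SubjectConfirmation` Method value are assumptions.

```python
"""SP-side validation of a SAML Response (step 9), minus XML-DSig.

Added example. Precondition: the XML signature has already been verified
(e.g. with xmlsec). Everything below is what must still be checked before
trusting the NameID.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # for untrusted input prefer defusedxml

STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Assumed SP configuration (not from the page): our ACS endpoint and the IdP we trust.
ACS_URL = "https://www.google.com/a/my.uni.nl/acs"
TRUSTED_ISSUER = "https://idp.uni.nl/"

# Constructed copy of the page's sample response; namespaces and the
# Signature element are omitted, and the SubjectConfirmation Method is filled in.
SAMPLE_RESPONSE = """<Response Version="2.0" IssueInstant="2013-02-05T08:29:00Z"
  Destination="https://www.google.com/a/my.uni.nl/acs" InResponseTo="kfcn...lfki">
  <Issuer>https://idp.uni.nl/</Issuer>
  <Status><StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></Status>
  <Assertion Version="2.0" IssueInstant="2013-02-05T08:29:00Z">
    <Issuer>https://idp.uni.nl/</Issuer>
    <Subject>
      <NameID>alice</NameID>
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData NotOnOrAfter="2013-02-05T08:34:00Z"
          Recipient="https://www.google.com/a/my.uni.nl/acs" InResponseTo="kfcn...lfki"/>
      </SubjectConfirmation>
    </Subject>
    <Conditions NotBefore="2013-02-05T08:28:30Z" NotOnOrAfter="2013-02-05T08:34:00Z"/>
    <AuthnStatement AuthnInstant="2013-02-05T08:29:00Z"
      SessionNotOnOrAfter="2013-02-05T16:29:00Z"/>
  </Assertion>
</Response>"""


class SamlValidationError(Exception):
    """Any failed check: the SP must not log the user in."""


def parse_instant(value):
    """SAML timestamps are UTC in the form 2013-02-05T08:29:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, expected_request_id, now, acs_url=ACS_URL,
                      trusted_issuer=TRUSTED_ISSUER, skew=timedelta(seconds=60)):
    """Return the NameID if every check passes, else raise SamlValidationError."""
    root = ET.fromstring(xml_text)
    if root.tag != "Response":
        raise SamlValidationError("not a SAML Response")
    # Addressed to this SP, and answering the AuthnRequest we issued (anti-replay).
    if root.get("Destination") != acs_url:
        raise SamlValidationError("Destination does not match our ACS URL")
    if root.get("InResponseTo") != expected_request_id:
        raise SamlValidationError("InResponseTo does not match an outstanding request")
    status = root.find("Status/StatusCode")
    if status is None or status.get("Value") != STATUS_SUCCESS:
        raise SamlValidationError("IdP did not report successful authentication")
    assertion = root.find("Assertion")
    if assertion is None:
        raise SamlValidationError("no Assertion present")
    for issuer in (root.findtext("Issuer"), assertion.findtext("Issuer")):
        if issuer != trusted_issuer:
            raise SamlValidationError("unexpected Issuer: %r" % issuer)
    # Validity window, allowing a small clock skew between IdP and SP.
    cond = assertion.find("Conditions")
    if cond is None:
        raise SamlValidationError("no Conditions element")
    if now + skew < parse_instant(cond.get("NotBefore")):
        raise SamlValidationError("assertion not yet valid")
    if now - skew >= parse_instant(cond.get("NotOnOrAfter")):
        raise SamlValidationError("assertion expired")
    # The bearer confirmation must name this ACS and this request, and not be stale.
    scd = assertion.find("Subject/SubjectConfirmation/SubjectConfirmationData")
    if scd is None:
        raise SamlValidationError("no SubjectConfirmationData")
    if scd.get("Recipient") != acs_url or scd.get("InResponseTo") != expected_request_id:
        raise SamlValidationError("SubjectConfirmationData not bound to our ACS/request")
    if now - skew >= parse_instant(scd.get("NotOnOrAfter")):
        raise SamlValidationError("subject confirmation expired")
    name_id = assertion.findtext("Subject/NameID")
    if not name_id:
        raise SamlValidationError("no NameID")
    return name_id


def check(xml_text, expected_request_id, now_str):
    """Wrapper returning ("ok", name_id) or ("rejected", reason)."""
    try:
        return ("ok", validate_response(xml_text, expected_request_id, parse_instant(now_str)))
    except SamlValidationError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    print(check(SAMPLE_RESPONSE, "kfcn...lfki", "2013-02-05T08:30:00Z"))
    print(check(SAMPLE_RESPONSE, "kfcn...lfki", "2013-02-05T08:36:00Z"))
    print(check(SAMPLE_RESPONSE, "some-other-request-id", "2013-02-05T08:30:00Z"))
```

Run stand-alone, the first call accepts the response and returns `alice`; the second is rejected because the message has expired, and the third because it does not answer the request the SP issued. The order of the checks matters less than their completeness: a response that is signed and Success but whose InResponseTo or Recipient points elsewhere was not meant for this login and must be discarded.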

If the last step is OK, Alice is logged in, her mailbox is retrieved and she can read her mail.

For another way of describing this flow, see this blog.