...
- must use the
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirectbinding - must be signed using the
http://www.w3.org/2001/04/xmldsig-more#rsa-sha256algorithm. (Note that theHTTP-Redirectbinding does not use XML Signatures) - must include a
RequestedAuthnContextwith anAuthnContextClassRefwith one of the defined levels. - must include the SURFconext identifier (see below) of the user in the
Subjectelement of theAuthnRequest. (see the description of theAuthnRequestelement in the https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf, section 3.4.1, line 2017) as a SAMLNameIDwithFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified".
The SFO uses a different SingleSignOn Location and different AuthnConext identifiers as the standard authentication.
Example SAML AuthnRequest for SFO
See below for an example AuthnRequest. The signature is not visible in the XML as it will be encoded in HTTP GET parameters according to the specification of the HTTP-Redirect binding.
...
The result of a successful authentication is a SAML Response. The Response does not contain an AttributeStatement as would a Response from a standard authentication.
Example SAML Response
...
| Code Block | ||||||
|---|---|---|---|---|---|---|
| ||||||
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="_ECAokbn0lm7lfVT7THQUl+dSbMrpeyAgiTv0+q16"
Version="2.0"
IssueInstant="2016-03-10T15:09:25Z"
Destination="https://application-gateway.some-organisation.example.org/consume-assertion"
InResponseTo="_zQIibz9FKixdlgX8/E7bHqE29wfatcgbsPdVn0NN"
>
<saml:Issuer>https://gw.stepup.example.org/second-factory-only/metadata</saml:Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</samlp:Status>
<saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
ID="_zQIibz9FKixdlgX8/E7bHqE29wfatcgbsPdVn0NN"
Version="2.0"
IssueInstant="2016-03-10T15:09:25Z"
>
<saml:Issuer>https://gw.stepup.example.org/second-factory-only/metadata</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#_1ROuxGVzJi5bbre6W4woNza82aK41HKjp6aKtw9r">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>YR5JFfJc1JZIKm7Ao3kXtDupEfeMrhKpD9T1lF1z0Lg=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>...</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">urn:collab:person:some-organisation.example.org:m1234567890</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotOnOrAfter="2016-03-10T15:14:25Z"
Recipient="https://application-gateway.some-organisation.example.org/consume-assertion"
InResponseTo="_zQIibz9FKixdlgX8/E7bHqE29wfatcgbsPdVn0NN"
/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2016-03-10T15:09:25Z"
NotOnOrAfter="2016-03-10T15:14:25Z"
>
<saml:AudienceRestriction>
<saml:Audience>https://application-gateway.some-organisation.example.org/metadata</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2016-03-10T15:09:25Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>http://stepup.example.org/verified-second-factor/level2</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
</saml:Assertion>
</samlp:Response> |
...