...
Code Block | ||||||
---|---|---|---|---|---|---|
| ||||||
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_zQIibz9FKixdlgX8E7bHqE29wfatcgbsPdVn0NN" Version="2.0" IssueInstant="2016-03-10T15:09:21Z" Destination="https://sa-gw.stepupsurfconext.example.org/gssp/2ndnl/second-factor-only/single-sign-on" AssertionConsumerServiceURL="https://application-gateway.some-organisation.example.org/consume-assertion" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"> <saml:Issuer>https://application-gateway.some-organisation.example.org/metadata</saml:Issuer> <saml:Subject> <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">urn:collab:person:some-organisation.example.org:m1234567890</saml:NameID> </saml:Subject> <samlp:RequestedAuthnContext> <saml:AuthnContextClassRef>http://surfconext.nl/assurance/sfo-level2</saml:AuthnContextClassRef> </samlp:RequestedAuthnContext> </samlp:AuthnRequest> |
Note that the signature is not visible in the XML of the above request AuthnRequest
: it will be encoded in the HTTP GET parameters according to the specification of the HTTP-Redirect
binding.
...
urn:collab:person:
= fixed prefix.{{urn:mace:terena.org:attribute-def:schacHomeOrganization}}
= value of schacHomeOrganisation attribute of the user; same for all users and will be something like "institution.nl
".{{urn:mace:dir:attribute-def:uid}}
= value ofuid
attribute of the user. Replace any each "@" (at) character in the uid with an "_" (underscore) character.
For the value of last two items: ask the administrator of the IdP .
...
The result of a successful authentication is a SAML Response
. It Note that it does not contain an AttributeStatement
.
Code Block | ||||||
---|---|---|---|---|---|---|
| ||||||
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_ECAokbn0lm7lfVT7THQUl+dSbMrpeyAgiTv0+q16" Version="2.0" IssueInstant="2016-03-10T15:09:25Z" Destination="https://application-gateway.some-organisation.example.org/consume-assertion" InResponseTo="_zQIibz9FKixdlgX8E7bHqE29wfatcgbsPdVn0NN" > <saml:Issuer>https://sa-gw.stepupsurfconext.example.orgnl/second-factoryfactor-only/metadata</saml:Issuer> <samlp:Status> <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /> </samlp:Status> <saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="_zQIibz9FKixdlgX8E7bHqE29wfatcgbsPdVn0NN" Version="2.0" IssueInstant="2016-03-10T15:09:25Z" > <saml:Issuer>https://gw.stepup.example.org/second-factory-only/metadata</saml:Issuer> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /> <ds:Reference URI="#_1ROuxGVzJi5bbre6W4woNza82aK41HKjp6aKtw9r"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /> <ds:DigestValue>YR5JFfJc1JZIKm7Ao3kXtDupEfeMrhKpD9T1lF1z0Lg=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>...</ds:SignatureValue> <ds:KeyInfo> <ds:X509Data> <ds:X509Certificate>...</ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </ds:Signature> <saml:Subject> <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">urn:collab:person:some-organisation.example.org:m1234567890</saml:NameID> <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> <saml:SubjectConfirmationData NotOnOrAfter="2016-03-10T15:14:25Z" Recipient="https://application-gateway.some-organisation.example.org/consume-assertion" InResponseTo="_zQIibz9FKixdlgX8E7bHqE29wfatcgbsPdVn0NN"/> </saml:SubjectConfirmation> </saml:Subject> <saml:Conditions NotBefore="2016-03-10T15:09:25Z" /NotOnOrAfter="2016-03-10T15:14:25Z"> </saml<saml:SubjectConfirmation>AudienceRestriction> </saml:Subject> <saml:Conditions NotBefore="2016-03-10T15:09:25Z":Audience>https://application-gateway.some-organisation.example.org/metadata</saml:Audience> </saml:AudienceRestriction> </saml:Conditions> <saml:AuthnStatement NotOnOrAfterAuthnInstant="2016-03-10T15:1409:25Z"> <saml:AuthnContext> > <saml:AudienceRestriction> <saml:Audience>https://application-gateway.some-organisation.example.org/metadata</saml:Audience> </saml:AudienceRestriction> </saml:Conditions> <saml:AuthnStatement AuthnInstant="2016-03-10T15:09:25Z"> <saml:AuthnContext> <saml: <saml:AuthnContextClassRef>http://stepup.example.org/verified-second-factor/level2</saml:AuthnContextClassRef> </saml:AuthnContext> </saml:AuthnStatement> </saml:Assertion> </samlp:Response> |
...
When a user cannot be authenticated, the SURFsecureID gateway sends a SAML Response SAMLResponse
to the SP with a non success status:
urn:oasis:names:tc:SAML:2.0:status:Responder
with subcodeurn:oasis:names:tc:SAML:2.0:status:AuthnFailed =
Authentication not successful
Authentication was not successful. This specifically happens when the user cancels the authentication.urn:oasis:names:tc:SAML:2.0:status:Responder
with subcodeurn:oasis:names:tc:SAML:2.0:status:NoAuthnContext =
The user could not be authenticated at the requested level. The user does not have an activated (vetted) token at the requests level.- Other situations can also lead to an error response:
- No AuthnContextClassRef in the AuthnRequest
- No Subject in the AuthnRequest
- Not authorised to authenticate the requested user
Level: authentication strength
...
An example code for using SFO with SimpleSAMLphp can be found at: https://github.com/SURFnet/Stepup-SFO-demo