
SAML 2.0 (Security Assertion Markup Language) is the protocol that makes single sign-on (SSO) possible: a user authenticates once at their home university (the Identity Provider, IdP) and can then log in to the applications of all Service Providers (SPs) without typing a password again.

Basically, the procedure is as follows:

  1. The SP sends a SAML authentication request to the IdP, asking it to authenticate the user.
  2. The IdP asks for a username and password (other means of authentication can also be used).
  3. If the credentials are correct, the IdP sends back a SAML authentication response stating that the user has logged in successfully, digitally signed so that the SP can verify that the response really came from the IdP and was not altered on the way.

To get an idea of how SAML works, install the Firefox add-on SAML tracer. It adds a viewer window that decodes and shows the SAML messages your browser sends and receives.

Example

Below is an example with Google Apps as SP, My University as IdP and Alice as student:

  1. When Alice wants to read her mail, she goes to a webpage like https://mail.google.com/a/my-university.nl.
  2. For a federated Google Apps domain, Google redirects the browser to the IdP for authentication (step 3). The URL the user is redirected to might look like this (abbreviated):

https://idp.uni.nl/sso?SAMLRequest=fVLLTuswEN0j8Q...c%3D
 

Embedded in this redirect is a SAML authentication request. In the HTTP-Redirect binding the XML is DEFLATE-compressed (to keep the URL short), base64-encoded and then URL-encoded (because some characters are not allowed in URLs). Apart from the compression and encoding, the SAML message looks like this (simplified):

<AuthnRequest ID="kfcn...lfki"
    Version="2.0"
    IssueInstant="2013-02-05T08:28:50Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    ProviderName="google.com"
    AssertionConsumerServiceURL="https://www.google.com/a/uni.nl/acs">
  <Issuer>google.com</Issuer>
  <NameIDPolicy AllowCreate="true"
      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
</AuthnRequest>

In plain English, this message more or less reads: "This is a request from Google. Please authenticate the user whose browser delivers this message, and send the result back to Google." The ProtocolBinding asks the IdP to return its answer by HTTP POST to the AssertionConsumerServiceURL, and the ID lets Google match that answer to this request later (see InResponseTo below).
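The encoding step described above, as an added example (not code from this page or from Google): it builds the redirect URL the way the HTTP-Redirect binding prescribes, raw DEFLATE, then base64, then URL-encoding, and decodes it again the way SAML tracer does. The AuthnRequest is a constructed sample modelled on the simplified one above; the request ID "_7b1e2c3d", the XML namespaces and the IdP endpoint https://idp.uni.nl/sso are assumptions.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed sample modelled on the page's simplified AuthnRequest; the ID and the
# namespace declarations are assumptions, not values from a real Google message.
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_7b1e2c3d" Version="2.0" IssueInstant="2013-02-05T08:28:50Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    ProviderName="google.com"
    AssertionConsumerServiceURL="https://www.google.com/a/uni.nl/acs">
  <saml:Issuer>google.com</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true"
      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
</samlp:AuthnRequest>"""

# Assumed IdP single sign-on endpoint, modelled on the page's example URL.
IDP_SSO_URL = "https://idp.uni.nl/sso"


def encode_redirect(xml: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header or checksum), then base64."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 selects a raw DEFLATE stream
    deflated = compressor.compress(xml.encode("utf-8")) + compressor.flush()
    return base64.b64encode(deflated).decode("ascii")


def build_redirect_url(xml: str, relay_state: str = "") -> str:
    """Builds the URL the SP redirects the browser to; urlencode() percent-encodes '+', '/' and '='."""
    params = {"SAMLRequest": encode_redirect(xml)}
    if relay_state:
        params["RelayState"] = relay_state
    return IDP_SSO_URL + "?" + urlencode(params)


def decode_redirect(url: str) -> str:
    """The reverse, as a tool like SAML tracer does it: URL-decode, base64-decode, inflate."""
    query = parse_qs(urlparse(url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode("utf-8")


def request_id(xml: str) -> str:
    """The ID the SP must remember: the IdP's answer has to carry it in InResponseTo."""
    return ET.fromstring(xml).get("ID")


if __name__ == "__main__":
    url = build_redirect_url(AUTHN_REQUEST, relay_state="/mail/inbox")
    print(url)
    print(decode_redirect(url) == AUTHN_REQUEST, request_id(AUTHN_REQUEST))
```

Note that the SP has to store the request ID (here "_7b1e2c3d") together with the session that started the login, because it is the only thing that later ties the IdP's response to this particular request.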

  3. When the IdP receives this message and decides to grant Google's request, it authenticates Alice by asking her to enter her credentials.

After successful authentication, the IdP sends Alice's browser back to Google at the AssertionConsumerService URL (step 6). Because the request asked for the HTTP-POST binding, this is done with an HTML form that the browser submits automatically; its SAMLResponse field carries the base64-encoded (but, unlike the request, not compressed) SAML authentication response. Decoded, the message looks like this (simplified):

<Response Version="2.0"
    IssueInstant="2013-02-05T08:29:00Z"
    Destination="https://www.google.com/a/uni.nl/acs"
    InResponseTo="kfcn...lfki">
  <Issuer>https://idp.uni.nl/</Issuer>
  <Status>
    <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </Status>
  <Assertion Version="2.0" IssueInstant="2013-02-05T08:29:00Z">
    <Issuer>https://idp.uni.nl/</Issuer>
    <Subject>
      <NameID>alice</NameID>
      <SubjectConfirmation ...>
        <SubjectConfirmationData
            NotOnOrAfter="2013-02-05T08:34:00Z"
            Recipient="https://www.google.com/a/uni.nl/acs"
            InResponseTo="kfcn...lfki"/>
      </SubjectConfirmation>
    </Subject>
    <Conditions
        NotBefore="2013-02-05T08:28:30Z"
        NotOnOrAfter="2013-02-05T08:34:00Z">
    </Conditions>
    <AuthnStatement
        AuthnInstant="2013-02-05T08:29:00Z"
        SessionNotOnOrAfter="2013-02-05T16:29:00Z">
    </AuthnStatement>
  </Assertion>
</Response>

In essence, it says: "This is a message from idp.uni.nl, in answer to request kfcn...lfki. I have successfully authenticated a user called 'alice'. This message expires in a few minutes (NotOnOrAfter) and is only meant for Google's ACS URL (Destination, Recipient)."

Deleted from the message above (for brevity) is an XML digital signature (XML-DSig) over the response and/or the assertion, proving that the message was produced by idp.uni.nl and was not tampered with along the way. The signature is made with the IdP's private key; Google verifies it with the public key from the IdP's certificate, which it obtained beforehand (typically from the IdP's metadata). Google must verify against that pre-configured certificate and not against a certificate carried inside the message itself, since anything inside the message could have been replaced by whoever sent it.

When Google receives the SAML authentication response, it verifies the XML signature (step 7) and then checks that the status is Success, that InResponseTo matches the ID of a request it actually issued and has not already accepted an answer for, that Destination and Recipient are its own ACS URL, and that the current time lies between NotBefore and NotOnOrAfter. Only then does it extract the user's identifier as known to Google (the NameID, "alice" in the example).

If everything is OK, Alice is logged in (step 8), her mailbox is retrieved and she can read her mail.
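The SP-side checks described in the last paragraphs, as an added example (not code from this page or from Google). It assumes the XML signature has already been verified with an XML-DSig library, which is not shown; the response is a constructed sample in the shape of the one above, and the request ID "_7b1e2c3d", the namespace declarations, the bearer confirmation Method and the ACS/issuer values in the configuration constants are assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Assumed SP-side configuration, modelled on the page's example (not Google's real values).
ACS_URL = "https://www.google.com/a/uni.nl/acs"
IDP_ISSUER = "https://idp.uni.nl/"

# Constructed sample in the shape of the page's response; the request ID "_7b1e2c3d",
# the namespaces and the bearer Method are assumptions added so that it parses.
SAML_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Version="2.0" IssueInstant="2013-02-05T08:29:00Z"
    Destination="https://www.google.com/a/uni.nl/acs" InResponseTo="_7b1e2c3d">
  <saml:Issuer>https://idp.uni.nl/</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion Version="2.0" IssueInstant="2013-02-05T08:29:00Z">
    <saml:Issuer>https://idp.uni.nl/</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2013-02-05T08:34:00Z"
            Recipient="https://www.google.com/a/uni.nl/acs" InResponseTo="_7b1e2c3d"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2013-02-05T08:28:30Z" NotOnOrAfter="2013-02-05T08:34:00Z"/>
    <saml:AuthnStatement AuthnInstant="2013-02-05T08:29:00Z"
        SessionNotOnOrAfter="2013-02-05T16:29:00Z"/>
  </saml:Assertion>
</samlp:Response>"""

# Two constructed "current time" values: inside the validity window, and well after it.
SAMPLE_NOW = datetime(2013, 2, 5, 8, 29, 10, tzinfo=timezone.utc)
SAMPLE_LATE = datetime(2013, 2, 5, 9, 0, 0, tzinfo=timezone.utc)


def parse_utc(value: str) -> datetime:
    """SAML dateTime values are UTC with a 'Z' suffix; fractional seconds are optional."""
    value = value.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def validate_response(xml, outstanding_ids, now, skew=timedelta(seconds=60)):
    """Checks the SP makes after the XML signature has been verified (signature
    verification itself needs an XML-DSig library and is assumed to have passed).
    Returns the NameID on success and raises ValueError otherwise."""
    resp = ET.fromstring(xml)
    status = resp.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != STATUS_SUCCESS:
        raise ValueError("IdP did not report Success")
    if resp.get("Destination") != ACS_URL:
        raise ValueError("Destination is not our ACS URL")
    req_id = resp.get("InResponseTo")
    if req_id not in outstanding_ids:
        raise ValueError("InResponseTo matches no outstanding request (unsolicited or replayed)")
    outstanding_ids.discard(req_id)  # each request ID is answered at most once
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None or assertion.findtext("saml:Issuer", None, NS) != IDP_ISSUER:
        raise ValueError("assertion missing or from an unexpected issuer")
    conf = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if conf is None or conf.get("Recipient") != ACS_URL or conf.get("InResponseTo") != req_id:
        raise ValueError("SubjectConfirmationData does not bind the assertion to our request")
    if now - skew >= parse_utc(conf.get("NotOnOrAfter")):
        raise ValueError("bearer confirmation expired")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion carries no Conditions")
    if now + skew < parse_utc(cond.get("NotBefore")):
        raise ValueError("assertion not yet valid")
    if now - skew >= parse_utc(cond.get("NotOnOrAfter")):
        raise ValueError("assertion expired")
    return assertion.findtext("saml:Subject/saml:NameID", None, NS)


def try_validate(xml, outstanding_ids, now):
    """Convenience wrapper: (name_id, None) on success, (None, reason) on rejection."""
    try:
        return validate_response(xml, outstanding_ids, now), None
    except ValueError as exc:
        return None, str(exc)
```

The set of outstanding request IDs is what defeats replay: once "_7b1e2c3d" has been answered it is removed, so presenting the same (still validly signed and unexpired) response a second time is rejected, and a response for an ID the SP never issued is rejected the same way. The 60-second skew is an assumed tolerance for clock drift between IdP and SP.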

