
SAML 2.0 (Security Assertion Markup Language) is the protocol that makes single sign-on possible. To get an idea of how SAML functions, you could download the Firefox plugin SAML tracer. It adds a viewer window that decodes and shows SAML messages.

When a user logs in, this is what basically happens:

  1. The SP (service provider) sends a message to the IP (identity provider), asking it to authenticate the user.
  2. The IP asks the user for a username and a password.
  3. If these are correct, the IP sends an authentication response to the SP stating that the user has logged in successfully, together with proof that the message was sent by the IP.

We will illustrate this with an example:

1. Alice wants to read her mail and goes to a webpage like https://mail.google.com/a/my-university.nl.

2. Google Apps generates a SAML request.

3. Google redirects the browser to the IP for authentication, which may look like this (abbreviated):

https://idp.uni.nl/sso?SAMLRequest=fVLLTuswEN0j8Q...c%3D

Embedded in this redirect URL is a SAML authentication request message. The message is compressed (to save space in the URL) and encoded (because some characters are not allowed in URLs). Without the compression and encoding, the SAML message could look like this:

<AuthnRequest ID="kfcn...lfki"
    Version="2.0"
    IssueInstant="2013-02-05T08:28:50Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    ProviderName="google.com"
    AssertionConsumerServiceURL="https://www.google.com/a/uni.nl/acs">
  <Issuer>google.com</Issuer>
  <NameIDPolicy AllowCreate="true"
      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
</AuthnRequest>

Put simply, this message says: "This is a request from Google. Please authenticate the user and send the result back to Google".

4. The IP receives this message and authenticates Alice by asking for her username and password.

5. After successful authentication, the IP generates an authentication response.

6. The IP sends an encoded SAML response to the browser. Decoded, the message looks like this:

<Response
    Version="2.0"
    IssueInstant="2013-02-05T08:29:00Z"
    Destination="https://www.google.com/a/my.uni.nl/acs"
    InResponseTo="kfcn...lfki">
  <Issuer>https://idp.uni.nl/</Issuer>
  <Status>
    <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </Status>
  <Assertion Version="2.0" IssueInstant="2013-02-05T08:29:00Z">
    <Issuer>https://idp.uni.nl/</Issuer>
    <Subject>
      <NameID>alice</NameID>
      <SubjectConfirmation ...>
        <SubjectConfirmationData
            NotOnOrAfter="2013-02-05T08:34:00Z"
            Recipient="https://www.google.com/a/my.uni.nl/acs"
            InResponseTo="kfcn...lfki"/>
      </SubjectConfirmation>
    </Subject>
    <Conditions
        NotBefore="2013-02-05T08:28:30Z"
        NotOnOrAfter="2013-02-05T08:34:00Z">
    </Conditions>
    <AuthnStatement
        AuthnInstant="2013-02-05T08:29:00Z"
        SessionNotOnOrAfter="2013-02-05T16:29:00Z">
    </AuthnStatement>
  </Assertion>
</Response>


In essence, it means "This is a message from idp.uni.nl. I have successfully authenticated a user called 'alice'. This message will expire in a couple of minutes".

Deleted from the message above (for brevity) is an XML digital signature, proving that the message was sent by idp.uni.nl and that it was not tampered with along the way. This signature was made using a public-key algorithm, the public key being embedded in a certificate known to Google.

When Google receives the SAML authentication response message, it verifies the XML signature (step 7), checks that authentication was successful and that the message has not expired, and then extracts the user's identifier as known to Google (NameID, "alice" in the example).

If everything is OK, Alice is logged in (step 8), her mailbox is retrieved and she can read her mail.
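The step-7 checks an SP performs on the response, as an added example (not code from the original page): it assumes the XML signature has already been verified by a separate XML-DSig library, and runs the status, InResponseTo, Destination/Recipient and validity-window checks against a constructed response modelled on the one above (request ID and timestamps are made up to match the example).

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
NS = {"p": SAMLP, "a": SAML}
ACS = "https://www.google.com/a/my.uni.nl/acs"   # the SP's own assertion consumer URL

# Constructed response modelled on the page's example (signature omitted, ID made up).
RESPONSE = f"""<Response xmlns="{SAMLP}" Version="2.0" Destination="{ACS}" InResponseTo="_req-1234">
 <Status><StatusCode Value="{SUCCESS}"/></Status>
 <Assertion xmlns="{SAML}" Version="2.0"><Issuer>https://idp.uni.nl/</Issuer>
  <Subject><NameID>alice</NameID>
   <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <SubjectConfirmationData NotOnOrAfter="2013-02-05T08:34:00Z" Recipient="{ACS}" InResponseTo="_req-1234"/>
   </SubjectConfirmation></Subject>
  <Conditions NotBefore="2013-02-05T08:28:30Z" NotOnOrAfter="2013-02-05T08:34:00Z"/>
 </Assertion></Response>"""
NOW = datetime(2013, 2, 5, 8, 29, tzinfo=timezone.utc)  # clock used for the worked run


def saml_time(ts):
    """Parse the UTC timestamps SAML uses (YYYY-MM-DDTHH:MM:SSZ)."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_response(xml, request_id, acs_url, now):
    """Return the NameID if every check passes, else None.
    Assumes the XML signature was already verified against the IdP certificate."""
    root = ET.fromstring(xml)
    if root.find("p:Status/p:StatusCode", NS).get("Value") != SUCCESS:
        return None  # the IdP reported a failed authentication
    if root.get("InResponseTo") != request_id or root.get("Destination") != acs_url:
        return None  # not the answer to our own request, or addressed to another SP
    assertion = root.find("a:Assertion", NS)
    scd = assertion.find("a:Subject/a:SubjectConfirmation/a:SubjectConfirmationData", NS)
    if scd.get("Recipient") != acs_url or scd.get("InResponseTo") != request_id:
        return None  # bearer confirmation is bound to a different request or recipient
    if now >= saml_time(scd.get("NotOnOrAfter")):
        return None  # the short replay window of the bearer confirmation has closed
    cond = assertion.find("a:Conditions", NS)
    if not saml_time(cond.get("NotBefore")) <= now < saml_time(cond.get("NotOnOrAfter")):
        return None  # outside the assertion's validity window (the "expires in minutes" part)
    return assertion.find("a:Subject/a:NameID", NS).text


if __name__ == "__main__":
    print(check_response(RESPONSE, "_req-1234", ACS, NOW))  # alice
```

The request ID must be one the SP itself issued and still remembers; a response that is valid in every other respect but answers no outstanding request is rejected, which is what defeats replay of a captured response.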
