This page shows example SAML 2.0 messages to illustrate how the SURFconext Strong Authentication Gateway uses SAML 2.0 to provide its functionality to Service Providers.

Requesting authentication at a specific LoA

An SP can request authentication at a specific LoA by specifying the LoA in the AuthnRequest. Note that an SP can send an AuthnRequest to the gateway at any time, even when a user is already logged in at the SP. This allows an SP to raise the LoA for a user who is using the service depending on the context, for instance the operation performed by the user at the SP.

The requested LoA is interpreted as a minimum LoA. The SURFconext Strong Authentication gateway:

The LoA required by the SP is passed to the SURFconext Strong Authentication gateway in an AuthnContextClassRef element in a RequestedAuthnContext element in the SAML AuthnRequest:

<samlp:RequestedAuthnContext>
    <saml:AuthnContextClassRef>http://surfconext.nl/assurance/loa2</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    ID="_ace040cdf97c2efba5aa4d973a32318217b9aaae09"
                    Version="2.0"
                    IssueInstant="2014-05-26T06:47:27Z"
                    Destination="https://sa-gw.surfconext.nl/authentication/single-sign-on"
                    >
    <saml:Issuer>http://test-sp.example.com</saml:Issuer>
    <samlp:RequestedAuthnContext>
        <saml:AuthnContextClassRef>http://surfconext.nl/assurance/loa2</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

Note that all AuthnRequest messages must be signed by the SP using SHA-2. The SP must use the HTTP-Redirect binding to submit the request. With this binding the signature is carried in HTTP request parameters; no XML-Signature is used.
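
The following is an added example, not code from the SURFconext documentation or project. It shows how the HTTP-Redirect binding of the SAML 2.0 bindings specification carries the signature in query parameters, and how a receiver rebuilds the signed octets and refuses a non-SHA-2 SigAlg. The function names, the SHA-2 allow-list and the sample request are assumptions; `demo_sign`/`demo_verify` are an HMAC stand-in for the SP's RSA key operation so that the block runs with the Python standard library alone.

```python
import base64, hashlib, hmac, zlib
from urllib.parse import quote, unquote

# Assumed allow-list: the page only says "SHA-2", so no SHA-1 URI is accepted.
SIGALG_PREFIX = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha"
SHA2_SIGALGS = {SIGALG_PREFIX + n for n in ("256", "384", "512")}
DEST = "https://sa-gw.surfconext.nl/authentication/single-sign-on"

def build_redirect_url(xml, destination, sign, relay_state=None):
    """SP side: DEFLATE, base64 and URL-encode the request, then sign the query."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE, no zlib header
    deflated = comp.compress(xml.encode()) + comp.flush()
    parts = ["SAMLRequest=" + quote(base64.b64encode(deflated), safe="")]
    if relay_state is not None:
        parts.append("RelayState=" + quote(relay_state, safe=""))
    parts.append("SigAlg=" + quote(SIGALG_PREFIX + "256", safe=""))
    signed = "&".join(parts)  # exactly these octets are signed
    sig = quote(base64.b64encode(sign(signed.encode("ascii"))), safe="")
    return destination + "?" + signed + "&Signature=" + sig

def check_redirect_query(raw_query, verify):
    """Receiver side: check SigAlg and signature, return the AuthnRequest XML."""
    pairs = [p.split("=", 1) for p in raw_query.split("&")]
    raw = dict(pairs)
    required = {"SAMLRequest", "SigAlg", "Signature"}
    if len(raw) != len(pairs) or not required <= set(raw):
        raise ValueError("missing or duplicated parameter")
    sig_alg = unquote(raw["SigAlg"])
    if sig_alg not in SHA2_SIGALGS:
        raise ValueError("SigAlg is not SHA-2: " + sig_alg)
    # Use the values as sent (still URL-encoded); re-encoding can change the octets.
    order = ("SAMLRequest", "RelayState", "SigAlg")
    signed = "&".join(k + "=" + raw[k] for k in order if k in raw).encode("ascii")
    if not verify(signed, base64.b64decode(unquote(raw["Signature"])), sig_alg):
        raise ValueError("signature check failed")
    return zlib.decompress(base64.b64decode(unquote(raw["SAMLRequest"])), -15).decode()

# Stand-in signer (assumption): a real SP signs with its RSA private key.
DEMO_KEY = b"constructed-demo-key"
def demo_sign(octets):
    return hmac.new(DEMO_KEY, octets, hashlib.sha256).digest()
def demo_verify(octets, signature, sig_alg):
    return hmac.compare_digest(demo_sign(octets), signature)

# Constructed sample request, shortened from the message shown above.
SAMPLE_XML = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
              'ID="_constructed" Version="2.0" Destination="' + DEST + '"/>')

if __name__ == "__main__":
    url = build_redirect_url(SAMPLE_XML, DEST, demo_sign)
    print(url)
    print(check_redirect_query(url.split("?", 1)[1], demo_verify))
```
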