On this page example SAML 2.0 messages are shown to illustrate how the SURFconext Strong Authentication Gateway uses SAML 2.0 to provide its functionality to Service Providers.
An SP can request authentication at a specific LoA by specifying the LoA in the AuthnRequest. Note that an SP can send an AuthnRequest to the gateway at any time, also when a user is already logged in at the SP. This allows an SP to raise the LoA for a user that is using the service depending on the context, for instance the operation performed by the user at the SP.
The requested LoA is interpreted as a minimum LoA. The SURFconext Strong Authentication gateway:
Assertion.
The LoA required by the SP is passed to the SURFconext Strong Authentication gateway in an AuthnContextClassRef element in a RequestedAuthnContext element in the SAML AuthnRequest:
```xml
<samlp:RequestedAuthnContext>
  <saml:AuthnContextClassRef>http://surfconext.nl/assurance/loa2</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
```

A complete AuthnRequest carrying this element:

```xml
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    ID="_ace040cdf97c2efba5aa4d973a32318217b9aaae09"
                    Version="2.0"
                    IssueInstant="2014-05-26T06:47:27Z"
                    Destination="https://sa-gw.surfconext.nl/authentication/single-sign-on">
  <saml:Issuer>http://test-sp.example.com</saml:Issuer>
  <samlp:RequestedAuthnContext>
    <saml:AuthnContextClassRef>http://surfconext.nl/assurance/loa2</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
```
Note that all AuthnRequest messages must be signed by the SP using SHA-2. The SP must use the HTTP-REDIRECT binding to submit the request. When using this binding the signature is put in HTTP request parameters; no XML-Signature is used.
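The following is an added example, not SURFconext's or the gateway's own code, that ties the two points above together: it builds an AuthnRequest with a RequestedAuthnContext (using the namespaces, issuer, destination, ID and timestamp shown on this page), encodes it for the HTTP-Redirect binding (raw DEFLATE, base64, URL-encoding, with the signature carried in the `SigAlg` and `Signature` query parameters rather than as an XML-Signature), shows the gateway-side check that re-derives the signed octets from the raw query and rejects a non-SHA-2 `SigAlg`, and compares an asserted LoA against the requested minimum. Assumptions: the signing and verification primitives are injected callables so no key material is needed (the SP would supply RSA-SHA256 over its private key); the LoA ordering treats `http://surfconext.nl/assurance/loaN` as level N, with only `loa2` actually appearing on this page; the parameter order and "RelayState omitted when absent" rule follow the SAML 2.0 Bindings specification for the HTTP-Redirect binding.

```python
"""Added example (not the gateway's code): minimum-LoA AuthnRequest over the
SAML 2.0 HTTP-Redirect binding, standard library only."""
import base64
import hashlib
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import quote, unquote
from xml.sax.saxutils import escape

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
LOA_PREFIX = "http://surfconext.nl/assurance/loa"  # loa2 is the value shown on the page
# RSA-SHA256 SigAlg URI (a SHA-2 algorithm, as the page requires for SP signatures)
SIG_ALG_RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"


def build_authn_request(issuer, destination, loa, request_id, issue_instant):
    """AuthnRequest asking for `loa` as the minimum LoA (same shape as the page's example)."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{NS_SAMLP}" xmlns:saml="{NS_SAML}" '
        f'ID="{escape(request_id)}" Version="2.0" IssueInstant="{escape(issue_instant)}" '
        f'Destination="{escape(destination)}">'
        f"<saml:Issuer>{escape(issuer)}</saml:Issuer>"
        "<samlp:RequestedAuthnContext>"
        f"<saml:AuthnContextClassRef>{escape(loa)}</saml:AuthnContextClassRef>"
        "</samlp:RequestedAuthnContext></samlp:AuthnRequest>"
    )


def deflate_b64(xml):
    """Redirect binding encoding: raw DEFLATE (no zlib header, wbits=-15), then base64."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(xml.encode()) + c.flush()).decode()


def inflate_b64(value):
    return zlib.decompress(base64.b64decode(value), -15).decode()


def signed_octets(xml, relay_state=None, sig_alg=SIG_ALG_RSA_SHA256):
    """Exact string the SP signs: URL-encoded values, in this order; RelayState is
    left out entirely when the SP does not send one."""
    parts = [("SAMLRequest", deflate_b64(xml))]
    if relay_state is not None:
        parts.append(("RelayState", relay_state))
    parts.append(("SigAlg", sig_alg))
    return "&".join(f"{k}={quote(v, safe='')}" for k, v in parts)


def redirect_query(xml, sign, relay_state=None, sig_alg=SIG_ALG_RSA_SHA256):
    """SP side: `sign(bytes) -> bytes` is the SP's signer; the signature travels as a
    query parameter, so the XML itself carries no ds:Signature element."""
    q = signed_octets(xml, relay_state, sig_alg)
    return q + "&Signature=" + quote(base64.b64encode(sign(q.encode())).decode(), safe="")


def verify_redirect_query(query, verify):
    """Gateway side: rebuild the signed octets from the parameter values *as received*
    (re-encoding them could change the bytes), require a SHA-2 SigAlg, and return the
    decoded AuthnRequest XML, or None if the request must be rejected."""
    raw = {}
    for pair in query.split("&"):
        k, _, v = pair.partition("=")
        raw[k] = v
    if not {"SAMLRequest", "SigAlg", "Signature"} <= raw.keys():
        return None
    if unquote(raw["SigAlg"]) != SIG_ALG_RSA_SHA256:
        return None  # only the SHA-2 algorithm this example accepts
    parts = ["SAMLRequest=" + raw["SAMLRequest"]]
    if "RelayState" in raw:
        parts.append("RelayState=" + raw["RelayState"])
    parts.append("SigAlg=" + raw["SigAlg"])
    signature = base64.b64decode(unquote(raw["Signature"]))
    if not verify("&".join(parts).encode(), signature):
        return None
    return inflate_b64(unquote(raw["SAMLRequest"]))


def requested_loa(xml):
    """Read the AuthnContextClassRef out of RequestedAuthnContext, or None if absent."""
    el = ET.fromstring(xml).find(
        f"{{{NS_SAMLP}}}RequestedAuthnContext/{{{NS_SAML}}}AuthnContextClassRef")
    return el.text.strip() if el is not None and el.text else None


def loa_level(uri):
    """Assumed ordering: '.../loaN' means level N (only loa2 is shown on the page)."""
    if not uri.startswith(LOA_PREFIX) or not uri[len(LOA_PREFIX):].isdigit():
        raise ValueError(f"unknown LoA identifier: {uri}")
    return int(uri[len(LOA_PREFIX):])


def loa_satisfies(asserted, requested):
    """The requested LoA is a minimum: an assertion at a higher level also satisfies it."""
    return loa_level(asserted) >= loa_level(requested)


if __name__ == "__main__":
    # Deterministic stand-in for the SP's RSA-SHA256 signer, for a key-free demo only.
    sign = lambda m: hashlib.sha256(m).digest()
    verify = lambda m, s: s == hashlib.sha256(m).digest()
    xml = build_authn_request("http://test-sp.example.com",
                              "https://sa-gw.surfconext.nl/authentication/single-sign-on",
                              LOA_PREFIX + "2", "_ace040cdf97c2efba5aa4d973a32318217b9aaae09",
                              "2014-05-26T06:47:27Z")
    q = redirect_query(xml, sign, relay_state="/after-login")
    print(requested_loa(verify_redirect_query(q, verify)))
```

The verifier deliberately rebuilds the signed string from the raw, still-encoded query values and checks `SigAlg` before the signature: both are the points at which redirect-binding implementations commonly go wrong (re-encoding changes the bytes, and an attacker-chosen weak `SigAlg` must not be honoured).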