Looking for feedback on a first SAML implementation.

Posted by morgancodes on Stack Overflow See other posts from Stack Overflow or by morgancodes
Published on 2008-12-21T19:37:50Z Indexed on 2010/04/08 17:23 UTC
Read the original article Hit count: 622

Filed under:

saml

Hello,

I've been tasked with designing a very simple SSO (single sign-on) process. My employer has specified that it should be implimented in SAML. I'd like to create messages that are absolutely as simple as possible while confirming to the SAML spec.

I'd be really grateful if some of you would look at my request and response messages and tell me if they make sense for my purpose, if they include anything that doesn't need to be there, and if they are missing anything that does need to be there.

Addionally, I'd like to know where in the response I should put additional information about the subject; in particular, the subject's email address.

The interaction needs to work as follows:

1) User requests service from service provider at this point, the service provider knows nothing about the user. 2) Service provider requests authentication for user from identity provider 3) User is authenticated/registered by identity provider 4) Identity provider responds to Service provider with authentication success message, PLUS user's email address.

Here's what I think the request should be:

<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" 
ID="abc" 
IssueInstant="1970-01-01T00:00:00.000Z" 
Version="2.0"
AssertionConsumerServiceURL="http://www.IdentityProvider.com/loginPage">
   <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    http://www.serviceprovider.com
    </saml:Issuer>
    <saml:Subject>
        <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">3f7b3dcf-1674-4ecd-92c8-1544f346baf8</saml:NameID>
    </saml:Subject>

Here's what I think the response should be:

<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="http://www.serviceprovider.com/desitnationURL" ID="123" IssueInstant="2008-11-21T17:13:42.872Z" Version="2.0">
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:Status>
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
        <saml:Subject>
            <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">3f7b3dcf-1674-4ecd-92c8-1544f346baf8</saml:NameID>
            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:profiles:SSO:browser">
                <saml:SubjectConfirmationData InResponseTo="abc"/>
            </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:AuthnStatement AuthnInstant="2008-11-21T17:13:42.899Z">
            <saml:AuthnContext>
                <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
            </saml:AuthnContext>
        </saml:AuthnStatement>
    </saml:Assertion>
</samlp:Response>

So, again, my questions are:

1) Is this a valid SAML interaction?

2) Can either the request or response xml be simplified?

3) Where in the response should I put the subject's email address?

I really apprecaite your help. Thanks so much!

-Morgan

Developer IT