Portal Issues <samlp:AuthnRequest> to Identity Provider
This is for standard SAML Browser SSO.
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    AssertionConsumerServiceURL="https://portal.example.edu/Shibboleth.sso/SAML2/POST"
    Destination="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"
    ID="_a02c7e89e77e4871b84349a9db338373"
    IssueInstant="2008-03-14T17:21:17Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://portal.example.edu/shibboleth</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="1"/>
  <!-- identifies the IdP as a secondary "relying party" for the assertion -->
  <saml:Conditions xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:AudienceRestriction>
      <saml:Audience>https://idp.example.edu/idp/shibboleth</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</samlp:AuthnRequest>
Notes
The request contains one additional component: a requested audience condition naming the IdP itself. The IdP can treat this as a signal to equip the resulting assertion with the capability to authenticate the Portal to the IdP later.
Alternatively, ID-WSF defines a SAML attribute encoding for what are called "Endpoint References", which identify services (such as the IdP's Single Sign-On services) and can reference the enclosing assertion as a security token for accessing those services. The Portal could include a request for such an attribute in its metadata.
For the purposes of these examples, assume the following:
- Identity Provider EntityID: https://idp.example.edu/idp/shibboleth
- Identity Provider Browser SSO Service URL: https://idp.example.edu/idp/profile/SAML2/Redirect/SSO
- Portal Resource URL: https://portal.example.edu/
- Portal EntityID: https://portal.example.edu/shibboleth
- Portal Assertion Consumer Service URL: https://portal.example.edu/Shibboleth.sso/SAML2/POST
- Portlet EntityID: https://portal.example.edu/portlet1/shibboleth
- Web Service Provider Resource URL: https://service.example.com/orderstatus
- Web Service Provider EntityID: https://service.example.com/shibboleth
- Web Service Provider Assertion Consumer Service URL: https://service.example.com/Shibboleth.sso/SAML2/PAOS
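As an added example (not code from the page or from Shibboleth), an IdP-side check that validates the Portal's request above against the assumed values and detects the audience condition used as the delegation signal. The REGISTERED_ACS registry and the function names are assumptions standing in for the IdP's SP metadata lookup.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Values from the page's assumptions; REGISTERED_ACS is a constructed stand-in for SP metadata.
IDP_ENTITY_ID = "https://idp.example.edu/idp/shibboleth"
IDP_SSO_URL = "https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"
REGISTERED_ACS = {
    "https://portal.example.edu/shibboleth": {"https://portal.example.edu/Shibboleth.sso/SAML2/POST"},
}

# The AuthnRequest from the page, embedded as constructed sample input.
SAMPLE_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'AssertionConsumerServiceURL="https://portal.example.edu/Shibboleth.sso/SAML2/POST" '
    'Destination="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO" '
    'ID="_a02c7e89e77e4871b84349a9db338373" IssueInstant="2008-03-14T17:21:17Z" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://portal.example.edu/shibboleth</saml:Issuer>'
    '<samlp:NameIDPolicy AllowCreate="1"/>'
    '<!-- identifies the IdP as a secondary "relying party" for the assertion -->'
    '<saml:Conditions xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:AudienceRestriction>'
    '<saml:Audience>https://idp.example.edu/idp/shibboleth</saml:Audience>'
    '</saml:AudienceRestriction></saml:Conditions></samlp:AuthnRequest>'
)

def inspect_authn_request(xml_text):
    """Return (issuer, acs_url, delegation_requested); raise ValueError for a request the IdP must reject."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("not a samlp:AuthnRequest")
    # Destination must name this IdP's own SSO endpoint, otherwise the request was not meant for us.
    if root.get("Destination") != IDP_SSO_URL:
        raise ValueError("Destination does not match this IdP's SSO endpoint")
    issuer_el = root.find("saml:Issuer", NS)
    issuer = issuer_el.text.strip() if issuer_el is not None and issuer_el.text else None
    if issuer not in REGISTERED_ACS:
        raise ValueError("unknown Issuer: %r" % issuer)
    # Only deliver the assertion to an ACS registered in the issuer's metadata, never to a URL
    # taken from the (unsigned) request alone.
    acs = root.get("AssertionConsumerServiceURL")
    if acs not in REGISTERED_ACS[issuer]:
        raise ValueError("ACS URL %r not registered for %s" % (acs, issuer))
    # The delegation signal: the requester asks that the IdP itself be an audience of the assertion.
    audiences = [a.text.strip() for a in
                 root.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
    return issuer, acs, IDP_ENTITY_ID in audiences

def rejects(xml_text):
    """True if inspect_authn_request refuses the request."""
    try:
        inspect_authn_request(xml_text)
        return False
    except ValueError:
        return True
```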