Identity Provider Issues <samlp:Response> to Portal

This is for standard SAML Browser SSO.

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    Destination="https://portal.example.edu/Shibboleth.sso/SAML2/POST" ID="_e71fa15519729e9e3adea5d02b2e38ad"
    InResponseTo="_a02c7e89e77e4871b84349a9db338373" IssueInstant="2008-03-14T17:21:24.781Z" Version="2.0">

  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>

  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0"
      ID="_682C46C8-198A-436C-9E0F-DBBC155DE413" IssueInstant="2008-03-14T17:21:24.781Z">

    <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
    <ds:Signature>...</ds:Signature> <!-- signature elided -->

    <saml:Subject>

      <!-- the identifier is scoped between the IdP and the Portal -->
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">E8042FB4-4D5B-48C3-8E14-8EDD852790DD</saml:NameID>

      <!-- the bearer authorization is for web SSO by the browser to the Portal -->
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Address="192.168.1.1" NotOnOrAfter="2008-03-14T17:26:24Z"
            Recipient="https://portal.example.edu/Shibboleth.sso/SAML2/POST"/>
      </saml:SubjectConfirmation>

      <!-- the HoK authorization is for re-presentation to the IdP by the Portal -->
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
        <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://portal.example.edu/shibboleth</saml:NameID>
        <saml:SubjectConfirmationData xsi:type="saml:KeyInfoConfirmationDataType">
          <ds:KeyInfo>...</ds:KeyInfo> <!-- the Portal's key or certificate, elided -->
        </saml:SubjectConfirmationData>
      </saml:SubjectConfirmation>

    </saml:Subject>

    <!-- the conditions apply to all uses, and the assertion is scoped to both the IdP and Portal -->
    <saml:Conditions NotBefore="2008-03-14T17:21:24.781Z" NotOnOrAfter="2008-03-14T18:21:24.781Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://portal.example.edu/shibboleth</saml:Audience>
        <saml:Audience>https://idp.example.edu/idp/shibboleth</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>

    <saml:AuthnStatement AuthnInstant="2008-03-14T17:21:24.781Z" SessionIndex="_682C46C8-198A-436C-9E0F-DBBC155DE413">
      <saml:SubjectLocality Address="192.168.1.1"/>
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>

    <saml:AttributeStatement>
      ...
      <!-- a pointer to the IdP's SSOS and how to contact it -->
      <saml:Attribute Name="urn:liberty:ssos:2006-08" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>
          <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
            <wsa:Address>https://idp.example.edu/idp/profiles/WSF/SSO</wsa:Address>
            <wsa:Metadata xmlns:disco="urn:liberty:disco:2006-08">
              <disco:Abstract>ID-WSF Single Sign-On Service</disco:Abstract>
              <disco:ServiceType>urn:liberty:ssos:2006-08</disco:ServiceType>
              <disco:ProviderID>https://idp.example.edu/idp/shibboleth</disco:ProviderID>
              <sbf:Framework xmlns:sbf="urn:liberty:sb" version="2.0"/>
              <disco:SecurityContext>
                <disco:SecurityMechID>urn:liberty:security:2005-02:ClientTLS:peerSAMLV2</disco:SecurityMechID>
                <sec:Token xmlns:sec="urn:liberty:security:2006-08" ref="#_682C46C8-198A-436C-9E0F-DBBC155DE413" usage="urn:liberty:security:tokenusage:2006-08:SecurityToken"/>
              </disco:SecurityContext>
            </wsa:Metadata>
          </wsa:EndpointReference>
        </saml:AttributeValue>
      </saml:Attribute>

    </saml:AttributeStatement>

  </saml:Assertion>

</samlp:Response>

Notes

Typically the assertion will be encrypted in the response, but for illustrative purposes, it's left unencrypted here.

Note the second <saml:SubjectConfirmation> and <saml:Audience> elements that allow for authentication of the Portal back to the IdP. Typically, the second confirmation will contain the key or certificate of the Portal to tie the assertion to that key.

Obviously the assertion is likely to contain arbitrary attribute information that the Portal or Portlets can consume directly. The example uses a transient <saml:NameID> element for the principal, but this needn't be assumed. It is left unencrypted because the assertion is only shared between the Portal and the IdP.

One of the attributes is not specifically about the user but tells the Portal how it can contact the IdP's ID-WSF Single Sign-On Service using the assertion as an authentication token. The EPR includes the location, the security mechanism, and a pointer to the token to use, in this case the enclosing assertion.

Finally, note the assertion lifetime is set at one hour. The implication is that the assertion is only usable at the IdP for that duration. It has no implications for the lifetime of the user's session with the Portal itself. This period can obviously be set as desired.
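As an added example (not part of the original page or of the Shibboleth project's code), the checks a Portal would apply to this response before keeping the assertion for later re-presentation to the IdP: Success status, Destination and InResponseTo, the Conditions window, the audience list, both subject confirmations, and the SSOS endpoint reference whose token pointer must resolve to the enclosing assertion. It assumes the XML signature has already been verified and uses a constructed, cut-down copy of the response above with "_a1" and "_req1" as placeholder identifiers.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "wsa": "http://www.w3.org/2005/08/addressing", "disco": "urn:liberty:disco:2006-08",
      "sec": "urn:liberty:security:2006-08"}
BEARER, HOK = "urn:oasis:names:tc:SAML:2.0:cm:bearer", "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
SSOS = "urn:liberty:ssos:2006-08"

def saml_time(s):  # SAML timestamps are UTC; map the trailing "Z" so fromisoformat accepts it
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def check_response(xml_text, sp_entity_id, acs_url, request_id, now):
    """Portal-side checks on a signature-verified <samlp:Response>; returns the SSOS endpoint data."""
    r = ET.fromstring(xml_text)
    assert r.get("Destination") == acs_url and r.get("InResponseTo") == request_id, "wrong recipient/request"
    assert r.find("samlp:Status/samlp:StatusCode", NS).get("Value").endswith(":Success"), "not Success"
    a = r.find("saml:Assertion", NS); c = a.find("saml:Conditions", NS)
    assert saml_time(c.get("NotBefore")) <= now < saml_time(c.get("NotOnOrAfter")), "outside assertion validity"
    auds = {e.text for e in c.iterfind("saml:AudienceRestriction/saml:Audience", NS)}
    assert sp_entity_id in auds, "Portal is not an intended audience"
    confs = {sc.get("Method"): sc for sc in a.iterfind("saml:Subject/saml:SubjectConfirmation", NS)}
    assert {BEARER, HOK} <= set(confs), "need both bearer and holder-of-key confirmations"
    bd = confs[BEARER].find("saml:SubjectConfirmationData", NS)  # bearer: addressed to our ACS, short window
    assert bd.get("Recipient") == acs_url and now < saml_time(bd.get("NotOnOrAfter")), "bad bearer confirmation"
    # holder-of-key: names the Portal as the party allowed to re-present the assertion to the IdP
    assert confs[HOK].find("saml:NameID", NS).text == sp_entity_id, "HoK confirmation is not for the Portal"
    for attr in a.iterfind("saml:AttributeStatement/saml:Attribute", NS):  # the SSOS endpoint reference
        if attr.get("Name") == SSOS:
            epr = attr.find("saml:AttributeValue/wsa:EndpointReference", NS)
            assert epr.find(".//sec:Token", NS).get("ref") == "#" + a.get("ID"), "token ref must be this assertion"
            return {"address": epr.find("wsa:Address", NS).text, "assertion_id": a.get("ID"),
                    "mech": epr.find(".//disco:SecurityMechID", NS).text, "idp_in_audience": a.find("saml:Issuer", NS).text in auds}
    raise ValueError("no SSOS endpoint reference in assertion")
# constructed sample modelled on the response above (signature, NameID and user attributes omitted)
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 InResponseTo="_req1" Destination="https://portal.example.edu/Shibboleth.sso/SAML2/POST"><samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:Assertion ID="_a1">
<saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer><saml:Subject>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData
 Recipient="https://portal.example.edu/Shibboleth.sso/SAML2/POST" NotOnOrAfter="2008-03-14T17:26:24Z"/></saml:SubjectConfirmation>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"><saml:NameID>https://portal.example.edu/shibboleth</saml:NameID>
</saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2008-03-14T17:21:24.781Z" NotOnOrAfter="2008-03-14T18:21:24.781Z">
<saml:AudienceRestriction><saml:Audience>https://portal.example.edu/shibboleth</saml:Audience><saml:Audience>https://idp.example.edu/idp/shibboleth</saml:Audience>
</saml:AudienceRestriction></saml:Conditions><saml:AttributeStatement><saml:Attribute Name="urn:liberty:ssos:2006-08"><saml:AttributeValue>
<wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing"><wsa:Address>https://idp.example.edu/idp/profiles/WSF/SSO</wsa:Address>
<wsa:Metadata xmlns:disco="urn:liberty:disco:2006-08" xmlns:sec="urn:liberty:security:2006-08"><disco:SecurityContext>
<disco:SecurityMechID>urn:liberty:security:2005-02:ClientTLS:peerSAMLV2</disco:SecurityMechID><sec:Token ref="#_a1"/></disco:SecurityContext>
</wsa:Metadata></wsa:EndpointReference></saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>"""
```

The returned dictionary is what the Portal keeps alongside the assertion: the SSOS address and security mechanism for the later delegated call, and confirmation that the IdP itself is an audience, without which the IdP would reject the re-presented assertion.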


For the purposes of these examples, assume the following:
  • Identity Provider EntityID
    • https://idp.example.edu/idp/shibboleth
  • Identity Provider Browser SSO Service URL
    • https://idp.example.edu/idp/profile/SAML2/Redirect/SSO

  • Portal Resource URL
    • https://portal.example.edu/
  • Portal EntityID
    • https://portal.example.edu/shibboleth
  • Portal Assertion Consumer Service URL
    • https://portal.example.edu/Shibboleth.sso/SAML2/POST

  • Portlet EntityID
    • https://portal.example.edu/portlet1/shibboleth

  • Web Service Provider Resource URL
    • https://service.example.com/orderstatus
  • Web Service Provider EntityID
    • https://service.example.com/shibboleth
  • Web Service Provider Assertion Consumer Service URL
    • https://service.example.com/Shibboleth.sso/SAML2/PAOS