Web Service Provider issues <samlp:AuthnRequest> to Identity Provider via Portlet

This is for ECP SSO with a Portlet acting as the client of a web site/service.

<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">

  <S:Header>
    <!-- identifies the path back to the WSP so the client can prevent MitM attacks -->
    <paos:Request xmlns:paos="urn:liberty:paos:2003-08"
        responseConsumerURL="https://service.example.com/Shibboleth.sso/SAML2/PAOS"
        service="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
        messageID="6c3a4f8b9c2d" S:actor="http://schemas.xmlsoap.org/soap/actor/next" S:mustUnderstand="1"/>

    <!-- useful properties of the AuthnRequest for the client -->
    <ecp:Request xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
        ProviderName="Example.com Service Provider" IsPassive="1"
        S:mustUnderstand="1" S:actor="http://schemas.xmlsoap.org/soap/actor/next">
      <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://service.example.com/shibboleth</saml:Issuer>
    </ecp:Request>

    <!-- equivalent of the RelayState parameter in a browser-based SSO profile -->
    <ecp:RelayState xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
        S:mustUnderstand="1" S:actor="http://schemas.xmlsoap.org/soap/actor/next">cookie:afcd145</ecp:RelayState>

  </S:Header>

  <S:Body>
    <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        AssertionConsumerServiceURL="https://service.example.com/Shibboleth.sso/SAML2/PAOS"
        ID="_a02c7e89e77e4871b84349a9db338374" IssueInstant="2008-03-14T17:31:17Z"
        ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Version="2.0">
      <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://service.example.com/shibboleth</saml:Issuer>
      <samlp:NameIDPolicy AllowCreate="1"/>
    </samlp:AuthnRequest>
  </S:Body>

</S:Envelope>

Notes

The <samlp:AuthnRequest> message is relatively ordinary, but is wrapped with additional binding information inside a SOAP envelope, the request half of a SOAP exchange with the Portal/Portlet. The request is carried in an HTTP response, while the subsequent response will be carried by an HTTP request.

The original resource at the WSP will be bound to the RelayState information so that it can be recovered later. In the example, the RelayState is associated with a cookie, which will be set in the HTTP response, so the Portal/Portlet's HTTP client implementation needs to support cookies.

The client in this profile has a few responsibilities for managing and interpreting SOAP header information, chief among them ensuring that the eventual response is only delivered to the location found in the <paos:Request> header.
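The following client-side handling of the envelope above is an added illustration, not code from the page or from the Shibboleth project. It parses the WSP's PAOS request with the Python standard library, faults on any mandatory (mustUnderstand="1") header block the client does not recognise, pulls out the responseConsumerURL and RelayState the client has to carry through the exchange, and implements the responsibility named above: the IdP's eventual response is only handed to the WSP when the AssertionConsumerServiceURL the IdP reports matches the responseConsumerURL from the <paos:Request> header. The embedded envelope is a copy of the one on this page; the `TAMPERED_REQUEST` variant with an extra mandatory header, the `EcpClientError` class and all function names are constructed for the example.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
PAOS = "urn:liberty:paos:2003-08"
ECP = "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"S": SOAP, "paos": PAOS, "ecp": ECP, "samlp": SAMLP, "saml": SAML}

# Header blocks an ECP client knows how to process. Any other block marked
# mustUnderstand="1" has to be answered with a SOAP fault, not ignored.
UNDERSTOOD = {f"{{{PAOS}}}Request", f"{{{ECP}}}Request", f"{{{ECP}}}RelayState"}

# Copy of the WSP's PAOS request from this page (the body of its HTTP response).
WSP_PAOS_REQUEST = """<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
  <S:Header>
    <paos:Request xmlns:paos="urn:liberty:paos:2003-08"
        responseConsumerURL="https://service.example.com/Shibboleth.sso/SAML2/PAOS"
        service="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
        messageID="6c3a4f8b9c2d" S:actor="http://schemas.xmlsoap.org/soap/actor/next" S:mustUnderstand="1"/>
    <ecp:Request xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
        ProviderName="Example.com Service Provider" IsPassive="1"
        S:mustUnderstand="1" S:actor="http://schemas.xmlsoap.org/soap/actor/next">
      <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://service.example.com/shibboleth</saml:Issuer>
    </ecp:Request>
    <ecp:RelayState xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
        S:mustUnderstand="1" S:actor="http://schemas.xmlsoap.org/soap/actor/next">cookie:afcd145</ecp:RelayState>
  </S:Header>
  <S:Body>
    <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        AssertionConsumerServiceURL="https://service.example.com/Shibboleth.sso/SAML2/PAOS"
        ID="_a02c7e89e77e4871b84349a9db338374" IssueInstant="2008-03-14T17:31:17Z"
        ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Version="2.0">
      <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://service.example.com/shibboleth</saml:Issuer>
      <samlp:NameIDPolicy AllowCreate="1"/>
    </samlp:AuthnRequest>
  </S:Body>
</S:Envelope>"""

# Constructed variant: an unknown header block the WSP insists the client understands.
TAMPERED_REQUEST = WSP_PAOS_REQUEST.replace(
    "<S:Header>", '<S:Header><x:Unknown xmlns:x="urn:example:unknown" S:mustUnderstand="1"/>')


class EcpClientError(Exception):
    """The client must answer the WSP with a SOAP fault instead of proceeding."""


def parse_paos_request(xml_text):
    """Extract what the client must keep from the WSP's SOAP request."""
    root = ET.fromstring(xml_text)
    header = root.find("S:Header", NS)
    body = root.find("S:Body", NS)
    if header is None or body is None:
        raise EcpClientError("not a SOAP envelope with Header and Body")
    for block in header:  # comments are dropped by the default parser
        if block.get(f"{{{SOAP}}}mustUnderstand") == "1" and block.tag not in UNDERSTOOD:
            raise EcpClientError(f"cannot understand mandatory header {block.tag}")
    paos = header.find("paos:Request", NS)
    if paos is None or paos.get("service") != ECP or not paos.get("responseConsumerURL"):
        raise EcpClientError("missing or incomplete paos:Request for the ECP service")
    authn = body.find("samlp:AuthnRequest", NS)
    if authn is None:
        raise EcpClientError("SOAP body does not carry a samlp:AuthnRequest")
    relay = header.find("ecp:RelayState", NS)
    ecp_req = header.find("ecp:Request", NS)
    return {
        "response_consumer_url": paos.get("responseConsumerURL"),
        "message_id": paos.get("messageID"),
        "relay_state": relay.text if relay is not None else None,
        "is_passive": ecp_req is not None and ecp_req.get("IsPassive") == "1",
        "issuer": authn.findtext("saml:Issuer", namespaces=NS),
        # The AuthnRequest is forwarded to the IdP unchanged.
        "authn_request": ET.tostring(authn, encoding="unicode"),
    }


def check_delivery_target(paos_info, idp_acs_url):
    """True only if the IdP's ecp:Response AssertionConsumerServiceURL equals the
    responseConsumerURL the WSP asked for; otherwise the client must not deliver
    the response and sends a SOAP fault to the WSP instead."""
    return idp_acs_url == paos_info["response_consumer_url"]


def rejects(xml_text):
    """True when the client would answer this envelope with a SOAP fault."""
    try:
        parse_paos_request(xml_text)
    except (EcpClientError, ET.ParseError):
        return True
    return False


if __name__ == "__main__":
    info = parse_paos_request(WSP_PAOS_REQUEST)
    print(info["response_consumer_url"], info["relay_state"], rejects(TAMPERED_REQUEST))
```

The comparison in `check_delivery_target` is the MitM guard the <paos:Request> comment refers to: the URL the WSP named at the start of the exchange, not anything learned later from the IdP or the network, decides where the response goes. For XML received from untrusted parties a hardened parser such as defusedxml is the usual replacement for the standard library one used here.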


For the purposes of these examples, assume the following:
  • Identity Provider EntityID
    • https://idp.example.edu/idp/shibboleth
  • Identity Provider Browser SSO Service URL
    • https://idp.example.edu/idp/profile/SAML2/Redirect/SSO

  • Portal Resource URL
    • https://portal.example.edu/
  • Portal EntityID
    • https://portal.example.edu/shibboleth
  • Portal Assertion Consumer Service URL
    • https://portal.example.edu/Shibboleth.sso/SAML2/POST

  • Portlet EntityID
    • https://portal.example.edu/portlet1/shibboleth

  • Web Service Provider Resource URL
    • https://service.example.com/orderstatus
  • Web Service Provider EntityID
    • https://service.example.com/shibboleth
  • Web Service Provider Assertion Consumer Service URL
    • https://service.example.com/Shibboleth.sso/SAML2/PAOS