Web Service Provider issues <samlp:AuthnRequest> to Identity Provider via Portlet
This is for ECP SSO with a Portlet acting as the client of a web site/service.
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
  <S:Header>
    <!-- identifies the path back to the WSP so the client can prevent MitM attacks -->
    <paos:Request xmlns:paos="urn:liberty:paos:2003-08"
        responseConsumerURL="https://service.example.com/Shibboleth.sso/SAML2/PAOS"
        service="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
        messageID="6c3a4f8b9c2d"
        S:actor="http://schemas.xmlsoap.org/soap/actor/next"
        S:mustUnderstand="1"/>
    <!-- useful properties of the AuthnRequest for the client -->
    <ecp:Request xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
        ProviderName="Example.com Service Provider"
        IsPassive="1"
        S:mustUnderstand="1"
        S:actor="http://schemas.xmlsoap.org/soap/actor/next">
      <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://service.example.com/shibboleth</saml:Issuer>
    </ecp:Request>
    <!-- equivalent of the RelayState parameter in a browser-based SSO profile -->
    <ecp:RelayState xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
        S:mustUnderstand="1"
        S:actor="http://schemas.xmlsoap.org/soap/actor/next">cookie:afcd145</ecp:RelayState>
  </S:Header>
  <S:Body>
    <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        AssertionConsumerServiceURL="https://service.example.com/Shibboleth.sso/SAML2/PAOS"
        ID="_a02c7e89e77e4871b84349a9db338374"
        IssueInstant="2008-03-14T17:31:17Z"
        ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
        Version="2.0">
      <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://service.example.com/shibboleth</saml:Issuer>
      <samlp:NameIDPolicy AllowCreate="1"/>
    </samlp:AuthnRequest>
  </S:Body>
</S:Envelope>
Notes
The <samlp:AuthnRequest> message itself is ordinary; what differs from a browser profile is that it is wrapped, together with additional binding information, inside a SOAP envelope that forms the request half of a SOAP exchange with the Portal/Portlet. Because PAOS reverses the usual direction, the request is carried in an HTTP response, while the subsequent response will be carried in an HTTP request.
The original resource at the WSP will be bound to the RelayState information so that it can be recovered later. In the example, the RelayState is associated with a cookie, which will be set in the HTTP response, so the Portal/Portlet's HTTP client implementation needs to support cookies.
The client in this profile has a few responsibilities for managing and interpreting SOAP header information, chief among them ensuring that the eventual response is delivered only to the location found in the <paos:Request> header (its responseConsumerURL), and never to whatever address the response itself happens to name.
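The client-side handling described above, written out as an added example (this is not code from the page or from the Shibboleth project): it parses the WSP's PAOS request, remembers the responseConsumerURL, messageID and RelayState, refuses any mustUnderstand="1" header it does not implement, forwards only the bare <samlp:AuthnRequest> to the IdP, and then checks that the AssertionConsumerServiceURL in the IdP's <ecp:Response> header matches the URL the WSP originally supplied before delivering anything. The IdP reply envelopes are constructed for the example and are not from the page.

```python
import xml.etree.ElementTree as ET

# Namespaces used by the PAOS/ECP exchange
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
PAOS = "urn:liberty:paos:2003-08"
ECP = "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
MUST_UNDERSTAND = f"{{{SOAP}}}mustUnderstand"
UNDERSTOOD_NS = {PAOS, ECP}  # header namespaces this client implements

for prefix, uri in (("S", SOAP), ("samlp", SAMLP), ("saml", SAML)):
    ET.register_namespace(prefix, uri)

# The WSP's PAOS request from the page (XML comments dropped, otherwise as shown).
WSP_ENVELOPE = """<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
<S:Header>
<paos:Request xmlns:paos="urn:liberty:paos:2003-08"
 responseConsumerURL="https://service.example.com/Shibboleth.sso/SAML2/PAOS"
 service="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp" messageID="6c3a4f8b9c2d"
 S:actor="http://schemas.xmlsoap.org/soap/actor/next" S:mustUnderstand="1"/>
<ecp:Request xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
 ProviderName="Example.com Service Provider" IsPassive="1" S:mustUnderstand="1"
 S:actor="http://schemas.xmlsoap.org/soap/actor/next">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://service.example.com/shibboleth</saml:Issuer>
</ecp:Request>
<ecp:RelayState xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp" S:mustUnderstand="1"
 S:actor="http://schemas.xmlsoap.org/soap/actor/next">cookie:afcd145</ecp:RelayState>
</S:Header>
<S:Body>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 AssertionConsumerServiceURL="https://service.example.com/Shibboleth.sso/SAML2/PAOS"
 ID="_a02c7e89e77e4871b84349a9db338374" IssueInstant="2008-03-14T17:31:17Z"
 ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Version="2.0">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://service.example.com/shibboleth</saml:Issuer>
<samlp:NameIDPolicy AllowCreate="1"/>
</samlp:AuthnRequest>
</S:Body>
</S:Envelope>"""

# Constructed IdP reply (not from the page): the ecp:Response header names the ACS URL
# the IdP expects the client to deliver the SAML response to; the body is a stand-in.
IDP_ENVELOPE_OK = """<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
<S:Header>
<ecp:Response xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
 AssertionConsumerServiceURL="https://service.example.com/Shibboleth.sso/SAML2/PAOS"
 S:actor="http://schemas.xmlsoap.org/soap/actor/next" S:mustUnderstand="1"/>
</S:Header>
<S:Body>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_constructed-id"
 Version="2.0" IssueInstant="2008-03-14T17:31:20Z"/>
</S:Body>
</S:Envelope>"""
# Same reply but naming another host: the client must not deliver the response there.
IDP_ENVELOPE_BAD = IDP_ENVELOPE_OK.replace("service.example.com/Shibboleth.sso",
                                           "other.example.net/Shibboleth.sso")


def _check_must_understand(header):
    """Fault on any mustUnderstand=1 header this client does not implement."""
    for h in header:
        ns = h.tag[1:].split("}")[0]
        if h.get(MUST_UNDERSTAND) == "1" and ns not in UNDERSTOOD_NS:
            raise ValueError(f"unhandled mustUnderstand header: {h.tag}")


def parse_paos_request(envelope_xml):
    """Extract what the client must remember from the WSP's PAOS request."""
    root = ET.fromstring(envelope_xml)
    header = root.find(f"{{{SOAP}}}Header")
    body = root.find(f"{{{SOAP}}}Body")
    if header is None or body is None:
        raise ValueError("not a SOAP envelope with Header and Body")
    _check_must_understand(header)
    paos_req = header.find(f"{{{PAOS}}}Request")
    authn = body.find(f"{{{SAMLP}}}AuthnRequest")
    if paos_req is None or authn is None:
        raise ValueError("missing paos:Request header or samlp:AuthnRequest body")
    if paos_req.get("service") != ECP:
        raise ValueError("paos:Request is not for the ECP service")
    relay = header.find(f"{{{ECP}}}RelayState")
    return {
        "response_consumer_url": paos_req.get("responseConsumerURL"),
        "message_id": paos_req.get("messageID"),
        "relay_state": relay.text if relay is not None else None,
        "authn_request": authn,
    }


def build_idp_envelope(authn_request):
    """Forward only the AuthnRequest to the IdP; the PAOS/ECP headers stay with the client."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    body.append(authn_request)
    return ET.tostring(env, encoding="unicode")


def check_response_destination(response_consumer_url, idp_envelope_xml):
    """True only if the IdP's ecp:Response names exactly the URL the WSP gave us."""
    root = ET.fromstring(idp_envelope_xml)
    header = root.find(f"{{{SOAP}}}Header")
    if header is None:
        return False
    _check_must_understand(header)
    ecp_resp = header.find(f"{{{ECP}}}Response")
    return (ecp_resp is not None
            and ecp_resp.get("AssertionConsumerServiceURL") == response_consumer_url)


if __name__ == "__main__":
    state = parse_paos_request(WSP_ENVELOPE)
    print("forward to IdP:", build_idp_envelope(state["authn_request"])[:60], "...")
    for label, reply in (("ok", IDP_ENVELOPE_OK), ("mismatch", IDP_ENVELOPE_BAD)):
        ok = check_response_destination(state["response_consumer_url"], reply)
        print(label, "->", "deliver to responseConsumerURL" if ok else "drop, send SOAP fault to WSP")
```

When the check passes, the client would POST the IdP's SAML response to the stored responseConsumerURL, re-attaching the stored <ecp:RelayState> header so the WSP can recover the original resource; when it fails, the client sends the WSP a SOAP fault instead and delivers nothing.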
For the purposes of these examples, assume the following:
- Identity Provider EntityID: https://idp.example.edu/idp/shibboleth
- Identity Provider Browser SSO Service URL: https://idp.example.edu/idp/profile/SAML2/Redirect/SSO
- Portal Resource URL: https://portal.example.edu/
- Portal EntityID: https://portal.example.edu/shibboleth
- Portal Assertion Consumer Service URL: https://portal.example.edu/Shibboleth.sso/SAML2/POST
- Portlet EntityID: https://portal.example.edu/portlet1/shibboleth
- Web Service Provider Resource URL: https://service.example.com/orderstatus
- Web Service Provider EntityID: https://service.example.com/shibboleth
- Web Service Provider Assertion Consumer Service URL: https://service.example.com/Shibboleth.sso/SAML2/PAOS