IdP initiated SSO

Marc Boorshtein mboorshtein at gmail.com
Thu Feb 7 17:04:29 EST 2013


Here's a working assertion:

<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                 ID="fa211f99a41adcf1d07a81fce09fc0d43ce6da419"
                 IssueInstant="2013-02-07T22:02:58.160Z"
                 Version="2.0">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://localhost.localdomain:8443/auth/idp/test</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
            <ds:Reference URI="#fa211f99a41adcf1d07a81fce09fc0d43ce6da419">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                        <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
                                                PrefixList="ds saml2 saml2p xs" />
                    </ds:Transform>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                <ds:DigestValue>4EXOqwRKWTD8w5v1PwR2LlyZjws=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>
Yh2HPrAGCWWahNVfSGenq+F5l89r23uKcZFwlsxvdlbziR+1U1UoUt4pVUv/bvP7kzI88Rlgg7MB
kx0uhd8fYwT7VRYkvJYj0+yIyahNe61GYnYrnqKWrlm+900THA4/8O4CoH6tYcTbYvlTPewwjbMi
HyfRf3iKXMYJF0zTQeM=
        </ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>MIICsTCCAhqgAwIBAgIGATnVOZ4iMA0GCSqGSIb3DQEBBQUAMH8xCzAJBgNVBAYTAlVTMREwDwYD...</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <saml2p:Status>
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </saml2p:Status>
    <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                     ID="f7f54e02482c3d5297c30d16e83a32eb8f4e4e69a"
                     IssueInstant="2013-02-07T22:02:58.160Z"
                     Version="2.0">
        <saml2:Issuer>https://localhost.localdomain:8443/auth/idp/test</saml2:Issuer>
        <saml2:Subject>
            <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">admin</saml2:NameID>
            <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml2:SubjectConfirmationData NotOnOrAfter="2013-02-07T22:07:58.160Z"
                                               Recipient="https://www.tremolosecurity-test.com/auth/SAML2Auth" />
            </saml2:SubjectConfirmation>
        </saml2:Subject>
        <saml2:Conditions NotBefore="2013-02-07T21:57:58.160Z"
                          NotOnOrAfter="2013-02-07T22:07:58.160Z">
            <saml2:AudienceRestriction>
                <saml2:Audience>https://www.tremolosecurity-test.com/auth/SAML2Auth</saml2:Audience>
            </saml2:AudienceRestriction>
        </saml2:Conditions>
        <saml2:AuthnStatement AuthnInstant="2013-02-07T22:02:58.160Z"
                              SessionIndex="f7f54e02482c3d5297c30d16e83a32eb8f4e4e69a">
            <saml2:AuthnContext>
                <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
            </saml2:AuthnContext>
        </saml2:AuthnStatement>
        <saml2:AttributeStatement>
            <saml2:Attribute Name="uid">
                <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                      xsi:type="xs:string">admin</saml2:AttributeValue>
            </saml2:Attribute>
        </saml2:AttributeStatement>
    </saml2:Assertion>
</saml2p:Response>

Specifically, the subject confirmation:

<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml2:SubjectConfirmationData NotOnOrAfter="2013-02-07T22:07:58.160Z"
                                   Recipient="https://www.tremolosecurity-test.com/auth/SAML2Auth" />
</saml2:SubjectConfirmation>

I've tested this with shib, OIF, Ping, OpenAM, ADFS, ....

On Thu, Feb 7, 2013 at 4:45 PM, Brent Putman <putmanb at georgetown.edu> wrote:
> The NotOnOrAfter is an optional attribute, but I'm not sure whether
> legally it can be present but empty.  Semantically it is pointless to do
> that.
>
> But the real problem, as I said in the other message, is that the SAML
> structure is just flat out wrong.
>
>
>
>
> On 2/7/13 4:42 PM, Mike Flynn wrote:
>> Thanks, Marc.  I asked them to correct that but was not sure if that
>> was the issue based on the message.
>>
>> ------------------------------------------------------------------------
>> *From:* Marc Boorshtein <mboorshtein at gmail.com>
>> *To:* Shib Users <users at shibboleth.net>
>> *Sent:* Thursday, February 7, 2013 1:38 PM
>> *Subject:* Re: IdP initiated SSO
>>
>> NotOnOrAfter is blank...
>>
>> On Thu, Feb 7, 2013 at 4:35 PM, Mike Flynn <shibbolethlynda at yahoo.com
>> <mailto:shibbolethlynda at yahoo.com>> wrote:
>> > This is what was sent:
>> >
>> > <saml:SubjectConfirmation
>> > Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
>> >      <saml:SubjectConfirmation
>> > Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
>> >            <saml:SubjectConfirmationData NotOnOrAfter=""
>> > Recipient="https://shib.lynda.com/Shibboleth.sso/SAML2/POST"/>
>> >      </saml:SubjectConfirmation>
>> > </saml:SubjectConfirmation>
>> >
>
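
As an added example that is not part of the thread: the checks a service provider applies to the bearer SubjectConfirmation discussed above (NotOnOrAfter present, non-empty and not yet passed; Recipient equal to the SP's own ACS URL; no SubjectConfirmation nested inside another), run over a constructed assertion shaped like the working one and one mirroring the broken message quoted above. Signature verification and the Conditions/Audience checks are assumed to be done separately; the `wrap` helper and the sample timestamps are constructed for the example.

```python
# Added example, not code from the thread: structural checks on the
# SubjectConfirmation of a SAML 2.0 bearer assertion. Signature verification is a separate step.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
def check_subject_confirmation(xml_text, expected_recipient, now):
    """Return a list of problems; an empty list means the bearer confirmation is usable."""
    problems = []
    subject = ET.fromstring(xml_text).find(".//saml:Assertion/saml:Subject", NS)
    if subject is None:
        return ["no Assertion/Subject found"]
    confs = list(subject.iter("{%s}SubjectConfirmation" % SAML))  # all depths, document order
    if not confs:
        return ["no SubjectConfirmation found"]
    for conf in confs:
        # The schema does not allow a SubjectConfirmation inside another SubjectConfirmation.
        if conf.find("saml:SubjectConfirmation", NS) is not None:
            problems.append("nested SubjectConfirmation is schema-invalid")
        if conf.get("Method") != BEARER:
            problems.append("Method %r is not bearer" % conf.get("Method"))
            continue
        data = conf.find("saml:SubjectConfirmationData", NS)
        if data is None:
            problems.append("bearer confirmation has no SubjectConfirmationData")
            continue
        nooa = data.get("NotOnOrAfter")
        if not nooa:  # absent, or the empty string seen in the quoted message
            problems.append("NotOnOrAfter is missing or empty")
        elif now >= datetime.fromisoformat(nooa.replace("Z", "+00:00")):
            problems.append("bearer confirmation expired at " + nooa)
        if data.get("Recipient") != expected_recipient:
            problems.append("Recipient %r is not our ACS URL" % data.get("Recipient"))
    return problems
def wrap(sc):  # constructed minimal Response/Assertion around one SubjectConfirmation
    return ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            'xmlns:saml="%s"><saml:Assertion><saml:Subject><saml:NameID>admin'
            '</saml:NameID>%s</saml:Subject></saml:Assertion></samlp:Response>' % (SAML, sc))
ACS = "https://www.tremolosecurity-test.com/auth/SAML2Auth"
GOOD = wrap('<saml:SubjectConfirmation Method="%s"><saml:SubjectConfirmationData '
            'NotOnOrAfter="2013-02-07T22:07:58.160Z" Recipient="%s"/>'
            '</saml:SubjectConfirmation>' % (BEARER, ACS))
# Mirrors the quoted broken message: holder-of-key wrapping bearer, empty NotOnOrAfter.
BAD = wrap('<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">'
           '<saml:SubjectConfirmation Method="%s"><saml:SubjectConfirmationData '
           'NotOnOrAfter="" Recipient="%s"/></saml:SubjectConfirmation></saml:SubjectConfirmation>' % (BEARER, ACS))
T_OK = datetime(2013, 2, 7, 22, 3, tzinfo=timezone.utc)    # constructed: inside the window
T_LATE = datetime(2013, 2, 7, 22, 8, tzinfo=timezone.utc)  # constructed: after NotOnOrAfter
```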

