
SAML2 AuthnRequest Processing

Kars Hamelink edited this page Feb 12, 2024 · 3 revisions

AuthnRequest message processing describes how EngineBlock processes an AuthnRequest it receives from a Service Provider.

For reference:

Crossed-out text indicates that the attribute is present in the SAML2 specification, but EngineBlock does not use it.

AuthnRequest

<samlp:AuthnRequest
 ForceAuthn="false"
 IsPassive="false"
 ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
 AssertionConsumerServiceIndex="1"
 AssertionConsumerServiceURL="https://example.edu/ACS1"
 AttributeConsumingServiceIndex="1"
 ProviderName="ServiceProvider DisplayName"
 ID="ID000"
 Version="2.0"
 IssueInstant="2006-05-04T18:13:51.0Z"
 Destination="https://engine.surfconext.nl/authentication/single-sign-on"
 Consent="urn:oasis:names:tc:SAML:2.0:consent:inapplicable">

Issuer

<saml:Issuer
  NameQualifier="NameQualifier0"
  SPNameQualifier="SPNameQualifier0"
  Format="http://www.oxygenxml.com/"
  SPProvidedID="SPProvidedID0">Issuer0</saml:Issuer>

We use the Issuer value to look up the configuration of the SP that (allegedly) sent the request. The Issuer is only a claim made by the message: which SP actually sent it is established by verifying the request's signature against that SP's registered key (see XML Digital Signature Support), so nothing beyond the configuration lookup should depend on the Issuer before that check has passed.

Usage of attributes:

  • NameQualifier
  • SPNameQualifier
  • Format: MUST always be the default (urn:oasis:names:tc:SAML:2.0:nameid-format:entity). The placeholder URL used as Format in the example above is therefore not a value EngineBlock accepts.
  • SPProvidedID

Signature

<ds:Signature Id="ID001">
    ...
</ds:Signature>

See XML Digital Signature Support.

Extensions

<samlp:Extensions>
     ...
</samlp:Extensions>

Extensions are not supported: they are not relayed to the IdP but ignored.

Subject

<saml:Subject>
     ...
</saml:Subject>

A Subject element in the request is not supported: it is not relayed to the IdP but ignored.

NameIDPolicy

<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" SPNameQualifier="SPNameQualifier1" AllowCreate="false"/>

  • Format: a fixed NameIDFormat configured for the SP (in the Service Registry) takes precedence. If no fixed format is configured, the SP can request one of the following:
      • urn:oasis:names:tc:SAML:2.0:nameid-format:persistent (DEFAULT)
      • urn:oasis:names:tc:SAML:2.0:nameid-format:transient
      • urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified
      • urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified (Deprecated)
  • SPNameQualifier
  • AllowCreate: always treated as true, regardless of the value in the request.

Conditions

<saml:Conditions NotBefore="2006-05-04T18:13:51.0Z" NotOnOrAfter="2006-05-04T18:13:51.0Z">
    ...
</saml:Conditions>

Conditions the SP wants imposed on the resulting Response are not supported: they are not relayed to the IdP but ignored.

RequestedAuthnContext

<samlp:RequestedAuthnContext Comparison="exact">
    ...
</samlp:RequestedAuthnContext>

Requests for a specific authentication context are not relayed to the IdP but ignored, unless in Manage the value "transparant_authn_context" is set for the IdP/SP combination in question; in that case the RequestedAuthnContext is passed through to the IdP.

Scoping

<samlp:Scoping ProxyCount="50">
    <samlp:IDPList>
        <samlp:IDPEntry ProviderID="http://www.oxygenxml.com/" Name="Name0" Loc="http://www.oxygenxml.com/"/>
        <samlp:IDPEntry ProviderID="http://www.oxygenxml.com/" Name="Name1" Loc="http://www.oxygenxml.com/"/>
        <samlp:GetComplete>http://www.oxygenxml.com/</samlp:GetComplete>
    </samlp:IDPList>
    <samlp:RequesterID>http://www.oxygenxml.com/</samlp:RequesterID>
    <samlp:RequesterID>http://www.oxygenxml.com/</samlp:RequesterID>
</samlp:Scoping>

EngineBlock will honor Scoping, with the following restrictions:

  • ProxyCount is honored; if no ProxyCount is provided, a value of 10 is used.
  • ProviderID MUST be an Entity ID.
  • The Loc attribute of samlp:IDPEntry is NOT supported.
  • The Name attribute of samlp:IDPEntry is NOT supported.
  • GetComplete is NOT supported.
  • RequesterID elements are passed along, and EngineBlock adds itself (OpenConext-engine) to the list.

Full example

Below is an example of an AuthnRequest that uses ALL the features:

AuthnRequest.xml

<samlp:AuthnRequest
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:protocol http://docs.oasis-open.org/security/saml/v2.0/saml-schema-protocol-2.0.xsd"
 ForceAuthn="false"
 IsPassive="false"
 ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
 AssertionConsumerServiceIndex="1"
 AssertionConsumerServiceURL="https://example.edu/ACS1"
 AttributeConsumingServiceIndex="1"
 ProviderName="ServiceProvider DisplayName"
 ID="ID000"
 Version="2.0"
 IssueInstant="2006-05-04T18:13:51.0Z"
 Destination="https://engine.surfconext.nl/authentication/single-sign-on"
 Consent="urn:oasis:names:tc:SAML:2.0:consent:inapplicable">
    <saml:Issuer
      NameQualifier="NameQualifier0"
      SPNameQualifier="SPNameQualifier0"
      Format="http://www.oxygenxml.com/"
      SPProvidedID="SPProvidedID0">Issuer0</saml:Issuer>
    <ds:Signature Id="ID001">
        ...
    </ds:Signature>
    <samlp:Extensions>
         ...
    </samlp:Extensions>
    <saml:Subject>
         ...
    </saml:Subject>
    <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" SPNameQualifier="SPNameQualifier1" AllowCreate="false"/>
    <saml:Conditions NotBefore="2006-05-04T18:13:51.0Z" NotOnOrAfter="2006-05-04T18:13:51.0Z">
        ...
    </saml:Conditions>
    <samlp:RequestedAuthnContext Comparison="exact">
        ...
    </samlp:RequestedAuthnContext>
    <samlp:Scoping ProxyCount="50">
        <samlp:IDPList>
            <samlp:IDPEntry ProviderID="http://www.oxygenxml.com/" Name="Name0" Loc="http://www.oxygenxml.com/"/>
            <samlp:IDPEntry ProviderID="http://www.oxygenxml.com/" Name="Name1" Loc="http://www.oxygenxml.com/"/>
            <samlp:GetComplete>http://www.oxygenxml.com/</samlp:GetComplete>
        </samlp:IDPList>
        <samlp:RequesterID>http://www.oxygenxml.com/</samlp:RequesterID>
        <samlp:RequesterID>http://www.oxygenxml.com/</samlp:RequesterID>
    </samlp:Scoping>
</samlp:AuthnRequest>
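The rules above (Issuer lookup and Format check, dropped Extensions/Subject/Conditions, NameIDPolicy negotiation with a Service Registry override, conditional RequestedAuthnContext pass-through, and Scoping with ProxyCount default, ProviderID-only IDPEntry handling and the appended RequesterID) can be applied mechanically to a request. The following is an added example in Python and is not EngineBlock's own code (EngineBlock is written in PHP). The sample AuthnRequest is constructed for this example, with the page's "..." placeholders filled in so that it is well-formed; the engine entity ID, the `fixed_nameid_format` and `transparent_authn_context` parameters and all function names are assumptions standing in for the Service Registry and Manage settings the page mentions.

```python
"""Apply the AuthnRequest handling rules described on this page to a request.

Added example, not EngineBlock code. ElementTree is used for brevity; for
untrusted XML in production use defusedxml, since the stdlib parser still
expands internal entities (billion-laughs style payloads)."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
NAMEID_ENTITY = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
NAMEID_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
NEGOTIABLE_NAMEID_FORMATS = {
    NAMEID_PERSISTENT,
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified",
}
# Elements the page says are neither honored nor relayed to the IdP.
DROPPED_ELEMENTS = ("samlp:Extensions", "saml:Subject", "saml:Conditions")
DEFAULT_PROXY_COUNT = 10
# Assumed entity ID for the proxy itself (the page only says "OpenConext-engine is added").
ENGINE_ENTITY_ID = "https://engine.example.org/authentication/idp/metadata"

# Constructed sample request: every element from the page, placeholders filled in.
SAMPLE_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="ID000" Version="2.0" IssueInstant="2006-05-04T18:13:51.0Z"
    Destination="https://engine.example.org/authentication/single-sign-on">
  <saml:Issuer>https://sp.example.edu/metadata</saml:Issuer>
  <samlp:Extensions><x:Hint xmlns:x="urn:example:ext"/></samlp:Extensions>
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="false"/>
  <saml:Conditions NotBefore="2006-05-04T18:13:51.0Z" NotOnOrAfter="2006-05-04T18:23:51.0Z"/>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
  <samlp:Scoping ProxyCount="50">
    <samlp:IDPList>
      <samlp:IDPEntry ProviderID="https://idp.example.edu/metadata" Name="Name0" Loc="https://idp.example.edu/sso"/>
      <samlp:GetComplete>https://sp.example.edu/idplist</samlp:GetComplete>
    </samlp:IDPList>
    <samlp:RequesterID>https://upstream.example.org/metadata</samlp:RequesterID>
  </samlp:Scoping>
</samlp:AuthnRequest>"""


def process_authn_request(xml_text, fixed_nameid_format=None, transparent_authn_context=False):
    """Return what the proxy keeps from the request. fixed_nameid_format stands in for
    a NameIDFormat pinned in the Service Registry, transparent_authn_context for the
    "transparant_authn_context" setting of the IdP/SP pair (both assumed parameters)."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("not a samlp:AuthnRequest")

    # Issuer selects the SP configuration; its Format must be the entity default.
    issuer = root.find("saml:Issuer", NS)
    if issuer is None or not (issuer.text or "").strip():
        raise ValueError("Issuer is required to look up the SP")
    if issuer.get("Format", NAMEID_ENTITY) != NAMEID_ENTITY:
        raise ValueError("Issuer Format must be %s" % NAMEID_ENTITY)
    ignored = [name for name in DROPPED_ELEMENTS if root.find(name, NS) is not None]

    # NameIDPolicy: a registry-pinned format wins; otherwise the SP may pick one of the
    # negotiable formats, defaulting to persistent. AllowCreate is always true.
    policy = root.find("samlp:NameIDPolicy", NS)
    requested = policy.get("Format") if policy is not None else None
    if fixed_nameid_format:
        nameid_format = fixed_nameid_format
    elif requested in NEGOTIABLE_NAMEID_FORMATS:
        nameid_format = requested
    else:
        nameid_format = NAMEID_PERSISTENT

    # RequestedAuthnContext: dropped unless the IdP/SP pair is configured as transparent.
    authn_context = None
    rac = root.find("samlp:RequestedAuthnContext", NS)
    if rac is not None and transparent_authn_context:
        authn_context = {
            "comparison": rac.get("Comparison", "exact"),
            "classes": [c.text.strip() for c in rac.findall("saml:AuthnContextClassRef", NS)],
        }
    elif rac is not None:
        ignored.append("samlp:RequestedAuthnContext")

    # Scoping: ProxyCount honored (default 10); only ProviderID of each IDPEntry is used,
    # Name/Loc/GetComplete are ignored; the proxy appends itself to the RequesterIDs.
    proxy_count, idp_list, requester_ids = DEFAULT_PROXY_COUNT, [], []
    scoping = root.find("samlp:Scoping", NS)
    if scoping is not None:
        if scoping.get("ProxyCount") is not None:
            proxy_count = int(scoping.get("ProxyCount"))
        idp_list = [e.get("ProviderID") for e in scoping.findall("samlp:IDPList/samlp:IDPEntry", NS)]
        requester_ids = [r.text.strip() for r in scoping.findall("samlp:RequesterID", NS)]
    requester_ids.append(ENGINE_ENTITY_ID)

    return {
        "sp_entity_id": issuer.text.strip(),
        "ignored": ignored,
        "nameid_format": nameid_format,
        "allow_create": True,
        "authn_context": authn_context,
        "proxy_count": proxy_count,
        "idp_list": idp_list,
        "requester_ids": requester_ids,
    }


if __name__ == "__main__":
    for key, value in process_authn_request(SAMPLE_REQUEST).items():
        print("%-14s %s" % (key, value))
```

Running it on the sample shows the SP's transient NameID request surviving, AllowCreate forced to true, the RequestedAuthnContext landing in the ignored list, and the upstream RequesterID being kept with the engine's own ID appended; calling it with `fixed_nameid_format=NAMEID_PERSISTENT, transparent_authn_context=True` shows the registry override and the pass-through of the authentication context instead. The Issuer Format check is what rejects a request built from the oxygenxml placeholder values on this page.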