SAML2 Response Processing
Response message processing describes how EngineBlock processes a Response it receives from an Identity Provider.
<samlp:Response
ID="ID000"
InResponseTo="InResponseTo0"
Version="Version0"
IssueInstant="2006-05-04T18:13:51.0Z"
Destination="http://www.oxygenxml.com/"
Consent="http://www.oxygenxml.com/">
- ID
- InResponseTo
- Version
- IssueInstant
- Destination
- Consent
Note that while EB does not use Consent from IdPs, it always sets it on a Response to an SP, with one of:
- urn:oasis:names:tc:SAML:2.0:consent:obtained if EngineBlock has obtained consent during this request
- urn:oasis:names:tc:SAML:2.0:consent:prior if the user has given consent for his data for that SP before
- urn:oasis:names:tc:SAML:2.0:consent:inapplicable when coin:no_consent_required is set for the SP in the Service Registry
<saml:Issuer NameQualifier="NameQualifier0" SPNameQualifier="SPNameQualifier0" Format="http://www.oxygenxml.com/"
SPProvidedID="SPProvidedID0">Issuer0</saml:Issuer>
We use the Issuer value to look up the settings for the IdP that sent the Response. Usage of attributes:
- NameQualifier
- SPNameQualifier
- Format
  Note: MUST always be the default (urn:oasis:names:tc:SAML:2.0:nameid-format:entity)
- SPProvidedID
<ds:Signature Id="ID001">
...
</ds:Signature>
See XML Digital Signature Support.
<samlp:Extensions>
...
</samlp:Extensions>
No extensions are supported; extensions will not be relayed to the IdP but ignored.
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success">
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder" />
</samlp:StatusCode>
<samlp:StatusMessage>StatusMessage0</samlp:StatusMessage>
<samlp:StatusDetail>
...
</samlp:StatusDetail>
</samlp:Status>
EB checks whether the top-level StatusCode Value is urn:oasis:names:tc:SAML:2.0:status:Success; if so, it ignores all other Status elements. If not, it triggers an error that the user will see, and reports both the StatusCode value (but NOT the nested codes) and the StatusMessage to administrators.
<saml:EncryptedAssertion>
...
</saml:EncryptedAssertion>
<saml:Assertion Version="2.0" ID="ID032" IssueInstant="2006-05-04T18:13:51.0Z">
Note that we DO NOT support multiple Assertions; EB ignores all but the last Assertion.
Usage of attributes:
- Version
- ID
- IssueInstant
<saml:Issuer NameQualifier="NameQualifier1" SPNameQualifier="SPNameQualifier1" Format="http://www.oxygenxml.com/"
SPProvidedID="SPProvidedID1">Issuer1</saml:Issuer>
Note that we do not use the Assertion Issuer, but assume the Response Issuer also issued the Assertion.
<ds:Signature Id="ID033">
...
</ds:Signature>
See XML Digital Signature Support.
<saml:Subject>
<saml:BaseID/>
<saml:EncryptedID/>
<saml:NameID NameQualifier="NameQualifier2" SPNameQualifier="SPNameQualifier2" Format="urn:oasis:names:tc:SAML:1.0:nameid-format:unspecified" SPProvidedID="SPProvidedID2">[email protected]</saml:NameID>
<saml:SubjectConfirmation Method="http://www.oxygenxml.com/">
<saml:BaseID xsi:type="saml:BaseIDAbstractType" NameQualifier="NameQualifier3" SPNameQualifier="SPNameQualifier3"/>
<saml:SubjectConfirmationData NotBefore="2006-05-04T18:13:51.0Z" NotOnOrAfter="2006-05-04T18:13:51.0Z" Recipient="http://www.oxygenxml.com/"
InResponseTo="InResponseTo1" Address="Address0">
<##any>
</saml:SubjectConfirmationData>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:BaseID/>
<saml:EncryptedID/>
<saml:NameID NameQualifier="NameQualifier2" SPNameQualifier="SPNameQualifier2" Format="urn:oasis:names:tc:SAML:1.0:nameid-format:unspecified" SPProvidedID="SPProvidedID2">[email protected]</saml:NameID>
We only use the NameID. However, the NameID from the IdP is NOT used.
On the NameID that EB delivers to Service Providers, the use of attributes is as follows:
- NameQualifier
- SPNameQualifier
- Format: the value depends on the NameIDPolicy; possible values are:
  - urn:oasis:names:tc:SAML:2.0:nameid-format:persistent (DEFAULT)
  - urn:oasis:names:tc:SAML:2.0:nameid-format:transient
  - urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
  - urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified (Deprecated)
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:BaseID />
<saml:EncryptedID />
<saml:NameID />
<saml:SubjectConfirmationData
NotBefore="2006-05-04T18:13:51.0Z"
NotOnOrAfter="2006-05-04T18:13:51.0Z"
Recipient="http://www.oxygenxml.com/"
InResponseTo="InResponseTo1"
Address="Address0">
<##any>
</saml:SubjectConfirmationData>
</saml:SubjectConfirmation>
We always assume the IdP is using the 'bearer' ConfirmationMethod; we do not support specifying a different Subject ID (with BaseID, EncryptedID or NameID).
Use of the SubjectConfirmationData attributes is as follows:
- NotBefore
  Note: this has been removed in the SAML2 errata
- NotOnOrAfter
  Note: we check this with a skew of an hour
- Recipient
- InResponseTo
- Address
<saml:Conditions NotBefore="2006-05-04T18:13:51.0Z" NotOnOrAfter="2006-05-04T18:13:51.0Z">
<saml:OneTimeUse/>
<saml:ProxyRestriction Count="10">
<saml:Audience>https://jira.surfconext.nl/shibboleth</saml:Audience>
</saml:ProxyRestriction>
<saml:AudienceRestriction>
<saml:Audience>https://jira.surfconext.nl/shibboleth</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
We always check NotBefore and NotOnOrAfter if present, with a skew of 1 hour.
We do not honour OneTimeUse, ProxyRestriction or AudienceRestriction.
## Advice
<saml:Advice>
...
</saml:Advice>
We do not support (and will not relay) Advice.
<saml:Statement>
...
</saml:Statement>
<saml:AuthzDecisionStatement>
...
</saml:AuthzDecisionStatement>
EB does not support Statement or AuthzDecisionStatement Statements.
<saml:AuthnStatement AuthnInstant="2006-05-04T18:13:51.0Z" SessionIndex="SessionIndex0" SessionNotOnOrAfter="2006-05-04T18:13:51.0Z">
<saml:SubjectLocality Address="Address2" DNSName="DNSName0"/>
<saml:AuthnContext>
<saml:AuthnContextClassRef>http://www.oxygenxml.com/</saml:AuthnContextClassRef>
<saml:AuthnContextDecl>
</saml:AuthnContextDecl>
<saml:AuthenticatingAuthority>http://www.oxygenxml.com/</saml:AuthenticatingAuthority>
<saml:AuthenticatingAuthority>http://www.oxygenxml.com/</saml:AuthenticatingAuthority>
</saml:AuthnContext>
</saml:AuthnStatement>
Note that all we do with the AuthnStatement is verify the SessionNotOnOrAfter if present.
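To make the Status, Assertion, Conditions, SubjectConfirmationData and AuthnStatement rules above concrete, here is an added Python example (not EngineBlock's own PHP code) that applies them to a constructed Response: only the top-level StatusCode is inspected, only the last Assertion is used, and every time bound is checked with the one-hour skew the page states. Namespaces and element names are the SAML 2.0 ones; the sample Response, its issuer and its IDs are constructed for the example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SKEW = timedelta(hours=1)  # the page states a skew of one hour for all time checks
# (path under the Assertion, lower-bound attribute or None, upper-bound attribute)
WINDOWS = [("saml:Conditions", "NotBefore", "NotOnOrAfter"),
           ("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", None, "NotOnOrAfter"),
           ("saml:AuthnStatement", None, "SessionNotOnOrAfter")]

def parse_instant(value):
    # xs:dateTime in UTC, e.g. 2006-05-04T18:13:51.0Z; fractional seconds are dropped
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def within(now, not_before, not_on_or_after):
    # Validity window with the one-hour skew applied to both bounds; None means absent.
    if not_before and now < parse_instant(not_before) - SKEW:
        return False
    if not_on_or_after and now >= parse_instant(not_on_or_after) + SKEW:
        return False
    return True

def validate(xml_text, now):
    """Return (issuer, assertion_id, problems); an empty problems list means accepted."""
    root = ET.fromstring(xml_text)
    code = root.find("samlp:Status/samlp:StatusCode", NS).get("Value")
    if code != SUCCESS:  # only the top-level code is inspected; nested codes are ignored
        msg = root.findtext("samlp:Status/samlp:StatusMessage", "", NS)
        return None, None, [f"status {code}: {msg}"]
    issuer = root.findtext("saml:Issuer", None, NS)  # Response Issuer selects the IdP settings
    assertions = root.findall("saml:Assertion", NS)
    if not assertions:
        return issuer, None, ["no Assertion"]
    a, problems = assertions[-1], []  # multiple Assertions unsupported: only the last is used
    for path, nb, noa in WINDOWS:
        el = a.find(path, NS)
        if el is not None and not within(now, nb and el.get(nb), el.get(noa)):
            problems.append(path.rsplit(":", 1)[-1])
    return issuer, a.get("ID"), problems

# Constructed sample: Success with a nested Responder code, and two Assertions.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="r1" Version="2.0">
 <saml:Issuer>https://idp.example.org</saml:Issuer><samlp:Status>
 <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success">
 <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/></samlp:StatusCode>
 </samlp:Status><saml:Assertion ID="first" Version="2.0"/><saml:Assertion ID="last" Version="2.0">
 <saml:Conditions NotBefore="2006-05-04T18:13:51.0Z" NotOnOrAfter="2006-05-04T18:18:51.0Z"/>
 <saml:AuthnStatement SessionNotOnOrAfter="2006-05-04T19:00:00Z"/></saml:Assertion></samlp:Response>"""
```

Calling `validate(SAMPLE, parse_instant("2006-05-04T18:00:00Z"))` accepts the last Assertion; at 20:00 the same Response fails both the Conditions and the session window once the skew is used up.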
<saml:AttributeStatement>
<saml:EncryptedAttribute>
...
</saml:EncryptedAttribute>
<saml:Attribute Name="Name0" NameFormat="http://www.oxygenxml.com/" FriendlyName="FriendlyName0">
<saml:AttributeValue>
</saml:AttributeValue>
<saml:AttributeValue>
</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
We do NOT support EncryptedAttribute. On Attribute elements the usage of attributes is as follows:
- Name
- NameFormat
  Note: this MUST always be urn:oasis:names:tc:SAML:2.0:attrname-format:uri
- FriendlyName
AttributeValue elements MAY contain XML, but it is recommended they do NOT contain binary data.
An example of a Response with all features: Response.xml
<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:protocol file:/Users/boy/Documents/SAML%20specs/XSDs/saml-2.0-os-xsd/saml-schema-protocol-2.0.xsd"
ID="ID000"
InResponseTo="InResponseTo0"
Version="Version0"
IssueInstant="2006-05-04T18:13:51.0Z"
Destination="http://www.oxygenxml.com/"
Consent="http://www.oxygenxml.com/">
<saml:Issuer NameQualifier="NameQualifier0" SPNameQualifier="SPNameQualifier0" Format="http://www.oxygenxml.com/"
SPProvidedID="SPProvidedID0">Issuer0</saml:Issuer>
<ds:Signature Id="ID001">
...
</ds:Signature>
<samlp:Extensions>
...
</samlp:Extensions>
<samlp:Status>
<samlp:StatusCode Value="http://www.oxygenxml.com/"></samlp:StatusCode>
<samlp:StatusMessage>StatusMessage0</samlp:StatusMessage>
<samlp:StatusDetail>
...
</samlp:StatusDetail>
</samlp:Status>
<saml:EncryptedAssertion>
...
</saml:EncryptedAssertion>
<saml:Assertion Version="Version1" ID="ID032" IssueInstant="2006-05-04T18:13:51.0Z">
<saml:Issuer NameQualifier="NameQualifier1" SPNameQualifier="SPNameQualifier1" Format="http://www.oxygenxml.com/"
SPProvidedID="SPProvidedID1">Issuer1</saml:Issuer>
<ds:Signature Id="ID033">
...
</ds:Signature>
<saml:Subject>
<saml:BaseID xsi:type="saml:BaseIDAbstractType" NameQualifier="NameQualifier2" SPNameQualifier="SPNameQualifier2"/>
<saml:SubjectConfirmation Method="http://www.oxygenxml.com/">
<saml:BaseID xsi:type="saml:BaseIDAbstractType" NameQualifier="NameQualifier3" SPNameQualifier="SPNameQualifier3"/>
<saml:SubjectConfirmationData NotBefore="2006-05-04T18:13:51.0Z" NotOnOrAfter="2006-05-04T18:13:51.0Z" Recipient="http://www.oxygenxml.com/"
InResponseTo="InResponseTo1" Address="Address0">
</saml:SubjectConfirmationData>
</saml:SubjectConfirmation>
<saml:SubjectConfirmation Method="http://www.oxygenxml.com/">
<saml:NameID NameQualifier="NameQualifier4" SPNameQualifier="SPNameQualifier4" Format="http://www.oxygenxml.com/"
SPProvidedID="SPProvidedID2">NameID0</saml:NameID>
<saml:SubjectConfirmationData NotBefore="2006-05-04T18:13:51.0Z" NotOnOrAfter="2006-05-04T18:13:51.0Z" Recipient="http://www.oxygenxml.com/"
InResponseTo="InResponseTo2" Address="Address1">
</saml:SubjectConfirmationData>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2006-05-04T18:13:51.0Z" NotOnOrAfter="2006-05-04T18:13:51.0Z">
<saml:OneTimeUse/>
<saml:Condition xsi:type="saml:AudienceRestrictionType">
<saml:Audience>http://www.oxygenxml.com/</saml:Audience>
<saml:Audience>http://www.oxygenxml.com/</saml:Audience>
</saml:Condition>
</saml:Conditions>
<saml:Advice>
...
</saml:Advice>
<saml:AttributeStatement>
<saml:EncryptedAttribute>
...
</saml:EncryptedAttribute>
<saml:Attribute Name="Name0" NameFormat="http://www.oxygenxml.com/" FriendlyName="FriendlyName0">
<saml:AttributeValue>
</saml:AttributeValue>
<saml:AttributeValue>
</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
<saml:Statement>
...
</saml:Statement>
</saml:Assertion>
</samlp:Response>