
SAML2 Response Processing

Thijs Kinkhorst edited this page Mar 31, 2021 · 2 revisions

Response message processing describes how EngineBlock processes a Response it receives from an Identity Provider.

Response

<samlp:Response
 ID="ID000"
 InResponseTo="InResponseTo0"
 Version="Version0"
 IssueInstant="2006-05-04T18:13:51.0Z"
 Destination="http://www.oxygenxml.com/"
 Consent="http://www.oxygenxml.com/">
  • ID
  • InResponseTo
  • Version
  • IssueInstant
  • Destination
  • Consent

Note that while EB doesn't use the Consent attribute it receives from IdPs, it always sets Consent on the Response it sends to an SP, to one of:

  • urn:oasis:names:tc:SAML:2.0:consent:obtained if EngineBlock has obtained consent during this request
  • urn:oasis:names:tc:SAML:2.0:consent:prior if the user has given consent for their data for that SP before
  • urn:oasis:names:tc:SAML:2.0:consent:inapplicable when coin:no_consent_required is set for the SP in the Service Registry

Issuer

<saml:Issuer NameQualifier="NameQualifier0" SPNameQualifier="SPNameQualifier0" Format="http://www.oxygenxml.com/"
     SPProvidedID="SPProvidedID0">Issuer0</saml:Issuer>

We use the Issuer value to look up the settings for the IdP that sent the Response. Usage of attributes:

  • NameQualifier
  • SPNameQualifier
  • Format Note: MUST always be the default (urn:oasis:names:tc:SAML:2.0:nameid-format:entity)
  • SPProvidedID

Signature

<ds:Signature Id="ID001">
    ...
</ds:Signature>

See XML Digital Signature Support.

Extensions

<samlp:Extensions>
    ...
</samlp:Extensions>

No extensions are supported; extensions are ignored and not relayed to the IdP.

Status

<samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success">
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder" />
    </samlp:StatusCode>
    <samlp:StatusMessage>StatusMessage0</samlp:StatusMessage>
    <samlp:StatusDetail>
       ...
    </samlp:StatusDetail>
</samlp:Status>

EB checks whether the top-level StatusCode Value is urn:oasis:names:tc:SAML:2.0:status:Success; if so, it ignores all other Status elements. If not, it triggers an error that the user will see, and reports both the top-level StatusCode Value (but NOT the nested codes) and the StatusMessage to administrators.
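As an added illustration (not EngineBlock's own code, and not taken from this page's Response.xml), the Status rule above in Python using the standard library XML parser: only the top-level StatusCode decides the outcome, and on failure only that code and the StatusMessage are surfaced, never the nested codes. The two Responses are constructed samples; `process_status` and `StatusResult` are names chosen for this example.

```python
import xml.etree.ElementTree as ET
from typing import NamedTuple, Optional

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


class StatusResult(NamedTuple):
    success: bool
    code: Optional[str]      # top-level StatusCode Value only; nested codes are deliberately not surfaced
    message: Optional[str]   # StatusMessage text, reported to administrators on failure


def process_status(response_xml: str) -> StatusResult:
    """Apply the Status rule: the top-level StatusCode alone decides success."""
    root = ET.fromstring(response_xml)
    status = root.find("samlp:Status", NS)
    if status is None:
        return StatusResult(False, None, "Response carries no Status element")
    top_code = status.find("samlp:StatusCode", NS)
    code = top_code.get("Value") if top_code is not None else None
    if code == STATUS_SUCCESS:
        # Success: StatusMessage, StatusDetail and any nested StatusCode are ignored.
        return StatusResult(True, code, None)
    # Failure: report the top-level code and the StatusMessage, nothing from nested codes.
    message_el = status.find("samlp:StatusMessage", NS)
    message = message_el.text.strip() if message_el is not None and message_el.text else None
    return StatusResult(False, code, message)


# Constructed sample Responses (not the page's Response.xml); only the Status part matters here.
SUCCESS_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  ID="_constructed1" Version="2.0" IssueInstant="2021-03-31T12:00:00Z">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    <samlp:StatusMessage>ignored on success</samlp:StatusMessage>
  </samlp:Status>
</samlp:Response>"""

FAILED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  ID="_constructed2" Version="2.0" IssueInstant="2021-03-31T12:00:00Z">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"/>
    </samlp:StatusCode>
    <samlp:StatusMessage>User cancelled authentication</samlp:StatusMessage>
  </samlp:Status>
</samlp:Response>"""

if __name__ == "__main__":
    print(process_status(SUCCESS_RESPONSE))
    print(process_status(FAILED_RESPONSE))
```

The standard library parser is used here for portability; the signature verification this page defers to XML Digital Signature Support has to happen before any of these values are trusted, since an unsigned Status says nothing reliable about who produced it.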

EncryptedAssertion

<saml:EncryptedAssertion>
   ...
</saml:EncryptedAssertion>

See XML Encryption Support.

Assertion

<saml:Assertion Version="2.0" ID="ID032" IssueInstant="2006-05-04T18:13:51.0Z">

Note that we DO NOT support multiple Assertions; EB will ignore all but the last Assertion.

Usage of attributes:

  • Version
  • ID
  • IssueInstant

Assertion Issuer

<saml:Issuer NameQualifier="NameQualifier1" SPNameQualifier="SPNameQualifier1" Format="http://www.oxygenxml.com/"
     SPProvidedID="SPProvidedID1">Issuer1</saml:Issuer>

Note that we do not use the Assertion Issuer, but assume the Response Issuer also issued the Assertion.

Signature

<ds:Signature Id="ID033">
    ...
</ds:Signature>

See XML Digital Signature Support.

Subject

<saml:Subject>
    <saml:BaseID/>
    <saml:EncryptedID/>
    <saml:NameID NameQualifier="NameQualifier2" SPNameQualifier="SPNameQualifier2" Format="urn:oasis:names:tc:SAML:1.0:nameid-format:unspecified" SPProvidedID="SPProvidedID2">[email protected]</saml:NameID>
    <saml:SubjectConfirmation Method="http://www.oxygenxml.com/">
        <saml:BaseID xsi:type="saml:BaseIDAbstractType" NameQualifier="NameQualifier3" SPNameQualifier="SPNameQualifier3"/>
        <saml:SubjectConfirmationData NotBefore="2006-05-04T18:13:51.0Z" NotOnOrAfter="2006-05-04T18:13:51.0Z" Recipient="http://www.oxygenxml.com/"
             InResponseTo="InResponseTo1" Address="Address0">
             <##any>
        </saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
</saml:Subject>

BaseID, EncryptedID, NameID

<saml:BaseID/>
<saml:EncryptedID/>
<saml:NameID NameQualifier="NameQualifier2" SPNameQualifier="SPNameQualifier2" Format="urn:oasis:names:tc:SAML:1.0:nameid-format:unspecified" SPProvidedID="SPProvidedID2">[email protected]</saml:NameID>

We only look at the NameID element (BaseID and EncryptedID are not supported). However, even the NameID value sent by the IdP is NOT used.

On the NameID that EB delivers to Service Providers, the attributes are used as follows:

  • NameQualifier
  • SPNameQualifier
  • NameQualifier
  • Format Value depends on the NameIDPolicy; possible values:
      • urn:oasis:names:tc:SAML:2.0:nameid-format:persistent (DEFAULT)
      • urn:oasis:names:tc:SAML:2.0:nameid-format:transient
      • urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
      • urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified (Deprecated)

SubjectConfirmation

<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:BaseID />
    <saml:EncryptedID />
    <saml:NameID />
    <saml:SubjectConfirmationData
      NotBefore="2006-05-04T18:13:51.0Z"
      NotOnOrAfter="2006-05-04T18:13:51.0Z"
      Recipient="http://www.oxygenxml.com/"
      InResponseTo="InResponseTo1"
      Address="Address0">
         <##any>
    </saml:SubjectConfirmationData>
</saml:SubjectConfirmation>

We always assume the IdP uses the 'bearer' ConfirmationMethod; specifying a different Subject ID (with BaseID, EncryptedID or NameID) is not supported. The SubjectConfirmationData attributes are used as follows:

  • NotBefore Note: this has been removed in the SAML2 errata
  • NotOnOrAfter Note: we check this with a skew of an hour
  • Recipient
  • InResponseTo
  • Address

Conditions

<saml:Conditions NotBefore="2006-05-04T18:13:51.0Z" NotOnOrAfter="2006-05-04T18:13:51.0Z">
    <saml:OneTimeUse/>
    <saml:ProxyRestriction Count="10">
        <saml:Audience>https://jira.surfconext.nl/shibboleth</saml:Audience>
    </saml:ProxyRestriction>
    <saml:AudienceRestriction>
        <saml:Audience>https://jira.surfconext.nl/shibboleth</saml:Audience>
    </saml:AudienceRestriction>
</saml:Conditions>

We always check NotBefore and NotOnOrAfter if present, with a skew of 1 hour. We do not honour OneTimeUse, ProxyRestriction or AudienceRestriction.

Advice

<saml:Advice>
    ...
</saml:Advice>

We do not support (and will not relay) Advice.

Statements

<saml:Statement>
    ...
</saml:Statement>
<saml:AuthzDecisionStatement>
    ...
</saml:AuthzDecisionStatement>

EB does not support the generic Statement or AuthzDecisionStatement elements.

AuthnStatement

<saml:AuthnStatement AuthnInstant="2006-05-04T18:13:51.0Z" SessionIndex="SessionIndex0" SessionNotOnOrAfter="2006-05-04T18:13:51.0Z">
    <saml:SubjectLocality Address="Address2" DNSName="DNSName0"/>
    <saml:AuthnContext>
        <saml:AuthnContextClassRef>http://www.oxygenxml.com/</saml:AuthnContextClassRef>
        <saml:AuthnContextDecl>
        </saml:AuthnContextDecl>
        <saml:AuthenticatingAuthority>http://www.oxygenxml.com/</saml:AuthenticatingAuthority>
        <saml:AuthenticatingAuthority>http://www.oxygenxml.com/</saml:AuthenticatingAuthority>
    </saml:AuthnContext>
</saml:AuthnStatement>

Note that all we do with the AuthnStatement is verify the SessionNotOnOrAfter if present.
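The time checks described in the SubjectConfirmation, Conditions and AuthnStatement sections above share one rule: a bound is only enforced once it is violated by more than the one-hour skew. This added Python example (not EngineBlock's own code) applies them together to the last Assertion of a constructed Response, the way the page says EB selects it; `parse_instant`, `validate_assertion_times`, the `CLOCK_SKEW` constant and the sample entity IDs are choices made for this example.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import List, Optional

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
CLOCK_SKEW = timedelta(hours=1)  # the one-hour skew this page says EB tolerates

_INSTANT = re.compile(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.\d+)?Z")


def parse_instant(value: str) -> datetime:
    """Parse a SAML dateTime such as 2006-05-04T18:13:51.0Z (UTC, optional fractional seconds)."""
    m = _INSTANT.fullmatch(value)
    if m is None:
        raise ValueError(f"unsupported dateTime: {value!r}")
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def _check_not_before(value: Optional[str], now: datetime, where: str, errors: List[str]) -> None:
    # Reject only if the instant is still more than CLOCK_SKEW in the future.
    if value is not None and now + CLOCK_SKEW < parse_instant(value):
        errors.append(f"{where}: NotBefore {value} not yet reached")


def _check_not_on_or_after(value: Optional[str], now: datetime, where: str, errors: List[str]) -> None:
    # Reject only once the instant lies more than CLOCK_SKEW in the past.
    if value is not None and now - CLOCK_SKEW >= parse_instant(value):
        errors.append(f"{where}: {value} has passed")


def validate_assertion_times(response_xml: str, now: datetime) -> List[str]:
    """Return the time-validity failures for the Assertion EB would act on (empty list = valid)."""
    root = ET.fromstring(response_xml)
    assertions = root.findall("saml:Assertion", NS)
    if not assertions:
        return ["Response contains no Assertion"]
    assertion = assertions[-1]  # EB ignores all but the last Assertion
    errors: List[str] = []

    # SubjectConfirmationData: only NotOnOrAfter (NotBefore was removed by the SAML2 errata).
    for scd in assertion.findall("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS):
        _check_not_on_or_after(scd.get("NotOnOrAfter"), now, "SubjectConfirmationData", errors)

    # Conditions: both bounds when present; OneTimeUse, ProxyRestriction and AudienceRestriction are not evaluated.
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is not None:
        _check_not_before(conditions.get("NotBefore"), now, "Conditions", errors)
        _check_not_on_or_after(conditions.get("NotOnOrAfter"), now, "Conditions", errors)

    # AuthnStatement: the only thing checked is SessionNotOnOrAfter.
    for authn in assertion.findall("saml:AuthnStatement", NS):
        _check_not_on_or_after(authn.get("SessionNotOnOrAfter"), now, "AuthnStatement SessionNotOnOrAfter", errors)
    return errors


# Constructed sample: two Assertions, the first long expired. Only the last one is evaluated.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2021-03-31T12:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion Version="2.0" ID="_first" IssueInstant="2021-03-31T10:00:00Z">
    <saml:Issuer>https://idp.example.org</saml:Issuer>
    <saml:Conditions NotBefore="2021-03-31T09:55:00Z" NotOnOrAfter="2021-03-31T11:00:00Z"/>
  </saml:Assertion>
  <saml:Assertion Version="2.0" ID="_last" IssueInstant="2021-03-31T12:00:00Z">
    <saml:Issuer>https://idp.example.org</saml:Issuer>
    <saml:Subject>
      <saml:NameID>constructed-subject</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2021-03-31T12:05:00Z"
            Recipient="https://engine.example.org/acs" InResponseTo="_request"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2021-03-31T11:55:00.0Z" NotOnOrAfter="2021-03-31T12:05:00.0Z">
      <saml:AudienceRestriction><saml:Audience>https://engine.example.org</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2021-03-31T12:00:00Z" SessionNotOnOrAfter="2021-03-31T20:00:00Z"/>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    for clock in ("2021-03-31T12:00:00Z", "2021-03-31T13:05:00Z", "2021-03-31T21:00:00Z"):
        print(clock, validate_assertion_times(SAMPLE_RESPONSE, parse_instant(clock)))
```

Running it with the clock at 12:00 reports nothing even though the first Assertion expired at 11:00, because only the last one is evaluated; at 13:05 the two NotOnOrAfter bounds of 12:05 are exactly one hour in the past and are rejected, while the session bound of 20:00 is still honoured until 21:00.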

AttributeStatement

<saml:AttributeStatement>
    <saml:EncryptedAttribute>
        ...
    </saml:EncryptedAttribute>
    <saml:Attribute Name="Name0" NameFormat="http://www.oxygenxml.com/" FriendlyName="FriendlyName0">
        <saml:AttributeValue>
        </saml:AttributeValue>
        <saml:AttributeValue>
        </saml:AttributeValue>
    </saml:Attribute>
</saml:AttributeStatement>

We do NOT support EncryptedAttribute. On Attribute elements the usage of attributes is as follows:

  • Name
  • NameFormat Note: this MUST always be urn:oasis:names:tc:SAML:2.0:attrname-format:uri
  • FriendlyName

AttributeValue elements MAY contain XML, but it is recommended they do NOT contain binary data.
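An added example (not EngineBlock's own code) of collecting attributes from the last Assertion under the rules of this section: EncryptedAttribute is refused, a NameFormat other than the uri format is refused, multi-valued attributes keep every AttributeValue, and an AttributeValue that carries XML is kept as serialised markup rather than silently flattened. The attribute names `urn:mace:dir:attribute-def:mail` and `urn:mace:dir:attribute-def:eduPersonAffiliation` are standard MACE names; `urn:example:constructed:structured`, the entity IDs, the values and the function names are constructed for this example.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ATTRNAME_FORMAT_URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"


def extract_attributes(response_xml: str) -> Dict[str, List[str]]:
    """Collect Name -> values from the last Assertion's AttributeStatement(s); raise ValueError on unsupported input."""
    root = ET.fromstring(response_xml)
    assertions = root.findall("saml:Assertion", NS)
    if not assertions:
        raise ValueError("Response contains no Assertion")
    assertion = assertions[-1]  # EB ignores all but the last Assertion
    attributes: Dict[str, List[str]] = {}
    for statement in assertion.findall("saml:AttributeStatement", NS):
        if statement.find("saml:EncryptedAttribute", NS) is not None:
            raise ValueError("EncryptedAttribute is not supported")
        for attribute in statement.findall("saml:Attribute", NS):
            name = attribute.get("Name")
            name_format = attribute.get("NameFormat")
            if name_format != ATTRNAME_FORMAT_URI:
                raise ValueError(f"attribute {name!r} uses NameFormat {name_format!r}; {ATTRNAME_FORMAT_URI} is required")
            values = attributes.setdefault(name, [])
            for value_el in attribute.findall("saml:AttributeValue", NS):
                if len(value_el):
                    # AttributeValue MAY contain XML: keep the inner markup serialised as text.
                    values.append("".join(ET.tostring(child, encoding="unicode") for child in value_el).strip())
                else:
                    values.append((value_el.text or "").strip())
    return attributes


def is_accepted(response_xml: str) -> bool:
    """True when the AttributeStatement passes the rules above, False when it would be rejected."""
    try:
        extract_attributes(response_xml)
        return True
    except ValueError:
        return False


# Constructed sample Response (not the page's Response.xml).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" Version="2.0"
    IssueInstant="2021-03-31T12:00:00Z">
  <saml:Assertion Version="2.0" ID="_a" IssueInstant="2021-03-31T12:00:00Z">
    <saml:Issuer>https://idp.example.org</saml:Issuer>
    <saml:AttributeStatement>
      <saml:Attribute Name="urn:mace:dir:attribute-def:mail"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="mail">
        <saml:AttributeValue>user@example.org</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="urn:mace:dir:attribute-def:eduPersonAffiliation"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>student</saml:AttributeValue>
        <saml:AttributeValue>member</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="urn:example:constructed:structured"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue><address><city>Utrecht</city></address></saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Same Response with the basic NameFormat on one attribute, and with an EncryptedAttribute (both constructed).
BAD_NAMEFORMAT_RESPONSE = SAMPLE_RESPONSE.replace(
    'NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="mail"',
    'NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="mail"')
ENCRYPTED_RESPONSE = SAMPLE_RESPONSE.replace(
    "<saml:AttributeStatement>", "<saml:AttributeStatement><saml:EncryptedAttribute/>")

if __name__ == "__main__":
    print(extract_attributes(SAMPLE_RESPONSE))
    print(is_accepted(BAD_NAMEFORMAT_RESPONSE), is_accepted(ENCRYPTED_RESPONSE))
```

Rejecting the whole statement on a wrong NameFormat, rather than skipping the offending attribute, matches the MUST in the list above and avoids an SP receiving a partial attribute set without any indication that something was dropped.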

Full example

An example of a Response with all features: Response.xml

<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:protocol file:/Users/boy/Documents/SAML%20specs/XSDs/saml-2.0-os-xsd/saml-schema-protocol-2.0.xsd"
 ID="ID000"
 InResponseTo="InResponseTo0"
 Version="Version0"
 IssueInstant="2006-05-04T18:13:51.0Z"
 Destination="http://www.oxygenxml.com/"
 Consent="http://www.oxygenxml.com/">
    <saml:Issuer NameQualifier="NameQualifier0" SPNameQualifier="SPNameQualifier0" Format="http://www.oxygenxml.com/"
         SPProvidedID="SPProvidedID0">Issuer0</saml:Issuer>
    <ds:Signature Id="ID001">
        ...
    </ds:Signature>
    <samlp:Extensions>
        ...
    </samlp:Extensions>
    <samlp:Status>
        <samlp:StatusCode Value="http://www.oxygenxml.com/"></samlp:StatusCode>
        <samlp:StatusMessage>StatusMessage0</samlp:StatusMessage>
        <samlp:StatusDetail>
           ...
        </samlp:StatusDetail>
    </samlp:Status>
    <saml:EncryptedAssertion>
       ...
    </saml:EncryptedAssertion>
    <saml:Assertion Version="Version1" ID="ID032" IssueInstant="2006-05-04T18:13:51.0Z">
        <saml:Issuer NameQualifier="NameQualifier1" SPNameQualifier="SPNameQualifier1" Format="http://www.oxygenxml.com/"
             SPProvidedID="SPProvidedID1">Issuer1</saml:Issuer>
        <ds:Signature Id="ID033">
            ...
        </ds:Signature>
        <saml:Subject>
            <saml:BaseID xsi:type="saml:BaseIDAbstractType" NameQualifier="NameQualifier2" SPNameQualifier="SPNameQualifier2"/>
            <saml:SubjectConfirmation Method="http://www.oxygenxml.com/">
                <saml:BaseID xsi:type="saml:BaseIDAbstractType" NameQualifier="NameQualifier3" SPNameQualifier="SPNameQualifier3"/>
                <saml:SubjectConfirmationData NotBefore="2006-05-04T18:13:51.0Z" NotOnOrAfter="2006-05-04T18:13:51.0Z" Recipient="http://www.oxygenxml.com/"
                     InResponseTo="InResponseTo1" Address="Address0">
                </saml:SubjectConfirmationData>
            </saml:SubjectConfirmation>
            <saml:SubjectConfirmation Method="http://www.oxygenxml.com/">
                <saml:NameID NameQualifier="NameQualifier4" SPNameQualifier="SPNameQualifier4" Format="http://www.oxygenxml.com/"
                     SPProvidedID="SPProvidedID2">NameID0</saml:NameID>
                <saml:SubjectConfirmationData NotBefore="2006-05-04T18:13:51.0Z" NotOnOrAfter="2006-05-04T18:13:51.0Z" Recipient="http://www.oxygenxml.com/"
                     InResponseTo="InResponseTo2" Address="Address1">
                </saml:SubjectConfirmationData>
            </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions NotBefore="2006-05-04T18:13:51.0Z" NotOnOrAfter="2006-05-04T18:13:51.0Z">
            <saml:OneTimeUse/>
            <saml:Condition xsi:type="saml:AudienceRestrictionType">
                <saml:Audience>http://www.oxygenxml.com/</saml:Audience>
                <saml:Audience>http://www.oxygenxml.com/</saml:Audience>
            </saml:Condition>
        </saml:Conditions>
        <saml:Advice>
            ...
        </saml:Advice>
        <saml:AttributeStatement>
            <saml:EncryptedAttribute>
                ...
            </saml:EncryptedAttribute>
            <saml:Attribute Name="Name0" NameFormat="http://www.oxygenxml.com/" FriendlyName="FriendlyName0">
                <saml:AttributeValue>
                </saml:AttributeValue>
                <saml:AttributeValue>
                </saml:AttributeValue>
            </saml:Attribute>
        </saml:AttributeStatement>
        <saml:Statement>
            ...
        </saml:Statement>
    </saml:Assertion>
</samlp:Response>