Feature #9607

open

Add SAML 2.0 support in Lavoisier

Added by L'Orphelin Cyril about 7 years ago. Updated about 7 years ago.

Status: New
Priority: Normal
Assigned To: -
Category: Adaptors
Target version: -
Start date: 04/01/2015
Due date:
% Done: 0%
Estimated time:
Description

- at least for the EGI SSO system and eduGAIN

#1

Updated by L'Orphelin Cyril about 7 years ago

Develop SAML authenticator

#2

Updated by Schwarz Lionel about 7 years ago

  • Category set to Adaptors

Implement a ServiceProvider in SAML2 authenticator in redirect mode or XHTML POST mode

Redirect mode

XHTML POST mode

  • browser requests Lavoisier https://lavoisierHost/lavoisier/view
  • Lavoisier sends back 200 with XHTML POST:
      <form method="post" action="https://identityProvider/SAML2/SSO/POST" ...>
        <input type="hidden" name="SAMLRequest" value="request" />
        <input type="hidden" name="RelayState" value="token" />
        ...
        <input type="submit" value="Submit" />
      </form>
    where request is the base64 of <samlp:AuthnRequest> (see above)
  • browser requests https://identityProvider/SAML2/SSO/POST:
      POST /SAML2/SSO/POST HTTP/1.1
      Host: identityProvider
      Content-Type: application/x-www-form-urlencoded
      Content-Length: nnn

      SAMLRequest=request&RelayState=ViewURL
  • User authenticates
  • IdentityProvider sends back 200 with XHTML POST:
      <form method="post" action="https://lavoisierHost/SAML2/SSO/POST" ...>
        <input type="hidden" name="SAMLResponse" value="response" />
        <input type="hidden" name="RelayState" value="token" />
        ...
        <input type="submit" value="Submit" />
      </form>
    where response is the base64 of <samlp:AuthnResponse> (see above)
  • browser requests https://lavoisierHost/SAML2/SSO/POST:
      POST /SAML2/SSO/POST HTTP/1.1
      Host: lavoisierHost
      Content-Type: application/x-www-form-urlencoded
      Content-Length: nnn

      SAMLResponse=response&RelayState=ViewURL
  • Lavoisier processes the response and internally routes to ViewURL

Note: to make the browser automatically POST to the IdentityProvider, include the following JavaScript in the XHTML:

window.onload = function () { document.forms[0].submit(); }

Note 2: This mode allows sending/receiving larger messages than redirect mode, but it requires the authenticator to send data (the POST form) along with the 200 code. We should probably modify the interfaces.
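A minimal ServiceProvider-side sketch of the XHTML POST exchange above (an added example, not Lavoisier code): it builds the auto-submitting form with an opaque RelayState token kept server-side instead of the raw ViewURL, then decodes the browser's POST back to /SAML2/SSO/POST and checks InResponseTo and the status code before routing to the stored view URL. Element names follow SAML 2.0 (the IdP reply is a samlp:Response); the IdP URL, IDs and messages are constructed, and verifying the XML signature on the Response is assumed to happen elsewhere.

```python
import base64
import html
import secrets
import urllib.parse
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Constructed minimal messages (real ones carry Issuer, Destination, a signed Assertion, ...)
SAMPLE_AUTHN_REQUEST = ('<samlp:AuthnRequest xmlns:samlp="%s" ID="_req1" Version="2.0" '
                        'IssueInstant="2015-04-01T00:00:00Z"/>' % SAMLP)
SAMPLE_SAML_RESPONSE = ('<samlp:Response xmlns:samlp="%s" ID="_resp1" InResponseTo="_req1" '
                        'Version="2.0"><samlp:Status><samlp:StatusCode Value="%s"/>'
                        '</samlp:Status></samlp:Response>' % (SAMLP, SUCCESS))
PENDING = {}  # RelayState token -> (AuthnRequest ID, view URL the browser originally asked for)

def build_post_form(idp_sso_url, authn_request_xml, view_url):
    """XHTML POST form Lavoisier returns with the 200, plus the auto-submit script.
    RelayState is a one-time opaque token mapped server-side to the view URL, so the
    value echoed back by the browser cannot steer where Lavoisier routes after login."""
    token = secrets.token_urlsafe(16)
    PENDING[token] = (ET.fromstring(authn_request_xml).get("ID"), view_url)
    saml_request = base64.b64encode(authn_request_xml.encode()).decode()
    return ('<form method="post" action="%s">'
            '<input type="hidden" name="SAMLRequest" value="%s"/>'
            '<input type="hidden" name="RelayState" value="%s"/>'
            '<input type="submit" value="Submit"/></form>'
            '<script>window.onload = function () { document.forms[0].submit(); }</script>'
            % tuple(html.escape(v, quote=True) for v in (idp_sso_url, saml_request, token)))

def encode_idp_post(saml_response_xml, relay_state):
    """Body of the browser's POST to /SAML2/SSO/POST, as the IdP's form would produce it."""
    return urllib.parse.urlencode({"SAMLResponse": base64.b64encode(saml_response_xml.encode()).decode(),
                                   "RelayState": relay_state})

def route_saml_response(post_body):
    """Decode the posted SAMLResponse and return the view URL to route to internally.
    Assumes the caller has already verified the XML signature on the Response (not shown)."""
    params = urllib.parse.parse_qs(post_body, strict_parsing=True)
    req_id, view_url = PENDING.pop(params["RelayState"][0])  # KeyError on unknown/replayed token
    root = ET.fromstring(base64.b64decode(params["SAMLResponse"][0], validate=True))
    if root.tag != "{%s}Response" % SAMLP:
        raise ValueError("expected samlp:Response")
    if root.get("InResponseTo") != req_id:
        raise ValueError("InResponseTo does not match the pending AuthnRequest")
    code = root.find("{%s}Status/{%s}StatusCode" % (SAMLP, SAMLP))
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP did not report Success")
    return view_url
```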
