Feature #9607
Add SAML 2.0 support in Lavoisier
Status: New
Priority: Normal
Assigned To: -
Category: Adaptors
Target version: -
Start date: 04/01/2015
Due date:
% Done: 0%
Estimated time:
Description
- at least for EGI SSO system and EduGain
Updated by Schwarz Lionel over 9 years ago
- Category set to Adaptors
Implement a ServiceProvider in the SAML2 authenticator, in redirect mode or in XHTML POST mode.
Redirect mode
- browser requests Lavoisier at https://lavoisierHost/lavoisier/view
- Lavoisier sends back a 302 redirect to https://identityProvider/SAML2/SSO/Redirect?SAMLRequest=<base64>&RelayState=ViewURL, where <base64> is the base64 encoding of:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="identifier_1" Version="2.0" IssueInstant="2004-12-05T09:21:59"
    AssertionConsumerServiceIndex="0">
  <saml:Issuer>https://identityProvider/SAML2</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
</samlp:AuthnRequest>
- browser requests https://identityProvider/SAML2/SSO/Redirect?SAMLRequest=<base64>&RelayState=ViewURL
- user authenticates
- IdentityProvider sends back a 302 redirect to the Lavoisier ServiceProvider: https://lavoisierHost/SAML2/SSO/Redirect?SAMLResponse=<base64>&RelayState=ViewURL, where <base64> is the base64 encoding of:
<samlp:Response>
  <saml:Issuer>https://identityProvider/SAML2</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">
        3f7b3dcf-1674-4ecd-92c8-1544f346baf8
      </saml:NameID>
      ...
    </saml:Subject>
    ...
  </saml:Assertion>
</samlp:Response>
- browser requests https://lavoisierHost/SAML2/SSO/Redirect?SAMLResponse=<base64>&RelayState=ViewURL
- Lavoisier processes the response and internally routes to ViewURL
XHTML POST mode
- browser requests Lavoisier at https://lavoisierHost/lavoisier/view
- Lavoisier sends back a 200 whose body is an XHTML POST form:
<form method="post" action="https://identityProvider/SAML2/SSO/POST" ...>
  <input type="hidden" name="SAMLRequest" value="request" />
  <input type="hidden" name="RelayState" value="token" />
  ...
  <input type="submit" value="Submit" />
</form>
where 'request' is the <base64> of <samlp:AuthnRequest> (see above)
- browser requests https://identityProvider/SAML2/SSO/POST:
POST /SAML2/SSO/POST HTTP/1.1
Host: identityProvider
Content-Type: application/x-www-form-urlencoded
Content-Length: nnn

SAMLRequest=request&RelayState=ViewURL
- user authenticates
- IdentityProvider sends back a 200 whose body is an XHTML POST form:
<form method="post" action="https://lavoisierHost/SAML2/SSO/POST" ...>
  <input type="hidden" name="SAMLResponse" value="response" />
  <input type="hidden" name="RelayState" value="token" />
  ...
  <input type="submit" value="Submit" />
</form>
where 'response' is the <base64> of <samlp:Response> (see above)
- browser requests https://lavoisierHost/SAML2/SSO/POST:
POST /SAML2/SSO/POST HTTP/1.1
Host: lavoisierHost
Content-Type: application/x-www-form-urlencoded
Content-Length: nnn

SAMLResponse=response&RelayState=ViewURL
- Lavoisier processes the response and internally routes to ViewURL
Note: to make the browser POST to the IdentityProvider automatically, include the following JavaScript in the XHTML:
window.onload = function () { document.forms[0].submit(); }
Note2: this mode allows larger messages to be sent and received than the redirect mode, but it requires the authenticator to return data (the POST form) along with the 200 status code. We should probably modify the interfaces.
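Added example covering both the redirect-mode and the POST-mode exchanges above, written in Python; it is not Lavoisier's code. It shows the ServiceProvider side only: building the AuthnRequest, wrapping it for each binding (raw DEFLATE + base64 + URL-encoding for the Redirect binding, plain base64 in an auto-submitted form for the POST binding), and the checks an SP should make on the returned Response before routing to the view (InResponseTo matches an outstanding request and is consumed once, Issuer is the configured IdP, Status is Success, exactly one assertion inside its validity window). The hostnames, entity IDs, the IdP response and the rule that RelayState must be a local view path are all assumptions of the example; XML-signature verification is assumed to be done by a SAML library before parse_response() is called. Note that in an AuthnRequest the Issuer element names the requester, so the example uses the SP entity ID there.

```python
"""Added example: SP-side handling of the Redirect and POST bindings (not Lavoisier code).
Hostnames, entity IDs and the IdP response are constructed placeholders; XML-signature
verification is assumed to be done by a SAML library before parse_response() (not shown)."""
import base64, html, secrets, urllib.parse, zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
TS = "%Y-%m-%dT%H:%M:%SZ"
SP_ENTITY_ID = "https://lavoisierHost/SAML2"        # constructed placeholder
IDP_ENTITY_ID = "https://identityProvider/SAML2"     # placeholder taken from the issue text
IDP_SSO = "https://identityProvider/SAML2/SSO/"      # + "Redirect" or "POST"
PENDING = {}   # request IDs issued but not yet answered (a shared store in production)

def build_authn_request(now):
    """Return (ID, xml bytes). Issuer is the SP: it names the requester, not the IdP."""
    req_id = "_" + secrets.token_hex(16)             # an xsd:ID may not start with a digit
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{req_id}" '
           f'Version="2.0" IssueInstant="{now.strftime(TS)}" AssertionConsumerServiceIndex="0">'
           f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>'
           '<samlp:NameIDPolicy AllowCreate="true" '
           'Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/></samlp:AuthnRequest>')
    PENDING[req_id] = now
    return req_id, xml.encode()

def redirect_binding_url(xml_bytes, relay_state):
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode into the query string."""
    z = zlib.compressobj(9, zlib.DEFLATED, -15)      # -15: raw deflate, no zlib header
    b64 = base64.b64encode(z.compress(xml_bytes) + z.flush()).decode()
    return IDP_SSO + "Redirect?" + urllib.parse.urlencode(
        {"SAMLRequest": b64, "RelayState": relay_state})

def post_binding_form(xml_bytes, relay_state):
    """HTTP-POST binding: plain base64 in a hidden field, sent as the body of the 200.
    Values are HTML-escaped so a crafted RelayState cannot break out of the attribute."""
    b64 = base64.b64encode(xml_bytes).decode()
    return (f'<form method="post" action="{IDP_SSO}POST">'
            f'<input type="hidden" name="SAMLRequest" value="{html.escape(b64)}"/>'
            f'<input type="hidden" name="RelayState" value="{html.escape(relay_state)}"/>'
            '<input type="submit" value="Submit"/></form>'
            '<script>window.onload = function () { document.forms[0].submit(); }</script>')

def parse_response(b64, relay_state, now, deflated):
    """Checks the SP must make before trusting a Response; returns (NameID, local route).
    deflated=True for the Redirect binding, False for the POST binding."""
    raw = base64.b64decode(b64)
    root = ET.fromstring(zlib.decompress(raw, -15) if deflated else raw)
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a samlp:Response")
    # The response must answer a request we issued, and each request ID is consumed once.
    if PENDING.pop(root.get("InResponseTo"), None) is None:
        raise ValueError("unsolicited or replayed response")
    if root.findtext(f"{{{SAML}}}Issuer") != IDP_ENTITY_ID:
        raise ValueError("issuer is not the configured IdP")
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP reported a non-Success status")
    assertions = root.findall(f"{{{SAML}}}Assertion")
    if len(assertions) != 1:
        raise ValueError("expected exactly one assertion")
    cond = assertions[0].find(f"{{{SAML}}}Conditions")
    if cond is not None:
        ts = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if (nb and now < ts(nb)) or (noa and now >= ts(noa)):
            raise ValueError("assertion outside its validity window")
    # RelayState is only a routing hint: accept a local view path, never an absolute URL
    # (assumption of this example; otherwise the ACS endpoint becomes an open redirector).
    if not relay_state.startswith("/") or relay_state.startswith("//"):
        raise ValueError("RelayState must be a local path")
    return assertions[0].findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID").strip(), relay_state

def constructed_idp_response(in_response_to, now):
    """Stand-in for the IdP's Response (constructed, unsigned, for this demo only)."""
    nb, noa = (now - timedelta(minutes=1)).strftime(TS), (now + timedelta(minutes=5)).strftime(TS)
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0" '
            f'IssueInstant="{now.strftime(TS)}" InResponseTo="{in_response_to}">'
            f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
            f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
            f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="{now.strftime(TS)}">'
            f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer><saml:Subject>'
            '<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">'
            '3f7b3dcf-1674-4ecd-92c8-1544f346baf8</saml:NameID></saml:Subject>'
            f'<saml:Conditions NotBefore="{nb}" NotOnOrAfter="{noa}"/></saml:Assertion></samlp:Response>').encode()

def demo(binding):
    """One round trip for binding 'Redirect' or 'POST'; returns (NameID, route)."""
    now = datetime.now(timezone.utc)
    req_id, xml = build_authn_request(now)
    resp = constructed_idp_response(req_id, now)
    if binding == "Redirect":                        # the Redirect binding deflates the Response too
        z = zlib.compressobj(9, zlib.DEFLATED, -15)
        b64 = base64.b64encode(z.compress(resp) + z.flush()).decode()
    else:
        b64 = base64.b64encode(resp).decode()
    return parse_response(b64, "/lavoisier/view", now, deflated=(binding == "Redirect"))
```

Calling demo("Redirect") or demo("POST") returns the transient NameID from the constructed response together with the view route; a second Response carrying the same InResponseTo is rejected because the request ID was removed from PENDING on first use, which is what stops a captured Response from being replayed against the ACS endpoint.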