Feature #9607
open
Develop SAML authenticator
Implement a ServiceProvider in SAML2 authenticator in redirect mode or XHTML POST mode
Redirect mode
XHTML POST mode
- browser requests the Lavoisier view https://lavoisierHost/lavoisier/view
- Lavoisier sends back 200 with an XHTML POST form:
<form method="post" action="https://identityProvider/SAML2/SSO/POST" ...>
<input type="hidden" name="SAMLRequest" value="request" />
<input type="hidden" name="RelayState" value="token" />
...
<input type="submit" value="Submit" />
</form>
where 'request' is the base64 encoding of the <samlp:AuthnRequest> (see above)
- browser requests https://identityProvider/SAML2/SSO/POST
POST /SAML2/SSO/POST HTTP/1.1
Host: identityProvider
Content-Type: application/x-www-form-urlencoded
Content-Length: nnn
SAMLRequest=request&RelayState=ViewURL
- User authenticates
- IdentityProvider sends back 200 with an XHTML POST form:
<form method="post" action="https://lavoisierHost/SAML2/SSO/POST" ...>
<input type="hidden" name="SAMLResponse" value="response" />
<input type="hidden" name="RelayState" value="token" />
...
<input type="submit" value="Submit" />
</form>
where 'response' is the base64 encoding of the <samlp:AuthnResponse> (see above)
- browser requests https://lavoisierHost/SAML2/SSO/POST:
POST /SAML2/SSO/POST HTTP/1.1
Host: lavoisierHost
Content-Type: application/x-www-form-urlencoded
Content-Length: nnn
SAMLResponse=response&RelayState=ViewURL
- Lavoisier processes the response and internally routes to ViewURL
Note: to make the browser POST to the IdentityProvider automatically, include the following JavaScript in the XHTML:
window.onload = function () { document.forms[0].submit(); }
Note 2: This mode allows sending and receiving larger messages than redirect mode, but it requires the authenticator to send data (the POST form) along with the 200 status code. We should probably modify the interfaces.
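The exchange above as runnable code, added to this issue and not part of Lavoisier: a Service Provider that emits the auto-submitting SAMLRequest form (steps 1 and 2), a stand-in IdP that produces the SAMLResponse POST body (steps 4 and 5), and the consumer that checks RelayState, InResponseTo, Destination and Status before routing to ViewURL (step 6). Hostnames and form layout come from the issue; the AuthnRequest attributes, the RelayState token store and the response content are assumptions made here.

```python
# Added example (not Lavoisier code): SP side of the SAML2 HTTP-POST exchange from the issue.
# Hostnames/form layout follow the issue; request attributes, token store and IdP reply are constructed.
import base64, html, secrets, uuid
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

SP_ACS = "https://lavoisierHost/SAML2/SSO/POST"
IDP_SSO = "https://identityProvider/SAML2/SSO/POST"
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
AUTO_POST_JS = "window.onload = function () { document.forms[0].submit(); }"
PENDING = {}  # RelayState token -> (ViewURL, AuthnRequest ID); a short-lived store in practice

def build_authn_post_form(view_url):
    """Step 2: Lavoisier answers the view request with an XHTML page that auto-POSTs to the IdP."""
    req_id, token = "_" + uuid.uuid4().hex, secrets.token_urlsafe(16)
    PENDING[token] = (view_url, req_id)  # opaque token in RelayState instead of the raw ViewURL
    authn = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" ID="{req_id}" Version="2.0" '
             f'Destination="{IDP_SSO}" AssertionConsumerServiceURL="{SP_ACS}"/>')
    saml_request = base64.b64encode(authn.encode()).decode()
    return token, (f'<html><head><script>{AUTO_POST_JS}</script></head><body>'
                   f'<form method="post" action="{IDP_SSO}">'
                   f'<input type="hidden" name="SAMLRequest" value="{html.escape(saml_request)}"/>'
                   f'<input type="hidden" name="RelayState" value="{html.escape(token)}"/>'
                   f'<input type="submit" value="Submit"/></form></body></html>')

def idp_post_body(req_id, token, status=SUCCESS):
    """Steps 4-5 (stand-in IdP): the form body the browser POSTs back to Lavoisier, unsigned here."""
    resp = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" ID="_{uuid.uuid4().hex}" Version="2.0" '
            f'InResponseTo="{req_id}" Destination="{SP_ACS}">'
            f'<samlp:Status><samlp:StatusCode Value="{status}"/></samlp:Status></samlp:Response>')
    return urlencode({"SAMLResponse": base64.b64encode(resp.encode()).decode(), "RelayState": token})

def consume_saml_response(post_body):
    """Step 6: parse the POST to /SAML2/SSO/POST and return the ViewURL to route to internally."""
    fields = parse_qs(post_body, strict_parsing=True)
    view_url, req_id = PENDING.pop(fields["RelayState"][0])  # unknown or replayed token -> KeyError
    root = ET.fromstring(base64.b64decode(fields["SAMLResponse"][0], validate=True))
    # The SAML 2.0 protocol schema names the response element samlp:Response.
    if root.tag != f'{{{NS["samlp"]}}}Response' or root.get("InResponseTo") != req_id:
        raise ValueError("response does not answer the pending AuthnRequest")
    if root.get("Destination") != SP_ACS:
        raise ValueError("response addressed to a different endpoint")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP did not report success")
    # XML signature verification of the Response/Assertion belongs here before trusting it.
    return view_url
```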