I'm new to SAML and having a bit of trouble fully understanding the full SAML2 SSO process.
Specifically, when the Service Provider responds to a resource request with an AuthnRequest element, what piece of data in that element identifies the principal (i.e. the user) to be validated by the identity provider?
For example, there does not appear to be anything to identify the principal in the following AuthnRequest:
<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="identifier_1"
    Version="2.0"
    IssueInstant="2004-12-05T09:21:59"
    AssertionConsumerServiceIndex="0">
  <saml:Issuer>https://sp.example.com/SAML2</saml:Issuer>
  <samlp:NameIDPolicy
      AllowCreate="true"
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
</samlp:AuthnRequest>
Does the information identifying the principal get added after the AuthnRequest reaches the browser (maybe from a cookie?), or does information identifying the specific user not get sent to the identity provider at all?
SAML works by exchanging user information, such as logins, authentication state, identifiers, and other relevant attributes between the identity and service provider. As a result, it simplifies and secures the authentication process as the user only needs to log in once with a single set of authentication credentials.
Security Assertion Markup Language (SAML) 2.0 is one of the most widely used open standards for authentication and authorization between multiple parties. SAML is an open protocol that gives users a single sign-on (SSO) experience for applications. The other widely adopted open standards are OAuth and OpenID.
The URLs that are used for partner-to-partner communication, such as the exchange of requests, in SAML 2.0 federations are referred to collectively as endpoint URLs. They can also be individually referred to by the name of the protocol and binding or service that they are related to.
This field is frequently referred to as the "Entity ID" or "Audience URI" by vendors. It can technically be any string of data up to 1024 characters long but is usually in the form of a URL that contains the Service Provider's name within, and is often simply the same URL as the ACS.
The spec says the following on the Authentication Request (SAML Profiles, http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf, section 4.1.4.1):
Note that the service provider MAY include a <Subject> element in the request that names the actual identity about which it wishes to receive an assertion.
This is however rarely used and not widely implemented across different providers/stacks, so your mileage may vary. In fact there are deployment profiles that explicitly forbid usage of the <Subject>, e.g. http://saml2int.org/profile/current/ section 8.2 says:
The <saml2p:AuthnRequest> message MUST NOT contain a <saml2:Subject> element.
The usual interaction is that the Service Provider determines the Identity Provider but not the user. The latter is left to the Identity Provider, both identification and authentication. That is a cleaner interface that avoids potential clashes between the two about identifiers and accounts.
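To make the answer concrete, here is an added example (not part of the original question or answer, and not any SAML library's code) that parses three constructed messages with Python's standard xml.etree: the asker's AuthnRequest, which identifies only the SP (Issuer) and the requested NameID format; a second AuthnRequest carrying the optional <Subject> that the spec allows and saml2int forbids; and a minimal Assertion of the kind the IdP returns, which is where the principal's NameID actually appears. The SP and IdP URLs, the "alice@example.com" principal and the transient NameID value are constructed sample data. The last function shows the IdP-side consequence of a request-borne Subject, as stated in the SAML Core AuthnRequest processing rules (section 3.4.1.4): if the request names a principal, the IdP must not assert a different one.

```python
import xml.etree.ElementTree as ET
from typing import Optional

# SAML 2.0 namespaces used by AuthnRequest / Assertion elements.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample 1: the request from the question. It identifies the SP
# (Issuer) and the kind of identifier it wants back, but no user.
REQUEST_NO_SUBJECT = """<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="identifier_1" Version="2.0" IssueInstant="2004-12-05T09:21:59"
    AssertionConsumerServiceIndex="0">
  <saml:Issuer>https://sp.example.com/SAML2</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true"
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
</samlp:AuthnRequest>"""

# Constructed sample 2: the rarely used variant that names a principal via
# the optional <Subject> element (SAML Core 3.4.1). "alice@example.com" is
# made up for this example.
REQUEST_WITH_SUBJECT = """<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="identifier_2" Version="2.0" IssueInstant="2004-12-05T09:22:10"
    AssertionConsumerServiceIndex="0">
  <saml:Issuer>https://sp.example.com/SAML2</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
</samlp:AuthnRequest>"""

# Constructed sample 3: a stripped-down Assertion as the IdP would return it
# after *it* identified and authenticated the user. The transient NameID value
# is made up; a real one is signed and carries conditions and statements.
RESPONSE_ASSERTION = """<saml:Assertion
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="assertion_1" Version="2.0" IssueInstant="2004-12-05T09:22:05">
  <saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_ce3d2948b4cf20146dee0a0b3dd6f69b6cf86f62d7</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""


def _nameid_text(parent: ET.Element) -> Optional[str]:
    """Return the Subject/NameID text under `parent`, or None if absent."""
    nameid = parent.find("saml:Subject/saml:NameID", NS)
    if nameid is None or not nameid.text:
        return None
    return nameid.text.strip()


def describe_authn_request(xml_text: str) -> dict:
    """Report what an AuthnRequest identifies: the SP, the requested
    identifier format, and (only if present) a named principal."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("not a samlp:AuthnRequest")
    policy = root.find("samlp:NameIDPolicy", NS)
    return {
        # Issuer names the Service Provider, never the user.
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "nameid_format_requested": policy.get("Format") if policy is not None else None,
        "allow_create": policy is not None and policy.get("AllowCreate") == "true",
        # None for the common case; the IdP decides who the user is.
        "subject": _nameid_text(root),
    }


def assertion_subject(xml_text: str) -> Optional[str]:
    """The principal as asserted by the IdP: this is where the user shows up."""
    return _nameid_text(ET.fromstring(xml_text))


def idp_may_issue(request_xml: str, authenticated_user: str) -> bool:
    """IdP-side rule: with no Subject in the request, assert whoever was
    authenticated; with a Subject, only issue if it matches that principal
    (SAML Core 3.4.1.4 processing rules)."""
    requested = describe_authn_request(request_xml)["subject"]
    return requested is None or requested == authenticated_user


if __name__ == "__main__":
    print(describe_authn_request(REQUEST_NO_SUBJECT))
    print(describe_authn_request(REQUEST_WITH_SUBJECT))
    print("asserted principal:", assertion_subject(RESPONSE_ASSERTION))
```

Running it shows the asymmetry the answer describes: the first request yields `subject: None`, so nothing about the user travels from the SP to the IdP, and the user's identity first appears in the IdP's Assertion. The mismatch check in `idp_may_issue` is why a request-borne Subject is worth avoiding in practice: it gives the SP and IdP two places to disagree about who the user is.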