
How do you use SAML 2.0 for redirecting a user from website A to website B? Once the user finishes his activity at website B, he should come back to website A, and based on the results from website B, he should be able to proceed on website A for further activity.

I am also confused with the idea of Service Provider (SP) and Identity Provider (IP). Will website A be a service provider or identity provider, and similarly for website B?

My background in SAML 2.0 is literally zero and I am reading documents to understand how to create SAML 2.0 assertion. I am trying to implement this in java.

Does anyone have any good starting primer for understanding SAML 2.0?

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Version="2.0" IssueInstant="2013-04-12T15:43:42.389Z" ID="413be1b7-ac2d-4324-a359-998935f11a66">
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </saml2p:Status>
  <saml2:Assertion Version="2.0" IssueInstant="2013-04-19T20:16:07.090Z" ID="SamlAssertion-25171a8736ed098dde8659e5ba250b5f" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:Issuer Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">ffx-ffe-w7-15.cgiabccompany.com</saml2:Issuer>
    <!-- The posted sample opens ds:Signature but never closes it; the signature contents (SignedInfo, SignatureValue, KeyInfo) are not shown, so it is closed empty here to keep the document well-formed. -->
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="">test</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches">
        <saml2:NameID>CN=ffx-ffe-w7-15.cgiabccompany.com, OU=ffx, OU=ffe, O=cgifederal, L=Herndon, ST=VA, C=US</saml2:NameID>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotOnOrAfter="2013-04-19T20:21:08.437Z" NotBefore="2013-04-19T20:14:08.437Z"/>
    <saml2:AttributeStatement>
      <saml2:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" Name="State Exchange Code">
        <saml2:AttributeValue>MD0</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" Name="User Type">
        <saml2:AttributeValue>Consumer</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" Name="ABC Company User ID">
        <saml2:AttributeValue>john.doe@email.com</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" Name="Transfer Type">
        <saml2:AttributeValue>Direct Service</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" Name="Keep Alive URL">
        <saml2:AttributeValue>https://www.mycompany.com/extendsession.jsp</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" Name="First Name">
        <saml2:AttributeValue>JOHN</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" Name="Middle Name">
        <saml2:AttributeValue>FISCHER</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" Name="Last Name">
        <saml2:AttributeValue>DOE</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" Name="City Name">
        <saml2:AttributeValue>PEORIA</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" Name="State">
        <saml2:AttributeValue>IL</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" Name="Zip Code">
        <saml2:AttributeValue>20190</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
    <saml2:AuthnStatement SessionNotOnOrAfter="2013-04-12T15:43:42.328Z" SessionIndex="session#1" AuthnInstant="2013-04-12T15:43:42.328Z">
      <saml2:SubjectLocality DNSName="2.175.111.190" Address="1234 Fishy LN, PEORIA, IL 20190"/>
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
  </saml2:Assertion>
</saml2p:Response>
yogsma

1 Answer


A typical scenario for this is SAML Web SSO with artifact binding.

  1. Website A (SP) sees that the user does not have an authenticated session.
  2. The SP redirects the user to website B (IDP) with a SAML AuthnRequest as a URL parameter.
  3. The IDP authenticates the user and redirects it back to the SP with an artifact in a URL parameter.
  4. The SP exchanges the Artifact for an Assertion over SOAP using an ArtifactResolveRequest to the IDP.

The Assertion is the evidence of the user being authenticated and can contain information about the user that the IDP has stored. For example, uid.

In the scenario you're talking about, website A is the SP and website B the IDP. The SP is the entity wanting a user authenticated; the IDP (Identity Provider) is the entity providing authentication.

SAML SSO is achieved using many products, for example OpenAM, Shibboleth. If you want to build SAML into your software you can use libraries like OpenSAML or the Spring SAML module.

My book, A Guide to OpenSAML, gives a good introduction to SAML and the OpenSAML library.

Other relevant reading is The SAML technical overview and these posts on my blog.

Need help? Ask me a question on the blog. Need a lot of help? I'm a consultant for hire.

Stefan Rasmusson
  • If an assertion statement is wrapped in a response, what do you call it? An assertion or a response? Basically Website B is providing me that pattern and I am supposed to send them an assertion statement from my system (Website A) to get validated. – yogsma Sep 16 '13 at 13:58
  • Is your sending them this a part of the normal login procedure or just for testing? It sounds strange that you would need to send them this for a normal login. As this is not a part of SAML it's hard to say for sure, but I would assume you should send them the assertion. – Stefan Rasmusson Sep 16 '13 at 18:26
  • Well, it will be part of the login process once I finish coding. Basically, users will log in to Website A and will input some information and then will be redirected to Website B with some basic info. I have put the SAML assertion format which website B wants us to send them. – yogsma Sep 16 '13 at 19:02
  • Ok, do you think the answer answered your question? – Stefan Rasmusson Sep 17 '13 at 06:16
  • Your answer has helped me understand SAML. I'm trying to understand how I can implement it in my system. I posted the SAML pattern which website B has provided for website A (my website) to redirect. – yogsma Sep 17 '13 at 14:27
  • How do you do IdP-initiated single sign-on with the POST binding? – yogsma Sep 18 '13 at 02:20
  • This is off topic from the original question. Please mark this as answered if you think it answered the original question and create a new one for the "IdP-initiated single sign-on" question. – Stefan Rasmusson Sep 18 '13 at 07:23
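The four steps in the answer as an added simulation (not the answer's code and not any SAML library's): Python dicts stand in for the AuthnRequest, Assertion and ArtifactResolve messages, a direct method call stands in for the SOAP back channel, and the entity IDs are placeholders. It shows what the artifact binding buys the SP: the assertion never passes through the browser, the artifact is single-use, and the SP still checks issuer, audience and InResponseTo before accepting the user.

```python
import secrets, uuid
from datetime import datetime, timezone

class IdentityProvider:
    """Website B: authenticates the user and hands the SP a short-lived artifact."""
    def __init__(self, entity_id):
        self.entity_id = entity_id
        self._artifacts = {}            # artifact -> assertion, kept server side only

    def authenticate(self, authn_request, user_id):  # step 3: user logs in at the IdP
        assertion = {"ID": "_" + uuid.uuid4().hex, "Issuer": self.entity_id,
                     "Subject": user_id, "InResponseTo": authn_request["ID"],
                     "Audience": authn_request["Issuer"],
                     "IssueInstant": datetime.now(timezone.utc).isoformat()}
        artifact = secrets.token_urlsafe(32)     # opaque handle; carries no user data
        self._artifacts[artifact] = assertion
        return artifact                          # this is what travels in the browser redirect

    def resolve(self, artifact_resolve):         # step 4: back channel (SOAP in real life)
        # pop(): an artifact is single-use, so a replayed one resolves to nothing
        return self._artifacts.pop(artifact_resolve["Artifact"], None)

class ServiceProvider:
    """Website A: wants the user authenticated before letting them proceed."""
    def __init__(self, entity_id, idp):
        self.entity_id, self.idp, self._pending = entity_id, idp, set()

    def start_login(self):                       # steps 1-2: no session, build an AuthnRequest
        req = {"ID": "_" + uuid.uuid4().hex, "Issuer": self.entity_id}
        self._pending.add(req["ID"])             # remember it so the reply can be matched
        return req

    def finish_login(self, artifact):            # step 4: exchange the artifact for the assertion
        assertion = self.idp.resolve({"Artifact": artifact, "Issuer": self.entity_id})
        if assertion is None:
            return None                           # unknown or already-used artifact
        if assertion["Issuer"] != self.idp.entity_id or assertion["Audience"] != self.entity_id:
            return None                           # not from our IdP, or not meant for us
        if assertion["InResponseTo"] not in self._pending:
            return None                           # unsolicited response
        self._pending.discard(assertion["InResponseTo"])
        return assertion["Subject"]               # now website A knows who the user is

def run_flow():
    idp = IdentityProvider("https://idp.example.test")   # placeholder entity IDs
    sp = ServiceProvider("https://sp.example.test", idp)
    req = sp.start_login()
    art = idp.authenticate(req, "uid=john.doe")
    return sp.finish_login(art), sp.finish_login(art)    # second use of the artifact must fail
```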