SAML 2.0 Information
Here is some further relevant information on the SAML 2.0 protocol.

Choosing SAML 2.0 Bindings

The Signicat Identity Broker supports three different mechanisms, known as bindings, to exchange messages:
  1. Redirect Binding: This binding is most suitable for sending SAML Requests from your service to the Signicat Identity Broker. Since there is a maximum message size, it is not suitable for sending SAML Responses back from the Signicat Identity Broker to your service.
  2. POST Binding: This binding is suitable for sending SAML Requests from your service to the Signicat Identity Broker, and SAML Responses from the Signicat Identity Broker to your service.
  3. Artifact Binding: This binding is suitable for sending any SAML message via a machine-to-machine backchannel. To make this binding work, the service provider and the Signicat Identity Broker must be able to communicate directly. This could mean that firewalls, proxy servers, and/or client certificates need to be configured on your side, which makes setting up and debugging this binding more difficult. We therefore advise against using this binding if possible.
Our recommended setup is that you use Redirect Binding to send SAML Requests to the Signicat Identity Broker, and POST Binding to receive SAML Responses from the Signicat Identity Broker.
If you do opt for the SAML Artifact binding to receive responses, be aware that your service must be able to connect autonomously to the Signicat Identity Broker via a backchannel in order to retrieve the response. A common problem is that the service provider’s firewall blocks this outgoing traffic to the Signicat Identity Broker, so the service cannot retrieve the response. Take this into account when troubleshooting your connection to the Signicat Identity Broker via the SAML Artifact binding.
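To make the two recommended bindings concrete, here is an added Python example (not code from this documentation or from the Signicat SAML 2.0 Adapter). It encodes a message for the HTTP-Redirect binding the way the SAML 2.0 Bindings specification defines it (raw DEFLATE, then base64, then URL-encoding into the SAMLRequest query parameter) and for the HTTP-POST binding (base64 in a form field), and decodes both while capping the size of the inflated message. The AuthnRequest text, the example.test URLs, the IDs and the 1 MiB limit are constructed assumptions; signing of the message is not shown.

```python
import base64
import urllib.parse
import zlib
from typing import Dict, Optional

# Constructed, unsigned sample AuthnRequest with placeholder values; the URLs and
# the ID are assumptions made for this example, not values from the documentation.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_example-request-id" Version="2.0" IssueInstant="2019-02-04T09:21:00Z" '
    'Destination="https://broker.example.test/saml/sso" '
    'AssertionConsumerServiceURL="https://sp.example.test/saml/acs">'
    '<saml:Issuer>https://sp.example.test/saml/metadata</saml:Issuer>'
    '</samlp:AuthnRequest>'
)

# Largest decoded message we are willing to hand to an XML parser (assumed value).
# Without a cap, a tiny DEFLATE payload can inflate into a very large document.
MAX_DECODED_BYTES = 1024 * 1024


def encode_redirect(xml: str, param: str = "SAMLRequest",
                    relay_state: Optional[str] = None) -> str:
    """HTTP-Redirect binding: raw DEFLATE, base64, URL-encoded query string.

    wbits=-15 produces a raw DEFLATE stream without the zlib header and checksum,
    which is what the binding requires; a zlib-wrapped stream is a common
    interoperability mistake that the receiving side will reject.
    """
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = compressor.compress(xml.encode("utf-8")) + compressor.flush()
    params = {param: base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return urllib.parse.urlencode(params)


def decode_redirect(query: str, param: str = "SAMLRequest") -> str:
    """Reverse of encode_redirect, refusing output larger than MAX_DECODED_BYTES."""
    values = urllib.parse.parse_qs(query, strict_parsing=True)
    deflated = base64.b64decode(values[param][0], validate=True)
    inflater = zlib.decompressobj(-15)
    xml = inflater.decompress(deflated, MAX_DECODED_BYTES)
    # Either the output hit the cap with compressed input left over, or the stream
    # never reached its final block: reject both rather than parse a partial message.
    if inflater.unconsumed_tail or not inflater.eof:
        raise ValueError("SAML message is truncated or exceeds the size limit")
    return xml.decode("utf-8")


def encode_post(xml: str, param: str = "SAMLResponse") -> Dict[str, str]:
    """HTTP-POST binding: plain base64 of the XML, carried in a form field."""
    return {param: base64.b64encode(xml.encode("utf-8")).decode("ascii")}


def decode_post(form: Dict[str, str], param: str = "SAMLResponse") -> str:
    """Reverse of encode_post, with the same size limit as the Redirect decoder."""
    raw = base64.b64decode(form[param], validate=True)
    if len(raw) > MAX_DECODED_BYTES:
        raise ValueError("SAML message exceeds the size limit")
    return raw.decode("utf-8")


if __name__ == "__main__":
    query = encode_redirect(SAMPLE_AUTHN_REQUEST, relay_state="state-123")
    print("Redirect query string starts with:", query[:60])
    assert decode_redirect(query) == SAMPLE_AUTHN_REQUEST
    form = encode_post(SAMPLE_AUTHN_REQUEST, param="SAMLRequest")
    assert decode_post(form, param="SAMLRequest") == SAMPLE_AUTHN_REQUEST
    print("both bindings round-trip")
```

The Redirect encoder is the side your service uses towards the Signicat Identity Broker; the POST decoder, with its size limit, is what your AssertionConsumerService does with the SAMLResponse form field before any XML parsing or signature checking takes place. Because a DEFLATE payload can expand far beyond its encoded size, the cap belongs on the receiving side of whichever binding you accept.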

SAML 2.0 Metadata

In SAML 2.0, metadata is exchanged between components (service providers, the Signicat Identity Broker, and identity providers) to configure how to connect and exchange messages between them. The metadata basically contains the following information:
  • Which URLs to send SAML messages to.
  • Which bindings to use for exchanging messages.
  • Which certificates can be used to verify digital signatures, guaranteeing that messages come from the appropriate party.
  • What algorithms will be used for calculating digital signatures.
SAML 2.0 metadata is stored as a (signed) XML file in a particular format. You can find the specifications online.
The Signicat SAML 2.0 Adapter can automatically create metadata for you, see Signicat SAML 2.0 Adapter. Most SAML 2.0 enabled third party software can automatically generate the metadata as well. If you choose to implement the SAML 2.0 protocol yourself, you may however need to construct metadata by hand.

Example

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                     ID="configuration id"
                     entityID="Entity id">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>I+hg07X8GD583Py/OhOI7iSaLbUzL7n9yCgVcpdMSsg=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>base64 signature value</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:KeyName>signing key name</ds:KeyName>
    </ds:KeyInfo>
  </ds:Signature>
  <md:SPSSODescriptor AuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:KeyName>signing certificate key name</ds:KeyName>
        <ds:X509Data>
          <ds:X509Certificate>signing certificate</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo>
        <ds:KeyName>encryption certificate key name</ds:KeyName>
        <ds:X509Data>
          <ds:X509Certificate>encryption certificate</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
                                  Location="ARS endpoint"
                                  index="0"
                                  isDefault="true/false"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
                            Location="logout endpoint"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
                                 Location="login endpoint"
                                 index="1"
                                 isDefault="true/false"/>
  </md:SPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">Organization name</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">Organization display name</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">Website url</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="administrative">
    <md:EmailAddress>support email</md:EmailAddress>
    <md:TelephoneNumber>support phone no.</md:TelephoneNumber>
  </md:ContactPerson>
</md:EntityDescriptor>
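As an added illustration (not code from Signicat or from the Signicat SAML 2.0 Adapter), the following Python reads a service-provider EntityDescriptor in the shape shown above and extracts exactly the items the metadata section lists: the endpoints with their bindings, and the signing and encryption certificates. It then performs two checks a broker or identity provider would run against that metadata: whether a given AssertionConsumerService URL and binding are actually registered, and whether any endpoint is not served over HTTPS. The metadata string, its example.test URLs, IDs and certificate placeholders are constructed for this example; the metadata's own ds:Signature is omitted, because verifying it is the job of an XML signature library and must happen before anything parsed here is trusted.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"

# Constructed SP metadata following the layout of the example above. All URLs, IDs
# and certificate values are placeholders; the ds:Signature element is left out
# because verifying it belongs to a signature library, not to this parser.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_constructed-configuration-id" entityID="https://sp.example.test/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIIC-signing-certificate-placeholder
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIIC-encryption-certificate-placeholder
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/slo"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/acs" index="1" isDefault="true"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://sp.example.test/saml/acs-artifact" index="2"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def parse_sp_metadata(xml_text: str) -> Dict[str, object]:
    """Extract entityID, certificates and endpoints from an SP EntityDescriptor."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor in metadata")

    def certs(use: str) -> List[str]:
        found: List[str] = []
        for kd in sp.findall("md:KeyDescriptor", NS):
            # A KeyDescriptor without a 'use' attribute serves both purposes.
            if kd.get("use", use) != use:
                continue
            for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                if cert.text:
                    found.append("".join(cert.text.split()))  # drop PEM-style line breaks
        return found

    def endpoints(tag: str) -> List[Dict[str, object]]:
        return [{
            "binding": e.get("Binding"),
            "location": e.get("Location"),
            "index": int(e.get("index")) if e.get("index") is not None else None,
            "is_default": e.get("isDefault", "false").lower() == "true",
        } for e in sp.findall("md:" + tag, NS)]

    return {
        "entity_id": root.get("entityID"),
        "authn_requests_signed": sp.get("AuthnRequestsSigned", "false").lower() == "true",
        "signing_certs": certs("signing"),
        "encryption_certs": certs("encryption"),
        "acs": endpoints("AssertionConsumerService"),
        "slo": endpoints("SingleLogoutService"),
        "ars": endpoints("ArtifactResolutionService"),
    }


def default_acs(meta: Dict[str, object]) -> Optional[Dict[str, object]]:
    """The ACS marked isDefault, otherwise the first one listed."""
    acs = meta["acs"]
    for endpoint in acs:
        if endpoint["is_default"]:
            return endpoint
    return acs[0] if acs else None


def is_registered_acs(meta: Dict[str, object], location: str, binding: str) -> bool:
    """True only if (binding, location) is one of the SP's registered ACS endpoints.

    A broker or IdP compares the AssertionConsumerServiceURL of an incoming
    AuthnRequest against this before it sends a Response anywhere.
    """
    return any(e["binding"] == binding and e["location"] == location for e in meta["acs"])


def insecure_locations(meta: Dict[str, object]) -> List[str]:
    """Endpoints not served over HTTPS; assertions sent there travel in the clear."""
    return [str(e["location"]) for e in meta["acs"] + meta["slo"] + meta["ars"]
            if not str(e["location"]).lower().startswith("https://")]
```

Certificates come back as bare base64 strings so they can be handed to a signature library; which of them is currently valid for signing is exactly what the metadata's own signature, verified beforehand, vouches for. For metadata fetched from a third party, parse it with a hardened XML parser (for example the defusedxml package) rather than the standard library parser used here for brevity.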

Example of SAML 2.0 Messages

Login Request

<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    AssertionConsumerServiceURL="url for response"
    AttributeConsumingServiceIndex="service index value"
    Destination="url of the Signicat Identity Broker"
    ForceAuthn="true/false"
    ID="message id"
    IsPassive="true/false"
    IssueInstant="issue instant"
    Version="2.0">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>base64 encoded digest value</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>base64 encoded signature value</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:KeyName>name of the signing key</ds:KeyName>
    </ds:KeyInfo>
  </ds:Signature>
  <saml:Issuer>issuer</saml:Issuer>
  <samlp:RequestedAuthnContext Comparison="minimum">
    <saml:AuthnContextClassRef>minimal LOA</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

Login Response

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                IssueInstant="2019-02-04T09:21:26Z" Version="2.0"
                Destination="your endpoint"
                ID="message id"
                InResponseTo="message id of login request">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">issuer</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_0182d143-f204-3584-8a52-3c2aea597d2f">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
                                    PrefixList="xacml-saml"/>
          </ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>digest value</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>base64 encoded signature value</ds:SignatureValue>
  </ds:Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                  Version="2.0" ID="assertion id"
                  IssueInstant="assertion issue instant">
    <saml:Issuer>assertion issuer</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
                   NameQualifier="name qualifier">
      </saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2019-02-04T09:26:26Z"
                                      InResponseTo="message id of login request"
                                      Recipient="your endpoint">
        </saml:SubjectConfirmationData>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2019-02-04T09:21:26Z" NotOnOrAfter="2019-02-04T09:26:26Z">
      <saml:AudienceRestriction>
        <saml:Audience>the idp that responded</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2019-02-04T09:21:26Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:etoegang:core:assurance-class:loa2</saml:AuthnContextClassRef>
        <saml:AuthenticatingAuthority>the idp that authenticated the user</saml:AuthenticatingAuthority>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>
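A signed Login Response still has to be checked against the request your service sent and against the current time before the assertion is trusted. The added Python example below (not code from Signicat or from its adapter) performs those checks on a Response in the layout shown above: Destination and InResponseTo tied to your AssertionConsumerService URL and request ID, a Success status, exactly one Assertion from the issuer you trust, the Conditions window and SubjectConfirmationData with a clock-skew allowance, the Audience compared with your own entityID (which is what the SAML 2.0 core specification places there), and optional replay detection on the assertion ID. The sample response, the example.test URLs, the IDs and the 60-second skew are constructed assumptions, and the example assumes the XML signature has already been verified by a signature library against the certificate from the Signicat Identity Broker's metadata; that verification is out of scope here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set, Tuple

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
CM_BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed response in the layout of the Login Response above, with the
# placeholders filled in; the ds:Signature element is omitted (assumed verified).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    IssueInstant="2019-02-04T09:21:26Z" Version="2.0" Destination="https://sp.example.test/saml/acs"
    ID="_constructed-response-id" InResponseTo="_constructed-request-id">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://broker.example.test</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0"
      ID="_constructed-assertion-id" IssueInstant="2019-02-04T09:21:26Z">
    <saml:Issuer>https://broker.example.test</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">user-1234</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2019-02-04T09:26:26Z"
            InResponseTo="_constructed-request-id" Recipient="https://sp.example.test/saml/acs"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2019-02-04T09:21:26Z" NotOnOrAfter="2019-02-04T09:26:26Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.test/saml/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2019-02-04T09:21:26Z">
      <saml:AuthnContext><saml:AuthnContextClassRef>urn:etoegang:core:assurance-class:loa2</saml:AuthnContextClassRef></saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_instant(value: str) -> datetime:
    """SAML timestamps are UTC ('Z'), with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unparseable SAML timestamp: %r" % value)


def validate_response(xml_text: str, expected_request_id: str, acs_url: str, sp_entity_id: str,
                      trusted_issuer: str, now: Optional[datetime] = None,
                      skew: timedelta = timedelta(seconds=60),
                      seen_assertion_ids: Optional[Set[str]] = None) -> List[str]:
    """Return the reasons to reject the response; an empty list means accept.
    Assumes the XML signature was already verified; these are the checks a valid
    signature does not cover: binding to our request and ACS URL, freshness, audience, replay."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"] or root.get("Version") != "2.0":
        return ["not a SAML 2.0 Response"]
    problems: List[str] = []
    if root.get("Destination") != acs_url:
        problems.append("Destination %r is not our ACS URL" % root.get("Destination"))
    if root.get("InResponseTo") != expected_request_id:
        problems.append("InResponseTo does not match the AuthnRequest we sent")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != STATUS_SUCCESS:
        problems.append("StatusCode is not Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        # Zero leaves nothing to trust; more than one invites confusion between the
        # assertion whose signature was checked and the one whose subject gets used.
        problems.append("expected exactly one Assertion, found %d" % len(assertions))
        return problems
    a = assertions[0]
    a_issuer, r_issuer = a.find("saml:Issuer", NS), root.find("saml:Issuer", NS)
    if a_issuer is None or (a_issuer.text or "").strip() != trusted_issuer or (
            r_issuer is not None and (r_issuer.text or "").strip() != trusted_issuer):
        problems.append("Issuer is not the trusted Signicat Identity Broker entity")
    if seen_assertion_ids is not None:  # replay cache supplied by the caller
        if a.get("ID") in seen_assertion_ids:
            problems.append("Assertion ID %r already consumed (replay)" % a.get("ID"))
        seen_assertion_ids.add(a.get("ID"))
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        problems.append("Assertion has no Conditions")
    else:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and parse_instant(nb) > now + skew:
            problems.append("Conditions NotBefore is still in the future")
        if noa and parse_instant(noa) <= now - skew:
            problems.append("Conditions NotOnOrAfter has passed")
        audiences = [(x.text or "").strip() for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if sp_entity_id not in audiences:
            problems.append("our entityID is not in the AudienceRestriction")
    confirmed = False
    for sc in a.findall("saml:Subject/saml:SubjectConfirmation", NS):
        data = sc.find("saml:SubjectConfirmationData", NS)
        if sc.get("Method") != CM_BEARER or data is None:
            continue
        ok = data.get("Recipient") == acs_url and data.get("InResponseTo") == expected_request_id
        if ok and data.get("NotOnOrAfter"):
            ok = parse_instant(data.get("NotOnOrAfter")) > now - skew
        confirmed = confirmed or ok
    if not confirmed:
        problems.append("no bearer SubjectConfirmation bound to our request, ACS URL and time window")
    return problems


def extract_subject(xml_text: str) -> Tuple[Optional[str], Optional[str]]:
    """(NameID, AuthnContextClassRef) of the assertion; only meaningful after validation."""
    a = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if a is None:
        return None, None
    name_id = a.find("saml:Subject/saml:NameID", NS)
    loa = a.find("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    return ((name_id.text or "").strip() if name_id is not None else None,
            (loa.text or "").strip() if loa is not None else None)
```

Call validate_response before extract_subject, and compare the returned AuthnContextClassRef with the minimal LOA your AuthnRequest asked for. The same caveat as for metadata applies: a Response is attacker-controlled input until its signature is verified, so parse it with a hardened XML parser (such as the defusedxml package) in production rather than the standard library parser used here for brevity.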

Logout Request

<samlp:LogoutRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    IssueInstant="2019-02-04T09:28:54Z"
    Version="2.0"
    Destination="idp logout endpoint"
    ID="message id">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>FMCM4CvxJWw6+3ugte2VTy/V+P6RnrA0YVd6cMTNr2s=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>base64 value of the signature</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:KeyName>name of the key used to sign</ds:KeyName>
    </ds:KeyInfo>
  </ds:Signature>
  <saml:Issuer>issuer</saml:Issuer>
  <saml:NameID>id of the user that wants to logout</saml:NameID>
</samlp:LogoutRequest>

Logout Response

<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                      IssueInstant="2019-02-04T13:16:00Z" Version="2.0"
                      Destination="your logout endpoint"
                      ID="message id"
                      InResponseTo="message id of logout request">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">issuer</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
</samlp:LogoutResponse>