Example SAML authentication exchange:
- User goes to https://www.hathitrust.org, selects Login and chooses their home institution
- We redirect to the SingleSignOnService endpoint listed in the identity provider's metadata (for Michigan, for example, https://shibboleth.umich.edu/idp/profile/SAML2/Redirect/SSO) and append the base64-encoded SAML request in the "SAMLRequest" parameter. (SAML allows other bindings for this step as well.)
The SAML DevTools extension for Chrome is helpful for inspecting these messages and checking whether everything is working as expected.
The SAML request we generate looks like this:
<samlp:AuthnRequest
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
AssertionConsumerServiceURL="https://babel.hathitrust.org/Shibboleth.sso/SAML2/POST"
Destination="https://shibboleth.somewhere.edu/idp/profile/SAML2/Redirect/SSO"
ID="_e2fb4168b983714a4ba6c76b060edb37"
IssueInstant="2020-09-30T19:37:02Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Version="2.0">
<!-- Example AuthnRequest sent by the SP.
     ID: the IdP echoes it back as InResponseTo on the Response and on
     SubjectConfirmationData (see the response example below); the SP should
     keep it and accept only a response that references an outstanding request.
     AssertionConsumerServiceURL: where the IdP POSTs the response; it reappears
     as Destination and Recipient in the response.
     Destination: the IdP's SingleSignOnService endpoint from its metadata.
     ProtocolBinding: asks the IdP to return the response via HTTP-POST. -->
<!-- Issuer is the SP entity ID; the response names it as Audience and uses it
     as SPNameQualifier on the persistent NameID. -->
<saml:Issuer
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://www.hathitrust.org/shibboleth-sp
</saml:Issuer>
<!-- No NameID Format is requested; AllowCreate="1" lets the IdP create a
     persistent identifier for this user if it has none yet. -->
<samlp:NameIDPolicy
AllowCreate="1"/>
</samlp:AuthnRequest>
- The user authenticates with their identity provider, which then POSTs a SAML response to the AssertionConsumerServiceURL given in the request. An example response looks like this:
<?xml
version="1.0"
encoding="UTF-8"?>
<!-- Example IdP response to the AuthnRequest above. Signature, digest and
     certificate values are elided. The ds:Reference URI below is the Response's
     own ID, so the enveloped signature covers the whole Response, including
     the Assertion. The canonicalization used (xml-exc-c14n# without the
     WithComments variant) omits comments, so annotations like these are not
     part of what is signed. -->
<saml2p:Response
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
Destination="https://babel.hathitrust.org/Shibboleth.sso/SAML2/POST"
ID="_b6252e83aad9c7af567f586a3c4275bc"
InResponseTo="_e2fb4168b983714a4ba6c76b060edb37"
IssueInstant="2020-09-30T19:37:29.534Z"
Version="2.0"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<!-- Destination equals the SP's AssertionConsumerServiceURL and InResponseTo
     equals the AuthnRequest ID; the SP should check both before trusting the
     message. The xsd namespace declared on the root is referenced by the
     xsi:type="xsd:string" attribute values further down. -->
<!-- Issuer is the IdP entity ID; the SP looks up the IdP's signing key in its
     metadata under this name. -->
<saml2:Issuer
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://shibboleth.somewhere.edu/idp/shibboleth
</saml2:Issuer>
<!-- Enveloped XML signature over the Response (Reference URI matches the
     Response ID). The SP should verify it with the key it already trusts
     for this Issuer rather than relying on the embedded X509Certificate alone. -->
<ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod
Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference
URI="#_b6252e83aad9c7af567f586a3c4275bc">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<!-- PrefixList="xsd" keeps the root's xsd namespace declaration visible to
     exclusive canonicalization, since it is only used inside attribute values. -->
<ec:InclusiveNamespaces
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="xsd"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue><!-- elided --></ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
<!-- elided -->
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
<!-- elided -->
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<!-- Top-level status; the SP should check for Success before using the
     Assertion. -->
<saml2p:Status>
<saml2p:StatusCode
Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</saml2p:Status>
<!-- The Assertion carries no signature of its own in this example; it is
     covered only by the Response-level signature above. -->
<saml2:Assertion
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
ID="_452812230292ac6fb800cf7e00f6956a"
IssueInstant="2020-09-30T19:37:29.534Z"
Version="2.0">
<saml2:Issuer>https://shibboleth.somewhere.edu/idp/shibboleth</saml2:Issuer>
<saml2:Subject>
<!-- Persistent, SP-scoped identifier for the user; the same value is
     released again below as eduPersonTargetedID. -->
<saml2:NameID
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
NameQualifier="https://shibboleth.somewhere.edu/idp/shibboleth"
SPNameQualifier="http://www.hathitrust.org/shibboleth-sp"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
a2FXdm1TSVdDaXQxTQo=
</saml2:NameID>
<!-- Bearer confirmation: InResponseTo echoes the AuthnRequest ID, Recipient
     equals the SP's AssertionConsumerServiceURL, and NotOnOrAfter (five
     minutes after IssueInstant here) bounds how long the assertion may be
     presented. Address is presumably the client address seen by the IdP
     (203.0.113.0/24 is a documentation range). -->
<saml2:SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData
Address="203.0.113.55"
InResponseTo="_e2fb4168b983714a4ba6c76b060edb37"
NotOnOrAfter="2020-09-30T19:42:29.564Z"
Recipient="https://babel.hathitrust.org/Shibboleth.sso/SAML2/POST"/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<!-- Validity window (five minutes) and audience: the Audience must match the
     SP entity ID given as Issuer in the AuthnRequest. -->
<saml2:Conditions
NotBefore="2020-09-30T19:37:29.534Z"
NotOnOrAfter="2020-09-30T19:42:29.534Z">
<saml2:AudienceRestriction>
<saml2:Audience>http://www.hathitrust.org/shibboleth-sp</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<!-- When and how the user authenticated; SessionIndex identifies the IdP
     session this assertion belongs to. -->
<saml2:AuthnStatement
AuthnInstant="2020-09-30T19:37:28.999Z"
SessionIndex="_221d165a869bc9806b687bb20e91c898">
<saml2:SubjectLocality
Address="203.0.113.55"/>
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<!-- Attributes released by the IdP; the SP's access decision is based on
     these. The e-mail-like values below are placeholders in this example. -->
<saml2:AttributeStatement>
<saml2:Attribute
FriendlyName="eduPersonTargetedID"
Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue>
<saml2:NameID
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
NameQualifier="https://shibboleth.somewhere.edu/idp/shibboleth"
SPNameQualifier="http://www.hathitrust.org/shibboleth-sp">
a2FXdm1TSVdDaXQxTQo=
</saml2:NameID>
</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute
FriendlyName="eduPersonPrincipalName"
Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string">[email protected]
</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute
FriendlyName="eduPersonScopedAffiliation"
Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string">[email protected]
</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>
</saml2p:Response>
The service provider validates this response (the signature, the InResponseTo and Recipient values, the NotBefore/NotOnOrAfter window and the Audience shown above) and then allows or denies access based on the attributes it contains.