SAML Example

Everyone can read the specs for a protocol. But real understanding often requires a real world example. I’ve been trying to understand SAML. Here’s a “real” SAML assertion, somewhat modified for public consumption. I’ll annotate:

This is my notebook to myself to understand the document. I’ll update if I find out I’ve written something bogus.

The samlp:Response tag  contains enough information to link the document to the web application flow that triggered off the SAML handshake.  In particular, the Destination attribute points to the (fictional) application that I was trying to get into, and in particular the Sub url that handles singlesign on (SSO):

Destination=”https://appname.younglogic.com/saml/sso”

The issuer does not necessarily have to be the website that the application redirected me to, but in this case it is:

<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://saml.younglogic.com/idp/</saml:Issuer>

The signature info has enough information for the consumer to validate the assertion. In particular;

  • it states how the Assertion was trasnformed to a format for signing, CanonicalizationMethod: xml-exc-c14n, as well as the fact that it is using enveloped-signature.
  • It states the Signature Algorithm:rsa-sha1.
  • It has the digest method and value

The next block has the actual signature value.  Since I have modified this document by hand, the signature no longer matches.  Sorry.

I also has the key used to sign the assertion. Obviously, this is not trustworthy in-and-of itself, but it is convenient to see if a document is internally valid.  The essential step beyond that is making sure the Key actually matches a valid signature key for the Issuer.

We have a status code.  Success.  Yay!

 

Below that is the Assertion itself. It is in chatty XML, but it comes down to some information about confirming the assertion, such as

  • Issuer
  • SubjectConfirmation Method>/li>
  • SubjectConfirmationData
  • NotBefore
  • NotOnOrAfter

and then a set of Key Value pairs for the attributes:

Role
User
sn
Young
orgPersonType
Employee
cn
Adam Young
email
adam@younglogic.com

 

Note: to produce the example SAML assertion, I used a Firefox Plugin from https://addons.mozilla.org/en-US/firefox/addon/saml-tracer/ and hit a local SAML enabled website, then modified the document by hand.

Leave a Reply

Your email address will not be published. Required fields are marked *