Liberty ID-FF Bindings and Profiles Specification - Liberty Alliance

More documents

Recommendations

Info

Liberty Alliance Project:Liberty ID-FF Bindings and Profiles SpecificationVersion: 1.2-errata-v2.0937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975• WML Redirect with GET...Contacting IdP. Please wait.........where:This element provides the host name, port number, and path components of the assertion consumer service URL at theservice provider.= ...SAMLArt= ...RelayState=A component MUST contain at least one SAML Artifact. A single RelayState MUST be included if a valuefor the was provided in the . All SAML Artifacts included MUST contain thesame identity provider ID (see Section 3.2.2.2).A component MUST contain at least one SAML Artifact.A form field named RelayState, with the value of that element from the MUST be includedif a value for the was provided in the and the HTTP request is made using aPOST.3.2.2.1.3. Step 7: Accessing the Assertion Consumer ServiceIn step 7, the user agent accesses the assertion consumer service URL at the service provider, with a SAML artifactrepresenting the Principal’s authentication information attached to the URL.3.2.2.2. Artifact FormatThe artifact format includes a mandatory two-byte artifact type code, as follows:976977978979980981SAML_artifactTypeCode:= B64(TypeCode RemainingArtifact):= Byte1Byte2982983The notation B64(TypeCode RemainingArtifact) represents the application of the base64 transformation to thecatenation of the TypeCode and RemainingArtifact. This profile defines an artifact type of type code 0x0003,Liberty Alliance Project26
Liberty Alliance Project:Liberty ID-FF Bindings and Profiles SpecificationVersion: 1.2-errata-v2.098498598698798898999099199299399499599699799899910001001100210031004which is REQUIRED (mandatory to implement) for any implementation of the Liberty browser artifact profile. Thisartifact type is defined as follows:TypeCode := 0x0003RemainingArtifact := IdentityProviderSuccinctID AssertionHandleIdentityProviderSuccinctID:= 20-byte_sequenceAssertionHandle := 20-byte_sequenceIdentityProviderSuccinctID is a 20-byte sequence used by the service provider to determine identity provideridentity and location. It is assumed that the service provider will maintain a table of IdentityProviderSuccinctIDvalues as well as the URL (or address) for the corresponding SAML responder at the identity provider. Thisinformation is communicated between the identity provider and service provider out of band. On receiving the SAMLartifact, the service provider determines whether the IdentityProviderSuccinctID belongs to a known identityprovider and, if so, obtains the location before sending a SAML request.Any two identity providers with a common service provider MUST use distinct IdentityProviderSuccinctIDvalues. Construction of AssertionHandle values is governed by the principles that the values SHOULD have nopredictable relationship to the contents of the referenced assertion at the identity provider, and that constructing orguessing the value of a valid, outstanding assertion handle MUST be infeasible.The following rules MUST be followed for the creation of SAML artifacts at identity providers:10051006100710081009101010111012• Each identity provider selects a single identification URL, corresponding to the provider metadata elementProviderID specified in [LibertyMetadata].• The identity provider constructs the IdentityProviderSuccinctID component of the artifact by taking theSHA-1 hash of the identification URL as a 20-byte binary value. Note that the IdentityProviderSuccinctIDvalue, used to construct the artifact, is not encoded in hexadecimal. The AssertionHandle value is constructedfrom a cryptographically strong random or pseudo-random number sequence (see [RFC1750]) generated by theidentity provider. The sequence consists of a value of at least eight bytes. The value should be padded to a totallength of 20 bytes.1013101410151016101710181019102010213.2.3. Liberty Browser POST ProfileThe Liberty browser POST profile allows authentication information to be supplied to an identity provider without theuse of an artifact. Figure 3 diagrams the interactions between parties in the Liberty POST profile. This profile is anadaptation of the "Browser/post profile" for SAML as documented in [SAMLBind11].The following URI-based identifier MUST be used when referencing this specific profile (for example, element of the message):URI: http://projectliberty.org/profiles/brws-postThe Liberty POST profile consists of a series of two interactions, the first between a user agent and an identity provider,and the second directly between the user agent and the service provider.Liberty Alliance Project27
Page 1 and 2: Liberty Alliance Project:Version: 1
Page 3 and 4: Liberty Alliance Project:Liberty ID
Page 25: Liberty Alliance Project:Liberty ID

Liberty ID-FF Bindings and Profiles Specification - Liberty Alliance

Create successful ePaper yourself

Delete template?

Save as template?