Page tree

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.


Anchor_GoBack_GoBackSAML is setup on ONECount which can support both IDP and SP initiated logins. The main use of this saml is to provide authentication and authorization services for the SP while ONECount being IDP. We are using OPENSAML API to read the login requests and create SAML responses based on the authentication result. This document uses the following abbreviations.

SP (Service Provider) : The system which is having the services the user requests for. The Service provider would just render services based on the authentication information provided by IDP.

IDP (Identity Provider) : The system which manages the user details and the user privileges. The IDP would authenticate user and provide necessary information regarding the user to the SP.

SAML:  Security Assertion Markup Language is an XML-based, open-standard data format for exchanging authentication and authorization data between an identity provider and a service provider. SAML is a product of the OASIS Security Services Technical Committee. This defines the way SP and IDP communication protocols and how to react to requests.

...

SP Initiated login: In this type of login the service provider requests for authentication to the IDP on for the same site. In our setup the example for this is a website login. In SP initiated login the SP needs to create SAML request and send into to ONECount. The ONEcount ONECount then authenticates the user and sends the required details to the SP back as SAML response.

IDP Initiated login: In this type of login the request for authentication would be by made by a partner site or third party site other than SP. In our setup, the example is for ETHOS where a medical publisher acts as partner site and has link to ETHOS websites where we Partner websites link to SP by passing us parameters which service they want to use on SP. We authenticate the user and send required information to SP which is ETHOS in this context. In this type login is initiated by IDP to the SP.DataBase models: we have 2 tables in onecount_super data base as these configurations are common for all the clients. WE populate these tables based on the saml meta data file of service provider and other configurations. The table names are AnchorOLE_LINK2OLE_LINK2 AnchorOLE_LINK3OLE_LINK3 onecount_saml_metadata and AnchorOLE_LINK4OLE_LINK4 AnchorOLE_LINK5OLE_LINK5 AnchorOLE_LINK6OLE_LINK6 onecount_saml_relaystate_mapping and their structure is as follows.
onecount_saml_metadata

...

Column

...

Type

...

Comments

...

entity_id

...

varchar(400)

...

soap_binding

...

text

...

 The SOAP binding of SP which we get in SAML Metadata file.

...

redirect_binding

...

text

...

 The redirect binding of SP which we get in SAML Metadata file.

...

certificate_encryption

...

text

...

 The certificate encryption key of SP which we get in SAML Metadata file.

...

certificate_signature

...

text

...

 The certificate signature key of SP which we get in SAML Metadata file.

...

logout_post_binding

...

text

...

 The logout post binding of SP which we get in SAML Metadata file.

...

logout_redirect_binding

...

text

...

 The logout redirect binding of SP which we get in SAML Metadata file.

...

post_binding

...

text

...

 The post binding of SP which we get in SAML Metadata file.

...

expiry

...

date

...

 The expiry date of metadata of SP which we get in SAML Metadata file.

...

xml_dump

...

longtext

...

 The whole xml metadata as string.

...

saml_id

...

int(11)

...

 Unique primary for this table

...

fields

...

varchar(400)

...

JSON format string of demographic fields of user the SP needs with onecount question ID as key and name the SP wants for this particular question.
Sample : {1:Email,226:Prefix,4:First name,218:Middle name,5:Last name,12:Postal code,98:Degree,234:Profession,242:Specialty,ocid:OCID}

...

client_auth

...

varchar(400)

...

 Client login URL to login page to which we send user for challenge questions when cookies are not found.

...

appkey

...

varchar(200)

...

 The app key for the client which we use to make requests to ONECount API.

...

brand_info

...

varchar(40)

...

 The brand information required for styling the login/lookup page.


...

Column

Type

Comments

saml_relaystate_id

int(11)

 Unique primary key for this table

saml_id

int(11)

Foreign key from onecount_saml_mapping table

relaystate

varchar(400)

Relay state pattern or SP website address sample education.annenberg.net

client_id

int(11)

 Client id of our client

When ever we need a new client to use the saml when we configure these parameters from the metadata file and the conf paramaters they provide they should be good.
Login Mechanism Login Service : The total login process can be divided into 3 parts

  • Login Request
  • Authentication
  • Login Response

Login Request: The login request needs to be a valid saml request.

SP intitiated login: In the case of the SP initiated login ONECount supports Post only HTTP Redirect binding request with the request payload. We read the request by opensaml java api and extract the required parameters for authentication.

Sample Login Request: The redirect request needs to have the following query parameters

SAMLREQUEST

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_809707f0030a5d00620c9d9df97f627afe9dcc24" Version="2.0"  IssueInstant="2016-12-08T23:52:45Z" Destination=" https://saml.onecount.net/saml/resources/login " ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL=" https://devel.devslg.net/sites/all/libraries/simplesaml/www/module.php/saml/sp/saml2-acs.php/default-sp ">

  <saml:Issuer> https:// devel.devslg.net/sites/all/libraries/simplesaml/www/module.php/saml/sp/metadata.php</saml:Issuer>

  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" AllowCreate="true"/>

  <samlp:RequestedAuthnContext Comparison="exact">

    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>

  </samlp:RequestedAuthnContext>

</samlp:AuthnRequest>


SigAlg=http://www.w3.org/2000/09/xmldsig#rsa-sha1 ,

 RelayState= http:// devel.devslg.net /5345

clientid=780bdb442b04b35f7f1c02c47a7a7537521e46af

Signature

bM441nuRIzAjKeMM8RhegMFjZ4L4xPBHhAfHYqgnYDQnSxC++Qn5IocWuzuBGz7JQmT9C57nxjxgbFIatiqUCQN17aYrLn/mWE09C5mJMYlcV68ibEkbR/JKUQ+2u/N+mSD4/C/QvFvuB6BcJaXaz0h7NwGhHROUte6MoGJKMPE=


IDP Initiated login: In the case of IDP initiated login the partner site needs to have the relay state which is the url of the SP that they want to user to access. They also need to add a query parameter clientid which is used by the onecount ONECount to correctly identify the client- SP pair.Login Mechanism

Sample link

Https://saml.onecount.net/saml/resources/login?RelayState=http://achsstage.dlcdev.com/5345&clientid=780bdb442b04b35f7f1c02c47a7a7537521e46af

Authentication:

The SAML Server relies on cookies for user identification. When the saml receives the login request that looks up the configuration form the database based on entity ID if its SP initiated or relay state and clientid. Then that checks for OCGT cookie. If the cookie is found then that searches the onecount_super database for the ocid of the user form OC_CLIENTS_TOKENS table based on the client id and ocgt value. If an entry is found that means that we are able We look for ONECount cookies and if found we try to identify the user based on the oc_gt cookiethat.
If the cookie is not found or the user could not be identified based on oc_gt and clientid then the contains an invalid cookie, server is unable to accurately identify the user then the saml redirects sends the user to login/lookup page for further authentication.while redirectiong the user the whole url of partner site is URLENCODED and sent as return parameter to login/lookup pagechallenge questions to authenticate themselves. When the user authenticates himself the login server sets the updated cookie we set required cookies for the user which is taken and searched in the database.
When the user is found the server makes a call to ONECount API to retrieve the user information. Once the user information is acquired the saml request is generated.to be used in future and redirects the user to the requested or configured pages on SP. 

            SAML Response:

            The response is generated based on the configuration files using opensaml APIwith the configured user information as attributes in the response. If that is SP initiated login then we have the extra parameter "InResponseTo" send an extra attribute “InResponseTo” in the response which will have the unique request identifier which is used by the service provider to determine their internal stateinitially sent by SP. In the request if the server receives any relay state then SAML server retains that and forwards the relay state without any modification. If it is IDP initiated login then the server will have the SP requested url as the relay state. In our setup we are using URL post binding to send the response to the SP.

Sample response

<saml2p:Response Destination="https:// devel.devslg.net /sites/all/libraries/simplesaml/www/module.php/saml/sp/saml2-acs.php/default-sp" ID="_e453dc1c2671bc7a1e7a7f58fe400610be0bf5dd80e8f0e2af264c5c32e7d405" IssueInstant="2016-12-07T18:30:12.708Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://saml.onecount.net/saml/resources/metadata</saml2:Issuer>    <saml2p:Status>        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />    </saml2p:Status>    <saml2:Assertion ID="_64d98f896931e0f8f44d26aaf4146b3c9c8045c6df844f5ea820286879a8830f" IssueInstant="2016-12-07T18:30:12.708Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema">        <saml2:Issuer>https://saml.onecount.net/saml/resources/metadata</saml2:Issuer>        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">            <ds:SignedInfo>                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />                <ds:Reference URI="#_64d98f896931e0f8f44d26aaf4146b3c9c8045c6df844f5ea820286879a8830f">                    <ds:Transforms>                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">                            <ec:InclusiveNamespaces PrefixList="xs" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" />                        </ds:Transform>                    </ds:Transforms>                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />                    <ds:DigestValue>kEHcy+PbvRWUbUDMV1uMHDjkQwA=</ds:DigestValue>                </ds:Reference>            </ds:SignedInfo>            <ds:SignatureValue>S57N2w12bzKrPdxendqACdajE/3GfoaBYpdRJflcPZcv/lPK6xm6lOsgCYmm94AAN7JLW8k0NCBaPatDmkrWPeA/LUsJzC+SIzO9QiFG7TmQmIJXm6cgZ1HzP2iYdOHFLksuJNAM5vLAcFbcKZFzXo8Jn4NnzLGlk2b1ayARwr9U5hunoHkY2B32GZorvERVLg29UsGmUF5vaL3zu+BxLf39Ee6OGi1oiwB4m9xaCtKK2Hp3nqBL0+2fW87UWPn7GMWyJiSkVc21IfzUaVpmXJg/2Bv0ZEi4KWjlZfFMEJRHVV0X1NmG5khtVwQ1ZJYBUbN2M07yQPgh/xF/7CBW0w==</ds:SignatureValue>        </ds:Signature>        <saml2:Subject>            <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="Onecount SAML" SPNameQualifier="https://education.annenberg.net/sites/all/libraries/simplesaml/www/module.php/saml/sp/saml2-acs.php/default-sp">Onecount SAML</saml2:NameID>            <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">                <saml2:SubjectConfirmationData NotBefore="2016-12-07T18:30:12.708Z" NotOnOrAfter="2016-12-07T19:00:12.708Z" Recipient="https://education.annenberg.net/sites/all/libraries/simplesaml/www/module.php/saml/sp/saml2-acs.php/default-sp" />            </saml2:SubjectConfirmation>        </saml2:Subject>        <saml2:Conditions NotBefore="2016-12-07T18:30:12.708Z" NotOnOrAfter="2016-12-07T19:00:12.708Z">            <saml2:AudienceRestriction>                <saml2:Audience>https://education.annenberg.net/sites/all/libraries/simplesaml/www/module.php/saml/sp/metadata.php/default-sp</saml2:Audience>            </saml2:AudienceRestriction>        </saml2:Conditions>        <saml2:AuthnStatement AuthnInstant="2016-12-07T18:30:12.708Z" SessionIndex="_51ed9a81cf54747f8bc674f4e33eba4fa7220d10e5549a25fdccaca7e114e9bb" SessionNotOnOrAfter="2016-12-07T19:00:12.708Z">            <saml2:AuthnContext>                <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken</saml2:AuthnContextClassRef>            </saml2:AuthnContext>        </saml2:AuthnStatement>        <saml2:AttributeStatement>            <saml2:Attribute Name="Specialty">                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">NA</saml2:AttributeValue>            </saml2:Attribute>            <saml2:Attribute Name="Profession">                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">University Cancer Specialists</saml2:AttributeValue>            </saml2:Attribute>            <saml2:Attribute Name="Email">                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">jamiem1985@yahoo.com</saml2:AttributeValue>            </saml2:Attribute>            <saml2:Attribute Name="Degree">                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">NA</saml2:AttributeValue>            </saml2:Attribute>            <saml2:Attribute Name="First name">                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Jamie</saml2:AttributeValue>            </saml2:Attribute>            <saml2:Attribute Name="Prefix">                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">NA</saml2:AttributeValue>            </saml2:Attribute>            <saml2:Attribute Name="OCID">                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">8249</saml2:AttributeValue>            </saml2:Attribute>            <saml2:Attribute Name="Middle name">                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">NA</saml2:AttributeValue>            </saml2:Attribute>            <saml2:Attribute Name="Postal code">                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">37923</saml2:AttributeValue>            </saml2:Attribute>            <saml2:Attribute Name="Last name">                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Loveday</saml2:AttributeValue>            </saml2:Attribute>        </saml2:AttributeStatement>    </saml2:Assertion></saml2p:Response>



Logout Service:

In the case of logout request the SP needs to send a valid logout request to the URL stated in ONECount MetaData File. So based on the request we send the logout response so that SP can logout the user on their side. But we don’t delete the ONECount cookie as that is not just limited to SAML and has various other applications.

Sample Logout request:


Logout Request

<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_21df91a89767879fc0f7df6a1490c6000c81644d" Version="2.0" IssueInstant="2016-12-08T01:13:06Z" Destination="https://saml.onecount.net/saml/resources/logout">

  <saml:Issuer> https:// devel.devslg.net/sites/all/libraries/simplesaml/www/module.php/saml/sp/metadata.php </saml:Issuer>

  <saml:NameID SPNameQualifier=" https:// devel.devslg.net/sites/all/libraries/simplesaml/www/module.php/saml/sp/metadata.php " Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_f92cc1834efc0f73e9c09f482fce80037a6251e7</saml:NameID>

</samlp:LogoutRequest>


Signature

x3Yq1dQ0S/6iirAPpkEYrDvY5mTqzQ3b1eE+sEmnmYbzDs5YHksRrc7uloHt7xqBcCGlk+ZI2USjKshf//OVRkSr8gZ8qYtth1v69hVpEvUdzhSANyJCOCENN2DhX8kc76Wg+VyR1mzbvbrap0G6lrj9TSuM4wyh68gzJDeTQbs=

SigAlg=http://www.w3.org/2000/09/xmldsig#rsa-sha1 , RelayState=http://sp.example.com/relaystate


Sample LOGOUT Response

<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="pfxe335499f-e73b-80bd-60c4-1628984aed4f" Version="2.0" IssueInstant="2014-07-18T01:13:06Z" Destination=" https://education.annenberg.net/sites/all/libraries/simplesaml/www/module.php/saml/sp/saml2-logout.php/default-sp" InResponseTo="_21df91a89767879fc0f7df6a1490c6000c81644d">  <saml:Issuer>https://saml.onecount.net/saml/resources/metadata</saml:Issuer>  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">    <ds:SignedInfo>      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>      <ds:Reference URI="#pfxe335499f-e73b-80bd-60c4-1628984aed4f">        <ds:Transforms>          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>        </ds:Transforms>        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>        <ds:DigestValue>PusFPAn+RUZV+fBvwPffNMOENwE=</ds:DigestValue>      </ds:Reference>    </ds:SignedInfo>    <ds:SignatureValue>UEsyvBbilIQFCYk5i63NKwohkV/RGhVlT+Ajx1XBarFyB8rPCYe6NWnoqbzimKiBZaL2eSINyBLzyFdHqbI+K7qP9rmHJmIC8g5M84GJrpHoaIYJkmLjSMf4APTAiKeuW8dVvcnrrzHb8fFV/2Ob6nWG2+K3ixvH1MWh5R0bGbE=</ds:SignatureValue>    <ds:KeyInfo>      <ds:X509Data>        <ds:X509Certificate>MIICajCCAdOgAwIBAgIBADANBgkqhkiG9w0BAQ0FADBSMQswCQYDVQQGEwJ1czETMBEGA1UECAwKQ2FsaWZvcm5pYTEVMBMGA1UECgwMT25lbG9naW4gSW5jMRcwFQYDVQQDDA5zcC5leGFtcGxlLmNvbTAeFw0xNDA3MTcxNDEyNTZaFw0xNTA3MTcxNDEyNTZaMFIxCzAJBgNVBAYTAnVzMRMwEQYDVQQIDApDYWxpZm9ybmlhMRUwEwYDVQQKDAxPbmVsb2dpbiBJbmMxFzAVBgNVBAMMDnNwLmV4YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDZx+ON4IUoIWxgukTb1tOiX3bMYzYQiwWPUNMp+Fq82xoNogso2bykZG0yiJm5o8zv/sd6pGouayMgkx/2FSOdc36T0jGbCHuRSbtia0PEzNIRtmViMrt3AeoWBidRXmZsxCNLwgIV6dn2WpuE5Az0bHgpZnQxTKFek0BMKU/d8wIDAQABo1AwTjAdBgNVHQ4EFgQUGHxYqZYyX7cTxKVODVgZwSTdCnwwHwYDVR0jBBgwFoAUGHxYqZYyX7cTxKVODVgZwSTdCnwwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOBgQByFOl+hMFICbd3DJfnp2Rgd/dqttsZG/tyhILWvErbio/DEe98mXpowhTkC04ENprOyXi7ZbUqiicF89uAGyt1oqgTUCD1VsLahqIcmrzgumNyTwLGWo17WDAa1/usDhetWAMhgzF/Cnf5ek0nK00m0YZGyc4LzgD0CROMASTWNg==</ds:X509Certificate>      </ds:X509Data>    </ds:KeyInfo>  </ds:Signature>  <samlp:Status>    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>  </samlp:Status></samlp:LogoutResponse>



SAML Communication setup Process with ONECount:

You need to send SP Metadata file and the fields required to ONECount to install on our side. WE send our Metadata file which defines to which URL you need to post the request and details of our entityID’s etc. Once both sides have added the other side in to their saml setup we can communicate in SAML.

When you are trying to link SP services in IDP initiated login you also need to add a parameter clientid which is a unique hash passed on to you along with the request which enables us to uniquely identify you.

If the server does not receive a valid SAML request the server responds with 500 error You can send the information that you received on the error screen to us in order to determine the fault.

We follow open standards and process using OPENSAML packages to de-serialize and serialize the request/response.

For more information SAML and  valid saml Request  and response attributes you can refer to following documentation from OASIS creators of SAML

http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf

http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

http://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf