Reputation: 329
I'm new to SAML and having a bit of trouble fully understanding the full SAML2 SSO process.
Specifically, when the Service Provider responds to a resource request with an <samlp:AuthnRequest> element, what piece of data in that element identifies the principal (i.e. the user) to be validated by the identity provider?
For example, there does not appear to be anything to identify the principal in the following AuthnRequest:
```xml
<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="identifier_1"
    Version="2.0"
    IssueInstant="2004-12-05T09:21:59"
    AssertionConsumerServiceIndex="0">
  <saml:Issuer>https://sp.example.com/SAML2</saml:Issuer>
  <samlp:NameIDPolicy
      AllowCreate="true"
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
</samlp:AuthnRequest>
```
Does the information identifying the principal get added after the AuthnRequest reaches the browser (maybe from a cookie?), or does information identifying the specific user not get sent to the identity provider at all?
Upvotes: 6
Views: 4239
Reputation: 53888
The spec says the following on the Authentication Request (SAML Profiles, http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf, section 4.1.4.1):

"Note that the service provider MAY include a <Subject> element in the request that names the actual identity about which it wishes to receive an assertion."

This is however rarely used and not widely implemented across different providers/stacks, so your mileage may vary. In fact there are deployment profiles that explicitly forbid usage of the <Subject>, e.g. http://saml2int.org/profile/current/ section 8.2 says:

"The <saml2p:AuthnRequest> message MUST NOT contain a <saml2:Subject> element."
The usual interaction is that the Service Provider determines the Identity Provider but not the user. The latter is left to the Identity Provider, both identification and authentication. That is a cleaner interface that avoids potential clashes between the two about identifiers and accounts.
Upvotes: 10
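An added example (not part of the question or the answer above) that makes the point concrete: it parses the AuthnRequest from the question and reports what it actually says about the principal (nothing beyond the issuing SP and the requested NameID format), and it flags a request that does carry a <saml:Subject>, which an SP or IdP following the saml2int profile's section 8.2 would reject. The second request and its email-address NameID value are constructed for illustration; the namespace URIs and element names are the standard SAML 2.0 ones.

```python
# Added example, not code from the original post: inspect a SAML 2.0 AuthnRequest
# for principal-identifying content and flag a <saml:Subject> element, which the
# saml2int deployment profile (section 8.2) forbids.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# The AuthnRequest from the question, unchanged: no Subject, transient NameID policy.
REQUEST_WITHOUT_SUBJECT = """<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="identifier_1"
    Version="2.0"
    IssueInstant="2004-12-05T09:21:59"
    AssertionConsumerServiceIndex="0">
  <saml:Issuer>https://sp.example.com/SAML2</saml:Issuer>
  <samlp:NameIDPolicy
      AllowCreate="true"
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
</samlp:AuthnRequest>"""

# Constructed variant (not from the page) in which the SP names the principal
# via <saml:Subject>; the ID, timestamp and email address are placeholders.
REQUEST_WITH_SUBJECT = """<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="identifier_2"
    Version="2.0"
    IssueInstant="2004-12-05T09:22:30"
    AssertionConsumerServiceIndex="0">
  <saml:Issuer>https://sp.example.com/SAML2</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.invalid</saml:NameID>
  </saml:Subject>
  <samlp:NameIDPolicy
      AllowCreate="true"
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
</samlp:AuthnRequest>"""


def inspect_authn_request(xml_text):
    """Return the fields of an AuthnRequest that say who is asking and about whom."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("not a samlp:AuthnRequest")
    issuer = root.find("saml:Issuer", NS)
    policy = root.find("samlp:NameIDPolicy", NS)
    subject = root.find("saml:Subject", NS)
    name_id = subject.find("saml:NameID", NS) if subject is not None else None
    return {
        "id": root.get("ID"),
        "issuer": issuer.text if issuer is not None else None,  # which SP is asking
        "nameid_format": policy.get("Format") if policy is not None else None,
        "has_subject": subject is not None,
        # Only a <saml:Subject>/<saml:NameID> names a principal; the request
        # from the question has none, so the IdP decides who the user is.
        "principal": name_id.text if name_id is not None else None,
    }


def violates_saml2int_subject_rule(xml_text):
    """True when the request carries a <saml:Subject>, which saml2int 8.2 forbids."""
    return inspect_authn_request(xml_text)["has_subject"]


if __name__ == "__main__":
    for label, req in (("question's request", REQUEST_WITHOUT_SUBJECT),
                       ("constructed request", REQUEST_WITH_SUBJECT)):
        info = inspect_authn_request(req)
        print(label, info, "saml2int violation:", violates_saml2int_subject_rule(req))
```

Running the block shows that the question's request identifies only the issuing SP and asks for a transient identifier, so the IdP alone determines and authenticates the user, exactly the interaction the answer describes; the constructed request is the case the saml2int profile rules out.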