Single Sign On - Custom Implementation


Displayr supports only the SAML 2.0 "SP Redirect Request; IdP POST Response" use case.

Example RelayToken

<?xml version="1.0"?>
<!--
  SAML 2.0 AuthnRequest that the SP (Displayr) sends to the IdP via the
  HTTP-Redirect binding.

  ID:  request identifier. The SP must remember this value (bound to the
       browser session) so that the IdP's Response can be matched to it via
       InResponseTo; an unmatched or reused InResponseTo must be rejected.
       NOTE: the example Response further down carries
       InResponseTo="_8f202708-..." rather than this ID, so the two listings
       are not from the same exchange.
  ProtocolBinding:  the IdP is asked to return the Response by browser POST
       (HTTP-POST binding) to AssertionConsumerServiceURL.
  AssertionConsumerServiceURL:  the endpoint the Response is POSTed to; the
       SP later checks that Destination / Recipient in the Response equal
       this URL. NOTE(review): the example uses plain http; in production the
       ACS URL should be https so the POSTed assertion is protected in transit.
-->
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_48a9f9af-d5cf-4da3-8185-7feeadd131f7" Version="2.0" IssueInstant="2019-02-22T02:38:11Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="http://mt.displayr.com/Login/ProcessSamlResponse">
  <!-- SP entity ID; the IdP echoes it back as the Audience of the assertion (see "spn:15eedc3e-..." below). -->
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">15eedc3e-ead5-47c8-8424-a98027d91da7</saml:Issuer>
  <!-- No particular NameID format is demanded; the IdP may create a new identifier for the user. -->
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true"/>
</samlp:AuthnRequest>

Example SAMLResponse

<?xml version="1.0"?>
<!--
  SAML 2.0 Response POSTed by the IdP (here an Azure AD / sts.windows.net
  tenant) to the SP's ACS URL.

  Checks the SP must perform before trusting anything in this document:
  - Destination equals the SP's own ACS URL.
  - InResponseTo matches an AuthnRequest ID the SP issued and has not yet
    consumed (replay protection).
  - Status/StatusCode is urn:...:status:Success.
  - The Assertion's Signature verifies against the IdP certificate the SP
    was configured with out of band - not against whatever certificate the
    sender places in KeyInfo.
  - SubjectConfirmationData and Conditions (times, Recipient, Audience) hold.
-->
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_5430406c-7164-481a-812e-031527929bbe" Version="2.0" IssueInstant="2019-02-22T02:45:18.232Z" Destination="http://mt.displayr.com/Login/ProcessSamlResponse" InResponseTo="_8f202708-77ad-47f9-9349-5077960781f4">
  <!-- IdP entity ID; must equal the issuer the SP has configured for this tenant. -->
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/86c4efd3-7f59-4e51-8f64-6d7848dfcaef/</Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <!--
    The Assertion is the signed unit: the Signature below references this
    element's ID ("#_b2945d46-...") with the enveloped-signature transform.
    The outer samlp:Response itself is not signed in this example, so the
    unsigned Destination / InResponseTo on the Response should be
    cross-checked against the signed Recipient / InResponseTo inside
    SubjectConfirmationData.
  -->
  <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_b2945d46-f5f9-47f3-ac21-4dd19a1f928a" IssueInstant="2019-02-22T02:45:18.216Z" Version="2.0">
    <Issuer>https://sts.windows.net/86c4efd3-7f59-4e51-8f64-6d7848dfcaef/</Issuer>
    <!-- XML-DSig over the enclosing Assertion: exclusive C14N, RSA-SHA256, SHA-256 digest. -->
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
      <SignedInfo>
        <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <Reference URI="#_b2945d46-f5f9-47f3-ac21-4dd19a1f928a">
          <Transforms>
            <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </Transforms>
          <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
          <DigestValue>LqIwL/3pyZe2mIQPxb9C3lcT/i7sU9p2IQaar7I9ONU=</DigestValue>
        </Reference>
      </SignedInfo>
      <SignatureValue>Y21DjYsbA0oE6ef1So6aH5sy2Q9K+FUhT8IWFudIABHJUe5+nni6GRUf6HXlZougnaZhZQjUgSNRK/mLpLVT1fEy9D5WpGq4aS0Bogr3FrkPzPDKVVMMYpZWZoqQPd+3wwUXmugNtze2W28or1nil8LXe2qAP+BL+TazsqiacA6VNJhNryKaSAyrMdgjVLONw02uZ/dMUb0i51lcUcDDDYTBJeKxXqswBOR16H5fAh97MhpY27TQshLxVLn/g0itIF/gz8yRQkJLN38nTn6PnZ6UbpwCJwv99/Qv2WIjfW6VsrX0e9Vru93Wyj7Xo2PnpG/SoAdowQ2fTjVZ4lr+zQ==</SignatureValue>
      <!--
        KeyInfo is informational only. Because it is supplied by the sender,
        the SP must verify the signature with its pre-configured IdP signing
        certificate (or at least require the embedded one to match it).
        The certificate body has been elided from this copy of the page.
      -->
      <KeyInfo>
        <X509Data>
          <X509Certificate>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</X509Certificate>
        </X509Data>
      </KeyInfo>
    </Signature>
    <Subject>
      <!-- The IdP chose the emailAddress NameID format even though the request left it unspecified. -->
      <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">matthew.ta@displayr.com</NameID>
      <!--
        Bearer confirmation: whoever presents the assertion is the subject, so
        all three attributes below must be validated - InResponseTo against the
        issued request ID, NotOnOrAfter against the current time (short
        5-minute window here), Recipient against the SP's ACS URL.
      -->
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData InResponseTo="_8f202708-77ad-47f9-9349-5077960781f4" NotOnOrAfter="2019-02-22T02:50:18.216Z" Recipient="http://mt.displayr.com/Login/ProcessSamlResponse"/>
      </SubjectConfirmation>
    </Subject>
    <!--
      Validity window (one hour, starting 5 minutes before issue to absorb
      clock skew). Audience must equal the SP entity ID; here it is the
      AuthnRequest Issuer value with an "spn:" prefix, so the SP's comparison
      needs to account for that prefix.
    -->
    <Conditions NotBefore="2019-02-22T02:40:18.216Z" NotOnOrAfter="2019-02-22T03:40:18.216Z">
      <AudienceRestriction>
        <Audience>spn:15eedc3e-ead5-47c8-8424-a98027d91da7</Audience>
      </AudienceRestriction>
    </Conditions>
    <!--
      Claims asserted by the IdP. Only values from a successfully verified
      assertion may be used; multi-valued attributes (groups) are repeated
      AttributeValue children.
    -->
    <AttributeStatement>
      <Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
        <AttributeValue>86c4efd3-7f59-4e51-8f64-6d7848dfcaef</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
        <AttributeValue>d0da4e9e-3609-4f53-aaeb-2f3f58478ce2</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
        <AttributeValue>Matthew Ta</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
        <AttributeValue>50cc6b45-af70-4569-9079-d749ed9f7195</AttributeValue>
        <AttributeValue>57fa9d51-dff4-4b27-9d61-63772d2ed949</AttributeValue>
        <AttributeValue>461ee5e9-6499-4f7d-b0ba-735dcc44fdc1</AttributeValue>
        <AttributeValue>11b4175a-a8b9-4ea5-b9b2-697223cc51f5</AttributeValue>
      </Attribute>
      <!-- NOTE(review): this tenant (97fb2e3d-...) differs from the Issuer tenant (86c4efd3-...); presumably a guest/external account - confirm. -->
      <Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider">
        <AttributeValue>https://sts.windows.net/97fb2e3d-d978-44e1-bb74-0aa0109189b5/</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences">
        <AttributeValue>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/wids">
        <AttributeValue>62e90394-69f5-4237-9190-012177145e10</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
        <AttributeValue>Matthew</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
        <AttributeValue>Ta</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <AttributeValue>matthew.ta@displayr.com</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
        <AttributeValue>matthew.ta@displayr.com</AttributeValue>
      </Attribute>
      <!-- The following four are custom (non-standard) claims configured on the IdP side. -->
      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/Department">
        <AttributeValue>Programming</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/Company">
        <AttributeValue>Numbers International Pty Ltd</AttributeValue>
      </Attribute>
      <!-- Attribute Name contains a space; Name is a plain string in SAML, so match it as an opaque string rather than parsing it as a URI. -->
      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/Phone number">
        <AttributeValue>+61 123456789</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dname">
        <AttributeValue>Matthew Ta</AttributeValue>
      </Attribute>
    </AttributeStatement>
    <!-- Password authentication at the IdP; SessionIndex reuses the Assertion ID and can be used for single logout. -->
    <AuthnStatement AuthnInstant="2019-02-22T02:45:18.138Z" SessionIndex="_b2945d46-f5f9-47f3-ac21-4dd19a1f928a">
      <AuthnContext>
        <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
      </AuthnContext>
    </AuthnStatement>
  </Assertion>
</samlp:Response>

Notes