IDP-initiated Single Sign-On POST Binding


Mike Napier

Sep 16, 2013, 3:40:56 PM9/16/13
to simple...@googlegroups.com
I'm trying to use simpleSAML to perform the method described on this page.

I'm acting as the idP and have tested the authentication through it with a test SP and everything is working.
Can someone help me understand how, for step 4 of that link, I can create the base64-encoded response to post to the SP? Is there a URL on the IdP I can call that will return this? Or can simpleSAML handle the whole exchange, so that I can send a user to a single URL through simpleSAML that will authenticate with my IdP and post the response to the SP?

Here's my current setup, thanks for any help you can provide :)



saml20-idp-hosted.php


<?php
/**
 * SAML 2.0 IdP configuration for simpleSAMLphp.
 *
 * See: https://rnd.feide.no/content/idp-hosted-metadata-reference
 */
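$metadata['__DYNAMIC:1__'] = array(
        /*
         * The hostname of the server (VHOST) that will use this SAML entity.
         *
         * Can be '__DEFAULT__', to use this entry by default.
         */
        'host' => '__DEFAULT__',

        /* X.509 key and certificate. Relative to the cert directory. */
        'privatekey' => 'accounts.pem',
        'certificate' => 'accounts.crt',

        /* Only the HTTP-POST binding is advertised for SingleSignOnService. */
        'SingleSignOnServiceBinding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',

        /* Assertion encryption stays disabled (commented out) in this configuration. */
        //'assertion.encryption' => TRUE,

        /* Authentication source that logs the user in before the assertion is built. */
        'auth' => 'drupal-userpass',

        'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic',

        /*
         * Authentication processing filters, applied in key order. Each one
         * adds a fixed attribute to the assertion. Every value is written as
         * an array (ApplicationData included) so all five entries share the
         * same shape; core:AttributeAdd accepts either form.
         *
         * NOTE(review): the SP's remote metadata on this page lists
         * 'CompanyIdentifier', whereas filter 1 adds 'ChannelIdentifier' —
         * confirm with the SP which attribute name it actually expects.
         */
        'authproc' => array(
                1 => array(
                        'class' => 'core:AttributeAdd',
                        'ChannelIdentifier' => array('5346'),
                ),
                2 => array(
                        'class' => 'core:AttributeAdd',
                        'ChannelName' => array('AE'),
                ),
                3 => array(
                        'class' => 'core:AttributeAdd',
                        'Action' => array('CREATE'),
                ),
                4 => array(
                        'class' => 'core:AttributeAdd',
                        'Groups' => array('05346-UsersGroup'),
                ),
                5 => array(
                        'class' => 'core:AttributeAdd',
                        'ApplicationData' => array(''),
                ),
        ),
);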

 

saml20-sp-remote.php

<?php
/**
 * SAML 2.0 remote SP metadata for simpleSAMLphp.
 *
 * See: http://simplesamlphp.org/docs/trunk/simplesamlphp-reference-sp-remote
 */
/* The following data should be added to metadata/saml20-sp-remote.php. */
/* The following metadata was generated from /home/accounts/simplesamlphp/test.xml on 2013-09-06T18:04:03Z. */
$metadata['urn:saml20:sso:uat:ipipeline'] = array(
    'entityid' => 'urn:saml20:sso:uat:ipipeline',
    'entityDescriptor' => '',

    /* Display strings, each keyed by language tag. */
    'name' => array('en-us' => 'iPipeline RP Attribute Set'),
    'description' => array('en-us' => 'This attribute set contains the SAML attributes for our custom SAML plug in.'),
    'OrganizationName' => array('en-us' => 'iPipeline'),
    'OrganizationDisplayName' => array('en-us' => 'iPipeline'),
    'url' => array('en-us' => 'http://www.ipipeline.com'),
    'OrganizationURL' => array('en-us' => 'http://www.ipipeline.com'),

    /* A single support contact for the SP operator. */
    'contacts' => array(
        array(
            'contactType' => 'support',
            'company' => 'iPipeline',
            'emailAddress' => array('sup...@example.com'),
            'telephoneNumber' => array('484-348-6555'),
        ),
    ),

    'metadata-set' => 'saml20-sp-remote',

    /*
     * Three ACS endpoints sharing one location; the HTTP-POST one (index 0)
     * is the default and is the one the IdP-initiated flow will use.
     */
    'AssertionConsumerService' => array(
        array(
            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
            'Location' => 'https://sso-uat.ipipeline.com/sso/ACS',
            'index' => 0,
            'isDefault' => true,
        ),
        array(
            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact',
            'Location' => 'https://sso-uat.ipipeline.com/sso/ACS',
            'index' => 1,
            'isDefault' => false,
        ),
        array(
            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:PAOS',
            'Location' => 'https://sso-uat.ipipeline.com/sso/ACS',
            'index' => 2,
            'isDefault' => false,
        ),
    ),

    /* No logout endpoint was published by the SP. */
    'SingleLogoutService' => array(),

    /*
     * Attribute names the SP advertises.
     * NOTE(review): entry 4 is a sentence of descriptive text rather than an
     * attribute name; it looks like it was carried over from the SP's XML by
     * the metadata converter. Confirm the intended attribute name with the SP.
     */
    'attributes' => array(
        'ChannelName',
        'CompanyIdentifier',
        'Action',
        'Groups',
        'The attribute will contain the URL to redirect the user to upon timeout.',
        'ApplicationData',
    ),
    'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic',

    /*
     * Signatures on AuthnRequests from this SP are not required, and the
     * Assertion element is not signed on its own for this SP. Signing of the
     * enclosing Response is governed by a separate option not set here.
     */
    'validate.authnrequest' => false,
    'saml20.sign.assertion' => false,

    /* Source file this entry was converted from. */
    'metarefresh:src' => '/home/accounts/simplesamlphp/test.xml',
);


saml20-idp-remote.php

<?php
/**
 * SAML 2.0 remote IdP metadata for simpleSAMLphp.
 *
 * Remember to remove the IdPs you don't use from this file.
 *
 * See: https://rnd.feide.no/content/idp-remote-metadata-reference
 */
/*
 * Guest IdP: allows users to sign up and register. Great for testing!
 */
/*$metadata['https://openidp.feide.no'] = array(
        'name' => array(
                'en' => 'Feide OpenIdP - guest users',
                'no' => 'Feide Gjestebrukere',
        ),
'description'          => 'Here you can login with your account on Feide RnD OpenID. If you do not already have an account on this identity provider, you can create a new one by following the create new account link and follow the instructions.',
        'SingleSignOnService'  => 'https://openidp.feide.no/simplesaml/saml2/idp/SSOService.php',
        'SingleLogoutService'  => 'https://openidp.feide.no/simplesaml/saml2/idp/SingleLogoutService.php',
        'certFingerprint'      => 'c9ed4dfb07caf13fc21e0fec1572047eb8a7a4cb'
);
*/
$metadata['https://accounts.example.com/saml/saml2/idp/metadata.php'] = array(
    'metadata-set' => 'saml20-idp-remote',
    'entityid' => 'https://accounts.example.com/saml/saml2/idp/metadata.php',

    /* The IdP offers a single SSO endpoint, HTTP-POST only. */
    'SingleSignOnService' => array(
        array(
            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
            'Location' => 'https://accounts.example.com/saml/saml2/idp/SSOService.php',
        ),
    ),
    'SingleLogoutService' => 'https://accounts.example.com/saml/saml2/idp/SingleLogoutService.php',

    /*
     * NOTE(review): certData is empty, so an SP relying on this entry has no
     * key with which to verify the IdP's signatures. It should carry the
     * base64 body of the IdP's signing certificate (accounts.crt in the
     * hosted IdP configuration on this page) — confirm before use.
     */
    'certData' => '',
    'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',

    /* Organisation strings, keyed by language tag. */
    'OrganizationName' => array('en' => 'Advisors Excel'),
    'OrganizationDisplayName' => array('en' => 'Advisors Excel'),
    'OrganizationURL' => array('en' => 'http://www.example.com'),
);

Peter Schober

Sep 17, 2013, 4:20:32 AM9/17/13
to simple...@googlegroups.com
* Mike Napier <mike....@advisorsexcel.com> [2013-09-16 22:57]:
> > I'm trying to use simpleSAML to perform the method described on this page.
> > http://saml.xml.org/wiki/idp-initiated-single-sign-on-post-binding
> >
> > I'm acting as the idP and have tested the authentication through it with a
> > test SP and everything is working.
> > Can someone help me understand how for step 4 of that link I can create
> > the base64 encoded response to post to the SP? Is there an URL for the idP
> > I can call that'll return this? Or can simpleSAML handle the whole exchange
> > and I can send a user to a single URL through simpleSAML that'll
> > authenticate with my idP and post the response to the SP?

The latter:
http://simplesamlphp.org/docs/stable/simplesamlphp-idp-more#section_4

-peter

Mike Napier

Sep 17, 2013, 3:38:16 PM9/17/13
to simple...@googlegroups.com
Thank you for clearing that up for me, much appreciated!