SAML Profile for SSO in Danish Public Sector V2.0 Assertion Examples,




SAML Profile for SSO in Danish Public Sector V2.0 Assertion Examples, Version 1.1
IT- og Telestyrelsen, Center for Serviceorienteret Infrastruktur, August 2007

1 Introduction

This non-normative document contains a number of examples of XML messages defined in the DK-SAML 2.0 profile. Note that all examples are produced by hand and are thus not generated by a computer program. Therefore, differences may occur in real-life deployments. Note further that the examples have been simplified in order to improve readability and clarity. For example, encryption of elements is not shown, and long binary values or repeated elements have been shortened. Therefore, the examples won't validate directly against the SAML XML schemas published by OASIS.

2 SAML Assertion with OCES Attribute Profile

The first example shows an assertion conforming to the OCES Attribute Profile with citizen attributes (without encryption):

<saml:Assertion ID="idvalue31231231231312" IssueInstant="2001-12-31T12:00:00" Version="2.0"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Issuer>http://someidentityprovider.dk/idpservice</saml:Issuer>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#idvalue31231231231312">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>tcdvsug6grhyhbzhqfwfzgrxipe=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>
      x/gypbzmfee85pgd3c1axg4vspb9v9jgcjwcrckrtwps6vdvnccy5rhafpywkf+5
      EIYcPzx+pX1h43SmwviCqXRjRtMANWbHLhWAptaK1ywS7gFgsD01qjyen3CP+m3D
      w6vkhaqledl0byyrizb4kkho4ahnybvxbjwqv5puae4=
    </ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <!-- The Identity Provider's OCES Certificate -->
        <ds:X509Certificate>
          MIICyjCCAjOgAwIBAgICAnUwDQYJKoZIhvcNAQEEBQAwgakxCzAJBgNVBAYTAlVT
          MRIwEAYDVQQIEwlXaXNjb25zaW4xEDAOBgNVBAcTB01hZGlzb24xIDAeBgNVBAoT
          F1VuaXZlcnNpdHkgb2YgV2lzY29uc2luMSswKQYDVQQLEyJEaXZpc2l...
        </ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">
      C=DK,O=Pølsevognen,CN=Hans Jensen
    </saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="http://SomeServiceProvider.dk"
          NotOnOrAfter="2001-12-31T12:00:00"
          InResponseTo="Authn_request_identifier_1234567">
      </saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>http://someserviceprovider.dk</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2005-01-31T12:00:00Z" SessionIndex="29393948329">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:X509</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <!-- Surname Core Attribute -->
    <saml:Attribute Name="urn:oid:2.5.4.4" FriendlyName="surName">
      <saml:AttributeValue xsi:type="xs:string">Jensen</saml:AttributeValue>
    </saml:Attribute>
    <!-- Common Name Core Attribute -->
    <saml:Attribute Name="urn:oid:2.5.4.3" FriendlyName="CommonName">
      <saml:AttributeValue xsi:type="xs:string">Hans Jensen</saml:AttributeValue>
    </saml:Attribute>
    <!-- Uid Core Attribute; this is the Subject Serial Number -->
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.1">
      <saml:AttributeValue xsi:type="xs:string">PID:9802-2002-2-149339142439</saml:AttributeValue>
    </saml:Attribute>
    <!-- Email Core Attribute -->
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="email">
      <saml:AttributeValue xsi:type="xs:string">jens@email.dk</saml:AttributeValue>
    </saml:Attribute>
    <!-- Assurance Level Core Attribute -->
    <saml:Attribute Name="dk:gov:saml:attribute:AssuranceLevel">
      <saml:AttributeValue xsi:type="xs:string">2</saml:AttributeValue>
    </saml:Attribute>
    <!-- SpecVer Core Attribute -->
    <saml:Attribute Name="dk:gov:saml:attribute:SpecVer">
      <saml:AttributeValue xsi:type="xs:string">dk-saml-2.0</saml:AttributeValue>
    </saml:Attribute>
    <!-- Now come the attributes from the OCES attribute profile -->
    <!-- Certificate Serial Number Attribute -->
    <saml:Attribute Name="urn:oid:2.5.4.5" FriendlyName="serialNumber">
      <saml:AttributeValue xsi:type="xs:string">234-2345-76745-23</saml:AttributeValue>
    </saml:Attribute>
    <!-- PID Number Attribute -->
    <saml:Attribute Name="dk:gov:saml:attribute:PidNumberIdentifier">
      <saml:AttributeValue xsi:type="xs:string">9802-2002-2-9142544</saml:AttributeValue>
    </saml:Attribute>
    <!-- CPR Number Attribute -->
    <saml:Attribute Name="dk:gov:saml:attribute:CprNumberIdentifier">
      <saml:AttributeValue xsi:type="xs:string">2702681273</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>

3 Assertion with Persistent Pseudonym

The second example shows an assertion with a persistent pseudonym (without encryption):

<saml:Assertion ID="idvalue31231231231312" IssueInstant="2001-12-31T12:00:00" Version="2.0"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Issuer>http://someidentityprovider.dk/idpservice</saml:Issuer>
  <saml:Subject>
    <!-- Here we have the persistent, opaque identifier -->
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
      005a06e0-ad82-110d-a556-004005b13a2b
    </saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="http://SomeServiceProvider.dk"
          NotOnOrAfter="2001-12-31T12:00:00"
          InResponseTo="Authn_request_identifier_1234567">
      </saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>http://someserviceprovider.dk</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2005-01-31T12:00:00Z" SessionIndex="29393948329">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:X509</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <!-- Assurance Level Core Attribute -->
    <saml:Attribute Name="dk:gov:saml:attribute:AssuranceLevel">
      <saml:AttributeValue xsi:type="xs:string">4</saml:AttributeValue>
    </saml:Attribute>
    <!-- SpecVer Core Attribute -->
    <saml:Attribute Name="dk:gov:saml:attribute:SpecVer">
      <saml:AttributeValue xsi:type="xs:string">dk-saml-2.0</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
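The two assertions above (sections 2 and 3) only carry their protective value if the Service Provider actually checks the bearer SubjectConfirmationData, the AudienceRestriction and the core attributes before it logs the subject in. The following Python is an added example, not part of this document or of any DK-SAML implementation: it parses a constructed assertion modelled on the section 3 example (timestamps given a trailing "Z" so they parse as UTC) and returns every failed check. The SP_CONFIG values, the function names and the problem strings are assumptions made for the example. It does not verify the XML signature; in a deployment the enveloped signature over the Assertion ID must be verified against the Identity Provider's OCES certificate with an XML-DSig library before any of these checks are relied on.

```python
# Added example: Service Provider checks on a DK-SAML bearer assertion.
# Signature verification is assumed to have been done beforehand (not shown).
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Assumed Service Provider configuration (values taken from the document's examples).
SP_CONFIG = {
    "issuer": "http://someidentityprovider.dk/idpservice",   # IdP we trust
    "entity_id": "http://someserviceprovider.dk",            # our Audience value
    "acs_url": "http://SomeServiceProvider.dk",              # our Recipient value
    "request_id": "Authn_request_identifier_1234567",        # AuthnRequest we sent
}

# Constructed sample modelled on the persistent-pseudonym assertion in section 3.
SAMPLE_ASSERTION = """<saml:Assertion ID="idvalue31231231231312" Version="2.0"
    IssueInstant="2001-12-31T11:55:00Z"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <saml:Issuer>http://someidentityprovider.dk/idpservice</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">005a06e0-ad82-110d-a556-004005b13a2b</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="http://SomeServiceProvider.dk"
          NotOnOrAfter="2001-12-31T12:00:00Z"
          InResponseTo="Authn_request_identifier_1234567"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>http://someserviceprovider.dk</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="dk:gov:saml:attribute:AssuranceLevel">
      <saml:AttributeValue xsi:type="xs:string">4</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="dk:gov:saml:attribute:SpecVer">
      <saml:AttributeValue xsi:type="xs:string">dk-saml-2.0</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_instant(text):
    """SAML timestamps are UTC; accept a trailing Z and assume UTC when no zone is given."""
    dt = datetime.fromisoformat(text.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def core_attributes(assertion):
    """Map each Attribute Name to the text of its first AttributeValue."""
    out = {}
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        out[attr.get("Name")] = (value.text or "").strip() if value is not None else None
    return out


def validate_assertion(xml_text, sp, now, min_assurance_level=2):
    """Return (ok, problems); ok is True only when every check passed."""
    problems = []
    a = ET.fromstring(xml_text)
    if a.tag != "{%s}Assertion" % NS["saml"] or a.get("Version") != "2.0":
        return False, ["not a SAML 2.0 Assertion"]
    if a.findtext("saml:Issuer", "", NS).strip() != sp["issuer"]:
        problems.append("unexpected Issuer")
    # Bearer confirmation data binds the assertion to this SP, this request and a time window.
    scd = None
    for sc in a.iterfind("saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") == BEARER:
            scd = sc.find("saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("no bearer SubjectConfirmationData")
    else:
        if scd.get("Recipient") != sp["acs_url"]:
            problems.append("Recipient is not this SP's assertion consumer URL")
        if scd.get("InResponseTo") != sp["request_id"]:
            problems.append("InResponseTo does not match an outstanding AuthnRequest")
        expiry = scd.get("NotOnOrAfter")
        if expiry is None or now >= parse_instant(expiry):
            problems.append("assertion expired (SubjectConfirmationData/NotOnOrAfter)")
    # Conditions: optional validity window plus the mandatory audience check.
    cond = a.find("saml:Conditions", NS)
    if cond is not None:
        if cond.get("NotBefore") and now < parse_instant(cond.get("NotBefore")):
            problems.append("assertion not yet valid (Conditions/NotBefore)")
        if cond.get("NotOnOrAfter") and now >= parse_instant(cond.get("NotOnOrAfter")):
            problems.append("assertion expired (Conditions/NotOnOrAfter)")
    audiences = [(x.text or "").strip()
                 for x in a.iterfind("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp["entity_id"] not in audiences:
        problems.append("SP not named in AudienceRestriction")
    # DK-SAML core attributes: profile version and assurance level.
    attrs = core_attributes(a)
    if attrs.get("dk:gov:saml:attribute:SpecVer") != "dk-saml-2.0":
        problems.append("SpecVer is not dk-saml-2.0")
    try:
        level = int(attrs.get("dk:gov:saml:attribute:AssuranceLevel") or "")
    except ValueError:
        level = 0
    if level < min_assurance_level:
        problems.append("AssuranceLevel below what this service requires")
    return not problems, problems


if __name__ == "__main__":
    print(validate_assertion(SAMPLE_ASSERTION, SP_CONFIG, parse_instant("2001-12-31T11:58:00Z")))
    print(validate_assertion(SAMPLE_ASSERTION, SP_CONFIG, parse_instant("2001-12-31T12:00:00Z")))
```

NotOnOrAfter is inclusive, so a clock reading exactly 12:00:00 already rejects the assertion; the request ID should additionally be removed from the SP's outstanding set once consumed so the same assertion cannot be presented twice.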

4 Authentication Request

Below is shown a signed authentication request sent from a Service Provider:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="Authn_request_identifier_1234567" Version="2.0"
    IssueInstant="2004-12-05T09:21:59Z" AssertionConsumerServiceIndex="1">
  <saml:Issuer>https://www.someserviceprovider.dk/saml2</saml:Issuer>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#Authn_request_identifier_1234567">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>tcdvsug6grhyhbzhqfwfzgrxipe=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>
      x/gypbzmfee85pgd3c1axg4vspb9v9jgcjwcrckrtwps6vdvnccy5rhafpywkf+5
      EIYcPzx+pX1h43SmwviCqXRjRtMANWbHLhWAptaK1ywS7gFgsD01qjyen3CP+m3D
      w6vkhaqledl0byyrizb4kkho4ahnybvxbjwqv5puae4=
    </ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>
          MIICyjCCAjOgAwIBAgICAnUwDQYJKoZIhvcNAQEEBQAwgakxCzAJBgNVBAYTAlVT
          MRIwEAYDVQQIEwlXaXNjb25zaW4xEDAOBgNVBAcTB01hZGlzb24xIDAeBgNVBAoT
          F1VuaXZlcnNpdHkgb2YgV2lzY29uc2luMSswKQYDVQQLEyJEaXZpc2l...
        </ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
</samlp:AuthnRequest>

5 Authentication Response

Below is shown a signed response to an authentication request. Note that the actual assertion is left out for brevity (examples of assertions can be found earlier in this document):

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="identifier_2" InResponseTo="Authn_request_identifier_1234567" Version="2.0"
    IssueInstant="2004-12-05T09:22:05Z" Destination="https://www.SomeServiceProvider.dk">
  <saml:Issuer>http://someidentityprovider.dk/idpservice</saml:Issuer>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#identifier_2">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>tcdvsug6grhyhbzhqfwfzgrxipe=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>
      x/gypbzmfee85pgd3c1axg4vspb9v9jgcjwcrckrtwps6vdvnccy5rhafpywkf+5
      EIYcPzx+pX1h43SmwviCqXRjRtMANWbHLhWAptaK1ywS7gFgsD01qjyen3CP+m3D
      w6vkhaqledl0byyrizb4kkho4ahnybvxbjwqv5puae4=
    </ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>
          MIICyjCCAjOgAwIBAgICAnUwDQYJKoZIhvcNAQEEBQAwgakxCzAJBgNVBAYTAlVT
          MRIwEAYDVQQIEwlXaXNjb25zaW4xEDAOBgNVBAcTB01hZGlzb24xIDAeBgNVBAoT
          F1VuaXZlcnNpdHkgb2YgV2lzY29uc2luMSswKQYDVQQLEyJEaXZpc2l...
        </ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion>
    <!-- Left out for brevity -->
  </saml:Assertion>
</samlp:Response>

6 Attribute Query Examples

This chapter contains a number of example request / response messages illustrating different scenarios with attribute queries. The examples only show SAML messages conforming to the profile and do not detail the encapsulation in SOAP envelopes. Please note that details of XML digital signatures and encryption have been omitted from the examples for the sake of clarity. Some attribute names have been invented for the examples; these should not be regarded as official identifiers. Further standardization of attribute names should occur within the Danish e-government sector.

6.1 Requesting one attribute

The first example shows a request for a Production Site Number attribute (P-number). The request identifies the Subject via the DN from the OCES certificate and the uid core attribute, which contains the subject serial number.

Request message:

<samlp:AttributeQuery ID="idvalue31231231231312" IssueInstant="2001-12-31T12:00:00" Version="2.0"
    Consent="urn:oasis:names:tc:SAML:2.0:consent:current-explicit"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Issuer>http://someserviceprovider.dk</saml:Issuer>
  <ds:Signature>...</ds:Signature>
  <!-- Here is the subject, in this case the DN from the OCES certificate -->
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">
      C=DK,O=Pølsevognen,CN=Hans Jensen
    </saml:NameID>
  </saml:Subject>
  <!-- Here is the Uid Core Attribute which contains the OCES Subject Serial Number -->
  <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.1">
    <saml:AttributeValue xsi:type="xs:string">CVR:20688092-RID:1180636224562</saml:AttributeValue>
  </saml:Attribute>
  <!-- Here is the attribute we request (no value) -->
  <saml:Attribute Name="dk:gov:saml:attribute:ProductionSiteNumberIdentifier"/>
</samlp:AttributeQuery>

Response message from the Attribute Service:

<samlp:Response ID="idvalue31231231231312" IssueInstant="2006-12-31T12:10:00" Version="2.0"
    Consent="urn:oasis:names:tc:SAML:2.0:consent:current-implicit"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Issuer>http://someattributeservice.dk</saml:Issuer>
  <ds:Signature>...</ds:Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    <samlp:StatusMessage>success</samlp:StatusMessage>
  </samlp:Status>
  <!-- Here is the subject, in this case the DN from the OCES certificate -->
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">
      C=DK,O=Pølsevognen,CN=Hans Jensen
    </saml:NameID>
  </saml:Subject>
  <saml:Assertion ID="idvalue131231231312" IssueInstant="2006-12-31T12:12:00" Version="2.0">
    <saml:Issuer>http://someattributeservice.dk</saml:Issuer>
    <!-- Here is the subject, in this case the DN from the OCES certificate -->
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">
        C=DK,O=Pølsevognen,CN=Hans Jensen
      </saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>http://someserviceprovider.dk</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <!-- Here is the Uid Core Attribute which contains the Subject serial number -->
      <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.1">
        <saml:AttributeValue xsi:type="xs:string">CVR:20688092-RID:1180636224562</saml:AttributeValue>
      </saml:Attribute>
      <!-- The returned attribute with the P-Number Identifier -->
      <saml:Attribute Name="dk:gov:saml:attribute:ProductionSiteNumberIdentifier">
        <saml:AttributeValue xsi:type="xs:string">2739661287</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>

6.2 Requesting a set of attributes

Multiple attributes can be requested by simply including multiple <saml:Attribute> elements in the request (one for each requested attribute):

<samlp:AttributeQuery ID="idvalue31231231231312" IssueInstant="2001-12-31T12:00:00" Version="2.0"
    Consent="urn:oasis:names:tc:SAML:2.0:consent:current-explicit"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Issuer>http://someserviceprovider.dk</saml:Issuer>
  <ds:Signature>...</ds:Signature>
  <!-- Here is the subject, in this case the DN from the OCES certificate -->
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">
      C=DK,O=Pølsevognen,CN=Hans Jensen
    </saml:NameID>
  </saml:Subject>
  <!-- Here is the Uid Core Attribute which contains the Subject serial number -->
  <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.1">
    <saml:AttributeValue xsi:type="xs:string">CVR:20688092-RID:1180636224562</saml:AttributeValue>
  </saml:Attribute>
  <!-- Here is an attribute we request (no value) -->
  <saml:Attribute Name="dk:gov:saml:attribute:ProductionSiteNumberIdentifier"/>
  <!-- Here is an attribute we request (no value) -->
  <saml:Attribute Name="dk:gov:saml:attribute:IsManager"/>
  <!-- Here is an attribute we request (no value) -->
  <saml:Attribute Name="dk:gov:saml:attribute:IsAdministrator"/>
</samlp:AttributeQuery>

6.3 Requesting all attributes

All attributes can be requested by omitting <saml:Attribute> elements from the query. However, an attribute specifying the uid core attribute for identification of the subject can still be included.

6.4 Requester doesn't have access to all attributes

When a requester queries for an attribute he is not authorized to receive, the Attribute Service returns a second-level status code of urn:oasis:names:tc:SAML:2.0:status:RequestDenied, followed by a sequence of <StatusDetail> elements describing the reason for not disclosing the attribute:

...
<samlp:Status>
  <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/>
  </samlp:StatusCode>
  <samlp:StatusDetail>Requested attribute CPR is reserved for government organizations</samlp:StatusDetail>
</samlp:Status>
...

6.5 Values do not exist for all requested attributes

Suppose attributes with names attr_a and attr_b have been requested. Both are recognized by the Attribute Service, but the value of attr_a is unknown for this subject. In this situation an empty <AttributeValue> element is returned and the reserved xsi:nil attribute is set:

...
<saml:AttributeStatement>
  <saml:Attribute Name="attr_A">
    <saml:AttributeValue xsi:nil="true"/>
  </saml:Attribute>
  <saml:Attribute Name="attr_B">
    <saml:AttributeValue xsi:type="xs:string">foobar</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
...

<end of examples>
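A requester consuming the responses of sections 6.1, 6.4 and 6.5 has to distinguish four outcomes per attribute: a value was returned, the attribute is known but has no value (xsi:nil), the attribute was not returned at all, or the whole query was refused with a second-level RequestDenied status. The Python below is an added example, not part of this document or of any Attribute Service implementation; it runs over two constructed responses built from the document's values (signatures omitted, as in the document's examples), and the function names and outcome labels are assumptions made for the example. Before any of this is acted on in a deployment, the response signature and Issuer must be verified, which the example does not do.

```python
# Added example: reading DK-SAML Attribute Service responses, including a
# nested StatusCode (6.4) and xsi:nil attribute values (6.5).
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
XSI_NIL = "{http://www.w3.org/2001/XMLSchema-instance}nil"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
REQUEST_DENIED = "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"

XMLNS = ('xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
         'xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
         'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"')

# Constructed: a successful response in which attr_A is known but has no value.
OK_RESPONSE = f"""<samlp:Response ID="r1" Version="2.0" IssueInstant="2006-12-31T12:10:00Z" {XMLNS}>
  <saml:Issuer>http://someattributeservice.dk</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="a1" Version="2.0" IssueInstant="2006-12-31T12:12:00Z">
    <saml:Issuer>http://someattributeservice.dk</saml:Issuer>
    <saml:AttributeStatement>
      <saml:Attribute Name="dk:gov:saml:attribute:ProductionSiteNumberIdentifier">
        <saml:AttributeValue xsi:type="xs:string">2739661287</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="attr_A"><saml:AttributeValue xsi:nil="true"/></saml:Attribute>
      <saml:Attribute Name="attr_B"><saml:AttributeValue xsi:type="xs:string">foobar</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed: the requester asked for an attribute it is not authorized to receive.
DENIED_RESPONSE = f"""<samlp:Response ID="r2" Version="2.0" IssueInstant="2006-12-31T12:10:00Z" {XMLNS}>
  <saml:Issuer>http://someattributeservice.dk</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
      <samlp:StatusCode Value="{REQUEST_DENIED}"/>
    </samlp:StatusCode>
    <samlp:StatusDetail>Requested attribute CPR is reserved for government organizations</samlp:StatusDetail>
  </samlp:Status>
</samlp:Response>"""


def read_status(xml_text):
    """Return (top-level code, second-level code or None, list of StatusDetail texts)."""
    response = ET.fromstring(xml_text)
    top = response.find("samlp:Status/samlp:StatusCode", NS)
    second = top.find("samlp:StatusCode", NS) if top is not None else None
    details = [d.text.strip() for d in response.iterfind("samlp:Status/samlp:StatusDetail", NS) if d.text]
    return (top.get("Value") if top is not None else None,
            second.get("Value") if second is not None else None,
            details)


def read_attributes(xml_text):
    """Map attribute Name -> list of values; an xsi:nil value becomes None,
    which is distinct from the attribute being absent from the response."""
    response = ET.fromstring(xml_text)
    found = {}
    for attr in response.iterfind("saml:Assertion/saml:AttributeStatement/saml:Attribute", NS):
        values = []
        for v in attr.findall("saml:AttributeValue", NS):
            if v.get(XSI_NIL, "false").lower() in ("true", "1"):
                values.append(None)
            else:
                values.append((v.text or "").strip())
        found[attr.get("Name")] = values
    return found


def handle_attribute_response(xml_text, requested):
    """Outcome per requested name: ("value", v), ("no_value", None),
    ("missing", None), ("denied", detail) or ("error", detail)."""
    top, second, details = read_status(xml_text)
    if top != SUCCESS:
        # Never read attribute content out of a non-Success response.
        kind = "denied" if second == REQUEST_DENIED else "error"
        return {name: (kind, "; ".join(details)) for name in requested}
    attrs = read_attributes(xml_text)
    result = {}
    for name in requested:
        if name not in attrs:
            result[name] = ("missing", None)
        elif all(v is None for v in attrs[name]):
            result[name] = ("no_value", None)
        else:
            result[name] = ("value", attrs[name][0])
    return result


if __name__ == "__main__":
    print(handle_attribute_response(OK_RESPONSE, ["attr_A", "attr_B", "attr_C"]))
    print(handle_attribute_response(DENIED_RESPONSE, ["dk:gov:saml:attribute:CprNumberIdentifier"]))
```

Keeping "no_value" and "missing" apart matters for access decisions: the first is the Attribute Service stating that nothing is on record, the second may mean the service filtered the attribute out for this requester.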