...

  • The calling code usually has to run on the same virtual host as the handler, because the handler will generally return one or more cookies for the calling code to set on the original client browser. Those cookies are meant for the SP, which means they can only be set by resources running on the same vhost, unless the cookie domain is expanded.
  • Because the SP by default records the client address when the session is created and later checks the address of each request carrying the cookie against that initial address, you will have to either disable the consistentAddress flag (not advisable) or add the real client's address to a special HTTP header that you then specify the SP should read using the REMOTE_ADDR content setting. Normally this is done via the X-Forwarded-For header.

  • The only security mechanism supported between the calling code and the handler is IP address checking. If non-loopback addresses are allowed, then the network segment in between needs to be secured somehow.

...

Most of the assertion is essentially ignored. The only parts of the assertion that are processed are the <NameID> element in the subject, the first <AuthnStatement> element, and all <AttributeStatement> elements. No security checks are performed. The <Issuer> element is used to attempt to locate SAML 2.0 metadata for an IdP, and if that's found, that entity is considered the "source" of the session (for logging, policy, etc.). If not, no issuer is associated with the session.

Of particular note, the client's actual IP address should be placed into the usual spot in the assertion, inside the authentication statement in the <SubjectLocality> element's Address attribute.

To use the Form POST option, the HTTP request must contain a Content-Type header set to application/x-www-form-urlencoded. The set of parameters supported is as follows:

  • protocol
    • A protocol identifier used for logging purposes, and to acquire metadata for the issuer.
  • issuer
    • An entityID or similar unique identifier for the authentication source. Used to look up metadata, when available. If not, no issuer is associated with the session.
  • address
    • The client's IP address.
  • NameID
    • Used as the primary subject identifier for the session.
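As an added example (not part of the Shibboleth documentation or the SP's own code), the following shows how calling code would assemble the Form POST request described above and relay the handler's cookies back to the browser. The protocol identifier and the sample addresses are constructed values; the page does not specify them.

```python
"""Assemble the Form POST sent to the SP's external auth handler (added example)."""
import ipaddress
from urllib.parse import urlencode

# Assumed protocol identifier; the page only says it is used for logging and
# metadata lookup, so any value the SP's logging expects could be used here.
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"


def build_external_auth_post(client_ip, name_id, issuer, protocol=SAML2_PROTOCOL):
    """Return (headers, body) for the handler request.

    The real client address is sent twice: as the 'address' form parameter
    and in X-Forwarded-For, so that an SP configured with the REMOTE_ADDR
    content setting sees the browser's address (not the caller's) when it
    later enforces consistentAddress on the session cookie.
    """
    ipaddress.ip_address(client_ip)  # reject anything that is not an IP literal
    body = urlencode({
        "protocol": protocol,
        "issuer": issuer,      # entityID used to look up IdP metadata, if any
        "address": client_ip,
        "NameID": name_id,     # becomes the session's primary subject identifier
    })
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "X-Forwarded-For": client_ip,
    }
    return headers, body


def relay_session_cookies(handler_headers):
    """Extract Set-Cookie values from the handler's response headers.

    The caller sets these on its own response to the browser; this only
    works because the caller is served from the same vhost as the SP.
    """
    return [value for name, value in handler_headers if name.lower() == "set-cookie"]


if __name__ == "__main__":
    hdrs, payload = build_external_auth_post(
        "203.0.113.7", "jdoe", "https://idp.example.org/idp")  # constructed sample
    print(hdrs, payload)
    # Constructed handler response headers, as a caller would see them.
    print(relay_session_cookies([
        ("Set-Cookie", "_shibsession_example=abc123; path=/; HttpOnly"),
        ("Content-Length", "0"),
    ]))
```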

...