/
Remote Operations Reference

Remote Operations Reference

DRAFT

The is an initial reference to the operations implemented by the Java-based Hub plugins in support of the SP V4 Agents and any future Agents developed by us or third parties.

This material is subject to change but is at alpha/beta level stability at this time. There will be additional operations defined for logout and probably for providing OIDC information flows such as client metadata and key sets.

General DDF Message Format

Input messages are not entirely standardized, but:

  • Currently the Agent identity is not included (it’s in the HTTP layer) but this may change.

  • Not all messages will include an application ID, but many do, and it is always named “application”.

  • All messages MAY include a “txid” member that is simply a correlation ID for Hub logging purposes and is opaque otherwise.

  • If the message includes a forwarded HTTP request, it will be in a structure member called “http” (see below).

Output messages are always a structure with some defined members that may or may not be present, plus any others defined by the operation.

Member Name

DDF Type

Content/Definition

Member Name

DDF Type

Content/Definition

event

string

Always present, contains “success”, or the error event resulting from a failed operation.

target

unsafe_string

Recovered resource URL acquired from original Agent request or by mapping a supplied state token back into the URL.

cached_auth

string

If present, a value to use as a cached authentication value in a cookie agreed upon OOB (typically JSESSIONID or __Host-JSESSIONID as approproate for the deployed container). It is optional for agents to support or use this.

http

struct

If present, contains an HTTP response to relay back to the user Agent. Not all operations will contain one, but usually if they do, it will be mandatory and expected by the Agent.

All operations are top-level webflows defined at /idp/profile/sp/opname

Unless otherwise specified, all operations MAY return an “event” member as noted above, and a number of standard events exist for invalid input scenarios.

HTTP Remoting

When an HTTP request has to be remoted (in whole or in part), the input will contain a struct member named “http” with the following substructure:

Member Name

DDF Type

Content/Definition

Member Name

DDF Type

Content/Definition

scheme

string

Requested scheme (generally https or http)

hostname

unsafe_string

Requested hostname reported by web server

port

integer

Requested port

content_type

string

Value of content type header

body

unsafe_string

Body content. Nominally calling this unsafe and to be handled as bytes, but probably will end up being assumed to be UTF-8 when actually processed as data by the Hub.

content_length

long integer

Value of content length header

remote_user

string

Value of REMOTE_USER internal server variable

remote_addr

string

Requesting client address as reported by web server

local_addr

string

Server address as reported by web server

method

string

Requested HTTP method

uri

unsafe_string

Requested URI (the part after the scheme, host, and port

url

unsafe_string

Requested URL (including scheme, host, and port (if non-default)

query

string

Requested query string

headers

structure

Each header is populated as a member whose name is the header name and whose unsafe_string value is the header value

When an HTTP response has to be remoted, the output will contain a struct member named “http” with the following substructure:

Member Name

DDF Type

Content/Definition

Member Name

DDF Type

Content/Definition

redirect

unsafe_string

Redirect URL to return to client, mutually exclusive with response structure

response.data

unsafe_string

Response body

response.status

integer

HTTP response status code

headers

list

Each header is populated as a list element whose name is the header name and whose unsafe_string value is the header value

Agent Authentication

Details TBD, just parking one issue for now…

The caching support in the Hub to leverage the JSESSIONID cookie works less well unless Jetty is told to drop the node suffix from its cookie values:

jetty.sessionIdManager.workerName=

Without that, the session ID inside the app server is not a one for one match to the cookie and while Jetty sees and honors the session if the cookie contains only the partial value, it keeps reissuing a Set-Cookie header to the Agent every time with the same value (but with the worker name suffixed). Doesn’t really hurt anything.

General Operations

These are generic functions that don’t involve a specific Application and so the input does not carry an “application” member.

ping

Testing operation that returns the current epoch in seconds.

Member Name

DDF Type

Content/Definition

Member Name

DDF Type

Content/Definition

epoch

longinteger

Current epoch in seconds

session-cache

Remote implementation of a session cache. In practice implemented via the OpenSAML StorageService API but this is not an exposed assumption of the operation.

To avoid complexity, the HTTP method is fixed as POST, as many client libraries complicate use of other methods when using request bodies.

Create Operation

Stores new sessions and returns a key for retrieval.

Member Name

DDF Type

Content/Definition

Member Name

DDF Type

Content/Definition

op

string

“C”

session

structure

session data structure, treated as opaque by the operation

storage_timeout

longinteger

time in seconds until newly created records should expire from underlying storage

Member Name

DDF Type

Content/Definition

Member Name

DDF Type

Content/Definition

key

string

newly created session key

Event

Description

Event

Description

InputOutputError

Storage-related exception

InvalidMessage

Malformed input

MessageProcessingError

Failure to produce a usable/unique key after exhausting attempts

Read Operation

Retrieves existing sessions using the key returned by a Create. If no matching session is found, an empty response is returned.

Member Name

DDF Type

Content/Definition

Member Name

DDF Type

Content/Definition

op

string

“R”

key

string

session key

storage_timeout

longinteger

time in seconds until newly created records should expire from underlying storage, needed to compute last access of session, required iff “timeout” supplied

timeout

integer

optional, instructs Hub to determine if session has expired from inactivity

Member Name

DDF Type

Content/Definition

Member Name

DDF Type

Content/Definition

session

structure

session data structure, treated as opaque by the operation

Event

Description

Event

Description

InputOutputError

Storage-related exception

InvalidMessage

Malformed input

InvalidSession

Corrupt or unusable session record

ExpiredSession

Session existed but has expired based on policy

Update Operation

Updates a session in place if it has not been updated past a specified version. If the session no longer exists, an empty response is returned.

Member Name

DDF Type

Content/Definition

Member Name

DDF Type

Content/Definition

op

string

“U”

key

string

session key

ver

integer

current session version

storage_timeout

longinteger

time in seconds until newly created records should expire from underlying storage, needed to compute last access of session

session

structure

session data structure, treated as opaque by the operation

Member Name

DDF Type

Content/Definition

Member Name

DDF Type

Content/Definition

ver

integer

updated session version

Event

Description

Event

Description

InputOutputError

Storage-related exception

InvalidMessage

Malformed input

VersionMismatch

The record was already updated beyond the specified version

Touch Operation

Updates a session’s last access time to the current time.

Member Name

DDF Type

Content/Definition

Member Name

DDF Type

Content/Definition

op

string

“T”

key

string

session key

storage_timeout

longinteger

time in seconds until newly created records should expire from underlying storage, needed to compute last access of session

timeout

integer

optional, instructs Hub to determine if session has expired from inactivity

None

Event

Description

Event

Description

InputOutputError

Storage-related exception

InvalidMessage

Malformed input

ExpiredSession

Session existed but has expired based on policy

MissingSession

Session no longer exists

Delete Operation

Deletes a session record.

Member Name

DDF Type

Content/Definition

Member Name

DDF Type

Content/Definition

op

string

“D”

key

string

session key

None

Event

Description

Event

Description

InputOutputError

Storage-related exception

InvalidMessage

Malformed input

MissingSession

Session no longer exists

Handler Operations

session-initiator

API to initiate a login request to an IdP on behalf of the requesting Agent’s application. This is a facade for an unbounded set of subflows that implement support for particular protocols. The input contract contains some fixed inputs and variable inputs that depend on the implementation(s) of subflows available. The operation will attempt any number of initiator subflows in a defined order until one succeeds or all have failed.

Member Name

DDF Type

Content/Definition

Member Name

DDF Type

Content/Definition

application

string

Application ID for request

state

string

A translated state token used to recover the URL to direct the user Agent after processing a response to thie request being created, indicates that the state has already been generated

disco_return_url

string

Set to the URL Encoded Discovery protocol’s “return” parameter in the event discovery should be attempted if needed. The requirement to encode it at the Agent is why it’s passed as a “string” rather than an “unsafe_string”, which is necessary because the Hub will be required to append a parameter to the URL to embed/add the state token once it is generated.

The presence of this member instructs the Hub’s support for Discovery that it MAY be performed and the supplied value used as the basis of the “return” parameter. Of course, Discovery will only occur if it is needed.

The absence of this member precludes the Hub from issuing requests for Discovery, resulting in failure in the event that an authenticating authority cannot be determined.

Agents MUST ensure that they do not loop; that is, they MUST already attach a query string parameter they will recgonize into the URL to identify that the request to the Agent already resulted from a Discovery attempt and so should omit this member from a subsequent request to this operation to prevent the cycle from repeating.

In short, Agents should check for the presence of their internally defined signal, then if absent include this self-referencing URL into their request, but omit it if the signal is detected.

Finally, note that the target resource if known should NOT be included as a parameter in this URL as doing so would expose the value to the DS. The Hub will ensure proper handling of the target resource supplied separately and ensure the proper state token is added to this URL before use. Likewise, any existing “state” parameter supplied in the query string should be removed.

target

unsafe_string

Required in the absence of the “state” parameter to supply the resource URL

http

structure

Remoted request from client to provide access to input cookie(s) when handling state token translation and request correlation.

This may optionally include a “body” child carrying the request body in the event that POST preservation is requested by the Agent for the request. The Hub is the arbiter of whether preservation is enabled for the Agent.

response_url

string or list

If a string, the value is a “universal” response URL that should handle any protocol or binding.

If a list, then compatibility with legacy binding-specific endpoints is enabled. Each list element is a string node whose value is the location URL. The name of the node must be set to one of a set of legacy binding indicators that map to SAML bindings to facilitate legacy compatibility with pre-V4 endpoint layout.

Member Name

DDF Type

Content/Definition

Member Name

DDF Type

Content/Definition

http

structure

a remoted/tunneled HTTP response to deliver to the client (including cookies, etc.)

Event

Description

Event

Description

NoPotentialFlow

No configured initiator subflows handled the request

initiator/saml2

Session initiator subflow supporting SAML 2.0, i.e., responsible for producing SAML 2.0 <AuthnRequest> messages on behalf of Agents. A number of inputs are supported to influence request generation, typically based on content, but this can be disallowed on a per-Agent/Application/RelyingParty basis.

Member Name

DDF Type

Content/Definition

Member Name

DDF Type

Content/Definition

authority

string

IdP to use, if known