SSO

The <SSO> element is used to enable and configure support for Single Sign-On/Authentication protocols within the SP. This is of course the primary function of the software, so it is generally present within the <Sessions> element to enable and control SSO settings.

For each protocol activated in the <SSO> element, the order of the Bindings is controlled in protocols.xml.

The use of the <SSO> element results in a basic chain of initiator plugins installed at the recommended "/Login" handler location. For advanced scenarios that require additional plugins or options, explicit <SessionInitiator> elements can be added at the end of the surrounding <Sessions> element, but you should never install those handlers at the same default location as the one used by this element. To prevent unforeseen interactions, you should probably remove the shorthand element entirely in that case.

Attributes

Each attribute is listed as name (type; default), followed by its description.

entityID (URI; no default)
If set, establishes an assumed IdP to use for authentication, if none is passed explicitly with a query string parameter or overridden via content settings.

discoveryProtocol (string; no default)
Protocol to use for the Discovery Service. Typically either "SAMLDS" (SAML Discovery Service protocol) or "WAYF" (legacy Shibboleth WAYF protocol).

discoveryURL (URL; no default)
Location of the discovery service, e.g., https://ds.example.org/DS

relayState (string; no default)
Overrides the relayState setting from the <Sessions> element.

entityIDParam (string; no default)
Optional, advanced setting that overrides the name of the query string parameter used to select the IdP. Normally "entityID" and "providerId" are the supported parameter names. This is provided for unusual application requirements.

target (URL; no default)
Locks the resource to return to after SSO to a fixed value, even when the handler runs because another resource is being actively protected. In other words, this value overrides the actual resource location whenever SSO redirection is automatic, including on initial access and after a timeout.

The following attribute can be specified for SAML1 and SAML2 protocols:

isPassive (boolean; default false)
If true, causes the <samlp:AuthnRequest>'s IsPassive attribute to be "true". Can be overridden by content setting or query string parameter.

The following attributes can be specified for the SAML2 protocols:

template (local pathname; no default)
An HTML template used during transmission of the <samlp:AuthnRequest> message.

outgoingBindings (space-delimited URIs; no default)
List of SAML binding identifiers that determines the order of preferred <md:SingleSignOnService> bindings to use for the request. If this setting is used, failing to list a binding will prevent the use of an IdP that only supports the omitted binding.

acsByIndex (boolean; default false)
If true, the location of the assertion consumer service to return the assertion to is passed by reference (using an index), rather than passing an explicit URL and binding. Because of the difficulty of ensuring consistent indexing between local configuration and metadata, this is not an advisable feature.

postArtifact (boolean; default false)
If true, the SAML artifact binding is implemented using a form POST rather than a redirect.

forceAuthn (boolean; default false)
If true, causes the <samlp:AuthnRequest>'s ForceAuthn attribute to be "true". Can be overridden by content setting or query string parameter. This asks the IdP for forced reauthentication (bypassing SSO).

authnContextClassRef (space-delimited URIs; no default)
If set, inserts a <samlp:RequestedAuthnContext> element containing the class reference(s) into the <samlp:AuthnRequest>. This can be a whitespace-delimited list of classes to request. Can be overridden by content setting or query string parameter.
This can also be configured on a per-IdP basis via a RelyingParty setting (only applies if a more general value is not supplied).

authnContextComparison (one of "exact", "minimum", "maximum", "better"; default "exact")
If set, inserts a <samlp:RequestedAuthnContext> element containing the comparison operator into the <samlp:AuthnRequest>. Can be overridden by content setting or query string parameter. Ignored unless an authnContextClassRef value is set.
This can also be configured on a per-IdP basis via a RelyingParty setting (only applies if a more general value is not supplied).

ECP (boolean; default false)
If set, enables Enhanced Client/Proxy profile support, causing the SP to recognize the headers sent by an ECP-enabled client and respond with an ECP request instead of a redirect. Note that when this occurs, the IdP need not be known for a request to be generated, unlike in the normal case.

requestDelegation (boolean; default false)
If set, causes the request to carry a <saml:Conditions> element that includes a <saml:AudienceRestriction> identifying the IdP as a desired relying party for the resulting assertion. This convention is associated with support for delegation, in which the SP can authenticate itself with the assertion as the user in the course of subsequent requests to the IdP.

NameIDFormat (URI; no default)
If set, causes the request to require the IdP to respond with a NameID identifier of the given format. If the IdP cannot fulfill this requirement, it will return an error response (if correctly implemented).
This can also be configured on a per-IdP basis via a RelyingParty setting (only applies if a more general value is not supplied).

SPNameQualifier (URI; no default)
If set, causes the authentication request to carry a <samlp:NameIDPolicy> with an SPNameQualifier containing the provided value. If the receiving IdP cannot fulfill this requirement, it will return an error response (if correctly implemented).
This can also be configured on a per-IdP basis via a RelyingParty setting (only applies if a more general value is not supplied).

signing
Controls outbound signing of XML messages. See Signing & Encryption.

encryption
Controls outbound encryption of XML messages and content. See Signing & Encryption.

externalInput (boolean; default true)
If false, the handler ignores query string parameters supplied by the client (the overrides noted above for entityID, target, isPassive, forceAuthn and the authentication context settings), so that only the local configuration and content settings apply. Set this to false when the application must not let a client choose the IdP or the post-SSO return location.
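The following Python script is an added example, not part of this page or of the Shibboleth SP code base. It shows how the SAML2 settings above map onto the <samlp:AuthnRequest> the SP sends: isPassive and forceAuthn become attributes, NameIDFormat and SPNameQualifier become a <samlp:NameIDPolicy>, requestDelegation becomes <saml:Conditions>/<saml:AudienceRestriction> naming the IdP, and authnContextClassRef with authnContextComparison become a <samlp:RequestedAuthnContext> (the comparison is dropped when no class is requested, as the table says). The entity IDs and endpoint URLs are made up, and the function names and the settings dictionary are this example's own, not the SP's API.

```python
"""Map <SSO> settings onto a <samlp:AuthnRequest> (added example, not SP code)."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Defaults follow the attribute table; an empty string means "not set".
DEFAULTS = {
    "isPassive": False,
    "forceAuthn": False,
    "authnContextClassRef": "",
    "authnContextComparison": "exact",
    "NameIDFormat": "",
    "SPNameQualifier": "",
    "requestDelegation": False,
}


def build_authn_request(sp_entity_id, idp_entity_id, sso_location,
                        acs_url, acs_binding, **overrides):
    """Return a <samlp:AuthnRequest> Element built from <SSO>-style settings."""
    cfg = {**DEFAULTS, **overrides}
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": sso_location,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": acs_binding,
    })
    # Boolean flags are only emitted when true (the schema default is false).
    if cfg["isPassive"]:
        req.set("IsPassive", "true")
    if cfg["forceAuthn"]:
        req.set("ForceAuthn", "true")
    # Child order follows the AuthnRequest schema: Issuer, NameIDPolicy,
    # Conditions, RequestedAuthnContext.
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    if cfg["NameIDFormat"] or cfg["SPNameQualifier"]:
        policy = ET.SubElement(req, f"{{{SAMLP}}}NameIDPolicy")
        if cfg["NameIDFormat"]:
            policy.set("Format", cfg["NameIDFormat"])
        if cfg["SPNameQualifier"]:
            policy.set("SPNameQualifier", cfg["SPNameQualifier"])
    if cfg["requestDelegation"]:
        cond = ET.SubElement(req, f"{{{SAML}}}Conditions")
        restriction = ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction")
        ET.SubElement(restriction, f"{{{SAML}}}Audience").text = idp_entity_id
    classes = cfg["authnContextClassRef"].split()
    if classes:  # authnContextComparison is ignored without a class list
        rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext",
                            {"Comparison": cfg["authnContextComparison"]})
        for class_ref in classes:
            ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = class_ref
    return req


def summarize(req):
    """Flatten the settings-controlled parts of a request for inspection."""
    policy = req.find(f"{{{SAMLP}}}NameIDPolicy")
    rac = req.find(f"{{{SAMLP}}}RequestedAuthnContext")
    return {
        "IsPassive": req.get("IsPassive"),
        "ForceAuthn": req.get("ForceAuthn"),
        "NameIDFormat": None if policy is None else policy.get("Format"),
        "SPNameQualifier": None if policy is None else policy.get("SPNameQualifier"),
        "Comparison": None if rac is None else rac.get("Comparison"),
        "Classes": [] if rac is None else [e.text for e in rac],
        "Audience": [e.text for e in req.iter(f"{{{SAML}}}Audience")],
        "Order": [c.tag.rsplit("}", 1)[1] for c in req],
    }


def demo():
    """Serialize a request asking for forced MFA-or-better with a persistent NameID."""
    req = build_authn_request(
        "https://sp.example.org/shibboleth",                      # constructed
        "https://idp.example.org/idp/shibboleth",                 # constructed
        "https://idp.example.org/idp/profile/SAML2/Redirect/SSO",  # constructed
        "https://sp.example.org/Shibboleth.sso/SAML2/POST",        # constructed
        "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        forceAuthn=True,
        authnContextClassRef="https://refeds.org/profile/mfa",
        authnContextComparison="minimum",
        NameIDFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    )
    return ET.tostring(req, encoding="unicode")


if __name__ == "__main__":
    print(demo())
```

Run it to see the serialized request; compare the output against what the SP actually emits (for example from a browser's SAML tracer) when validating a configuration change to these attributes.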

Element Content

The content of the element is a whitespace-delimited list of "protocol" identifiers. Protocol identifiers are listed in preferential order, with the most preferred first. The three listed below are built into the SP.

SAML2

SAML 2.0 Browser SSO profile.

As a protocol handler, an entityID must be specified/known, which is then used to check for metadata with an <md:IDPSSODescriptor> role supporting SAML 2.0. The absence of either causes a warning to be logged and the handler otherwise ignores the request.

A "supporting" IdP's role element has a protocolSupportEnumeration attribute containing the value "urn:oasis:names:tc:SAML:2.0:protocol", with at least one <md:SingleSignOnService> whose Binding the SP is willing to use (see outgoingBindings above).

See also SAML2 Sessions Configurations.

SAML1

SAML 1.x Browser-POST and Browser-Artifact profiles.

As a protocol handler, an entityID must be specified/known, which is then used to check for metadata with an <md:IDPSSODescriptor> role supporting Shibboleth 1.x. The absence of either causes a warning to be logged and the handler otherwise ignores the request.

A "supporting" IdP's role element has a protocolSupportEnumeration attribute containing the value "urn:mace:shibboleth:1.0", with an accompanying <md:SingleSignOnService> with a Binding of "urn:mace:shibboleth:1.0:profiles:AuthnRequest".

ADFS

WS-Federation Passive Interoperability Profile (legacy ADFS).

The ADFS handler is only available if the adfs.so extension library is loaded by the SP.

As a protocol handler, an entityID must be specified/known, which is then used to check for metadata with an <md:IDPSSODescriptor> role supporting ADFS. The absence of either causes a warning to be logged and the handler otherwise ignores the request.

A "supporting" IdP's role element has a protocolSupportEnumeration attribute containing the value "http://schemas.xmlsoap.org/ws/2003/07/secext", with an accompanying <md:SingleSignOnService> with a Binding of "http://schemas.xmlsoap.org/ws/2003/07/secext".
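The following Python script is an added example, not part of this page or of the Shibboleth SP, covering both the outgoingBindings caveat in the attribute table and the per-protocol metadata checks described above. It walks the <SSO> element content in preference order, checks the IdP's <md:IDPSSODescriptor> protocolSupportEnumeration for the URI each handler requires, and then picks the first preferred binding the IdP actually offers. The metadata document is constructed for this example; the SAML2 binding preference order in the PROTOCOLS table is an assumption (the real SP takes it from protocols.xml unless outgoingBindings overrides it), and the function names are this example's own.

```python
"""Select an IdP SSO endpoint from metadata as the <SSO> handlers do (added example)."""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"

# Per-protocol requirements on the IdP's <md:IDPSSODescriptor>. The SAML2
# binding order is an ASSUMED default standing in for protocols.xml.
PROTOCOLS = {
    "SAML2": {
        "support": "urn:oasis:names:tc:SAML:2.0:protocol",
        "bindings": [
            "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
            "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
            "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact",
        ],
    },
    "SAML1": {
        "support": "urn:mace:shibboleth:1.0",
        "bindings": ["urn:mace:shibboleth:1.0:profiles:AuthnRequest"],
    },
    "ADFS": {
        "support": "http://schemas.xmlsoap.org/ws/2003/07/secext",
        "bindings": ["http://schemas.xmlsoap.org/ws/2003/07/secext"],
    },
}

# Constructed sample metadata (fictional entities, not from any federation).
METADATA = f"""<md:EntitiesDescriptor xmlns:md="{MD}">
  <md:EntityDescriptor entityID="https://idp.example.org/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:mace:shibboleth:1.0">
      <md:SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
          Location="https://idp.example.org/idp/profile/Shibboleth/SSO"/>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://idp.example.org/idp/profile/SAML2/POST/SSO"/>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://post-only.example.net/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://post-only.example.net/idp/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def idp_role(metadata_xml, entity_id, protocol):
    """Return the IdP's <md:IDPSSODescriptor> if it advertises `protocol`, else None."""
    if protocol not in PROTOCOLS:
        raise ValueError(f"unknown protocol identifier: {protocol}")
    root = ET.fromstring(metadata_xml)
    for ed in root.iter(f"{{{MD}}}EntityDescriptor"):
        if ed.get("entityID") != entity_id:
            continue
        for role in ed.findall(f"{{{MD}}}IDPSSODescriptor"):
            supported = role.get("protocolSupportEnumeration", "").split()
            if PROTOCOLS[protocol]["support"] in supported:
                return role
    return None


def select_endpoint(metadata_xml, entity_id, protocol, outgoing_bindings=None):
    """Return (binding, location) for the first preferred binding the IdP offers."""
    role = idp_role(metadata_xml, entity_id, protocol)
    if role is None:
        return None  # the SP logs a warning and the handler ignores the request
    preferred = PROTOCOLS[protocol]["bindings"]
    if outgoing_bindings and protocol == "SAML2":  # outgoingBindings is SAML2-only
        preferred = outgoing_bindings.split()
    offered = {s.get("Binding"): s.get("Location")
               for s in role.findall(f"{{{MD}}}SingleSignOnService")}
    for binding in preferred:  # preference order wins, not metadata order
        if binding in offered:
            return binding, offered[binding]
    return None  # a binding left out of outgoingBindings makes this IdP unusable


def resolve(sso_content, metadata_xml, entity_id, outgoing_bindings=None):
    """Walk the <SSO> element content ("SAML2 SAML1 ...") in order and return
    (protocol, binding, location) for the first protocol the IdP supports."""
    for protocol in sso_content.split():
        hit = select_endpoint(metadata_xml, entity_id, protocol, outgoing_bindings)
        if hit:
            return (protocol,) + hit
    return None


if __name__ == "__main__":
    print(resolve("SAML2 SAML1", METADATA, "https://idp.example.org/idp/shibboleth"))
    print(select_endpoint(METADATA, "https://post-only.example.net/idp", "SAML2",
                          "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"))
```

The second call in the usage block returns None: the IdP only publishes HTTP-POST, so an outgoingBindings value that lists only HTTP-Redirect rules it out, which is exactly the failure mode the attribute table warns about.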

Examples

A basic example using a single, fixed IdP, supporting the common SAML protocols:

<SSO entityID="https://idp.example.org/idp/shibboleth"> SAML2 SAML1 </SSO>

An example using a SAML Discovery Service and supporting ECP:

<SSO discoveryProtocol="SAMLDS" ECP="true" discoveryURL="https://examplefederation.org/DS"> SAML2 SAML1 </SSO>

For a legacy Shibboleth WAYF Service, just replace the discoveryProtocol value with "WAYF".