Sun Java System Access Manager 7 2005Q4 Federation and SAML Administration Guide

SOAP Messages

SOAP messages consist of three parts: an envelope, header data, and a message body. The SAML <Request> and <Response> elements are carried in the message body, not in the header. A SAML requester transmits a <Request> element within the body of a SOAP message to the SAML SOAP Receiver of the responding entity.


Note –

The SAML API and the Java API for XML Messaging (JAXM) are used to construct SOAP messages and send them to the SAML SOAP Receiver.


The following two samples illustrate a SOAP exchange for the Web Browser Artifact Profile. The first is a request in which the destination site presents the artifact it received from the user's browser and asks the source site for the authentication assertion that the artifact refers to. The request is signed: the <ds:Reference> URI points at the id attribute of the <Request> element, so the signature covers the entire request, including the artifact.


Example 9–1 SOAP Request for Authentication Assertion Using Web Browser Artifact Profile


POST /authn HTTP/1.1
Host: idp.example.com
Content-type: text/xml
Content-length: nnnn
<soap-env:Envelope
xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/">
<soap-env:Header/>
<soap-env:Body>
<samlp:Request xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
	xmlns:lib="http://projectliberty.org/schemas/core/2002/12"
	xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
	xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	IssueInstant="2002-12-12T10:08:56Z"
	MajorVersion="1"
	MinorVersion="0"
	RequestID="e4d71c43-c89a-426b-853e-a2b0c14a5ed8"
	id="ericssonb6dc3636-f2ad-42d1-9427-220f2cf70ec1"
	xsi:type="lib:SignedSAMLRequestType">
	<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
		<ds:SignedInfo>
			<ds:CanonicalizationMethod
				Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
			</ds:CanonicalizationMethod>
			<ds:SignatureMethod
				Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1">
			</ds:SignatureMethod>
			<ds:Reference URI="#ericssonb6dc3636-f2ad-42d1-9427-220f2cf70ec1">
				<ds:Transforms>
					<ds:Transform
						Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature">
					</ds:Transform>
					<ds:Transform
						Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
					</ds:Transform>
				</ds:Transforms>
				<ds:DigestMethod
					Algorithm="http://www.w3.org/2000/09/xmldsig#sha1">
				</ds:DigestMethod>
				<ds:DigestValue>+k6TnolGkIPKZlpUQVyok8dwkuE=</ds:DigestValue>
			</ds:Reference>
		</ds:SignedInfo>
		<ds:SignatureValue>
			wXJMVoPO1V1jFnWJPyOWqP5Gqm8A1+/2b5gNzF4L4LMu4yEcRtttLdPPT3bvhwkwHXjL9
			NuOFumQ5YEyiVzlNcjAxX0LfgwutvEdJb748IU4L+8obXPXfqTZLiBK1RbHCRmRvjlPIu
			22oGCV6EwuiWRvOD6Ox9svtSgFJ+iXkZQ
		</ds:SignatureValue>
		<ds:KeyInfo>
			<ds:X509Data>
			<ds:X509Certificate>
			MIIDMTCCApqgAwIBAgIBHDANBgkqhkiG9w0BAQQFADCBlTELMAkGA1UEBhMCVVMxCzAJB
			gNVBAcTAlNGMRkwFwYDVQQKExBMaWJlcnR5IEFsbGlhbmNlMRQwEgYDVQQLEwtJT1AgVG
			VzdGVyczEiMCAGA1UEAxMZTGliZXJ0eSBUZXN0ZXJzIENlcnRpZmllcjEkMCIGCSqGSIb
			3DQEJARYVcnJvZHJpZ3VlekBuZW9zb2wubmV0MB4XDTAyMTIwNDE1NTg0NFoXDTEyMTIw
			MTE1NTg0NFowgasxCzAJBgNVBAYTAlVTMQswCQYDVQQHEwJTRjEkMCIGA1UEChMbTGliZ
			XJ0eSBBbGxpYW5jZSBlcmljc3Nvbi1hMSYwJAYDVQQLEx1JT1AgVGVzdGVycyBlcmljc3
			Nvbi1hIHNpZ25lcjEXMBUGA1UEAxMOZXJpY3Nzb24tYS5pb3AxKDAmBgkqhkiG9w0BCQE
			WGXJyb2RyaWd1ZXpAZXJpY3Nzb24tYS5pb3AwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
			AoGBAPUoGYvJxQc5jzDnJ14TV6TaTbB3fH95ju24Z0y6HQxm6gXdJSAoWh7/AIes4UcV0
			9DC2kKS6Vow2YoXt2LIyH9HWH2tEUt1jS/PUeBHEWcW3tFezM6jh5GG5rCuVPZaW9eoGU
			bFPSzOPFKUAwdHUXSDWufY1KZ93IxhOBeZgg6VAgMBAAGjeTB3MEoGCWCGSAGG+EIBDQQ
			9FjtUaGlzIHNpZ25pbmcgY2VydCB3YXMgY3JlYXRlZCBmb3IgdGVzdGluZy4gRG8gbm90
			IHRydXN0IGl0LjAJBgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIEMDALBgNVHQ8EBAMC
			BsAwDQYJKoZIhvcNAQEEBQADgYEAR/HSgBpAprQwQVyWDE9pCaiduKv4/W/+hrdpXlVKS
			r6TIlg4ouDCQJNos7tNuG9ZAbfWtHvCss51N2cfAzfns/DKqxRqcsxzL5ZUBksPpmsDob
			oopUv6Xm8RFsi7yB9AGaVuqObeY/+m70nOu03O+FlMN3U1k2E3rOKXlU1noC0
			</ds:X509Certificate>
			</ds:X509Data>
		</ds:KeyInfo>
	</ds:Signature>
	<samlp:AssertionArtifact>
		AAM1uXw6+f+jyA/4XuFHqPl7QDvc/LIQL9+t7YQtG1Gwk9bph0Adl+o+
	</samlp:AssertionArtifact>
</samlp:Request>
</soap-env:Body>
</soap-env:Envelope>
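The destination site has work to do before it can send a request like Example 9–1: it must decode the artifact the browser delivered, decide which source site (and therefore which SAML SOAP Receiver) the artifact refers to, and only then build the SOAP request. The following is an added example of that step, written for this page; it is not code from the guide or from Access Manager, and it uses only the Python standard library. Decoding the sample artifact shows type code 0x0003, the Liberty ID-FF artifact type; SAML 1.0 itself defines type 0x0001 with the same 2-byte TypeCode, 20-byte SourceID, 20-byte AssertionHandle layout. The provider identifier, the trust table, its endpoint URL and the SHA-1 derivation of SourceID (a Liberty convention; plain SAML 1.0 only requires a 20-byte value the destination site can map to a source) are assumptions for the example.

```python
# Destination-site side of the Web Browser Artifact Profile: decode the artifact
# from the browser, find the SAML SOAP Receiver it refers to, and build the
# SOAP request shown in Example 9-1. Added example; not Access Manager code.
import base64
import hashlib
import os
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
ET.register_namespace("soap-env", SOAP_ENV)
ET.register_namespace("samlp", SAMLP)

# Artifact from Example 9-1 with its whitespace removed. Both type codes below
# use the 2-byte TypeCode + 20-byte SourceID + 20-byte AssertionHandle layout.
SAMPLE_ARTIFACT = "AAM1uXw6+f+jyA/4XuFHqPl7QDvc/LIQL9+t7YQtG1Gwk9bph0Adl+o+"
ARTIFACT_TYPES = {0x0001: "SAML 1.0 artifact", 0x0003: "Liberty ID-FF artifact"}


def decode_artifact(artifact_b64):
    """Return (type_code, source_id, assertion_handle) or raise ValueError.

    Length and type are checked before any lookup, so a truncated, padded or
    unknown-type artifact is rejected without touching the network."""
    raw = base64.b64decode(artifact_b64, validate=True)
    if len(raw) != 42:
        raise ValueError("artifact must be 42 bytes, got %d" % len(raw))
    type_code = int.from_bytes(raw[:2], "big")
    if type_code not in ARTIFACT_TYPES:
        raise ValueError("unsupported artifact type 0x%04x" % type_code)
    return type_code, raw[2:22], raw[22:42]


def make_artifact(type_code, source_id, handle=None):
    """Inverse of decode_artifact; used here to construct artifacts for testing."""
    handle = handle if handle is not None else os.urandom(20)
    if len(source_id) != 20 or len(handle) != 20:
        raise ValueError("SourceID and AssertionHandle must each be 20 bytes")
    return base64.b64encode(type_code.to_bytes(2, "big") + source_id + handle).decode("ascii")


def liberty_source_id(provider_id):
    """Liberty ID-FF convention (assumed here): SourceID is SHA-1 of the ProviderID."""
    return hashlib.sha1(provider_id.encode("utf-8")).digest()


# Constructed trust table: SourceID -> SOAP Receiver URL of a known source site.
# Artifacts whose SourceID is not listed are never resolved.
TRUSTED_SOURCES = {
    liberty_source_id("https://idp.example.com"): "https://idp.example.com/soap",
}


def resolve_endpoint(artifact_b64):
    """Map an artifact to the SOAP Receiver that must be asked to dereference it."""
    _, source_id, _ = decode_artifact(artifact_b64)
    try:
        return TRUSTED_SOURCES[source_id]
    except KeyError:
        raise ValueError("artifact from an unknown source site") from None


def build_artifact_request(artifact_b64, request_id=None, now=None):
    """Wrap one samlp:Request carrying the artifact in a SOAP envelope.

    This is the unsigned shape of Example 9-1; the XML signature in the sample
    would be added by a signing library over the same <Request> element."""
    request_id = request_id or str(uuid.uuid4())
    now = now or datetime.now(timezone.utc)
    env = ET.Element("{%s}Envelope" % SOAP_ENV)
    ET.SubElement(env, "{%s}Header" % SOAP_ENV)
    body = ET.SubElement(env, "{%s}Body" % SOAP_ENV)
    req = ET.SubElement(body, "{%s}Request" % SAMLP, {
        "MajorVersion": "1", "MinorVersion": "0",
        "RequestID": request_id,
        "IssueInstant": now.strftime("%Y-%m-%dT%H:%M:%SZ"),
    })
    ET.SubElement(req, "{%s}AssertionArtifact" % SAMLP).text = artifact_b64
    return request_id, ET.tostring(env, encoding="unicode")


if __name__ == "__main__":
    type_code, sid, handle = decode_artifact(SAMPLE_ARTIFACT)
    print("sample artifact: %s, SourceID %s" % (ARTIFACT_TYPES[type_code], sid.hex()))
    art = make_artifact(0x0001, liberty_source_id("https://idp.example.com"))
    rid, xml = build_artifact_request(art)
    print("POST to", resolve_endpoint(art))
    print(xml)
```

The RequestID returned by build_artifact_request must be kept until the response arrives, because the InResponseTo attribute of the <Response> is checked against it. The artifact should be sent to the resolved endpoint over a TLS connection that authenticates the source site, and each artifact should be presented once only.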

In response to the request, the SAML SOAP Receiver must return either a <Response> element within the body of another SOAP message or a SOAP fault code (error message) for every request received. Errors within the SAML problem domain, such as an artifact that cannot be resolved, are reported in the <Status> element of a <Response>; a SOAP fault is reserved for problems with the SOAP message exchange itself. The following sample is a response that contains an authentication assertion.


Example 9–2 SOAP Response to SOAP Request for Web Browser Artifact Profile


HTTP/1.1 200 OK
Content-Type: text/xml
Content-Length: nnnn
<soap-env:Envelope
	xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/">
	<soap-env:Header/>
	<soap-env:Body>
		<samlp:Response
			xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
			InResponseTo="RPCUk2ll+GVz+t1lLURp51oFvJXk"
			IssueInstant="2002-10-31T21:42:13Z" 
			MajorVersion="1" MinorVersion="0"
			Recipient="http://localhost:8080/sp"
			ResponseID="LANWfL2xLybnc+BCwgY+p1/vIVAj">
			<samlp:Status>
				<samlp:StatusCode
					xmlns:qns="urn:oasis:names:tc:SAML:1.0:protocol"
					Value="qns:Success">
				</samlp:StatusCode>
			</samlp:Status>
			<saml:Assertion
				xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
				xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
				xmlns:lib="http://projectliberty.org/schemas/core/2002/12"
				xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
				AssertionID="SqMC8Hs2vJ7Z+t4UiLSmhKOSUO0U"
				InResponseTo="RPCUk2ll+GVz+t1lLURp51oFvJXk"
				IssueInstant="2002-10-31T21:42:13Z" 
				Issuer="http://host:8080/idp"
				MajorVersion="1" MinorVersion="0"
				xsi:type="lib:AssertionType">
				<saml:Conditions
					NotBefore="2002-10-31T21:42:12Z"
					NotOnOrAfter="2002-10-31T21:42:43Z">
					<saml:AudienceRestrictionCondition>
						<saml:Audience>http://localhost:8080/sp</saml:Audience>
					</saml:AudienceRestrictionCondition>
				</saml:Conditions>
				<saml:AuthenticationStatement
					AuthenticationInstant="2002-10-31T21:42:13Z"
					AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
					xsi:type="lib:AuthenticationStatementType">
					<saml:Subject xsi:type="lib:SubjectType">
						<saml:NameIdentifier>
							C9FfGouQdBJ7bpkismYgd8ygeVb3PlWK
						</saml:NameIdentifier>
						<saml:SubjectConfirmation>
							<saml:ConfirmationMethod>
								urn:oasis:names:tc:SAML:1.0:cm:artifact-01
							</saml:ConfirmationMethod>
						</saml:SubjectConfirmation>
						<lib:IDPProvidedNameIdentifier>
							C9FfGouQdBJ7bpkismYgd8ygeVb3PlWK
						</lib:IDPProvidedNameIdentifier>
					</saml:Subject>
				</saml:AuthenticationStatement>
				<ds:Signature>
					<ds:SignedInfo>
						<ds:CanonicalizationMethod
							Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
						</ds:CanonicalizationMethod>
						<ds:SignatureMethod
							Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1">
						</ds:SignatureMethod>
						<ds:Reference URI="">
							<ds:Transforms>
								<ds:Transform
									Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature">
								</ds:Transform>
								<ds:Transform
									Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
								</ds:Transform>
							</ds:Transforms>
							<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1">
							</ds:DigestMethod>
							<ds:DigestValue>ZbscbqHTX9H8bBftRIWlG4Epv1A=</ds:DigestValue>
						</ds:Reference>
					</ds:SignedInfo>
					<ds:SignatureValue>
						H+q3nC3jUalj1uKUVkcC4iTFClxeZQIFF0nvHqPS5oZhtkBaDb9qI
						TA7gIkotaB584wXqTXwsfsuIrwT5uL3r85Rj7IF6NeCeiy3K0+z3u
						ewxyeZPz8wna449VNm0qNHYkgNak9ViNCp0/ks5MAttoPo2iLOfaK
						u3wWG6d1G+DM=
					</ds:SignatureValue>
				</ds:Signature>
			</saml:Assertion>
		</samlp:Response>
	</soap-env:Body>
</soap-env:Envelope>


Note –

The entities requesting and responding with SAML must not include more than one SAML request or response per SOAP message, and must not include any additional XML elements in the SOAP body. A SAML SOAP Receiver should treat a body that violates either rule as malformed and answer with a SOAP fault rather than process whichever element it happens to find first.
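The checks that both ends of this exchange must make before acting on what they received, as an added example written for this page (not code from the guide or from Access Manager; standard library only): the receiver enforces the one-SAML-element rule from the note and extracts the artifact from a <Request>, and the requester accepts a <Response> only if it answers the RequestID it sent, reports Success, is inside its <Conditions> window, names it as <Audience> and is confirmed by the artifact method. The two envelopes at the bottom are constructed, abbreviated forms of Examples 9–1 and 9–2 with the signatures removed; verifying those signatures is assumed to happen before any of these checks run, and the clock is passed in explicitly so the example is reproducible.

```python
# Receiver- and requester-side checks on the SOAP exchange above: the one-element
# rule from the note, artifact extraction from a Request, and acceptance of a
# Response. Added example, not Access Manager code; standard library only. The
# XML signatures in Examples 9-1 and 9-2 are assumed verified before this runs.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
CM_ARTIFACT = "urn:oasis:names:tc:SAML:1.0:cm:artifact-01"


class SoapFault(Exception):
    """The SOAP message itself is unacceptable; the receiver answers with a SOAP fault."""


class SamlError(Exception):
    """A SAML-level problem; a receiver reports it in <samlp:Status>, not as a fault."""


def single_saml_element(envelope_xml, local_name):
    """soap-env:Body must hold exactly one samlp:<local_name> and nothing else.
    Anything else is a SOAP fault, not a reason to process the first element found."""
    env = ET.fromstring(envelope_xml)
    body = env.find("{%s}Body" % SOAP_ENV)
    if env.tag != "{%s}Envelope" % SOAP_ENV or body is None:
        raise SoapFault("not a SOAP envelope with a Body")
    children = list(body)
    if len(children) != 1 or children[0].tag != "{%s}%s" % (SAMLP, local_name):
        raise SoapFault("Body must contain exactly one samlp:%s" % local_name)
    return children[0]


def artifact_from_request(envelope_xml):
    """Receiver side: the single AssertionArtifact carried by the Request."""
    arts = single_saml_element(envelope_xml, "Request").findall("{%s}AssertionArtifact" % SAMLP)
    if len(arts) != 1 or not (arts[0].text or "").strip():
        raise SamlError("expected exactly one non-empty AssertionArtifact")
    return arts[0].text.strip()


def _instant(value):
    # The samples use whole seconds in UTC; extend if a partner sends fractions.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def accept_artifact_response(envelope_xml, expected_request_id, audience, now):
    """Requester side: accept the Response only if it answers our RequestID, reports
    Success, is valid at `now` (datetime or ISO string), names us as Audience and is
    confirmed by the artifact method. Returns the asserted NameIdentifier."""
    now = _instant(now) if isinstance(now, str) else now
    resp = single_saml_element(envelope_xml, "Response")
    if resp.get("InResponseTo") != expected_request_id:
        raise SamlError("InResponseTo does not match the RequestID we sent")
    code = resp.find("{%s}Status/{%s}StatusCode" % (SAMLP, SAMLP))
    # Value is a QName such as "qns:Success"; compare its local part.
    if code is None or code.get("Value", "").split(":")[-1] != "Success":
        raise SamlError("status is not Success")
    assertions = resp.findall("{%s}Assertion" % SAML)
    if len(assertions) != 1:
        raise SamlError("expected exactly one Assertion")
    a = assertions[0]
    cond = a.find("{%s}Conditions" % SAML)
    if cond is not None:
        if cond.get("NotBefore") and now < _instant(cond.get("NotBefore")):
            raise SamlError("assertion not yet valid")
        if cond.get("NotOnOrAfter") and now >= _instant(cond.get("NotOnOrAfter")):
            raise SamlError("assertion expired")
        audiences = [e.text.strip() for e in cond.iter("{%s}Audience" % SAML) if e.text]
        if audiences and audience not in audiences:
            raise SamlError("assertion is not addressed to this audience")
    cm = a.find(".//{%s}ConfirmationMethod" % SAML)
    if cm is None or (cm.text or "").strip() != CM_ARTIFACT:
        raise SamlError("subject not confirmed by the artifact method")
    name_id = a.find(".//{%s}NameIdentifier" % SAML)
    if name_id is None or not (name_id.text or "").strip():
        raise SamlError("assertion carries no NameIdentifier")
    return name_id.text.strip()


# Constructed, abbreviated forms of Examples 9-1 and 9-2 with the signatures removed.
REQUEST_XML = ('<soap-env:Envelope xmlns:soap-env="%s"><soap-env:Header/><soap-env:Body>'
    '<samlp:Request xmlns:samlp="%s" MajorVersion="1" MinorVersion="0" '
    'RequestID="e4d71c43-c89a-426b-853e-a2b0c14a5ed8" IssueInstant="2002-12-12T10:08:56Z">'
    '<samlp:AssertionArtifact>AAM1uXw6+f+jyA/4XuFHqPl7QDvc/LIQL9+t7YQtG1Gwk9bph0Adl+o+'
    '</samlp:AssertionArtifact></samlp:Request></soap-env:Body></soap-env:Envelope>' % (SOAP_ENV, SAMLP))
RESPONSE_XML = ('<soap-env:Envelope xmlns:soap-env="%s"><soap-env:Header/><soap-env:Body>'
    '<samlp:Response xmlns:samlp="%s" InResponseTo="RPCUk2ll+GVz+t1lLURp51oFvJXk" '
    'IssueInstant="2002-10-31T21:42:13Z" MajorVersion="1" MinorVersion="0">'
    '<samlp:Status><samlp:StatusCode xmlns:qns="%s" Value="qns:Success"/></samlp:Status>'
    '<saml:Assertion xmlns:saml="%s" AssertionID="SqMC8Hs2vJ7Z+t4UiLSmhKOSUO0U" '
    'IssueInstant="2002-10-31T21:42:13Z" Issuer="http://host:8080/idp" MajorVersion="1" MinorVersion="0">'
    '<saml:Conditions NotBefore="2002-10-31T21:42:12Z" NotOnOrAfter="2002-10-31T21:42:43Z">'
    '<saml:AudienceRestrictionCondition><saml:Audience>http://localhost:8080/sp</saml:Audience>'
    '</saml:AudienceRestrictionCondition></saml:Conditions>'
    '<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">'
    '<saml:Subject><saml:NameIdentifier>C9FfGouQdBJ7bpkismYgd8ygeVb3PlWK</saml:NameIdentifier>'
    '<saml:SubjectConfirmation><saml:ConfirmationMethod>%s</saml:ConfirmationMethod>'
    '</saml:SubjectConfirmation></saml:Subject></saml:AuthenticationStatement>'
    '</saml:Assertion></samlp:Response></soap-env:Body></soap-env:Envelope>'
    % (SOAP_ENV, SAMLP, SAMLP, SAML, CM_ARTIFACT))
```

The two exception types mirror the distinction in the text: a SoapFault means the receiver never reached the SAML layer and returns a SOAP fault, while a SamlError is what a receiver would turn into a non-Success <Status>. Note how short the sample's validity window is (31 seconds); with that window a requester whose clock drifts by more than a few seconds will reject valid assertions, so clock synchronisation between source and destination site is part of deploying this profile.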