The Assertion Query/Request profile specifies a means for requesting existing assertions using a unique identifier. The requester initiates the profile by sending an assertion request, referenced by the identifier, to a SAMLv2 authority. The SAMLv2 authority processes the request, checks the assertion cache for the identifier, and issues a response to the requester.
To store assertions generated during single sign-on, add the following attribute to the metadata file of the identity provider acting as the SAMLv2 authority.
<IDPSSOConfig metaAlias="/idp">
    <Attribute name="assertionCacheEnabled">
        <Value>true</Value>
    </Attribute>
</IDPSSOConfig>
To configure for assertion queries, the following tags must be defined in the identity provider standard metadata.
<IDPSSODescriptor WantAuthnRequestsSigned="false"
    protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionIDRequestService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="http://isdev-3.red.iplanet.com:58080/fam/AIDReqSoap/IDPRole/metaAlias/idp"/>
    <AssertionIDRequestService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:URI"
        Location="http://isdev-3.red.iplanet.com:58080/fam/AIDReqUri/IDPRole/metaAlias/idp"/>
</IDPSSODescriptor>
<AttributeAuthorityDescriptor
    protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionIDRequestService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="http://isdev-3.red.iplanet.com:58080/fam/AIDReqSoap/AttrAuthRole/metaAlias/attra"/>
    <AssertionIDRequestService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:URI"
        Location="http://isdev-3.red.iplanet.com:58080/fam/AIDReqUri/AttrAuthRole/metaAlias/attra"/>
</AttributeAuthorityDescriptor>
<AuthnAuthorityDescriptor
    protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionIDRequestService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="http://isdev-3.red.iplanet.com:58080/fam/AIDReqSoap/AuthnAuthRole/metaAlias/authna"/>
    <AssertionIDRequestService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:URI"
        Location="http://isdev-3.red.iplanet.com:58080/fam/AIDReqUri/AuthnAuthRole/metaAlias/authna"/>
</AuthnAuthorityDescriptor>
The following tags must be defined in the identity provider extended metadata.
<IDPSSOConfig metaAlias="/idp">
    <Attribute name="assertionIDRequestMapper">
        <Value>com.sun.identity.saml2.plugins.DefaultAssertionIDRequestMapper</Value>
    </Attribute>
</IDPSSOConfig>
<AttributeAuthorityConfig metaAlias="/attra">
    <Attribute name="assertionIDRequestMapper">
        <Value>com.sun.identity.saml2.plugins.DefaultAssertionIDRequestMapper</Value>
    </Attribute>
</AttributeAuthorityConfig>
<AuthnAuthorityConfig metaAlias="/authna">
    <Attribute name="assertionIDRequestMapper">
        <Value>com.sun.identity.saml2.plugins.DefaultAssertionIDRequestMapper</Value>
    </Attribute>
</AuthnAuthorityConfig>
com.sun.identity.saml2.plugins.DefaultAssertionIDRequestMapper is the default implementation used to process the assertion request. (See com.sun.identity.saml2.plugins.AssertionIDRequestMapper in the Sun OpenSSO Enterprise 8.0 Java API Reference.) To define a customized mapper, change the value of the assertionIDRequestMapper property in the IDP, attribute authority or authentication authority extended metadata.
The supported bindings are SOAP and URI. The SOAP binding works with the default mapper; to use the URI binding, you must do the following.
Write an implementation of com.sun.identity.saml2.plugins.AssertionIDRequestMapper.
The authenticateRequesterURI() method must return normally (without throwing an exception) for a requester that is allowed to retrieve the assertion.
Modify the value of the assertionIDRequestMapper element in the identity provider metadata to match the name of the custom implementation.
To send a request for an assertion from a service provider, use one of the following methods of com.sun.identity.saml2.profile.AssertionIDRequestUtil.
public static Response sendAssertionIDRequest(
    AssertionIDRequest assertionIDRequest,
    String samlAuthorityEntityID,
    String role,
    String realm,
    String binding) throws SAML2Exception;

public static Assertion sendAssertionIDRequestURI(
    String assertionID,
    String samlAuthorityEntityID,
    String role,
    String realm) throws SAML2Exception;
To construct an AssertionIDRequest object, use com.sun.identity.saml2.assertion.* and com.sun.identity.saml2.protocol.*.
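As an added example (not code from the OpenSSO documentation), the following service-provider-side helper builds an AssertionIDRequest for one assertion ID and sends it over the SOAP binding with sendAssertionIDRequest(), then validates the response before trusting it. The factory methods (ProtocolFactory.createAssertionIDRequest(), AssertionFactory.createAssertionIDRef() and createIssuer()), SAML2Utils.generateID() and the SAML2Constants names used here are assumptions about the OpenSSO API and not taken from this page.

```java
import java.util.Collections;
import java.util.Date;
import java.util.List;
import com.sun.identity.saml2.assertion.Assertion;
import com.sun.identity.saml2.assertion.AssertionFactory;
import com.sun.identity.saml2.assertion.AssertionIDRef;
import com.sun.identity.saml2.assertion.Issuer;
import com.sun.identity.saml2.common.SAML2Constants;
import com.sun.identity.saml2.common.SAML2Exception;
import com.sun.identity.saml2.common.SAML2Utils;
import com.sun.identity.saml2.profile.AssertionIDRequestUtil;
import com.sun.identity.saml2.protocol.AssertionIDRequest;
import com.sun.identity.saml2.protocol.ProtocolFactory;
import com.sun.identity.saml2.protocol.Response;

public class AssertionIDQueryClient {

    /** Fetch a previously issued (cached) assertion by ID from the SAMLv2 authority. */
    public static Assertion fetchAssertion(String assertionID, String requesterEntityID,
            String authorityEntityID, String realm) throws SAML2Exception {
        // Assumed factory API: build the request with a fresh ID, version, issue instant
        // and an Issuer naming this service provider.
        AssertionIDRequest req = ProtocolFactory.getInstance().createAssertionIDRequest();
        req.setID(SAML2Utils.generateID());
        req.setVersion(SAML2Constants.VERSION_2_0);
        req.setIssueInstant(new Date());
        Issuer issuer = AssertionFactory.getInstance().createIssuer();
        issuer.setValue(requesterEntityID);
        req.setIssuer(issuer);
        // The AssertionIDRef names the cached assertion we want returned.
        AssertionIDRef ref = AssertionFactory.getInstance().createAssertionIDRef();
        ref.setValue(assertionID);
        req.setAssertionIDRefs(Collections.singletonList(ref));

        // Send to the IDP role of the authority over the SOAP binding (method from the page).
        Response resp = AssertionIDRequestUtil.sendAssertionIDRequest(
            req, authorityEntityID, SAML2Constants.IDP_ROLE, realm, SAML2Constants.SOAP);

        // Check the status code before using anything in the response.
        String status = resp.getStatus().getStatusCode().getValue();
        if (!SAML2Constants.SUCCESS_URI.equals(status)) {
            throw new SAML2Exception("Assertion query failed with status " + status);
        }
        List assertions = resp.getAssertion();
        if (assertions == null || assertions.isEmpty()) {
            throw new SAML2Exception("No assertion returned for ID " + assertionID);
        }
        Assertion a = (Assertion) assertions.get(0);
        // Confirm the authority returned the assertion that was actually requested.
        if (!assertionID.equals(a.getID())) {
            throw new SAML2Exception("Returned assertion ID does not match the request");
        }
        return a;
    }
}
```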