The Web Browser POST Profile allows security information to be supplied to a trusted partner site using the HTTP POST method (without the use of an artifact). This interaction consists of two parts. The first part is between a user with a web browser and Access Manager. The second part is between the same user and the trusted partner site. The content of the POST should be signed to ensure message integrity, and the method of transport should be SSL.
The POST profile function is provided by either of two means: an HTTP request to SAMLPOSTProfileServlet, or a call to the SAMLClient API method doWebPost() from a Java application.
The first interaction of the Web Browser POST Profile is as follows:
An authenticated user attempts to access a trusted partner site using a web browser (usually by clicking a link), and the user is redirected to a transfer service at the authority site. In Access Manager, the transfer service is SAMLPOSTProfileServlet.
The base of the transfer service URL is http(s)://access-manager-host.domain:port/deploy-uri/SAMLPOSTProfileServlet. This URL is appended with the location to which the user is requesting access (?TARGET=URL-of-destination). SAMLPOSTProfileServlet provides functions for both Web Browser POST Profile interactions.
Access Manager obtains the TARGET location from the request and matches it against the trusted partners configured in the Trusted Partners attribute of the SAML module.
For more information, see Trusted Partners.
Access Manager generates an assertion using the AssertionManager class of the SAML API.
For information about the AssertionManager class, see com.sun.identity.saml Package.
Access Manager forms, signs, and Base64-encodes a SAMLResponse that contains the assertion.
Access Manager generates an HTML form that contains both the SAMLResponse and the TARGET as parameters and posts the form as an HTTP response back to the user’s browser.
The user’s browser is then directed to the location based on this information.
The second interaction of the Web Browser POST Profile is as follows:
The trusted partner site obtains the TARGET and SAMLResponse from the redirected request.
The trusted partner site decodes the SAMLResponse, verifies the signature on the SAMLResponse, and obtains and verifies the SAML response.
The trusted partner site also verifies the assertion inside the SAMLResponse and enforces single sign-on policy.
Assuming a positive authentication, the trusted partner site obtains or creates an SSOToken and redirects the authenticated user to the TARGET location.
A sample has been provided to test the Web Browser POST Profile function. See SAML Samples.
According to the SAML specifications, the trusted partner site must ensure a single-use policy for SSO assertions that are communicated using the Web Browser POST Profile. SAMLPOSTProfileServlet maintains a store of SSO assertion identifiers and the time that they expire. When an assertion is received, the servlet first checks for an entry in the map. If an entry exists, the servlet returns an error. If an entry does not exist, the assertion identifier and expiration time are saved to the map. POSTCleanUpThread removes expired assertion identifiers periodically.
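The single-use check described above, as an added example that is not Access Manager's own code: it decodes a constructed SAMLResponse form value, pulls the AssertionID and NotOnOrAfter out of the SAML 1.1 assertion, and keeps an identifier-to-expiry map the way the text describes the servlet and POSTCleanUpThread doing it. Signature verification and the rest of assertion validation are assumed to happen before this step, and the sample response, its identifiers and the SingleUseStore class are all constructed for this illustration.

```python
import base64
import calendar
import time
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
SAMLP1_NS = "urn:oasis:names:tc:SAML:1.0:protocol"

# Constructed sample: a minimal SAML 1.1 Response with one assertion, encoded the
# way the HTML form carries it in the SAMLResponse parameter. Signature omitted.
SAMPLE_RESPONSE_XML = (
    f'<samlp:Response xmlns:samlp="{SAMLP1_NS}" xmlns:saml="{SAML1_NS}" '
    'ResponseID="r-1" MajorVersion="1" MinorVersion="1" IssueInstant="2004-01-01T00:00:00Z">'
    '<saml:Assertion AssertionID="a-1234" MajorVersion="1" MinorVersion="1" '
    'Issuer="idp.example" IssueInstant="2004-01-01T00:00:00Z">'
    '<saml:Conditions NotBefore="2004-01-01T00:00:00Z" NotOnOrAfter="2004-01-01T00:05:00Z"/>'
    '</saml:Assertion></samlp:Response>'
)
SAMPLE_SAMLRESPONSE = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def parse_assertion(saml_response_b64):
    """Decode the SAMLResponse form value; return (AssertionID, NotOnOrAfter as epoch seconds)."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    assertion = root.find(f"{{{SAML1_NS}}}Assertion")
    conditions = assertion.find(f"{{{SAML1_NS}}}Conditions")
    expiry = time.strptime(conditions.get("NotOnOrAfter"), "%Y-%m-%dT%H:%M:%SZ")
    return assertion.get("AssertionID"), calendar.timegm(expiry)


class SingleUseStore:
    """Replay store keyed like the servlet's map: assertion identifier -> expiry time."""

    def __init__(self):
        self._seen = {}

    def accept(self, assertion_id, expires_at, now):
        """True the first time an unexpired assertion is presented, False on replay or expiry."""
        if expires_at <= now:            # an expired assertion fails validation anyway
            return False
        if assertion_id in self._seen:   # entry exists: the servlet returns an error
            return False
        self._seen[assertion_id] = expires_at
        return True

    def cleanup(self, now):
        """What POSTCleanUpThread does periodically: drop identifiers whose expiry has passed.
        Safe because accept() rejects anything past NotOnOrAfter even once its entry is gone."""
        expired = [aid for aid, exp in self._seen.items() if exp <= now]
        for aid in expired:
            del self._seen[aid]
        return len(expired)
```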