Sun OpenSSO Enterprise 8.0 Administration Guide

Requesting a SAMLv2 Assertion

The Assertion Query/Request profile specifies a means for requesting existing assertions using a unique identifier. The requester initiates the profile by sending an assertion request, referenced by the identifier, to a SAMLv2 authority. The SAMLv2 authority processes the request, checks the assertion cache for the identifier, and issues a response to the requester.


Note –

To store assertions generated during single sign-on, add the following attribute to the metadata file of the identity provider acting as the SAMLv2 authority.

<IDPSSOConfig metaAlias="/idp">
<Attribute name="assertionCacheEnabled">
<Value>true</Value>
</Attribute>
</IDPSSOConfig>

To configure for assertion queries, the following tags must be defined in the identity provider standard metadata.

<IDPSSODescriptor WantAuthnRequestsSigned="false"
    protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
      Location="http://isdev-3.red.iplanet.com:58080/fam/AIDReqSoap/IDPRole/metaAlias/idp"/>
  <AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:2.0:bindings:URI"
      Location="http://isdev-3.red.iplanet.com:58080/fam/AIDReqUri/IDPRole/metaAlias/idp"/>
</IDPSSODescriptor>

<AttributeAuthorityDescriptor
    protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
      Location="http://isdev-3.red.iplanet.com:58080/fam/AIDReqSoap/AttrAuthRole/metaAlias/attra"/>
  <AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:2.0:bindings:URI"
      Location="http://isdev-3.red.iplanet.com:58080/fam/AIDReqUri/AttrAuthRole/metaAlias/attra"/>
</AttributeAuthorityDescriptor>

<AuthnAuthorityDescriptor
    protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
      Location="http://isdev-3.red.iplanet.com:58080/fam/AIDReqSoap/AuthnAuthRole/metaAlias/authna"/>
  <AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:2.0:bindings:URI"
      Location="http://isdev-3.red.iplanet.com:58080/fam/AIDReqUri/AuthnAuthRole/metaAlias/authna"/>
</AuthnAuthorityDescriptor>

The following tags must be defined in the identity provider extended metadata.

<IDPSSOConfig metaAlias="/idp">
  <Attribute name="assertionIDRequestMapper">
    <Value>com.sun.identity.saml2.plugins.DefaultAssertionIDRequestMapper</Value>
  </Attribute>
</IDPSSOConfig>

<AttributeAuthorityConfig metaAlias="/attra">
  <Attribute name="assertionIDRequestMapper">
    <Value>com.sun.identity.saml2.plugins.DefaultAssertionIDRequestMapper</Value>
  </Attribute>
</AttributeAuthorityConfig>

<AuthnAuthorityConfig metaAlias="/authna">
  <Attribute name="assertionIDRequestMapper">
    <Value>com.sun.identity.saml2.plugins.DefaultAssertionIDRequestMapper</Value>
  </Attribute>
</AuthnAuthorityConfig>

com.sun.identity.saml2.plugins.DefaultAssertionIDRequestMapper is the default implementation used to process the assertion request. (See com.sun.identity.saml2.plugins.AssertionIDRequestMapper in the Sun OpenSSO Enterprise 8.0 Java API Reference.) To define a customized mapper, change the value of the assertionIDRequestMapper property in the IDP, attribute authority, or authentication authority extended metadata.
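The following script is an added example, not part of the guide or of OpenSSO itself. It checks exported identity provider metadata for the settings this section requires: each authority role descriptor in the standard metadata must advertise the SAMLv2 protocol and carry at least one AssertionIDRequestService endpoint with a SOAP or URI binding, and each config element in the extended metadata must set assertionIDRequestMapper, with assertionCacheEnabled set to true on IDPSSOConfig so there are cached assertions to query. Element matching ignores namespaces so the same checks run on namespaced exports and on bare fragments like those above. It also warns about endpoints that are not served over https, which the guide's development hostnames do not use; the sample metadata embedded in the script is constructed for the example and uses placeholder hostnames.

```python
"""Check OpenSSO SAMLv2 identity provider metadata for assertion-query support.

Added example: not part of the OpenSSO Administration Guide or product.
"""
import xml.etree.ElementTree as ET

SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
SOAP_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
URI_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:URI"
KNOWN_BINDINGS = {SOAP_BINDING, URI_BINDING}

# Role descriptors that can act as a SAMLv2 authority (standard metadata)
# and their counterparts in the OpenSSO extended metadata.
AUTHORITY_ROLES = ("IDPSSODescriptor", "AttributeAuthorityDescriptor",
                   "AuthnAuthorityDescriptor")
CONFIG_ROLES = ("IDPSSOConfig", "AttributeAuthorityConfig", "AuthnAuthorityConfig")


def _local(tag):
    """Element name without namespace, so namespaced and bare fragments both work."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _find_all(root, name):
    return [e for e in root.iter() if _local(e.tag) == name]


def check_standard_metadata(xml_text):
    """Return findings ("ERROR ..." / "WARN ...") for the standard metadata."""
    root = ET.fromstring(xml_text)
    findings = []
    for role in AUTHORITY_ROLES:
        for desc in _find_all(root, role):
            if SAML2_PROTOCOL not in desc.get("protocolSupportEnumeration", "").split():
                findings.append(f"ERROR {role}: protocolSupportEnumeration lacks {SAML2_PROTOCOL}")
            services = _children(desc, "AssertionIDRequestService")
            if not services:
                findings.append(f"ERROR {role}: no AssertionIDRequestService endpoint")
            for svc in services:
                binding, location = svc.get("Binding", ""), svc.get("Location", "")
                if binding not in KNOWN_BINDINGS:
                    findings.append(f"ERROR {role}: unsupported binding {binding!r}")
                if not location:
                    findings.append(f"ERROR {role}: AssertionIDRequestService without Location")
                elif not location.startswith("https://"):
                    findings.append(f"WARN {role}: {location} is not served over https")
    return findings


def _attribute_values(config, name):
    """Texts of <Value> children of <Attribute name=...> under a config element."""
    values = []
    for attr in _children(config, "Attribute"):
        if attr.get("name") == name:
            values.extend((v.text or "").strip() for v in _children(attr, "Value"))
    return values


def check_extended_metadata(xml_text):
    """Return findings for the OpenSSO extended metadata."""
    root = ET.fromstring(xml_text)
    findings = []
    for role in CONFIG_ROLES:
        for config in _find_all(root, role):
            if not any(_attribute_values(config, "assertionIDRequestMapper")):
                findings.append(f"ERROR {role}: assertionIDRequestMapper is not set")
            if role == "IDPSSOConfig":
                cache = [v.lower() for v in _attribute_values(config, "assertionCacheEnabled")]
                if "true" not in cache:
                    findings.append("ERROR IDPSSOConfig: assertionCacheEnabled is not true; "
                                    "SSO assertions will not be cached for later query")
    return findings


# Constructed samples (placeholder hostname). The first pair was never
# configured for assertion queries; the second follows the guide's layout.
INCOMPLETE_STANDARD = """<EntityDescriptor entityID="https://idp.example.com">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</EntityDescriptor>"""
INCOMPLETE_EXTENDED = """<EntityConfig entityID="https://idp.example.com">
  <IDPSSOConfig metaAlias="/idp"/>
</EntityConfig>"""
COMPLETE_STANDARD = """<EntityDescriptor entityID="https://idp.example.com">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://idp.example.com/fam/AIDReqSoap/IDPRole/metaAlias/idp"/>
    <AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:2.0:bindings:URI"
        Location="https://idp.example.com/fam/AIDReqUri/IDPRole/metaAlias/idp"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""
COMPLETE_EXTENDED = """<EntityConfig entityID="https://idp.example.com">
  <IDPSSOConfig metaAlias="/idp">
    <Attribute name="assertionCacheEnabled"><Value>true</Value></Attribute>
    <Attribute name="assertionIDRequestMapper">
      <Value>com.sun.identity.saml2.plugins.DefaultAssertionIDRequestMapper</Value>
    </Attribute>
  </IDPSSOConfig>
</EntityConfig>"""

if __name__ == "__main__":
    for label, findings in (
        ("incomplete standard", check_standard_metadata(INCOMPLETE_STANDARD)),
        ("incomplete extended", check_extended_metadata(INCOMPLETE_EXTENDED)),
        ("complete standard", check_standard_metadata(COMPLETE_STANDARD)),
        ("complete extended", check_extended_metadata(COMPLETE_EXTENDED)),
    ):
        print(f"{label}: {findings or 'OK'}")
```

Run it against the standard and extended metadata exported from your own deployment (for example by pasting the XML into the sample strings): the incomplete pair reports a missing AssertionIDRequestService endpoint, an unset mapper and a disabled assertion cache, while the complete pair reports nothing.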

Supported bindings are SOAP and URI; to implement the URI binding, however, you must do the following.

  1. Write an implementation of com.sun.identity.saml2.plugins.AssertionIDRequestMapper.

    The authenticateRequesterURI() method should return without throwing an exception.

  2. Modify the value of the assertionIDRequestMapper element in the identity provider metadata to match the name of the custom implementation.