Changes for page ONEcount SAML Server -- How it works
Last modified by Admin User on 2025/01/16 14:24
From version 7.1
edited by Admin User
on 2025/01/16 14:24
on 2025/01/16 14:24
Change comment:
There is no comment for this version
To version 6.1
edited by santosh
on 2022/03/25 10:02
on 2022/03/25 10:02
Change comment:
There is no comment for this version
Summary
Page properties (3 modified, 0 added, 0 removed)
Details
- Page properties
- Title
... ... @@ -1,1 +1,1 @@ 1 -ONEcount SAML Server -- How it works1 +ONEcount SAML Server - Author
... ... @@ -1,1 +1,1 @@ 1 -XWiki.a dmin1 +XWiki.santosh - Content
... ... @@ -1,4 +1,4 @@ 1 - 1 +\\ 2 2 3 3 SAML is setup on ONECount which can support both IDP and SP initiated logins. The main use of this saml is to provide authentication and authorization services for the SP while ONECount being IDP. This document uses the following abbreviations. 4 4 ... ... @@ -17,6 +17,7 @@ 17 17 18 18 **IDP Initiated login: **In this type of login the request for authentication would be by made by a partner site or third party site other than SP. Partner websites link to SP by passing us parameters which service they want to use on SP. We authenticate the user and send required information to SP. In this type login is initiated by IDP to the SP. 19 19 20 +\\ 20 20 21 21 **Login Service :** The total login process can be divided into 3 parts 22 22 ... ... @@ -46,6 +46,7 @@ 46 46 47 47 </samlp:AuthnRequest> 48 48 50 +\\ 49 49 50 50 SigAlg=[[http:~~/~~/www.w3.org/2000/09/xmldsig#rsa-sha1>>url:http://www.w3.org/2000/09/xmldsig#rsa-sha1||shape="rect"]] , 51 51 ... ... @@ -57,6 +57,7 @@ 57 57 58 58 bM441nuRIzAjKeMM8RhegMFjZ4L4xPBHhAfHYqgnYDQnSxC++Qn5IocWuzuBGz7JQmT9C57nxjxgbFIatiqUCQN17aYrLn/mWE09C5mJMYlcV68ibEkbR/JKUQ+2u/N+mSD4/C/QvFvuB6BcJaXaz0h7NwGhHROUte6MoGJKMPE= 59 59 62 +\\ 60 60 61 61 IDP Initiated login: In the case of IDP initiated login the partner site needs to have the relay state which is the url of the SP that they want to user to access. They also need to add a query parameter clientid which is used by the ONECount to correctly identify the client- SP pair. 62 62 ... ... 
@@ -76,7 +76,9 @@ 76 76 77 77 <saml2p:Response Destination="https:~/~/ [[devel.devslg.net>>url:http://devel.devslg.net||shape="rect"]] /sites/all/libraries/simplesaml/www/module.php/saml/sp/saml2-acs.php/default-sp" ID="_e453dc1c2671bc7a1e7a7f58fe400610be0bf5dd80e8f0e2af264c5c32e7d405" IssueInstant="2016-12-07T18:30:12.708Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"> <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https:~/~/saml.onecount.net/saml/resources/metadata</saml2:Issuer> <saml2p:Status> <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /> </saml2p:Status> <saml2:Assertion ID="_64d98f896931e0f8f44d26aaf4146b3c9c8045c6df844f5ea820286879a8830f" IssueInstant="2016-12-07T18:30:12.708Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="[[http:~~/~~/www.w3.org/2001/XMLSchema>>url:http://www.w3.org/2001/XMLSchema||shape="rect"]]"> <saml2:Issuer>https:~/~/saml.onecount.net/saml/resources/metadata</saml2:Issuer> <ds:Signature xmlns:ds="[[http:~~/~~/www.w3.org/2000/09/xmldsig#>>url:http://www.w3.org/2000/09/xmldsig||shape="rect"]]"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="[[http:~~/~~/www.w3.org/2001/10/xml-exc-c14n#>>url:http://www.w3.org/2001/10/xml-exc-c14n||shape="rect"]]" /> <ds:SignatureMethod Algorithm="[[http:~~/~~/www.w3.org/2000/09/xmldsig#rsa-sha1>>url:http://www.w3.org/2000/09/xmldsig#rsa-sha1||shape="rect"]]" /> <ds:Reference URI="#_64d98f896931e0f8f44d26aaf4146b3c9c8045c6df844f5ea820286879a8830f"> <ds:Transforms> <ds:Transform Algorithm="[[http:~~/~~/www.w3.org/2000/09/xmldsig#enveloped-signature>>url:http://www.w3.org/2000/09/xmldsig#enveloped-signature||shape="rect"]]" /> <ds:Transform Algorithm="[[http:~~/~~/www.w3.org/2001/10/xml-exc-c14n#>>url:http://www.w3.org/2001/10/xml-exc-c14n||shape="rect"]]"> <ec:InclusiveNamespaces PrefixList="xs" 
xmlns:ec="[[http:~~/~~/www.w3.org/2001/10/xml-exc-c14n#>>url:http://www.w3.org/2001/10/xml-exc-c14n||shape="rect"]]" /> </ds:Transform> </ds:Transforms> <ds:DigestMethod Algorithm="[[http:~~/~~/www.w3.org/2000/09/xmldsig#sha1>>url:http://www.w3.org/2000/09/xmldsig#sha1||shape="rect"]]" /> <ds:DigestValue>kEHcy+PbvRWUbUDMV1uMHDjkQwA=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>S57N2w12bzKrPdxendqACdajE/3GfoaBYpdRJflcPZcv/lPK6xm6lOsgCYmm94AAN7JLW8k0NCBaPatDmkrWPeA/LUsJzC+SIzO9QiFG7TmQmIJXm6cgZ1HzP2iYdOHFLksuJNAM5vLAcFbcKZFzXo8Jn4NnzLGlk2b1ayARwr9U5hunoHkY2B32GZorvERVLg29UsGmUF5vaL3zu+BxLf39Ee6OGi1oiwB4m9xaCtKK2Hp3nqBL0+2fW87UWPn7GMWyJiSkVc21IfzUaVpmXJg/2Bv0ZEi4KWjlZfFMEJRHVV0X1NmG5khtVwQ1ZJYBUbN2M07yQPgh/xF/7CBW0w==</ds:SignatureValue> </ds:Signature> <saml2:Subject> <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="Onecount SAML" SPNameQualifier="https:~/~/education.annenberg.net/sites/all/libraries/simplesaml/www/module.php/saml/sp/saml2-acs.php/default-sp">Onecount SAML</saml2:NameID> <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> <saml2:SubjectConfirmationData NotBefore="2016-12-07T18:30:12.708Z" NotOnOrAfter="2016-12-07T19:00:12.708Z" Recipient="[[https:~~/~~/education.annenberg.net/sites/all/libraries/simplesaml/www/module.php/saml/sp/saml2-acs.php/default-sp>>url:https://education.annenberg.net/sites/all/libraries/simplesaml/www/module.php/saml/sp/saml2-acs.php/default-sp||shape="rect"]]" /> </saml2:SubjectConfirmation> </saml2:Subject> <saml2:Conditions NotBefore="2016-12-07T18:30:12.708Z" NotOnOrAfter="2016-12-07T19:00:12.708Z"> <saml2:AudienceRestriction> <saml2:Audience>https:~/~/education.annenberg.net/sites/all/libraries/simplesaml/www/module.php/saml/sp/metadata.php/default-sp</saml2:Audience> </saml2:AudienceRestriction> </saml2:Conditions> <saml2:AuthnStatement AuthnInstant="2016-12-07T18:30:12.708Z" 
SessionIndex="_51ed9a81cf54747f8bc674f4e33eba4fa7220d10e5549a25fdccaca7e114e9bb" SessionNotOnOrAfter="2016-12-07T19:00:12.708Z"> <saml2:AuthnContext> <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken</saml2:AuthnContextClassRef> </saml2:AuthnContext> </saml2:AuthnStatement> <saml2:AttributeStatement> <saml2:Attribute Name="Specialty"> <saml2:AttributeValue xmlns:xsi="[[http:~~/~~/www.w3.org/2001/XMLSchema-instance>>url:http://www.w3.org/2001/XMLSchema-instance||shape="rect"]]" xsi:type="xs:string">NA</saml2:AttributeValue> </saml2:Attribute> <saml2:Attribute Name="Profession"> <saml2:AttributeValue xmlns:xsi="[[http:~~/~~/www.w3.org/2001/XMLSchema-instance>>url:http://www.w3.org/2001/XMLSchema-instance||shape="rect"]]" xsi:type="xs:string">University Cancer Specialists</saml2:AttributeValue> </saml2:Attribute> <saml2:Attribute Name="Email"> <saml2:AttributeValue xmlns:xsi="[[http:~~/~~/www.w3.org/2001/XMLSchema-instance>>url:http://www.w3.org/2001/XMLSchema-instance||shape="rect"]]" xsi:type="xs:string">jamiem1985@[[yahoo.com>>url:http://yahoo.com||shape="rect"]]</saml2:AttributeValue> </saml2:Attribute> <saml2:Attribute Name="Degree"> <saml2:AttributeValue xmlns:xsi="[[http:~~/~~/www.w3.org/2001/XMLSchema-instance>>url:http://www.w3.org/2001/XMLSchema-instance||shape="rect"]]" xsi:type="xs:string">NA</saml2:AttributeValue> </saml2:Attribute> <saml2:Attribute Name="First name"> <saml2:AttributeValue xmlns:xsi="[[http:~~/~~/www.w3.org/2001/XMLSchema-instance>>url:http://www.w3.org/2001/XMLSchema-instance||shape="rect"]]" xsi:type="xs:string">Jamie</saml2:AttributeValue> </saml2:Attribute> <saml2:Attribute Name="Prefix"> <saml2:AttributeValue xmlns:xsi="[[http:~~/~~/www.w3.org/2001/XMLSchema-instance>>url:http://www.w3.org/2001/XMLSchema-instance||shape="rect"]]" xsi:type="xs:string">NA</saml2:AttributeValue> </saml2:Attribute> <saml2:Attribute Name="OCID"> <saml2:AttributeValue 
xmlns:xsi="[[http:~~/~~/www.w3.org/2001/XMLSchema-instance>>url:http://www.w3.org/2001/XMLSchema-instance||shape="rect"]]" xsi:type="xs:string">8249</saml2:AttributeValue> </saml2:Attribute> <saml2:Attribute Name="Middle name"> <saml2:AttributeValue xmlns:xsi="[[http:~~/~~/www.w3.org/2001/XMLSchema-instance>>url:http://www.w3.org/2001/XMLSchema-instance||shape="rect"]]" xsi:type="xs:string">NA</saml2:AttributeValue> </saml2:Attribute> <saml2:Attribute Name="Postal code"> <saml2:AttributeValue xmlns:xsi="[[http:~~/~~/www.w3.org/2001/XMLSchema-instance>>url:http://www.w3.org/2001/XMLSchema-instance||shape="rect"]]" xsi:type="xs:string">37923</saml2:AttributeValue> </saml2:Attribute> <saml2:Attribute Name="Last name"> <saml2:AttributeValue xmlns:xsi="[[http:~~/~~/www.w3.org/2001/XMLSchema-instance>>url:http://www.w3.org/2001/XMLSchema-instance||shape="rect"]]" xsi:type="xs:string">Loveday</saml2:AttributeValue> </saml2:Attribute> </saml2:AttributeStatement> </saml2:Assertion></saml2p:Response> 78 78 82 +\\ 79 79 84 +\\ 80 80 81 81 **Logout Service:** 82 82 ... ... 
@@ -102,12 +102,15 @@ 102 102 103 103 SigAlg=[[http:~~/~~/www.w3.org/2000/09/xmldsig#rsa-sha1>>url:http://www.w3.org/2000/09/xmldsig#rsa-sha1||shape="rect"]] , RelayState=[[http:~~/~~/sp.example.com/relaystate>>url:http://sp.example.com/relaystate||shape="rect"]] 104 104 110 +\\ 105 105 106 106 Sample LOGOUT Response 107 107 108 108 <samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="pfxe335499f-e73b-80bd-60c4-1628984aed4f" Version="2.0" IssueInstant="2014-07-18T01:13:06Z" Destination=" [[https:~~/~~/education.annenberg.net/sites/all/libraries/simplesaml/www/module.php/saml/sp/saml2-logout.php/default-sp>>url:https://education.annenberg.net/sites/all/libraries/simplesaml/www/module.php/saml/sp/saml2-logout.php/default-sp||shape="rect"]]" InResponseTo="_21df91a89767879fc0f7df6a1490c6000c81644d"> <saml:Issuer>https:~/~/saml.onecount.net/saml/resources/metadata</saml:Issuer> <ds:Signature xmlns:ds="[[http:~~/~~/www.w3.org/2000/09/xmldsig#>>url:http://www.w3.org/2000/09/xmldsig||shape="rect"]]"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http:~/~/www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm="http:~/~/www.w3.org/2000/09/xmldsig#rsa-sha1"/> <ds:Reference URI="#pfxe335499f-e73b-80bd-60c4-1628984aed4f"> <ds:Transforms> <ds:Transform Algorithm="http:~/~/www.w3.org/2000/09/xmldsig#enveloped-signature"/> <ds:Transform Algorithm="http:~/~/www.w3.org/2001/10/xml-exc-c14n#"/> </ds:Transforms> <ds:DigestMethod Algorithm="http:~/~/www.w3.org/2000/09/xmldsig#sha1"/> <ds:DigestValue>PusFPAn+RUZV+fBvwPffNMOENwE=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>UEsyvBbilIQFCYk5i63NKwohkV/RGhVlT+Ajx1XBarFyB8rPCYe6NWnoqbzimKiBZaL2eSINyBLzyFdHqbI+K7qP9rmHJmIC8g5M84GJrpHoaIYJkmLjSMf4APTAiKeuW8dVvcnrrzHb8fFV/2Ob6nWG2+K3ixvH1MWh5R0bGbE=</ds:SignatureValue> <ds:KeyInfo> <ds:X509Data> 
<ds:X509Certificate>MIICajCCAdOgAwIBAgIBADANBgkqhkiG9w0BAQ0FADBSMQswCQYDVQQGEwJ1czETMBEGA1UECAwKQ2FsaWZvcm5pYTEVMBMGA1UECgwMT25lbG9naW4gSW5jMRcwFQYDVQQDDA5zcC5leGFtcGxlLmNvbTAeFw0xNDA3MTcxNDEyNTZaFw0xNTA3MTcxNDEyNTZaMFIxCzAJBgNVBAYTAnVzMRMwEQYDVQQIDApDYWxpZm9ybmlhMRUwEwYDVQQKDAxPbmVsb2dpbiBJbmMxFzAVBgNVBAMMDnNwLmV4YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDZx+ON4IUoIWxgukTb1tOiX3bMYzYQiwWPUNMp+Fq82xoNogso2bykZG0yiJm5o8zv/sd6pGouayMgkx/2FSOdc36T0jGbCHuRSbtia0PEzNIRtmViMrt3AeoWBidRXmZsxCNLwgIV6dn2WpuE5Az0bHgpZnQxTKFek0BMKU/d8wIDAQABo1AwTjAdBgNVHQ4EFgQUGHxYqZYyX7cTxKVODVgZwSTdCnwwHwYDVR0jBBgwFoAUGHxYqZYyX7cTxKVODVgZwSTdCnwwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOBgQByFOl+hMFICbd3DJfnp2Rgd/dqttsZG/tyhILWvErbio/DEe98mXpowhTkC04ENprOyXi7ZbUqiicF89uAGyt1oqgTUCD1VsLahqIcmrzgumNyTwLGWo17WDAa1/usDhetWAMhgzF/Cnf5ek0nK00m0YZGyc4LzgD0CROMASTWNg==</ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </ds:Signature> <samlp:Status> <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/> </samlp:Status></samlp:LogoutResponse> 109 109 116 +\\ 110 110 118 +\\ 111 111 112 112 **SAML Communication setup Process with ONECount:** 113 113 ... ... @@ -127,6 +127,8 @@ 127 127 128 128 [[http:~~/~~/docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf>>url:http://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf||shape="rect"]] 129 129 138 +\\ 130 130 140 +\\ 131 131 132 - 142 +\\