Wiki source code of ONEcount SAML Server

Version 6.1 by santosh on 2022/03/25 10:02

SAML is set up on ONECount, which supports both IDP-initiated and SP-initiated logins. The main use of this SAML server is to provide authentication and authorization services to the SP, with ONECount acting as the IDP. This document uses the following abbreviations.

SP (Service Provider): the system that hosts the services the user requests. The service provider renders its services based on the authentication information provided by the IDP.

IDP (Identity Provider): the system that manages the user details and the user privileges. The IDP authenticates the user and provides the necessary information about the user to the SP.

SAML: Security Assertion Markup Language is an XML-based, open-standard data format for exchanging authentication and authorization data between an identity provider and a service provider. SAML is a product of the OASIS Security Services Technical Committee. It defines the protocols by which the SP and IDP communicate and how each reacts to requests.

**SSO Services:** In ONECount we primarily use SAML for SSO services across all our domains. The SSO services can be broadly divided into two types:

* SP Initiated login
* IDP Initiated login

**SP Initiated login:** In this type of login the service provider requests authentication from the IDP for its own site. The SP creates a SAML request and sends it to ONECount. ONECount then authenticates the user and sends the required details back to the SP as a SAML response.

**IDP Initiated login:** In this type of login the request for authentication is made by a partner or third-party site other than the SP. Partner websites link to the SP by passing us parameters that say which service they want to use on the SP. We authenticate the user and send the required information to the SP. In this type the login is initiated by the IDP towards the SP.

**Login Service:** The total login process can be divided into three parts:

* Login Request
* Authentication
* Login Response

Login Request: The login request needs to be a valid SAML request.

SP initiated login: In the case of SP initiated login ONECount supports only the HTTP-Redirect binding, with the request payload carried in the query string. We read the request and extract the parameters required for authentication.

Sample Login Request: The redirect request needs to have the following query parameters.

SAMLRequest (the AuthnRequest below, carried in the encoded form the HTTP-Redirect binding specifies):

{{code language="xml"}}
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_809707f0030a5d00620c9d9df97f627afe9dcc24" Version="2.0" IssueInstant="2016-12-08T23:52:45Z" Destination="https://saml.onecount.net/saml/resources/login" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://devel.devslg.net/sites/all/libraries/simplesaml/www/module.php/saml/sp/saml2-acs.php/default-sp">
  <saml:Issuer>https://devel.devslg.net/sites/all/libraries/simplesaml/www/module.php/saml/sp/metadata.php</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" AllowCreate="true"/>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
{{/code}}

The remaining query parameters of the same request:

{{code}}
SigAlg=http://www.w3.org/2000/09/xmldsig#rsa-sha1
RelayState=http://devel.devslg.net/5345
clientid=780bdb442b04b35f7f1c02c47a7a7537521e46af
Signature=bM441nuRIzAjKeMM8RhegMFjZ4L4xPBHhAfHYqgnYDQnSxC++Qn5IocWuzuBGz7JQmT9C57nxjxgbFIatiqUCQN17aYrLn/mWE09C5mJMYlcV68ibEkbR/JKUQ+2u/N+mSD4/C/QvFvuB6BcJaXaz0h7NwGhHROUte6MoGJKMPE=
{{/code}}

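As an added illustration, not ONECount's code, here is the SP-initiated exchange in standard-library Python: the SP builds the redirect URL with the query parameters listed above, and the IDP decodes the SAMLRequest, extracts what it needs for authentication, and reconstructs the exact string the Signature parameter covers. The AuthnRequest reuses the sample's ID, Issuer and ACS URL; the SP's RSA key and the RSA-SHA1 signing step are assumed to be handled elsewhere, so no Signature parameter is produced.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, parse_qs, urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
LOGIN_URL = "https://saml.onecount.net/saml/resources/login"
SIG_ALG = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
SP_BASE = "https://devel.devslg.net/sites/all/libraries/simplesaml/www/module.php/saml/sp"
# Constructed AuthnRequest reusing the ID, Issuer and ACS URL of the sample above.
AUTHN_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
    'ID="_809707f0030a5d00620c9d9df97f627afe9dcc24" Version="2.0" '
    f'IssueInstant="2016-12-08T23:52:45Z" Destination="{LOGIN_URL}" '
    f'AssertionConsumerServiceURL="{SP_BASE}/saml2-acs.php/default-sp">'
    f'<saml:Issuer>{SP_BASE}/metadata.php</saml:Issuer></samlp:AuthnRequest>'
)

def encode_redirect(xml_text: str) -> str:
    # Raw DEFLATE (no zlib header) then base64, as the HTTP-Redirect binding requires.
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()

def decode_redirect(value: str) -> str:
    return zlib.decompress(base64.b64decode(value), -15).decode()

def build_redirect_url(relay_state: str, clientid: str) -> str:
    # SP side: the GET the browser is redirected to (Signature omitted, see lead-in).
    query = urlencode({"SAMLRequest": encode_redirect(AUTHN_REQUEST),
                       "RelayState": relay_state, "SigAlg": SIG_ALG,
                       "clientid": clientid})  # clientid is ONECount-specific
    return f"{LOGIN_URL}?{query}"

def signed_string(raw_query: str) -> bytes:
    # Octets the Signature parameter covers (SAML Bindings 3.4.4.1):
    # SAMLRequest=..&RelayState=..&SigAlg=.. in this fixed order, using the
    # percent-encoded values exactly as received. Other parameters (clientid)
    # are outside the signature, so the IDP must not treat them as authenticated.
    raw = dict(part.partition("=")[::2] for part in raw_query.split("&"))
    parts = [f"SAMLRequest={raw['SAMLRequest']}"]
    if "RelayState" in raw:
        parts.append(f"RelayState={raw['RelayState']}")
    parts.append(f"SigAlg={raw['SigAlg']}")
    return "&".join(parts).encode()

def parse_redirect_request(url: str) -> dict:
    # IDP side: what is extracted before authenticating. The ID is what the
    # Response later echoes in InResponseTo; Destination must name this IDP.
    raw_query = urlsplit(url).query
    q = {k: v[0] for k, v in parse_qs(raw_query).items()}
    root = ET.fromstring(decode_redirect(q["SAMLRequest"]))
    issuer = root.find(f"{{{SAML}}}Issuer")
    return {"id": root.get("ID"),
            "issuer": issuer.text.strip() if issuer is not None else None,
            "acs_url": root.get("AssertionConsumerServiceURL"),
            "destination_ok": root.get("Destination") == LOGIN_URL,
            "relay_state": q.get("RelayState"), "clientid": q.get("clientid"),
            "to_verify": signed_string(raw_query)}
```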
IDP Initiated login: In the case of IDP initiated login the partner site needs to supply the relay state, which is the URL on the SP that they want the user to reach. They also need to add a query parameter clientid, which ONECount uses to identify the correct client-SP pair.

Sample link

[[https:~~/~~/saml.onecount.net/saml/resources/login?RelayState=http:~~/~~/achsstage.dlcdev.com/5345&clientid=780bdb442b04b35f7f1c02c47a7a7537521e46af>>url:https://saml.onecount.net/saml/resources/login?RelayState=http://achsstage.dlcdev.com/5345&clientid=780bdb442b04b35f7f1c02c47a7a7537521e46af||shape="rect"]]

Authentication:

The SAML server relies on cookies for user identification. We look for ONECount cookies and, if found, try to identify the user from them. If no cookie is found, or the cookie is invalid and the server cannot reliably identify the user, the SAML server sends the user challenge questions to authenticate themselves. When the user has authenticated, we set the required cookies for the user for future use and redirect the user to the requested or configured pages on the SP.

SAML Response:

The response is generated with the configured user information as attributes in the response. For an SP initiated login we also send an extra attribute, InResponseTo, which carries the unique request identifier originally sent by the SP. If the server receives a relay state in the request, the SAML server retains it and forwards it without any modification. In our setup we use the HTTP-POST binding to send the response to the SP.

Sample response

{{code language="xml"}}
<saml2p:Response Destination="https://devel.devslg.net/sites/all/libraries/simplesaml/www/module.php/saml/sp/saml2-acs.php/default-sp" ID="_e453dc1c2671bc7a1e7a7f58fe400610be0bf5dd80e8f0e2af264c5c32e7d405" IssueInstant="2016-12-07T18:30:12.708Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://saml.onecount.net/saml/resources/metadata</saml2:Issuer>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </saml2p:Status>
  <saml2:Assertion ID="_64d98f896931e0f8f44d26aaf4146b3c9c8045c6df844f5ea820286879a8830f" IssueInstant="2016-12-07T18:30:12.708Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <saml2:Issuer>https://saml.onecount.net/saml/resources/metadata</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference URI="#_64d98f896931e0f8f44d26aaf4146b3c9c8045c6df844f5ea820286879a8830f">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
              <ec:InclusiveNamespaces PrefixList="xs" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transform>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <ds:DigestValue>kEHcy+PbvRWUbUDMV1uMHDjkQwA=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>S57N2w12bzKrPdxendqACdajE/3GfoaBYpdRJflcPZcv/lPK6xm6lOsgCYmm94AAN7JLW8k0NCBaPatDmkrWPeA/LUsJzC+SIzO9QiFG7TmQmIJXm6cgZ1HzP2iYdOHFLksuJNAM5vLAcFbcKZFzXo8Jn4NnzLGlk2b1ayARwr9U5hunoHkY2B32GZorvERVLg29UsGmUF5vaL3zu+BxLf39Ee6OGi1oiwB4m9xaCtKK2Hp3nqBL0+2fW87UWPn7GMWyJiSkVc21IfzUaVpmXJg/2Bv0ZEi4KWjlZfFMEJRHVV0X1NmG5khtVwQ1ZJYBUbN2M07yQPgh/xF/7CBW0w==</ds:SignatureValue>
    </ds:Signature>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="Onecount SAML" SPNameQualifier="https://education.annenberg.net/sites/all/libraries/simplesaml/www/module.php/saml/sp/saml2-acs.php/default-sp">Onecount SAML</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData NotBefore="2016-12-07T18:30:12.708Z" NotOnOrAfter="2016-12-07T19:00:12.708Z" Recipient="https://education.annenberg.net/sites/all/libraries/simplesaml/www/module.php/saml/sp/saml2-acs.php/default-sp"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2016-12-07T18:30:12.708Z" NotOnOrAfter="2016-12-07T19:00:12.708Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>https://education.annenberg.net/sites/all/libraries/simplesaml/www/module.php/saml/sp/metadata.php/default-sp</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement AuthnInstant="2016-12-07T18:30:12.708Z" SessionIndex="_51ed9a81cf54747f8bc674f4e33eba4fa7220d10e5549a25fdccaca7e114e9bb" SessionNotOnOrAfter="2016-12-07T19:00:12.708Z">
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="Specialty">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">NA</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="Profession">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">University Cancer Specialists</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="Email">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">jamiem1985@yahoo.com</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="Degree">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">NA</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="First name">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Jamie</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="Prefix">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">NA</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="OCID">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">8249</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="Middle name">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">NA</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="Postal code">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">37923</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="Last name">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Loveday</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>
{{/code}}
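As an added illustration, not ONECount's or SimpleSAMLphp's code: the checks an SP should apply to a Response like the sample above before trusting its attributes, in standard-library Python. The response is constructed from the sample's timestamps and URLs with placeholder IDs and a dummy e-mail address; verification of the XML signature is assumed to be done beforehand by a separate xmldsig library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol", "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
SP = "https://education.annenberg.net/sites/all/libraries/simplesaml/www/module.php/saml/sp"
ACS, AUDIENCE = f"{SP}/saml2-acs.php/default-sp", f"{SP}/metadata.php/default-sp"
# Constructed response: the sample's structure, timestamps and URLs, with the
# signature block left out, placeholder IDs and a dummy e-mail address.
RESPONSE = f'''<saml2p:Response xmlns:saml2p="{NS["p"]}" xmlns:saml2="{NS["a"]}" ID="_resp-placeholder"
  Version="2.0" IssueInstant="2016-12-07T18:30:12.708Z" Destination="{ACS}">
  <saml2p:Status><saml2p:StatusCode Value="{SUCCESS}"/></saml2p:Status>
  <saml2:Assertion ID="_assertion-placeholder" Version="2.0" IssueInstant="2016-12-07T18:30:12.708Z">
    <saml2:Subject><saml2:SubjectConfirmation Method="{BEARER}">
      <saml2:SubjectConfirmationData NotOnOrAfter="2016-12-07T19:00:12.708Z" Recipient="{ACS}"/>
    </saml2:SubjectConfirmation></saml2:Subject>
    <saml2:Conditions NotBefore="2016-12-07T18:30:12.708Z" NotOnOrAfter="2016-12-07T19:00:12.708Z">
      <saml2:AudienceRestriction><saml2:Audience>{AUDIENCE}</saml2:Audience></saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="Email"><saml2:AttributeValue>user@example.com</saml2:AttributeValue></saml2:Attribute>
      <saml2:Attribute Name="OCID"><saml2:AttributeValue>8249</saml2:AttributeValue></saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>'''

def instant(s: str) -> datetime:
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in s else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(s, fmt).replace(tzinfo=timezone.utc)

def validate_response(xml_text: str, now: datetime, in_response_to: str = None,
                      skew: timedelta = timedelta(minutes=3)) -> tuple:
    # Returns (errors, attributes); use the attributes only when errors is empty.
    root, errors = ET.fromstring(xml_text), []
    if root.get("Destination") != ACS:
        errors.append("Destination is not our ACS URL")
    if root.get("InResponseTo") != in_response_to:  # None for an IDP-initiated login
        errors.append("InResponseTo does not match the request we sent")
    status = root.find("p:Status/p:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        errors.append("status is not Success")
    assertion = root.find("a:Assertion", NS)
    if assertion is None:
        return errors + ["no Assertion"], {}
    cond = assertion.find("a:Conditions", NS)
    if cond is None or now + skew < instant(cond.get("NotBefore")) \
            or now - skew >= instant(cond.get("NotOnOrAfter")):
        errors.append("assertion not valid at this time")
    if AUDIENCE not in [a.text for a in assertion.findall("a:Conditions/a:AudienceRestriction/a:Audience", NS)]:
        errors.append("Audience does not include this SP")
    scd = assertion.find(f"a:Subject/a:SubjectConfirmation[@Method='{BEARER}']/a:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS or now - skew >= instant(scd.get("NotOnOrAfter")):
        errors.append("bearer SubjectConfirmationData missing, wrong Recipient, or expired")
    attrs = {a.get("Name"): [v.text for v in a.findall("a:AttributeValue", NS)]
             for a in assertion.findall("a:AttributeStatement/a:Attribute", NS)}
    return errors, attrs
```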

**Logout Service:**

For a logout request the SP needs to send a valid logout request to the URL stated in the ONECount metadata file. Based on that request we send a logout response so that the SP can log the user out on their side. We do not delete the ONECount cookie, however, as it is not limited to SAML and has various other uses.

Sample Logout Request:

{{code language="xml"}}
<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_21df91a89767879fc0f7df6a1490c6000c81644d" Version="2.0" IssueInstant="2016-12-08T01:13:06Z" Destination="https://saml.onecount.net/saml/resources/logout">
  <saml:Issuer>https://devel.devslg.net/sites/all/libraries/simplesaml/www/module.php/saml/sp/metadata.php</saml:Issuer>
  <saml:NameID SPNameQualifier="https://devel.devslg.net/sites/all/libraries/simplesaml/www/module.php/saml/sp/metadata.php" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_f92cc1834efc0f73e9c09f482fce80037a6251e7</saml:NameID>
</samlp:LogoutRequest>
{{/code}}

The remaining query parameters of the logout request:

{{code}}
Signature=x3Yq1dQ0S/6iirAPpkEYrDvY5mTqzQ3b1eE+sEmnmYbzDs5YHksRrc7uloHt7xqBcCGlk+ZI2USjKshf//OVRkSr8gZ8qYtth1v69hVpEvUdzhSANyJCOCENN2DhX8kc76Wg+VyR1mzbvbrap0G6lrj9TSuM4wyh68gzJDeTQbs=
SigAlg=http://www.w3.org/2000/09/xmldsig#rsa-sha1
RelayState=http://sp.example.com/relaystate
{{/code}}

Sample Logout Response

{{code language="xml"}}
<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="pfxe335499f-e73b-80bd-60c4-1628984aed4f" Version="2.0" IssueInstant="2014-07-18T01:13:06Z" Destination="https://education.annenberg.net/sites/all/libraries/simplesaml/www/module.php/saml/sp/saml2-logout.php/default-sp" InResponseTo="_21df91a89767879fc0f7df6a1490c6000c81644d">
  <saml:Issuer>https://saml.onecount.net/saml/resources/metadata</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#pfxe335499f-e73b-80bd-60c4-1628984aed4f">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>PusFPAn+RUZV+fBvwPffNMOENwE=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>UEsyvBbilIQFCYk5i63NKwohkV/RGhVlT+Ajx1XBarFyB8rPCYe6NWnoqbzimKiBZaL2eSINyBLzyFdHqbI+K7qP9rmHJmIC8g5M84GJrpHoaIYJkmLjSMf4APTAiKeuW8dVvcnrrzHb8fFV/2Ob6nWG2+K3ixvH1MWh5R0bGbE=</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>MIICajCCAdOgAwIBAgIBADANBgkqhkiG9w0BAQ0FADBSMQswCQYDVQQGEwJ1czETMBEGA1UECAwKQ2FsaWZvcm5pYTEVMBMGA1UECgwMT25lbG9naW4gSW5jMRcwFQYDVQQDDA5zcC5leGFtcGxlLmNvbTAeFw0xNDA3MTcxNDEyNTZaFw0xNTA3MTcxNDEyNTZaMFIxCzAJBgNVBAYTAnVzMRMwEQYDVQQIDApDYWxpZm9ybmlhMRUwEwYDVQQKDAxPbmVsb2dpbiBJbmMxFzAVBgNVBAMMDnNwLmV4YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDZx+ON4IUoIWxgukTb1tOiX3bMYzYQiwWPUNMp+Fq82xoNogso2bykZG0yiJm5o8zv/sd6pGouayMgkx/2FSOdc36T0jGbCHuRSbtia0PEzNIRtmViMrt3AeoWBidRXmZsxCNLwgIV6dn2WpuE5Az0bHgpZnQxTKFek0BMKU/d8wIDAQABo1AwTjAdBgNVHQ4EFgQUGHxYqZYyX7cTxKVODVgZwSTdCnwwHwYDVR0jBBgwFoAUGHxYqZYyX7cTxKVODVgZwSTdCnwwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOBgQByFOl+hMFICbd3DJfnp2Rgd/dqttsZG/tyhILWvErbio/DEe98mXpowhTkC04ENprOyXi7ZbUqiicF89uAGyt1oqgTUCD1VsLahqIcmrzgumNyTwLGWo17WDAa1/usDhetWAMhgzF/Cnf5ek0nK00m0YZGyc4LzgD0CROMASTWNg==</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
</samlp:LogoutResponse>
{{/code}}

**SAML Communication setup Process with ONECount:**

You need to send your SP metadata file and the fields you require to ONECount so that we can install them on our side. We send you our metadata file, which defines the URL you need to post requests to, our entityID, and so on. Once both sides have added the other side to their SAML setup, we can communicate in SAML.

When you link to SP services using IDP initiated login you also need to add the clientid parameter, a unique hash passed on to you along with the request, which enables us to uniquely identify you.

If the server does not receive a valid SAML request it responds with a 500 error. You can send us the information shown on the error screen so that we can determine the fault.

We follow open standards and use the OpenSAML packages to deserialize and serialize the request and response.

For more information on SAML and on valid SAML request and response attributes, refer to the following documentation from OASIS, the creators of SAML:

[[http:~~/~~/docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf>>url:http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf||shape="rect"]]

[[http:~~/~~/docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf>>url:http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf||shape="rect"]]

[[http:~~/~~/docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf>>url:http://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf||shape="rect"]]