SAML response requirements

You only need this document if you are building your own SAML integration with ScreenSteps. If you are using a third-party SAML provider such as Salesforce or OneLogin, you do not need it: ScreenSteps is already configured to handle responses from those services.

Security Certificate

The signature in the response must carry the certificate that matches the certificate you upload to ScreenSteps. The certificate is read from the signature's KeyInfo element, at the path:

ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate

ScreenSteps computes a fingerprint from this certificate and compares it to the fingerprint of the certificate you have uploaded to ScreenSteps; the two must match.

Identifying users

The response must carry the email address of the user you want to authenticate. When it does, ScreenSteps will do one of two things:

1. If a user with that email already exists in the system, ScreenSteps will match the email in the SAML response to that user.

2. If a user with that email does not exist, the user will be created as a "reader" user in ScreenSteps. You can go back later and adjust the role of SAML users after they have logged in.

How we find the email address

ScreenSteps will check three values for the user's email address:

  • The AttributeStatement for an 'email' attribute value.
  • The AttributeStatement for a 'mail' attribute value.
  • The Subject/NameID element.
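The two checks described above, the certificate fingerprint comparison and the email lookup, as an added example. This is not ScreenSteps code: the function names, the constructed sample response, the stand-in certificate bytes (not a real X.509 certificate, only there so the fingerprint arithmetic runs offline) and the lookup precedence (email attribute, then mail attribute, then NameID, in the order listed on this page) are assumptions. It normalises colons and case before a constant-time comparison and stops there: it does not verify the XML signature itself, which a real service provider must also do with an XML-DSig library before trusting anything in the assertion.

```python
"""Added example: SP-side checks matching this page's SAML response requirements.

Assumptions (not from the page): the function names, the constructed sample
response, the stand-in certificate bytes and the email lookup precedence.
Standard library only; no XML signature verification is performed here.
"""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Certificate location inside the assertion's signature block.
CERT_PATH = "saml:Assertion/ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate"

# Constructed stand-in for DER certificate bytes. NOT a real X.509 certificate;
# it exists only so the fingerprint computation can run without network or files.
STAND_IN_DER = b"constructed stand-in for the DER-encoded IdP signing certificate"
STAND_IN_B64 = base64.b64encode(STAND_IN_DER).decode()

# What an administrator would have "uploaded": the SHA-1 fingerprint of that DER.
UPLOADED_FINGERPRINT = hashlib.sha1(STAND_IN_DER).hexdigest()

# Constructed sample response mirroring the structure of the page's example
# (SignedInfo/SignatureValue omitted because this example does not verify them).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_r1">
  <saml:Assertion Version="2.0" ID="_a1">
    <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {STAND_IN_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">example@mail.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="uid"><saml:AttributeValue>demo</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _parse(response_xml: str) -> ET.Element:
    # Stdlib parser for the example; for untrusted input use defusedxml to
    # refuse entity expansion and DTDs before the document reaches this code.
    return ET.fromstring(response_xml)


def certificate_fingerprint(response_xml: str, algorithm: str = "sha1") -> str:
    """Hex fingerprint of the certificate found at CERT_PATH; raises if absent."""
    cert = _parse(response_xml).find(CERT_PATH, NS)
    text = "".join((cert.text or "").split()) if cert is not None else ""
    if not text:
        raise ValueError("response carries no ds:X509Certificate at the expected path")
    der = base64.b64decode(text, validate=True)  # strict: reject non-base64 junk
    return hashlib.new(algorithm, der).hexdigest()


def certificate_matches(response_xml: str, uploaded_fingerprint: str,
                        algorithm: str = "sha1") -> bool:
    """Compare the response certificate's fingerprint with the uploaded one.

    Colons, spaces and case are normalised; comparison is constant-time.
    """
    wanted = uploaded_fingerprint.replace(":", "").replace(" ", "").lower()
    got = certificate_fingerprint(response_xml, algorithm)
    return hmac.compare_digest(got, wanted)


def extract_email(response_xml: str):
    """Assumed lookup order: 'email' attribute, then 'mail' attribute, then NameID."""
    root = _parse(response_xml)
    attrs = root.findall("saml:Assertion/saml:AttributeStatement/saml:Attribute", NS)
    for name in ("email", "mail"):
        for attr in attrs:
            if attr.get("Name") == name:
                value = attr.findtext("saml:AttributeValue", default="", namespaces=NS).strip()
                if value:  # an empty attribute value falls through to the next source
                    return value
    name_id = root.findtext("saml:Assertion/saml:Subject/saml:NameID",
                            default="", namespaces=NS).strip()
    return name_id or None


if __name__ == "__main__":
    print("fingerprint matches:", certificate_matches(SAMPLE_RESPONSE, UPLOADED_FINGERPRINT))
    print("email used to look up the user:", extract_email(SAMPLE_RESPONSE))
```

A fingerprint match only pins which certificate must appear in the response; it says nothing about whether the assertion was actually signed by that key, so the XML signature over the assertion (and the NotBefore/NotOnOrAfter, Audience and Recipient conditions shown in the example response) still have to be checked before the email is trusted.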

Below is an example SAML response with the NameID set to example@mail.com:

<samlp:Response xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion' Version='2.0' xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol' ID='GOSAMLR12901174571794' Destination='{recipient}' IssueInstant='2010-11-18T21:57:37Z'>
  <samlp:Status>
    <samlp:StatusCode Value='urn:oasis:names:tc:SAML:2.0:status:Success'/>
  </samlp:Status>
  <saml:Assertion Version='2.0' xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance' ID='pfxa46574df-b3b0-a06a-23c8-636413198772' xmlns:xs='http://www.w3.org/2001/XMLSchema' IssueInstant='2010-11-18T21:57:37Z'>
    <saml:Issuer>https://app.onelogin.com/saml/metadata/13590</saml:Issuer>
    <ds:Signature xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#'/>
        <ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>
        <ds:Reference URI='#pfxa46574df-b3b0-a06a-23c8-636413198772'>
          <ds:Transforms>
            <ds:Transform Algorithm='http://www.w3.org/2000/09/xmldsig#enveloped-signature'/>
            <ds:Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#'/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>
          <ds:DigestValue>pJQ7MS/ek4KRRWGmv/H43ReHYMs=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>yiveKcPdDpuDNj6shrQ3ABwr/cA3CryD2phG/xLZszKWxU5/mlaKt8ewbZOdKKvtOs2pHBy5Dua3k94AF+zxGyel5gOowmoyXJr+AOr+kPO0vli1V8o3hPPUZwRgSX6Q9pS1CqQghKiEasRyylqqJUaPYzmOzOE8/XlMkwiWmO0=</ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>[base64-encoded certificate omitted]</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
    <saml:Subject>
      <saml:NameID Format='urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'>example@mail.com</saml:NameID>
      <saml:SubjectConfirmation Method='urn:oasis:names:tc:SAML:2.0:cm:bearer'>
        <saml:SubjectConfirmationData NotOnOrAfter='2010-11-18T22:02:37Z' Recipient='{recipient}'/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotOnOrAfter='2010-11-18T22:02:37Z' NotBefore='2010-11-18T21:52:37Z'>
      <saml:AudienceRestriction>
        <saml:Audience>{audience}</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement SessionIndex='_531c32d283bdff7e04e487bcdbc4dd8d' AuthnInstant='2010-11-18T21:57:37Z' SessionNotOnOrAfter='2010-11-19T21:57:37Z'>
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name='uid'>
        <saml:AttributeValue xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance' xmlns:xs='http://www.w3.org/2001/XMLSchema' xsi:type='xs:string'>demo</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name='another_value'>
        <saml:AttributeValue xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance' xmlns:xs='http://www.w3.org/2001/XMLSchema' xsi:type='xs:string'>value</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
