Before working through this example, it is recommended that you first understand the previous one, X.509 Certificate Validation.
Single Sign-On (SSO) is an authentication process in which the user authenticates once and, with that single identification, gains access to several systems.
The following login request, sent to the system, returns an assertion containing the authentication and session information, which can then be used for further authentication processes in the TrustedX platform.
The outer element is sfly:AuthNRequest, which indicates that this is an authentication request; in this example it carries user/password credentials (sfly:credentials).
Inside it, the sfly:agent element holds the information required by the TrustedX agent. The sfly:respondWith element requests that the response be returned as an assertion (saml:Assertion), and sfly:agentId names the agent. Also included are a freshly generated random value (sfly:rand), the creation time (sfly:created, here in milliseconds since the Unix epoch), the authentication method to be used (sfly:authMethod), the authentication policy to apply (sfly:authPolicy) and the IP address from which the request originates (sfly:ipAddr). Finally, the sfly:auth element carries an HMAC computed over the preceding agent elements; the receiving side recomputes it to check that those elements have not been modified in transit. Note that the password itself is sent as PasswordText inside the wsse:UsernameToken, i.e. in the clear within the XML, so the transport must protect it. Outside sfly:agent, the sfly:entity element gives the name identifier of the subject being authenticated (dave), together with its Format.
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope
    xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
    xmlns:sfly="http://www.safelayer.com/TWS"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <SOAP-ENV:Body wsu:Id="Id-2541245256044413507">
    <sfly:AuthNRequest>
      <sfly:agent>
        <sfly:agentId>urn:safelayer:tws:agents:password</sfly:agentId>
        <sfly:rand>ngmZCJydjCpWa/79t6xWqV54XKg=</sfly:rand>
        <sfly:created>1196349768946</sfly:created>
        <sfly:ipAddr>192.168.7.36</sfly:ipAddr>
        <sfly:auth>OlBsXBkh8iV2PVPSmRqUKoyOv9g=</sfly:auth>
        <sfly:authMethod>urn:oasis:names:tc:SAML:1.0:am:password</sfly:authMethod>
        <sfly:authPolicy>urn:safelayer:tws:policies:authentication:sample:1</sfly:authPolicy>
        <sfly:credentials>
          <wsse:UsernameToken wsu:Id="SecurityToken-6552815159211767048">
            <wsse:Username>dave</wsse:Username>
            <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">trustedx</wsse:Password>
          </wsse:UsernameToken>
        </sfly:credentials>
        <sfly:respondWith>saml:Assertion</sfly:respondWith>
      </sfly:agent>
      <sfly:entity Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">dave</sfly:entity>
    </sfly:AuthNRequest>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
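To make the request construction and the sfly:auth check concrete, here is an added example in Python. It is not TrustedX code and does not come from this page: the page does not say how sfly:auth is computed, so the example assumes HMAC-SHA1 keyed with a shared agent secret over agentId|rand|created|ipAddr, a 20-byte base64 sfly:rand, and sfly:created in milliseconds since the Unix epoch; the names compute_auth, build_request, verify_request, AGENT_SECRET and MAX_SKEW_MS are hypothetical. It goes a little beyond the text by showing the server-side checks that sfly:rand, sfly:created and sfly:ipAddr exist to support: tamper detection, a freshness window, replay rejection and a comparison of the claimed origin address with the observed one.

```python
"""Added example, not TrustedX code: build an sfly:AuthNRequest like the listing
above and verify its sfly:auth value on the receiving side.

Assumptions (the page does not specify them): the MAC is HMAC-SHA1 keyed with a
shared agent secret (AGENT_SECRET, a constructed value) over
agentId|rand|created|ipAddr; sfly:rand is 20 random bytes, base64-encoded;
sfly:created is milliseconds since the Unix epoch. TrustedX's real
canonicalisation and keying may differ.
"""
import base64
import hashlib
import hmac
import os
import time
import xml.etree.ElementTree as ET

SFLY = "http://www.safelayer.com/TWS"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
PW_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-username-token-profile-1.0#PasswordText")
ET.register_namespace("sfly", SFLY)
ET.register_namespace("wsse", WSSE)

AGENT_SECRET = b"constructed-shared-secret"  # assumption: key shared by agent and TrustedX
MAX_SKEW_MS = 5 * 60 * 1000                  # assumption: 5-minute freshness window


def _q(tag, ns=SFLY):
    return "{%s}%s" % (ns, tag)


def compute_auth(agent_id, rand_b64, created, ip_addr, secret=AGENT_SECRET):
    """HMAC-SHA1 over the MAC-protected agent fields, base64 like the listing."""
    msg = "|".join([agent_id, rand_b64, str(created), ip_addr]).encode()
    return base64.b64encode(hmac.new(secret, msg, hashlib.sha1).digest()).decode()


def build_request(username, password, ip_addr, created_ms=None, rand_bytes=None,
                  agent_id="urn:safelayer:tws:agents:password"):
    """Client side: produce the sfly:AuthNRequest body (SOAP envelope omitted)."""
    created_ms = int(time.time() * 1000) if created_ms is None else created_ms
    rand_b64 = base64.b64encode(rand_bytes or os.urandom(20)).decode()
    req = ET.Element(_q("AuthNRequest"))
    agent = ET.SubElement(req, _q("agent"))
    ET.SubElement(agent, _q("agentId")).text = agent_id
    ET.SubElement(agent, _q("rand")).text = rand_b64
    ET.SubElement(agent, _q("created")).text = str(created_ms)
    ET.SubElement(agent, _q("ipAddr")).text = ip_addr
    ET.SubElement(agent, _q("auth")).text = compute_auth(
        agent_id, rand_b64, created_ms, ip_addr)
    ET.SubElement(agent, _q("authMethod")).text = "urn:oasis:names:tc:SAML:1.0:am:password"
    ET.SubElement(agent, _q("authPolicy")).text = (
        "urn:safelayer:tws:policies:authentication:sample:1")
    token = ET.SubElement(ET.SubElement(agent, _q("credentials")),
                          _q("UsernameToken", WSSE))
    ET.SubElement(token, _q("Username", WSSE)).text = username
    pw = ET.SubElement(token, _q("Password", WSSE), Type=PW_TEXT)
    pw.text = password  # PasswordText: cleartext, so the transport must protect it
    ET.SubElement(agent, _q("respondWith")).text = "saml:Assertion"
    ET.SubElement(req, _q("entity"),
                  Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified").text = username
    return ET.tostring(req, encoding="utf-8")


def verify_request(xml_bytes, now_ms, seen_rands, source_ip=None, secret=AGENT_SECRET):
    """Server side. Returns (True, "ok") or (False, reason). The MAC is checked
    before freshness/replay so nothing is stored or learned from a forged request."""
    agent = ET.fromstring(xml_bytes).find(_q("agent"))
    if agent is None:
        return False, "missing agent"
    f = {}
    for name in ("agentId", "rand", "created", "ipAddr", "auth"):
        el = agent.find(_q(name))
        if el is None or not el.text:
            return False, "missing " + name
        f[name] = el.text.strip()
    expected = compute_auth(f["agentId"], f["rand"], f["created"], f["ipAddr"], secret)
    if not hmac.compare_digest(expected, f["auth"]):        # constant-time compare
        return False, "bad hmac"
    if source_ip is not None and source_ip != f["ipAddr"]:  # claimed vs observed origin
        return False, "ip mismatch"
    if not f["created"].isdigit() or abs(now_ms - int(f["created"])) > MAX_SKEW_MS:
        return False, "stale"
    if f["rand"] in seen_rands:                              # replay inside the window
        return False, "replay"
    seen_rands.add(f["rand"])
    return True, "ok"


if __name__ == "__main__":
    req = build_request("dave", "trustedx", "192.168.7.36")
    print(req.decode())
    print(verify_request(req, int(time.time() * 1000), set(), "192.168.7.36"))
```

The replay cache (seen_rands) only needs to remember values for as long as MAX_SKEW_MS, since anything older is already rejected as stale; keeping the two checks together is what makes the random value and the timestamp useful against a captured request being resent.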
The following explanation refers to the response that the TrustedX platform returns once the request has been sent; press the "try" button (above) to generate it.
Basically, the response contains the AuthNResponse element, which indicates that it is an authentication response, and the assertion (saml:Assertion). The assertion is reused in other requests to allow subsequent SAML authentication.
This assertion consists of an identifier, given in the AssertionID attribute, and its validity conditions (saml:Conditions), which bound the period during which it may be reused. It also gives details of the user to whom the authentication token belongs (saml:Subject) and of the locality from which that user authenticated (saml:SubjectLocality).
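Since the assertion is reused in later requests, the consumer should at least confirm that it is still inside its validity window and that it is being presented from the locality it was issued for. The following Python is an added example, not TrustedX code and not taken from this page: it parses an assertion with the elements described above and applies that reuse policy. SAMPLE_ASSERTION is a constructed SAML 1.1 assertion, not a real TrustedX response, and the functions parse_assertion and assertion_usable are hypothetical names. Signature verification (the X.509 example) is assumed to have been done before this check and is not shown.

```python
"""Added example, not TrustedX code: parse a saml:Assertion of the shape the page
describes (AssertionID, saml:Conditions, saml:Subject, saml:SubjectLocality) and
decide whether it may still be reused. The ds:Signature is assumed to have been
verified already; this only implements the conditions/locality policy."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"

# Constructed sample, not a captured TrustedX response.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1" AssertionID="_constructed-assertion-id-1"
    Issuer="trustedx.example" IssueInstant="2007-11-29T15:22:49Z">
  <saml:Conditions NotBefore="2007-11-29T15:22:49Z" NotOnOrAfter="2007-11-29T16:22:49Z"/>
  <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
      AuthenticationInstant="2007-11-29T15:22:49Z">
    <saml:Subject>
      <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">dave</saml:NameIdentifier>
    </saml:Subject>
    <saml:SubjectLocality IPAddress="192.168.7.36"/>
  </saml:AuthenticationStatement>
</saml:Assertion>"""


def _q(tag):
    return "{%s}%s" % (SAML, tag)


def parse_time(s):
    """SAML dateTime in UTC, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(s, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError("unsupported SAML time: %r" % s)


def _opt_time(value):
    return parse_time(value) if value else None


def parse_assertion(xml_text):
    """Extract the fields the page lists; missing optional parts become None."""
    root = ET.fromstring(xml_text)
    if root.tag != _q("Assertion"):
        raise ValueError("not a saml:Assertion")
    cond = root.find(_q("Conditions"))
    loc = root.find(".//" + _q("SubjectLocality"))
    return {
        "id": root.get("AssertionID"),
        "not_before": _opt_time(cond.get("NotBefore")) if cond is not None else None,
        "not_on_or_after": _opt_time(cond.get("NotOnOrAfter")) if cond is not None else None,
        "subject": root.findtext(".//%s/%s" % (_q("Subject"), _q("NameIdentifier"))),
        "ip": loc.get("IPAddress") if loc is not None else None,
    }


def assertion_usable(info, now_iso, client_ip=None):
    """Reuse policy: identified subject, inside the Conditions window
    (NotOnOrAfter is exclusive) and, when a SubjectLocality is present,
    presented from that address. Returns (True, "ok") or (False, reason)."""
    if not info["id"] or not info["subject"]:
        return False, "missing AssertionID or subject"
    if info["not_before"] is None or info["not_on_or_after"] is None:
        return False, "no validity window"   # policy choice: refuse open-ended assertions
    now = parse_time(now_iso)
    if not (info["not_before"] <= now < info["not_on_or_after"]):
        return False, "outside validity window"
    if client_ip is not None and info["ip"] is not None and client_ip != info["ip"]:
        return False, "locality mismatch"
    return True, "ok"


if __name__ == "__main__":
    info = parse_assertion(SAMPLE_ASSERTION)
    print(info["id"], info["subject"], info["ip"])
    print(assertion_usable(info, "2007-11-29T15:30:00Z", "192.168.7.36"))
```

Refusing an assertion that carries no saml:Conditions is a policy choice made here, not a SAML requirement; the point is that the consumer, not the issuer, decides how long a cached assertion remains acceptable for reuse.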