
SAML is the OASIS Security Assertion Markup Language specification. This page describes some of the features currently supported by my implementation of SAML 1.1.
I am running a SAML service endpoint at the following URLs:
http://markupsecurity.com:4080/saml/service/plain-http
https://markupsecurity.com:4080/saml/service/plain-http
The service currently responds to AuthenticationQueries and to queries that carry AssertionIDs in SAML protocol requests.
The main motivation for this effort is to support testing that I am conducting in the areas of WSS and DSS, both of which leverage SAML to some extent or another.
This service is currently aware of a single subject, Alice. Alice performs a login/logout sequence every ten minutes, resulting in an AuthenticationStatement that can be represented in an Assertion of the following form.
The most recent successful login attempt that Alice made is represented by the Assertion below and is valid for another seconds.
<saml:Assertion
    AssertionID=""
    IssueInstant=""
    Issuer="saml-aa.markupsecurity.com"
    MajorVersion="1" MinorVersion="1"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <saml:Conditions NotBefore=""
                   NotOnOrAfter="">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>www.markupsecurity.com</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement AuthenticationInstant=""
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
    <saml:Subject>
      <saml:NameIdentifier
          Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
        alice@example.com
      </saml:NameIdentifier>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>
          urn:oasis:names:tc:SAML:1.0:cm:bearer
        </saml:ConfirmationMethod>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>
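As an added example (not code from this page or its author), the following Python shows the checks a relying party should run over an Assertion of the shape above before acting on it: the NotBefore/NotOnOrAfter window with a small clock-skew allowance, the AudienceRestrictionCondition, and the bearer ConfirmationMethod. The sample assertion is constructed here with concrete timestamps filled into the attributes the page leaves blank, and the code assumes the XML signature has already been verified by a separate XML-DSig layer.

```python
# Added example, not part of the original page: validate a SAML 1.1 Assertion
# the way a relying party should before trusting it. Assumes the signature has
# already been checked elsewhere; this covers only Conditions and confirmation.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML}
BEARER = "urn:oasis:names:tc:SAML:1.0:cm:bearer"

# Constructed sample with the same shape as the page's Assertion, but with
# concrete (made-up) timestamps and AssertionID filled in.
SAMPLE_ASSERTION = """<saml:Assertion
    AssertionID="Ia9b7c5e1d3f2a4b6c8d0e2f4a6b8c0d2e4f6a8b0"
    IssueInstant="2024-05-01T12:00:00Z"
    Issuer="saml-aa.markupsecurity.com"
    MajorVersion="1" MinorVersion="1"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <saml:Conditions NotBefore="2024-05-01T12:00:00Z"
                   NotOnOrAfter="2024-05-01T12:10:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>www.markupsecurity.com</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement AuthenticationInstant="2024-05-01T12:00:00Z"
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
    <saml:Subject>
      <saml:NameIdentifier
          Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
        alice@example.com
      </saml:NameIdentifier>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>
          urn:oasis:names:tc:SAML:1.0:cm:bearer
        </saml:ConfirmationMethod>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""


def parse_instant(value):
    """Parse a SAML xsd:dateTime in UTC ('Z' suffix) into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, expected_audience, now, skew=timedelta(seconds=30)):
    """Return (ok, reason, subject); ok is False at the first failed check."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML}}}Assertion":
        return False, "not an Assertion", None
    if root.get("MajorVersion") != "1" or root.get("MinorVersion") != "1":
        return False, "unsupported SAML version", None

    cond = root.find("saml:Conditions", NS)
    if cond is not None:
        not_before = cond.get("NotBefore")
        not_on_or_after = cond.get("NotOnOrAfter")
        # NotBefore is inclusive, NotOnOrAfter is exclusive; tolerate small skew.
        if not_before and now + skew < parse_instant(not_before):
            return False, "assertion not yet valid", None
        if not_on_or_after and now - skew >= parse_instant(not_on_or_after):
            return False, "assertion expired", None
        # Every AudienceRestrictionCondition present must list us explicitly.
        for arc in cond.findall("saml:AudienceRestrictionCondition", NS):
            audiences = [a.text.strip() for a in arc.findall("saml:Audience", NS) if a.text]
            if expected_audience not in audiences:
                return False, "audience mismatch", None

    stmt = root.find("saml:AuthenticationStatement", NS)
    if stmt is None:
        return False, "no AuthenticationStatement", None
    subject = stmt.find("saml:Subject", NS)
    name = subject.find("saml:NameIdentifier", NS) if subject is not None else None
    if name is None or not name.text:
        return False, "no NameIdentifier", None
    methods = [m.text.strip() for m in
               subject.iterfind("saml:SubjectConfirmation/saml:ConfirmationMethod", NS) if m.text]
    # Bearer confirmation means holding the assertion is the only proof, which is
    # why the time-window and audience checks above are mandatory before use.
    if BEARER not in methods:
        return False, "unsupported confirmation method", None
    return True, "ok", name.text.strip()
```

The skew is applied in the lenient direction on both bounds; with a ten-minute validity window as on this page, thirty seconds is already a large share of the window, so a production deployment would want it no larger than its measured clock drift.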
The above Assertion is also returned in response to a SAML protocol request like the following.
<samlp:Request xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    IssueInstant="xxxx-xx-xxTyy:yy:yyZ"
    MajorVersion="1" MinorVersion="1"
    RequestID="I8f1e6f2e10a5dd6278fca6ec106210b0319c7fe7">
  <saml:AssertionIDReference>
  </saml:AssertionIDReference>
</samlp:Request>
The service also responds to requests of the following form:
<samlp:Request xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    IssueInstant="xxxx-xx-xxTyy:yy:yyZ"
    MajorVersion="1" MinorVersion="1"
    RequestID="I8f1e6f2e10a5dd6278fca6ec106210b0319c7fe7">
  <samlp:AuthenticationQuery
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
    <saml:Subject>
      <saml:NameIdentifier
          Format="urn:oasis:names:tc:SAML:1.0:assertion#emailAddress">
        alice@example.com
      </saml:NameIdentifier>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>
          urn:oasis:names:tc:SAML:1.0:cm:bearer
        </saml:ConfirmationMethod>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </samlp:AuthenticationQuery>
</samlp:Request>
In this case the service responds with Assertions corresponding to the ten most recent authentications (logins) performed by Alice.
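As an added example covering both request forms above (not code from this page or its author), the following Python builds an AssertionIDReference request and an AuthenticationQuery request with a freshly generated RequestID, classifies an incoming Request the way a service has to before dispatching it, and reads the assertions out of a Response. The Response is constructed here, since the page shows none; it reuses the page's RequestID as InResponseTo and carries three assertions out of order to show that the caller has to sort them and check InResponseTo and the Status itself. The HTTP transport is left out.

```python
# Added example, not part of the original page: the two SAML 1.1 request
# forms the service accepts, a request classifier, and a Response reader.
# The Response below is constructed for this example.
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def new_request_id():
    """RequestID is an xsd:ID, so it must not begin with a digit; the service on
    this page uses an 'I' prefix followed by 40 hex characters, mirrored here."""
    return "I" + secrets.token_hex(20)


def _request_envelope():
    req = ET.Element(f"{{{SAMLP}}}Request")
    req.set("IssueInstant", datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"))
    req.set("MajorVersion", "1")
    req.set("MinorVersion", "1")
    req.set("RequestID", new_request_id())
    return req


def build_assertion_id_request(assertion_id):
    """Request a single assertion by its AssertionID."""
    req = _request_envelope()
    ET.SubElement(req, f"{{{SAML}}}AssertionIDReference").text = assertion_id
    return ET.tostring(req, encoding="unicode")


def build_authentication_query(email, method="urn:oasis:names:tc:SAML:1.0:am:password"):
    """Request authentication assertions about a subject identified by e-mail."""
    req = _request_envelope()
    query = ET.SubElement(req, f"{{{SAMLP}}}AuthenticationQuery")
    query.set("AuthenticationMethod", method)
    subject = ET.SubElement(query, f"{{{SAML}}}Subject")
    nid = ET.SubElement(subject, f"{{{SAML}}}NameIdentifier")
    nid.set("Format", "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress")
    nid.text = email
    conf = ET.SubElement(subject, f"{{{SAML}}}SubjectConfirmation")
    ET.SubElement(conf, f"{{{SAML}}}ConfirmationMethod").text = "urn:oasis:names:tc:SAML:1.0:cm:bearer"
    return ET.tostring(req, encoding="unicode")


def describe_request(xml_text):
    """Classify an incoming Request as a service would before dispatching it."""
    req = ET.fromstring(xml_text)
    ref = req.find("saml:AssertionIDReference", NS)
    if ref is not None:
        return {"RequestID": req.get("RequestID"), "kind": "AssertionIDReference", "target": ref.text}
    nid = req.find("samlp:AuthenticationQuery/saml:Subject/saml:NameIdentifier", NS)
    if nid is not None:
        return {"RequestID": req.get("RequestID"), "kind": "AuthenticationQuery", "target": nid.text}
    return {"RequestID": req.get("RequestID"), "kind": "unsupported", "target": None}


def _assertion(aid, instant):
    # Constructed, minimal assertion for the sample Response below.
    return f"""<saml:Assertion AssertionID="{aid}" IssueInstant="{instant}"
      Issuer="saml-aa.markupsecurity.com" MajorVersion="1" MinorVersion="1">
    <saml:AuthenticationStatement AuthenticationInstant="{instant}"
        AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
      <saml:Subject><saml:NameIdentifier>alice@example.com</saml:NameIdentifier></saml:Subject>
    </saml:AuthenticationStatement>
  </saml:Assertion>"""


SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ResponseID="I0123456789abcdef0123456789abcdef01234567"
    InResponseTo="I8f1e6f2e10a5dd6278fca6ec106210b0319c7fe7"
    IssueInstant="2024-05-01T12:21:00Z" MajorVersion="1" MinorVersion="1">
  <samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>
  {_assertion('Ia1', '2024-05-01T12:10:00Z')}
  {_assertion('Ia2', '2024-05-01T12:00:00Z')}
  {_assertion('Ia3', '2024-05-01T12:20:00Z')}
</samlp:Response>"""


def authentication_instants(response_xml, in_response_to=None):
    """Return (AssertionID, AuthenticationInstant) pairs, newest first.
    Rejects a Response that answers a different request or is not Success."""
    root = ET.fromstring(response_xml)
    if in_response_to is not None and root.get("InResponseTo") != in_response_to:
        raise ValueError("Response does not answer our request")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or not code.get("Value", "").endswith(":Success"):
        raise ValueError("non-success status")
    found = []
    for assertion in root.findall("saml:Assertion", NS):
        stmt = assertion.find("saml:AuthenticationStatement", NS)
        if stmt is not None:
            found.append((assertion.get("AssertionID"), stmt.get("AuthenticationInstant")))
    # Fixed-width UTC xsd:dateTime strings sort correctly as text.
    return sorted(found, key=lambda pair: pair[1], reverse=True)
```

Each returned assertion still needs the Conditions and confirmation checks that apply to any bearer assertion before it is used; ordering by AuthenticationInstant only tells the caller which login is the latest.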