SURFconext combines all sorts of technologies in a single collaboration platform, and when all these technologies are working in concert, that’s when SURFconext really shines.
But the interweaving of those technologies can also make SURFconext seem complex and daunting at times.
In fact, SURFconext acts as a proxy between the IDP and the SP.
Although this slightly complicates matters when relaying messages between IDPs and SPs, the same basic idea as sketched here applies.
If we get rid of the encoding and compression, the SAML message might read something like this (slightly simplified):

    <AuthnRequest ID="kfcn...lfki" Version="2.0" IssueInstant="2013-02-05TZ" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" ProviderName="google.com" AssertionConsumerServiceURL="https://...">
      <Issuer>google.com</Issuer>
      <NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
    </AuthnRequest>

In plain English, this message more or less reads “this is a request from Google.
Please authenticate the user sending this message, and send the result back to Google”.
If everything is fine, Alice is logged in (step 8) – her mailbox is retrieved and she can start reading her mail.
In effect, there’s a lot more than meets the eye when logging on to an SP using SAML.
As SAML is XML-based, the complete authentication request message is compressed (to save space in the URL) and encoded (because many characters are not allowed in URLs). It adds a viewer window to Firefox that automatically decodes and shows SAML messages. Here’s a screenshot from a real authentication request from Google:

When the IDP receives this message and decides to grant Google’s request, it will authenticate Alice by asking her to enter her credentials (unless she already did – for example when she logged in at another service earlier – in which case single sign-on is triggered by simply skipping authentication). After successful authentication, Alice’s browser is sent back to Google at the so-called Assertion Consumer Service URL (step 6).

Hopefully, by now you have a better idea of how SAML works. And then there are aspects of SAML that I haven’t touched upon, such as metadata and attributes. If you have a question or suggestions for my other post, please let me know: mail at [email protected]

As a member of the Trust and Identity team he works on innovative projects with a focus on Federated Identity.
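To make the compress-and-encode step and the decoded request concrete, here is an added Python example (not code from the post or from SURFconext). It builds a request modelled on the simplified AuthnRequest quoted above, encodes it the way the SAML HTTP-Redirect binding does (raw DEFLATE, then base64, then URL-encoding in the SAMLRequest query parameter), decodes it again the way a SAML viewer add-on would, and pulls out the fields an IDP cares about. Unlike the simplified request in the post, the sample carries the real samlp/saml namespaces; the request ID, timestamp, ACS URL and IDP endpoint are constructed placeholders, and the allow-list check at the end is an assumption about how an IDP would validate the ACS URL against registered SP metadata.

```python
import base64
import zlib
import urllib.parse
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample modelled on the simplified request in the post.
# ID, IssueInstant and the ACS URL are placeholders, not values from a real request.
SAMPLE_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_example-request-id" Version="2.0" IssueInstant="2013-02-05T00:00:00Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    ProviderName="google.com"
    AssertionConsumerServiceURL="https://sp.example.org/acs">
  <saml:Issuer>google.com</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true"
      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
</samlp:AuthnRequest>"""


def encode_redirect(xml_text: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw deflate stream
    deflated = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    return base64.b64encode(deflated).decode("ascii")


def decode_redirect(b64_value: str) -> str:
    """Reverse of encode_redirect: what a SAML viewer does before showing the XML."""
    raw = base64.b64decode(b64_value)
    return zlib.decompress(raw, -15).decode("utf-8")


def redirect_url(idp_sso_url: str, xml_text: str) -> str:
    """Build the URL the browser is sent to; urlencode handles the '+', '/' and '=' of base64."""
    query = urllib.parse.urlencode({"SAMLRequest": encode_redirect(xml_text)})
    return f"{idp_sso_url}?{query}"


def extract_request(url: str) -> str:
    """Take a redirect URL as the IDP (or a viewer) sees it and return the decoded XML."""
    params = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    return decode_redirect(params["SAMLRequest"][0])


def summarize(xml_text: str) -> dict:
    """Pull out the fields the IDP needs: who is asking, and where the answer must go."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    issuer = root.find(f"{{{SAML}}}Issuer")
    return {
        "id": root.get("ID"),
        "issuer": issuer.text if issuer is not None else None,
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "binding": root.get("ProtocolBinding"),
    }


def acs_url_registered(xml_text: str, registered: dict) -> bool:
    """Assumed IDP-side check: the ACS URL in the request must be one the issuer
    registered in its metadata, otherwise the assertion would be sent elsewhere."""
    info = summarize(xml_text)
    return info["acs_url"] in registered.get(info["issuer"], ())


if __name__ == "__main__":
    url = redirect_url("https://idp.example.org/sso", SAMPLE_REQUEST)
    print(url)
    xml_text = extract_request(url)
    print(summarize(xml_text))
    # Constructed metadata: which ACS URLs google.com is allowed to use.
    print(acs_url_registered(xml_text, {"google.com": {"https://sp.example.org/acs"}}))
```

Running the script prints a redirect URL whose SAMLRequest value looks as opaque as the one in the screenshot; `extract_request` turns it back into the readable XML, and `summarize` shows why the IDP can answer "this is a request from Google, send the result back to Google" from the Issuer and AssertionConsumerServiceURL alone.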