From c11a10a5524db3eb01e5a27cb149fd7547759c45 Mon Sep 17 00:00:00 2001
From: Vraj Mohan
Date: Thu, 19 Sep 2024 10:37:44 -0700
Subject: [PATCH 1/3] Describe the SAML Response in greater detail
The existing documentation for the SAML Authentication response (https://developers.login.gov/saml/authentication/#authentication-response) is low on detail - it just states that the response contains encrypted data. The example provided is for the _encrypted_ response and does not help in understanding the payload.
This change attempts to:
- provide a description of the actual data elements returned
- adds an example of the decrypted response
---
.../snippets/saml/auth/response_example.md | 68 ++++++++++--------
_pages/saml/authentication.md | 71 ++++++++++++++++++-
2 files changed, 109 insertions(+), 30 deletions(-)
diff --git a/_includes/snippets/saml/auth/response_example.md b/_includes/snippets/saml/auth/response_example.md
index f85e4699..dccd8ae8 100644
--- a/_includes/snippets/saml/auth/response_example.md
+++ b/_includes/snippets/saml/auth/response_example.md
@@ -1,38 +1,50 @@ {% capture example %} ```xml - + https://idp.int.identitysandbox.gov/api/saml - - - - - - - - MIIDejCCAmICCQDxlELhbJBQdzANBgkqhkiG9w0BAQUFADB/MRYwFAYDVQQDDA1TUCBSYWlscyBEZW1vMQwwCgYDVQQKDANHU0ExDDAKBgNVBAsMAzE4ZjETMBEGA1UEBwwKV2FzaGluZ3RvbjELMAkGA1UECAwCREMxCzAJBgNVBAYTAlVTMRowGAYJKoZIhvcNAQkBFgsxOGZAZ3NhLmdvdjAeFw0xNjA4MTgyMDIzMzNaFw0yNjA4MTYyMDIzMzNaMH8xFjAUBgNVBAMMDVNQIFJhaWxzIERlbW8xDDAKBgNVBAoMA0dTQTEMMAoGA1UECwwDMThmMRMwEQYDVQQHDApXYXNoaW5ndG9uMQswCQYDVQQIDAJEQzELMAkGA1UEBhMCVVMxGjAYBgkqhkiG9w0BCQEWCzE4ZkBnc2EuZ292MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6gWv5EDu88CgWTgo+B8+Rp7ZSjNKKdud2I4U6Bfr0IMerdrh1LVwO6JOli/qRRDqECQz7Jm6m4XnVvf1bUiQd8cn/FheQfD2NuDNfrnAvyIRIHDgGHGSx3vjPZJVYi5BVmEOPFEKYEKHqS/UGnNjkS2XsoAkstRe6gioo4Hd2WLwjuCMqgNA3vgwyVxdgfI5vsrm6q43X15wb/wCP4r2rGKGSUIIshZPeUcPOzBMAmwVqREN4ux79Ee5K/87aXBVRF7Z2tFV1d5KEXO3dCw+T6cspj9MjfY2976cQfBXWnDKGdNWaLdwtFqvpgo9IXRxlAmUQtx8SC8z+zXaSSGB/wIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQCtc97SZLs5eBx7LrxdaeP5hq2etB7l6uM6+l/eSvXu8LlQfTUT7URxX4hXbKyORs1BLpnMYxofeyJlzb9K0koy1ZFhUtBufvU1R+ouMfZlV3QGOUMIUp00UNS39b74214jpuUYi7oEM0gHBN3BXxVyzUEAzt2HYHp2Im97ERSmTMkvSfiqilx/t03qIuZVxzu+jIU2BQUxS7s6XQ2DpDbvfggmnvToCmNA0VSg9rZkziOLSRHblcUpdMYH8+mzbTCfgg/Of0kTDVqXzgNa/iR0HUq18bDf3iFebS/sugwXN3vCxdCnad64q5tqF+VscZEtc7Okech2OuctnWy0nzFQ - - - - yaI+Z9oWcrP2WL02UdN7wdeoloWSBuz4nrFKh+vuyHitlk3A3/ATy4rtHerREue6uEYJ2sr7RoJbF/pqsr1j2ZWGJRL9FS++i0biE9iv3NwrW1MDvzGAaMiI9q+tmDqhorftiD+0byrtftZU2Emmwz34/bZJQKFszDeWlDrTVIXGDz+jF0Q+AvFxtaMrXXw6VmLlQlM/Hc9GiGCY+yalGmlteAJD+xk9aqUqfO9+qbwqufLQTpLyM8UdjHuwN9V4ZEo09er34SZD3ZhGq7IdWvROpcPeagU2+r6pivCmhY3x1t01uDtKe0jDt8LTGA1/P8atB3zQHkNnbGO1CiBKpg== - - - - - - - - vy4Ohper0Oq24kU9GBTr0L8dHSBLkRpeu/iNr790cOQrAKphfPRCtLR7RHFI0mTCiko+Wy/oQqX4gu0LVtOOkcjJIicDyuWhIF6guUHvHz1PP4cv3pG++EhAJ73dbCPFSFkrDCzyMM5KZaY0xj6GpcYAVhOjez2ooOqwyTRYVpgozyuIreuooNFV8K++6GixLfBjw9T47eokKqLiROcRjEpV1dBoIkr34KtA7+TCrms1tLwAv4mdzCpUa7j + + + + + + + 
+MIIDgDCCAmgCCQCwpieA9CKuDDANBgkqhkiG9w0BAQUFADCBgTEYMBYGA1UEAwwP +U1AgU2luYXRyYSBEZW1vMQwwCgYDVQQKDANHU0ExDDAKBgNVBAsMAzE4ZjETMBEG + +IYOalU+bIBpQt6EGN/mWBu7yZtgxKULZamJUUpd5xpcPcGKwf59etPVMTSxgeeQY +MFjibtIlMmAweHgIqDyF2s8Etz8hlcKrXIUAK5CoMvgUn41V + + + + + + DUs/UGjZTIioxWuRdUs8dWK4sLZ3zmAoTxX/mxliznXJfKn7JGQ6u9ccAG+o +NbdunEQd0552Y6jdLGTulpuPxgC79gWsgxjV4sZzlALeLKu/VI/gUN7YNaoy +QHQeO0XsH51pu5P4H0fjee2sJ++jnrY4auOMIYE3jWFScmRGrDXnvde6N1MW +QThl1uSu2fDsQZdE9SOzg8rm8c85NcaBorJnHTTt7ywgLSt3weXkztUeujsc +6ifawqRIdfcvL8eZxqKBUHSRu9gIXbmp13VQVZuKHO+MLrO2eTNMS6wRpGjl +Lykqm6G3d8d7gn7oC08WI6YDrB5Kzo6hF/eaveOjtw== + + + + + + + + + cIGCpOu5tXI1RuBj32Sas6saN5brvkYea2QYgIAFNi6NgHngIs4JAkcTGxRg +U9Vyfb2F3kndo5hBJaLmnKjLlwZRCBwoVfYfiaKUumH+igiPeyfcOGi617bN +dpylxgT3Exg/g8qX5V02nIibCvlgO9tm9mPL5Rx0EZ32HMOc+Q62TF7F3e6X + +2SWxCSIh0QLjt0Sos4ixK58eYc0p+8wbJnks14GzDGA07qJenT4NKxIIU2wW +y+0Uv+X9Bk3S+y/6ba+v + @@ -41,4 +53,4 @@ {% endcapture %}
{{ example | markdownify }} -
\ No newline at end of file + diff --git a/_pages/saml/authentication.md b/_pages/saml/authentication.md index a4cfd060..822d637c 100644 --- a/_pages/saml/authentication.md +++ b/_pages/saml/authentication.md @@ -51,6 +51,63 @@ A proofed identity request at AAL2, with phishing resistent MFA, for email, phon ``` {% endcapture %} +{% capture decrypted_response %} +```xml + +https://idp.int.identitysandbox.gov/api/saml + + + + + + + + + + + 5uICLRmnTHr/Ma7+uphAjCf86rmR+P6QELBf2C53mIc= + + + XT9CguQWKBvbqVsJ+Khu5/eyl09JVhHkUuyFHa98ViZUBVgL/Hc9gzwUr43CA7OVOO+uMfCc6WvPKeADF9w9kqJaUgsi8LiKC/nfDCY6+UiRoep2zmXyFJRAvrD/HbgVfayx/4Nn3ponRPZ/T/oezhimssFF66m+/UAwJekO9kuob+5n+uaOiFOMuHEycSdASH/iFnTSR1ajdo6AaLomG6YT8zJbuRzcKmesouAKPiQCJFt2cgstEs1zw8dvTgmozy4qd/0aMiZ52eGcXoORD8VZOQiY63HT8F4wkhk5eGU05sFcyfpg7dXNtKOfCddHwyngmgmPhpRN30ew5njg7w== + + + 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 + + + + + 34abda40-d5aa-4259-9f17-a3757fd2e094 + + + + + + + urn:gov:gsa:SAML:2.0.profiles:sp:sso:identitysandbox + + + + + 34abda40-d5aa-4259-9f17-a3757fd2e094 + + + subcriber@example.com + + + http://idmanagement.gov/ns/assurance/aal/2 + + + http://idmanagement.gov/ns/assurance/ial/1 + + + + + http://idmanagement.gov/ns/assurance/aal/2?phishing_resistant=true + + + +``` +{% endcapture %}
@@ -114,8 +171,18 @@ A proofed identity request at AAL2, with phishing resistent MFA, for email, phon

Authentication response

-

After the user authenticates, Login.gov will redirect and POST a form back to your registered Assertion Consumer Service URL:

-

The SAMLResponse is a base64-encoded XML payload that contains encrypted data.

+

After the user authenticates, Login.gov will redirect and POST a form back to your registered Assertion Consumer Service URL with a hidden form control named `SAMLResponse`.

+

`SAMLResponse` contains a base64-encoded XML payload that contains data that is encrypted with the service provider's public key.

+

The decrypted `SAMLResponse` contains a `` element, which in turn contains the following elements:

+
+
`Subject`
+
Contains the NameID, the Recipient of this information and the validity period.
+
`AttributeStatement`
+
All the requested attributes.
+
`AuthnStatement`
+
Contains the AAL that was used.
+
+

For example: {{ decrypted_response | markdownify }}

Next step: Logout
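Review bot: The new description of the decrypted `SAMLResponse` (the paragraph on encryption and the `Subject`/`AttributeStatement`/`AuthnStatement` list) tells an integrator what the assertion contains but never says what must be verified before any of it is trusted, even though the decrypted example in this patch carries a `DigestValue`/`SignatureValue` and an `Audience` of `urn:gov:gsa:SAML:2.0.profiles:sp:sso:identitysandbox`. Decrypting with the service provider's private key only proves the payload was addressed to this SP; anyone holding the SP's public key could produce such a payload, so the XML signature is the only evidence that Login.gov issued it, and the `Issuer`, `Audience`, `Recipient`/`InResponseTo` and validity window are what bind it to this SP and this login attempt. I would add a paragraph after the encryption sentence: `Before trusting any of these values, validate the XML signature against the Login.gov signing certificate from the IdP metadata, and reject the response unless the Issuer, Audience, Recipient/InResponseTo and NotBefore/NotOnOrAfter values match your service provider and the request you sent. Decrypting the payload does not by itself prove that Login.gov produced it.` The `Subject` bullet's "validity period" wording should also be checked against the example, since in SAML the `NotBefore`/`NotOnOrAfter` window normally sits under `Conditions` rather than `Subject`; the XML in this excerpt is too garbled for me to confirm which element the example uses.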
From 87b0cc72d0eef9accc6eab40671d25049301c565 Mon Sep 17 00:00:00 2001 From: Vraj Mohan Date: Fri, 20 Sep 2024 11:34:54 -0700 Subject: [PATCH 2/3] Use abridged instead of elided --- _includes/snippets/saml/auth/response_example.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/_includes/snippets/saml/auth/response_example.md b/_includes/snippets/saml/auth/response_example.md index dccd8ae8..6fe8ebde 100644 --- a/_includes/snippets/saml/auth/response_example.md +++ b/_includes/snippets/saml/auth/response_example.md @@ -16,7 +16,7 @@ MIIDgDCCAmgCCQCwpieA9CKuDDANBgkqhkiG9w0BAQUFADCBgTEYMBYGA1UEAwwP U1AgU2luYXRyYSBEZW1vMQwwCgYDVQQKDANHU0ExDDAKBgNVBAsMAzE4ZjETMBEG - + IYOalU+bIBpQt6EGN/mWBu7yZtgxKULZamJUUpd5xpcPcGKwf59etPVMTSxgeeQY MFjibtIlMmAweHgIqDyF2s8Etz8hlcKrXIUAK5CoMvgUn41V @@ -41,7 +41,7 @@ Lykqm6G3d8d7gn7oC08WI6YDrB5Kzo6hF/eaveOjtw== cIGCpOu5tXI1RuBj32Sas6saN5brvkYea2QYgIAFNi6NgHngIs4JAkcTGxRg U9Vyfb2F3kndo5hBJaLmnKjLlwZRCBwoVfYfiaKUumH+igiPeyfcOGi617bN dpylxgT3Exg/g8qX5V02nIibCvlgO9tm9mPL5Rx0EZ32HMOc+Q62TF7F3e6X - + 2SWxCSIh0QLjt0Sos4ixK58eYc0p+8wbJnks14GzDGA07qJenT4NKxIIU2wW y+0Uv+X9Bk3S+y/6ba+v From 1851500e0a86e8c1a1ff84a48c5399cd8bc3cd5f Mon Sep 17 00:00:00 2001 From: Vraj Mohan Date: Fri, 20 Sep 2024 13:56:26 -0700 Subject: [PATCH 3/3] Try to retain XML formatting Introduces horizontal scrolling --- .../snippets/saml/auth/response_example.md | 2 - _pages/saml/authentication.md | 52 +++++++++---------- 2 files changed, 26 insertions(+), 28 deletions(-) diff --git a/_includes/snippets/saml/auth/response_example.md b/_includes/snippets/saml/auth/response_example.md index 6fe8ebde..c674e90e 100644 --- a/_includes/snippets/saml/auth/response_example.md +++ b/_includes/snippets/saml/auth/response_example.md @@ -51,6 +51,4 @@ y+0Uv+X9Bk3S+y/6ba+v ``` {% endcapture %} -
{{ example | markdownify }} -
diff --git a/_pages/saml/authentication.md b/_pages/saml/authentication.md index 822d637c..95d2adf0 100644 --- a/_pages/saml/authentication.md +++ b/_pages/saml/authentication.md @@ -54,57 +54,57 @@ A proofed identity request at AAL2, with phishing resistent MFA, for email, phon {% capture decrypted_response %} ```xml -https://idp.int.identitysandbox.gov/api/saml - + https://idp.int.identitysandbox.gov/api/saml + - - - + + + - - + + 5uICLRmnTHr/Ma7+uphAjCf86rmR+P6QELBf2C53mIc= - + XT9CguQWKBvbqVsJ+Khu5/eyl09JVhHkUuyFHa98ViZUBVgL/Hc9gzwUr43CA7OVOO+uMfCc6WvPKeADF9w9kqJaUgsi8LiKC/nfDCY6+UiRoep2zmXyFJRAvrD/HbgVfayx/4Nn3ponRPZ/T/oezhimssFF66m+/UAwJekO9kuob+5n+uaOiFOMuHEycSdASH/iFnTSR1ajdo6AaLomG6YT8zJbuRzcKmesouAKPiQCJFt2cgstEs1zw8dvTgmozy4qd/0aMiZ52eGcXoORD8VZOQiY63HT8F4wkhk5eGU05sFcyfpg7dXNtKOfCddHwyngmgmPhpRN30ew5njg7w== - + 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 - + - - + + 34abda40-d5aa-4259-9f17-a3757fd2e094 - + - - + + - urn:gov:gsa:SAML:2.0.profiles:sp:sso:identitysandbox + urn:gov:gsa:SAML:2.0.profiles:sp:sso:identitysandbox - - + + - 34abda40-d5aa-4259-9f17-a3757fd2e094 + 34abda40-d5aa-4259-9f17-a3757fd2e094 - subcriber@example.com + vraj@example.com - http://idmanagement.gov/ns/assurance/aal/2 + http://idmanagement.gov/ns/assurance/aal/2 - http://idmanagement.gov/ns/assurance/ial/1 + http://idmanagement.gov/ns/assurance/ial/1 - - + + - http://idmanagement.gov/ns/assurance/aal/2?phishing_resistant=true + http://idmanagement.gov/ns/assurance/aal/2?phishing_resistant=true - + ``` {% endcapture %}