SAML / NAM / Concur Integration
Novell Cool Solutions: AppNote
By Neil Cashell
Posted: 3 Oct 2007
Introduction
Concur Technologies (http://www.concur.com/) is a provider of expense management software. Concur Expense Service (CES) is a powerful web-based expense reporting solution that enables expense reports to be created, submitted, filed, reviewed, approved, and audited online, using one complete solution.
This AppNote demonstrates how to integrate Novell Access Manager with Concur, using the Security Assertion Markup Language (SAML) for single sign-on (SSO) to the Concur Expense Service (CES). The tests were performed with the Novell Access Manager 3 Support Pack 1 (SP1) Gold Master build and Concur Expense Service.
High-level Overview of the SAML Posting Process
There are two ways to deliver SAML 1.1 assertions to a service provider: the Browser/Artifact profile, where the browser carries only a small artifact and the SP fetches the assertion itself over a back-channel, server-to-server connection, or the Browser/POST profile, where the assertion itself travels through the user's browser in an HTML form. Concur supports only the POSTing of assertions through the user's browser, so the SAML profile defined at the Identity Server for the relationship with Concur's SP has to be POST.
Figure 1 shows the general process that Novell's SAML Identity server and Concur's SP follow in granting access to Concur Expense Service (CES) users.
Figure 1: SAML Process Flow
Steps 1 and 2: The CES user is authenticated to the corporate portal. The user selects the CES link on the portal and is redirected to the Identity Server (IDP), which logs the user in and performs an IDP-initiated SSO to the Concur SP.
Step 3: The user logs in to the Access Manager Identity Server, and the request to access the SP is sent to the identity provider's inter-site transfer URL.
Step 4: The Identity Server creates an XML assertion stating that the user authenticated with the identity provider at a particular time, with a particular authentication method. The authentication statement also carries the identifier that Concur needs to uniquely identify the user at the SP; the user's password never leaves the IDP. The assertion is returned to the browser inside an HTML form, together with JavaScript that submits the form automatically.
Because the response passes through the browser, and therefore through the user's hands, on its way to the SP, the Browser/POST profile requires it to be digitally signed by the identity provider; in the capture later in this AppNote both the Response and the Assertion carry RSA-SHA1 XML signatures. The signed XML is then Base64-encoded so it can be carried safely in a form field. Base64 is a transport encoding only: it provides neither confidentiality nor integrity, and anyone who holds the form can decode it.
Step 5: The form, including the assertion, is posted from the user's browser to the Concur SP Expense Logon page, where the assertion is decoded and verified. Specifically, the system validates that the user ID exists in the Concur database and that the time on the form is within the configured timeout.
Step 6: If the assertion is validated, the user's browser is automatically authenticated into the Concur Expense Service. If the system is not able to validate the user, the browser is redirected to an error URL provided by the client.
Access Manager Configuration Steps
Creating the trust relationship between IDP and SP
1. Because the Concur SP supports only SAML 1.1, go to the SAML 1.1 section of the Access Manager Identity Server configuration and create a new service provider (e.g., Concur).
At this point, you are asked to enter the metadata URL or paste a copy of the metadata.
2. Concur does not publish or provide the metadata, so select the Manual Entry option.
3. At this stage, the administrator must enter some data specific to the Concur SAML setup (as shown below).
Figure 2: Data entry for the Concur SAML setup
- Supported version: This must be set to SAML 1.1 (Access Manager also supports SAML 1.0, which Concur does not)
- Provider ID: The identifier of the Concur service provider in the federation. It is supplied by Concur (in this setup, https://director.concursolutions.com?entity=p0001535kxfs) and is the value that the PID parameter of the inter-site transfer URL must match exactly when single sign-on is initiated; the TARGET parameter of that URL names the application page the user is signed on to.
- Metadata expiration: This defines for how long this metadata is valid (not required).
- Artifact Consumer URL: This is not required, because Concur SP supports only POSTing of assertions
- Post Consumer URL: URL on the Service provider where the assertions must be sent. This is information provided by Concur SP.
- Signing certificate (service provider): In theory this is not required here, because the IDP receives nothing from the Concur SP (it would be needed if the SP sent signed attribute requests to our IDP server). However, due to a bug in the SP1 GUI, it is a required field. When you add a certificate here, you MUST import the trusted root of that certificate into the NIDP-Truststore of the Identity Server. Failure to do so will cause the SAML SP not to get initialized, and the following message will be visible in the catalina.out file:
<amLogEntry> 2007-08-22T09:40:45Z SEVERE NIDS Application: AM#100105007: AMDEVICEID#EC00ADA81ABF14BC: Error verifying metadata certificates while loading trusted provider http://sapnw.nam.com java.lang.NullPointerException </amLogEntry>
Enabling the POST profile on the Identity Server
The assertions sent from the Access Manager IDP server to the Concur SP must be POST-based and not artifact-based, as Concur doesn't support artifact-based assertions. By default, the Artifact option is enabled, so you need to disable the artifact options to only leave the Post settings.
Figure 3: Enabling the POST profile
Defining Attributes to be Sent to the Concur Service Provider within the SAML Authentication Assertion
Concur will single sign on users who have authenticated to the Access Manager IDP server in the trust relationship, but Concur still needs to know which of its user accounts each assertion refers to.
Figure 4: Defining attribute sets
Figure 5: Concur attribute mapping
In our setup, the Concur SP expects an authentication assertion from the Access Manager Identity Server that carries the Concur user ID. The username that Concur expects is the user's LDAP CN attribute in the Identity Server's LDAP user store.
1. Remap the user's LDAP CN on the IDP server to the attribute required by Concur.
By mapping the LDAP CN attribute above to the 'saml:NameIdentifier' keyword in the Remote Attribute field, the attribute value will be added to the <saml:NameIdentifier> tag of the <saml:AuthenticationStatement> (the authentication assertion).
Note that if the 'saml:NameIdentifier' keyword is omitted from the Remote Attribute field and another attribute name is used instead, the value is placed in the attribute statement rather than in the authentication statement. Because Concur expects the username in the authentication statement's <saml:NameIdentifier>, omitting the keyword causes the single sign-on to fail even though the value is present elsewhere in the assertion.
Next, you need to assign the above SAML attributes to the trust session. To do this,
1. Go to the SAML SP that you defined for the Concur service provider.
2. Drill down to Access > Attributes and select the attribute set as defined in the previous step. When the set is selected, a list of all attributes will appear in the available section of the UI.
3. Select the LDAP CN attribute and move it to the 'Send with authentication' section. This ensures the attribute is sent to the SP once the user has authenticated to the IDP.
Figure 6: Selecting the SAML Service Provider
Figure 7: Assigning SAML attributes
Finally, after applying the changes to the Identity Server, define the URL that performs an IDP-initiated SSO to the Concur SP. Assuming HTTPS is enabled on both the IDP and SP servers, and that the provider ID specified in the metadata above matches the Concur SP URL, the URL has the following format:
https://<AccessManager_IDP_server_hostname>/nidp/saml/idpsend?PID=https://director.concursolutions.com?entity=p0001535kxfs&TARGET=<Concur_expenses_URL>
... where <AccessManager_IDP_server_hostname> is the DNS hostname of the Access Manager Identity Server base URL and <Concur_expenses_URL> is the URL where users will enter their expenses. The PID value must be, character for character, the provider ID entered in the SP metadata (here https://director.concursolutions.com?entity=p0001535kxfs, with a ? before entity); Troubleshooting step 3 shows the error you get otherwise. Strictly, the ?, = and / characters inside the PID and TARGET values should be percent-encoded when they are embedded in a query string; the unencoded form shown here is what was tested.
After logging in to the Access Manager Identity Server, users should now get access to the Concur application without having to authenticate again. In our example, I would get redirected to my home page with my Concur username being displayed on that page.
Troubleshooting
1. To simplify troubleshooting and confirmation of the setup, enable the following log settings on the Identity Server configuration. This adds a great deal of debugging information to the /var/opt/novell/tomcat4/logs/catalina.out file. Turn the settings back down once the integration works: the output is verbose and may contain user identifiers.
Figure 8: SAML Process Flow
2. Check the catalina.out file for errors. If the trusted root of the service provider's signing certificate is not imported into the NIDP-Truststore trusted root store, the SAML service provider will NOT initialize, and no assertions will be sent to the remote location. Confirm that the trusted provider has loaded successfully; for example, the following line is written to catalina.out when the Concur SAML 1 SP initializes correctly:
<amLogEntry> 2007-09-19T10:44:13Z INFO NIDS Application: AM#500105038: AMDEVICEID#D5AF8CA5FBDB5813: Loaded trusted provider concur of protocol SAML 1 </amLogEntry>
3. Make sure that the providerID specified in the SP metadata matches the PID specified in the inter-site transfer URL. In the above case, the providerID defined in the metadata was https://director.concursolutions.com?entity=p0001535kxfs. The PID parameter in the URL that we used to single-sign-on to Concur through Novell Access Manager's Identity server was:
https://idpcluster.lab.novell.com/nidp/saml/idpsend?PID=https://director.concursolutions.com?entity=p0001535kxfs&TARGET=https://director.concursolutions.com?entity=p0001535kxfs
... where the PID matches the providerID in the metadata. If the two do not match, the following error is displayed in the browser after the user's credentials have been entered at the Identity Server:
Unable to send authentication to service provider. Cause/Code: AM#300101005: AMDEVICEID#D5AF8CA5FBDB5813: : Invalid or no provider is specified-D5AF8CA5FBDB5813
The catalina.out file gives more details of the same failure.
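As an added example (not part of the AppNote, and not Novell or Concur code), the following Python helper builds the inter-site transfer URL with proper percent-encoding and checks any given URL against the providerID from the SP metadata, which is the comparison step 3 asks you to make by eye. The function names are mine; the hostname, path and provider ID are the ones used in this AppNote.

```python
"""Build and check the IDP-initiated SSO (inter-site transfer) URL for the Concur SP."""
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# providerID exactly as entered in the Concur SP metadata in this AppNote
CONCUR_PROVIDER_ID = "https://director.concursolutions.com?entity=p0001535kxfs"
IDPSEND_PATH = "/nidp/saml/idpsend"


def build_idpsend_url(idp_host, provider_id, target):
    """Percent-encode PID and TARGET so the '?', '=' and '&' inside them can never be
    mistaken for query-string structure by a portal, proxy or log parser on the path."""
    query = urlencode({"PID": provider_id, "TARGET": target})
    return urlunsplit(("https", idp_host, IDPSEND_PATH, query, ""))


def check_idpsend_url(url, metadata_provider_id):
    """Return findings (empty list == the URL is consistent with the SP metadata).
    A PID that differs from the providerID by a single character is what produces
    AM#300101005 'Invalid or no provider is specified' at the Identity Server."""
    parts, findings = urlsplit(url), []
    if parts.scheme != "https":
        findings.append("not HTTPS: the IDP session cookie and the PID/TARGET would travel in clear")
    if parts.path != IDPSEND_PATH:
        findings.append(f"unexpected path {parts.path!r}, expected {IDPSEND_PATH}")
    # urlsplit treats the first '?' as the start of the query, and parse_qs splits each
    # pair at its first '=', so even the unencoded form used in the AppNote parses cleanly.
    q = parse_qs(parts.query, keep_blank_values=True)
    pid, target = q.get("PID", [""])[0], q.get("TARGET", [""])[0]
    if pid != metadata_provider_id:
        findings.append(f"PID {pid!r} does not match metadata providerID {metadata_provider_id!r}")
    if not target:
        findings.append("TARGET is empty: the SP has no application URL to send the user to")
    return findings
```

Run check_idpsend_url() against the link you put on the portal before testing in the browser; the '/entity' versus '?entity' kind of slip is caught immediately, without a round trip through the Identity Server.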
4. Check the assertions being sent to the Concur SAML service provider. To do this, use a browser extension that can capture request bodies during the test (e.g., ieHTTPHeaders for Internet Explorer or LiveHTTPHeaders for Firefox). You could also use View > Source on the auto-submitting page to get the same data, although this is awkward, as there is only a 2-second window during which the data sits in the browser before being submitted. Treat whatever you capture as a credential: the assertion uses the bearer confirmation method, so within its NotBefore/NotOnOrAfter window anyone who POSTs it to the consumer URL is signed on as that user unless the SP rejects replayed assertion IDs. Do not paste captures into tickets or mail.
An example of what can be viewed is the data POSTed by the browser, and specifically the SAMLResponse data.
<HTML><HEAD><META HTTP-EQUIV="Pragma" CONTENT="no-cache"></HEAD> <BODY Onload="document.forms[0].submit()"> <FORM Method="Post" Action="https://director.concursolutions.com?entity=p0001535kxfs"> <INPUT TYPE="hidden" NAME="TARGET" Value="https://director.concursolutions.com/"> <INPUT TYPE="hidden" NAME="SAMLResponse" Value="PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoxLjA6 cHJvdG9jb2wiIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMDphc3NlcnRp b24iIElzc3VlSW5zdGFudD0iMjAwNy0wOC0xMFQxMjoyMDoyN1oiIE1ham9yVmVyc2lvbj0iMSIg TWlub3JWZXJzaW9uPSIwIiBSZWNpcGllbnQ9Imh0dHBzOi8vZGlyZWN0b3IuY29uY3Vyc29sdXRp b25zLmNvbS8iIFJlc3BvbnNlSUQ9ImlkVmVIaE10VG5Cbk1KWkVrbnoxRmRxcUNpRzI4Ij48ZHM6 U2lnbmF0dXJlIHhtbG5zOmRzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIj4K PGRzOlNpZ25lZEluZm8+CjxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0 cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+CjxkczpTaWduYXR1cmVNZXRo b2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjcnNhLXNoYTEi Lz4KPGRzOlJlZmVyZW5jZSBVUkk9IiNpZFZlSGhNdFRuQm5NSlpFa256MUZkcXFDaUcyOCI+Cjxk czpUcmFuc2Zvcm1zPgo8ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcv MjAwMC8wOS94bWxkc2lnI2VudmVsb3BlZC1zaWduYXR1cmUiLz4KPGRzOlRyYW5zZm9ybSBBbGdv cml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPgo8L2RzOlRy YW5zZm9ybXM+CjxkczpEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8y MDAwLzA5L3htbGRzaWcjc2hhMSIvPgo8ZHM6RGlnZXN0VmFsdWU+dWl1cHl1eEFmMUFIbzlwRUla UHFOclE5UThnPTwvZHM6RGlnZXN0VmFsdWU+CjwvZHM6UmVmZXJlbmNlPgo8L2RzOlNpZ25lZElu Zm8+CjxkczpTaWduYXR1cmVWYWx1ZT4KR0VFTS9BQWpBUFY2MG5xUXN3S1hDL050WDFCTHU0UEZz YmlDTmY0V1V0WW9NbkFGaExlNGE1WldBZzNVb2hyUGN6QkUzRTk1U0wvdgp0c21VeVZvamRtZnc1 VkdLMExIMFNYMThjLzdOWDNmZ0xLRm9VMlprL1lXeFZmbGEyV3hKRzAzYVI0TkExWU9jTjhHZ0dz MHhSckRQCmg0ZDBBb08wVUNzYmFqRVJCVDgzOERiaGVXVFdDdGx0YS9MN1hMSFBCR2dHMEJpRnpN SUc3MXR3OU1PaE1uU3NTUTZuQ1UrOFVLeDkKcmVLTXIxWEo2a2JDeHdwTDdneXFlMElraXVWKzlE 
b0hxRlI5MUk4Mjc2S0hHWlZTRHBHbHh4cWhFOUVZVmVlOFZzbGRDV0NqRGdYeQpEMDgvUWMrTDI0 T2ZlTld6b1VOTEYxdHRRNHFrYXRyaU02d3FuZz09CjwvZHM6U2lnbmF0dXJlVmFsdWU+CjxkczpL ZXlJbmZvPgo8ZHM6WDUwOURhdGE+CjxkczpYNTA5Q2VydGlmaWNhdGU+Ck1JSUZKekNDQkErZ0F3 SUJBZ0lpQWh3Ui82T0gvcmRJWkZCMnpudW5LdjRVQkUxUSs4bk15WXFqS2dKOEFnSUdXekFOQmdr cWhraUcKOXcwQkFRVUZBREExTVJvd0dBWURWUVFMRXhGUGNtZGhibWw2WVhScGIyNWhiQ0JEUVRF WE1CVUdBMVVFQ2hRT2JHbHVkWGhzWVdJMQpYM1J5WldVd0hoY05NRFl4TWpFeE1Ua3lPVEE0V2hj Tk1EZ3hNakV4TVRreU9UQTRXakJBTVJVd0V3WURWUVFERXd4MFpYTjBMWE5wCloyNXBibWN4RmpB VUJnTlZCQXNURFdGalkyVnpjMDFoYm1GblpYSXhEekFOQmdOVkJBb1RCbTV2ZG1Wc2JEQ0NBU0l3 RFFZSktvWkkKaHZjTkFRRUJCUUFEZ2dFUEFEQ0NBUW9DZ2dFQkFNb0xGbGdsb21rZVQrdkNKcWRB R3RsdG5XWFNpY1FiVDV5SXFtZmxwS1ZWcTZXcgpadG1WSGtRU2FCT3Q2cEZDNm5rY1ZzcDB3RGhL VHBaME9kY0p3bGdxRlpFQnVZMUVJVmcwMlNwd3dvbktoNm5QTEFHMi9BMXBGY1h6CmJPalpXYmF3 WUZCempFcTNIKzIyQXpwOHBYMVR2STZOS0JoVStnRFlJbEJPM2M2L2ZCSjRtVUx3Yng3Rm1sQzg1 RnpxMEF5RG5uZWkKcW5CT0JDZXVIblo2bmNDSkMvZVlpak9SMUJxTHloYnc2V2N4VDB4WVE1QklS YjhqRzhLZUM2dk9FT0RYT3d0Z0RWcU9GNHI0czkzTwpCQjRUVi84Z2dlVERXU1YvYmgrSmxWSjZO NTYza2I4bDdPZTdxWVJKd1dZTlBTVmdLZU14YVNMcGpjbW9kelFFWUg4Q0F3RUFBYU9DCkFoUXdn Z0lRTUIwR0ExVWREZ1FXQkJSSHJyajA0N3NLeEIvOE9YVFdwMlp2cFlmUkZEQWZCZ05WSFNNRUdE QVdnQlFOVzNYZlZFSjUKZXdTT0FJK213SEJGZHkrK1J6Q0NBY3dHQzJDR1NBR0crRGNCQ1FRQkJJ SUJ1ekNDQWJjRUFnRUFBUUgvRXgxT2IzWmxiR3dnVTJWagpkWEpwZEhrZ1FYUjBjbWxpZFhSbEtI UnRLUlpEYUhSMGNEb3ZMMlJsZG1Wc2IzQmxjaTV1YjNabGJHd3VZMjl0TDNKbGNHOXphWFJ2CmNu a3ZZWFIwY21saWRYUmxjeTlqWlhKMFlYUjBjbk5mZGpFd0xtaDBiVENDQVVpZ0dnRUJBREFJTUFZ Q0FRRUNBVVl3Q0RBR0FnRUIKQWdFS0FnRnBvUm9CQVFBd0NEQUdBZ0VCQWdGR01BZ3dCZ0lCQVFJ QkNnSUJhYUlHQWdFWEFRSC9vNElCQktCWUFnRUNBZ0lBL3dJQgpBQU1OQUlBQUFBQUFBQUFBQUFB QUFBTUpBSUFBQUFBQUFBQUFNQmd3RUFJQkFBSUlmLy8vLy8vLy8vOEJBUUFDQkFidzMwZ3dHREFR CkFnRUFBZ2gvLy8vLy8vLy8vd0VCQUFJRUJ2RGZTS0ZZQWdFQ0FnSUEvd0lCQUFNTkFFQUFBQUFB QUFBQUFBQUFBQU1KQUVBQUFBQUEKQUFBQU1CZ3dFQUlCQUFJSWYvLy8vLy8vLy84QkFRQUNCQkgv 
bzRjd0dEQVFBZ0VBQWdoLy8vLy8vLy8vL3dFQkFBSUVFZitqaDZKTwpNRXdDQVFJQ0FRQUNBZ0Qv QXcwQWdBQUFBQUFBQUFBQUFBQUFBd2tBZ0FBQUFBQUFBQUF3RWpBUUFnRUFBZ2gvLy8vLy8vLy8v d0VCCkFEQVNNQkFDQVFBQ0NILy8vLy8vLy8vL0FRRUFNQTBHQ1NxR1NJYjNEUUVCQlFVQUE0SUJB UUNpT2t3bkZGTTlVNmI0Tnl0c3QxcHgKVDFQWjZnczZRbjJLemFrRUZuMkErQmdFVlJvTHdLaGk0 d2FVc1NrRGw3SkFqdkZrd2cyaVhZMlplZktFdmlvbGx2QkdaQ3dMVzdUYgpMN1Rqd1IrelNlNzlj TXpvbnI4Yi9XVzNYWUZuK1B4WHhFOXJZUDFlR2thQnNaayt5WFY1OUFzcUZibTBrK0Jrd2w3K0ly eU1Bc2hiCkF1MExUaWlWLzU3dGwrSUtEQ2tZeEVuaVNIZzZBN1ZoRDZCNlBjMStKUlUvSk1pVXJk SWtmUmlkTkltSVZFMGpUeERxQVAwK0hINjAKa0IzSkg1cVMwSjBBVG1yV1BlQkUwRFZablBsenh0 QUhjWXJnSkxGY1F3dnhVRHkvS1hjMUhndHJqNkJiRUUwK2ZWTXliWlZTdVJVOApyaHRnTmxLR1ZR N1R0SlFHCjwvZHM6WDUwOUNlcnRpZmljYXRlPgo8L2RzOlg1MDlEYXRhPgo8L2RzOktleUluZm8+ CjwvZHM6U2lnbmF0dXJlPjxzYW1scDpTdGF0dXM+PHNhbWxwOlN0YXR1c0NvZGUgVmFsdWU9InNh bWxwOlN1Y2Nlc3MiLz48L3NhbWxwOlN0YXR1cz48c2FtbDpBc3NlcnRpb24gQXNzZXJ0aW9uSUQ9 ImlkY2pLLUhNMjMtTTgzU0c1N3VIZEs5eERHRndrIiBJc3N1ZUluc3RhbnQ9IjIwMDctMDgtMTBU MTI6MjA6MjdaIiBJc3N1ZXI9Imh0dHBzOi8vaWRwY2x1c3Rlci5sYWIubm92ZWxsLmNvbS9uaWRw L3NhbWwvbWV0YWRhdGEiIE1ham9yVmVyc2lvbj0iMSIgTWlub3JWZXJzaW9uPSIwIj48c2FtbDpD b25kaXRpb25zIE5vdEJlZm9yZT0iMjAwNy0wOC0xMFQxMjoxNToyN1oiIE5vdE9uT3JBZnRlcj0i MjAwNy0wOC0xMFQxMjoyNToyN1oiLz48c2FtbDpBdXRoZW50aWNhdGlvblN0YXRlbWVudCBBdXRo ZW50aWNhdGlvbkluc3RhbnQ9IjIwMDctMDgtMTBUMTI6MjA6MjdaIiBBdXRoZW50aWNhdGlvbk1l dGhvZD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6MS4wOmFtOnVuc3BlY2lmaWVkIj48c2FtbDpT dWJqZWN0PjxzYW1sOk5hbWVJZGVudGlmaWVyIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNB TUw6MS4xOm5hbWVpZC1mb3JtYXQ6dW5zcGVjaWZpZWQiPmlkMzM3UWRBVlh6ZkJ5QkIwd01wSlNw blBoZkVrPC9zYW1sOk5hbWVJZGVudGlmaWVyPjxzYW1sOlN1YmplY3RDb25maXJtYXRpb24+PHNh bWw6Q29uZmlybWF0aW9uTWV0aG9kPnVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMDpjbTpiZWFy ZXI8L3NhbWw6Q29uZmlybWF0aW9uTWV0aG9kPjwvc2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uPjwv c2FtbDpTdWJqZWN0Pjwvc2FtbDpBdXRoZW50aWNhdGlvblN0YXRlbWVudD48c2FtbDpBdHRyaWJ1 
dGVTdGF0ZW1lbnQ+PHNhbWw6U3ViamVjdD48c2FtbDpOYW1lSWRlbnRpZmllciBGb3JtYXQ9InVy bjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMTpuYW1laWQtZm9ybWF0OnVuc3BlY2lmaWVkIj5pZDMz N1FkQVZYemZCeUJCMHdNcEpTcG5QaGZFazwvc2FtbDpOYW1lSWRlbnRpZmllcj48c2FtbDpTdWJq ZWN0Q29uZmlybWF0aW9uPjxzYW1sOkNvbmZpcm1hdGlvbk1ldGhvZD51cm46b2FzaXM6bmFtZXM6 dGM6U0FNTDoxLjA6Y206YmVhcmVyPC9zYW1sOkNvbmZpcm1hdGlvbk1ldGhvZD48L3NhbWw6U3Vi amVjdENvbmZpcm1hdGlvbj48L3NhbWw6U3ViamVjdD48c2FtbDpBdHRyaWJ1dGUgQXR0cmlidXRl TmFtZT0idWlkIiBBdHRyaWJ1dGVOYW1lc3BhY2U9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEu MDphc3NlcnRpb24iPjxzYW1sOkF0dHJpYnV0ZVZhbHVlPnNtY2RhbmllPC9zYW1sOkF0dHJpYnV0 ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PC9zYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD48ZHM6U2ln bmF0dXJlIHhtbG5zOmRzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIj4KPGRz OlNpZ25lZEluZm8+CjxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDov L3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+CjxkczpTaWduYXR1cmVNZXRob2Qg QWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjcnNhLXNoYTEiLz4K PGRzOlJlZmVyZW5jZSBVUkk9IiNpZGNqSy1ITTIzLU04M1NHNTd1SGRLOXhER0Z3ayI+CjxkczpU cmFuc2Zvcm1zPgo8ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAw MC8wOS94bWxkc2lnI2VudmVsb3BlZC1zaWduYXR1cmUiLz4KPGRzOlRyYW5zZm9ybSBBbGdvcml0 aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPgo8L2RzOlRyYW5z Zm9ybXM+CjxkczpEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAw LzA5L3htbGRzaWcjc2hhMSIvPgo8ZHM6RGlnZXN0VmFsdWU+VFprNVBzRitjazVVRXdqYXA4R1FX aEtYUHpjPTwvZHM6RGlnZXN0VmFsdWU+CjwvZHM6UmVmZXJlbmNlPgo8L2RzOlNpZ25lZEluZm8+ CjxkczpTaWduYXR1cmVWYWx1ZT4KQ3l1MzY0SDJxenVOUDQ2M1YrQ0Y4ZnJ1bU5qL2VGSVJsTHNW SXA5QWUxN003allYZGViSnJ0czRxa3g1RWdtZUNWNEh2NDFLZ1pjUApWbGVaZXEzV1pmUHEzQUZM NzdncXhHeXJwdHpTVkRpK01yZnkyTk1rNXppTDhPanlka25pYTgrSVJpTDdJSXQvNUdPQVl6U2ww cGVNCjhRdVo0WnlQQzFzMjZRYjlOa25VQ0hPRlFlNGhUaUZrUHU3ZzNVV09KZ1cyaVFUUXZHbFR0 U1JYZEhjcXNNMkRIVU85cVJaMU5UTFIKTVZnTDMrQys4eGUrL01VNktpMDlhYzFLdjlHb1B1anUw 
L3NFVkFneW5CU3k0VmtnZ1JSWGp4WTg0WEYweUJWMVVNcnJRRFBQVGovcApVaGtuMVpPa1JRWTE3 Y2syd0pwRUJoN25qS045R3ozcFowMlNudz09CjwvZHM6U2lnbmF0dXJlVmFsdWU+CjxkczpLZXlJ bmZvPgo8ZHM6WDUwOURhdGE+CjxkczpYNTA5Q2VydGlmaWNhdGU+Ck1JSUZKekNDQkErZ0F3SUJB Z0lpQWh3Ui82T0gvcmRJWkZCMnpudW5LdjRVQkUxUSs4bk15WXFqS2dKOEFnSUdXekFOQmdrcWhr aUcKOXcwQkFRVUZBREExTVJvd0dBWURWUVFMRXhGUGNtZGhibWw2WVhScGIyNWhiQ0JEUVRFWE1C VUdBMVVFQ2hRT2JHbHVkWGhzWVdJMQpYM1J5WldVd0hoY05NRFl4TWpFeE1Ua3lPVEE0V2hjTk1E Z3hNakV4TVRreU9UQTRXakJBTVJVd0V3WURWUVFERXd4MFpYTjBMWE5wCloyNXBibWN4RmpBVUJn TlZCQXNURFdGalkyVnpjMDFoYm1GblpYSXhEekFOQmdOVkJBb1RCbTV2ZG1Wc2JEQ0NBU0l3RFFZ SktvWkkKaHZjTkFRRUJCUUFEZ2dFUEFEQ0NBUW9DZ2dFQkFNb0xGbGdsb21rZVQrdkNKcWRBR3Rs dG5XWFNpY1FiVDV5SXFtZmxwS1ZWcTZXcgpadG1WSGtRU2FCT3Q2cEZDNm5rY1ZzcDB3RGhLVHBa ME9kY0p3bGdxRlpFQnVZMUVJVmcwMlNwd3dvbktoNm5QTEFHMi9BMXBGY1h6CmJPalpXYmF3WUZC empFcTNIKzIyQXpwOHBYMVR2STZOS0JoVStnRFlJbEJPM2M2L2ZCSjRtVUx3Yng3Rm1sQzg1Rnpx MEF5RG5uZWkKcW5CT0JDZXVIblo2bmNDSkMvZVlpak9SMUJxTHloYnc2V2N4VDB4WVE1QklSYjhq RzhLZUM2dk9FT0RYT3d0Z0RWcU9GNHI0czkzTwpCQjRUVi84Z2dlVERXU1YvYmgrSmxWSjZONTYz a2I4bDdPZTdxWVJKd1dZTlBTVmdLZU14YVNMcGpjbW9kelFFWUg4Q0F3RUFBYU9DCkFoUXdnZ0lR TUIwR0ExVWREZ1FXQkJSSHJyajA0N3NLeEIvOE9YVFdwMlp2cFlmUkZEQWZCZ05WSFNNRUdEQVdn QlFOVzNYZlZFSjUKZXdTT0FJK213SEJGZHkrK1J6Q0NBY3dHQzJDR1NBR0crRGNCQ1FRQkJJSUJ1 ekNDQWJjRUFnRUFBUUgvRXgxT2IzWmxiR3dnVTJWagpkWEpwZEhrZ1FYUjBjbWxpZFhSbEtIUnRL UlpEYUhSMGNEb3ZMMlJsZG1Wc2IzQmxjaTV1YjNabGJHd3VZMjl0TDNKbGNHOXphWFJ2CmNua3ZZ WFIwY21saWRYUmxjeTlqWlhKMFlYUjBjbk5mZGpFd0xtaDBiVENDQVVpZ0dnRUJBREFJTUFZQ0FR RUNBVVl3Q0RBR0FnRUIKQWdFS0FnRnBvUm9CQVFBd0NEQUdBZ0VCQWdGR01BZ3dCZ0lCQVFJQkNn SUJhYUlHQWdFWEFRSC9vNElCQktCWUFnRUNBZ0lBL3dJQgpBQU1OQUlBQUFBQUFBQUFBQUFBQUFB TUpBSUFBQUFBQUFBQUFNQmd3RUFJQkFBSUlmLy8vLy8vLy8vOEJBUUFDQkFidzMwZ3dHREFRCkFn RUFBZ2gvLy8vLy8vLy8vd0VCQUFJRUJ2RGZTS0ZZQWdFQ0FnSUEvd0lCQUFNTkFFQUFBQUFBQUFB QUFBQUFBQU1KQUVBQUFBQUEKQUFBQU1CZ3dFQUlCQUFJSWYvLy8vLy8vLy84QkFRQUNCQkgvbzRj 
d0dEQVFBZ0VBQWdoLy8vLy8vLy8vL3dFQkFBSUVFZitqaDZKTwpNRXdDQVFJQ0FRQUNBZ0QvQXcw QWdBQUFBQUFBQUFBQUFBQUFBd2tBZ0FBQUFBQUFBQUF3RWpBUUFnRUFBZ2gvLy8vLy8vLy8vd0VC CkFEQVNNQkFDQVFBQ0NILy8vLy8vLy8vL0FRRUFNQTBHQ1NxR1NJYjNEUUVCQlFVQUE0SUJBUUNp T2t3bkZGTTlVNmI0Tnl0c3QxcHgKVDFQWjZnczZRbjJLemFrRUZuMkErQmdFVlJvTHdLaGk0d2FV c1NrRGw3SkFqdkZrd2cyaVhZMlplZktFdmlvbGx2QkdaQ3dMVzdUYgpMN1Rqd1IrelNlNzljTXpv bnI4Yi9XVzNYWUZuK1B4WHhFOXJZUDFlR2thQnNaayt5WFY1OUFzcUZibTBrK0Jrd2w3K0lyeU1B c2hiCkF1MExUaWlWLzU3dGwrSUtEQ2tZeEVuaVNIZzZBN1ZoRDZCNlBjMStKUlUvSk1pVXJkSWtm UmlkTkltSVZFMGpUeERxQVAwK0hINjAKa0IzSkg1cVMwSjBBVG1yV1BlQkUwRFZablBsenh0QUhj WXJnSkxGY1F3dnhVRHkvS1hjMUhndHJqNkJiRUUwK2ZWTXliWlZTdVJVOApyaHRnTmxLR1ZRN1R0 SlFHCjwvZHM6WDUwOUNlcnRpZmljYXRlPgo8L2RzOlg1MDlEYXRhPgo8L2RzOktleUluZm8+Cjwv ZHM6U2lnbmF0dXJlPjwvc2FtbDpBc3NlcnRpb24+PC9zYW1scDpSZXNwb25zZT4="> <INPUT TYPE="Submit" NAME="button" Value="Submit"> </FORM></BODY></HTML>
The SAMLResponse field is plain Base64. Decoding it with any Base64 decoder returns the signed SAML response shown below. The parts that matter for Concur are the <saml:AuthenticationStatement> and, inside it, the <saml:NameIdentifier> that carries the username. Two things to be aware of when comparing the two listings. First, the posted form above was captured on 2007-08-10 and, if you decode it yourself, its authentication statement carries an opaque NameIdentifier (id337QdAVXzfByBB0wMpJSpnPhfEk) with the username present only as a uid attribute in a separate <saml:AttributeStatement>, which is exactly the keyword-omitted situation described earlier. Second, the decoded listing below appears to combine that Response with an assertion from a later capture (2007-09-19, username ncashell in the NameIdentifier), which is why the assertion's ds:Reference URI (#idcjK-HM23-M83SG57uHdK9xDGFwk) does not match its AssertionID (idB0z0MCNyqX.pL4pUzI73-GgwF.4). A service provider verifying that exact text would reject it, so treat the listing as an illustration of the structure rather than a verbatim decode.
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" IssueInstant="2007-08-10T12:20:27Z" MajorVersion="1" MinorVersion="0" Recipient="https://director.concursolutions.com/" ResponseID="idVeHhMtTnBnMJZEknz1FdqqCiG28">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#idVeHhMtTnBnMJZEknz1FdqqCiG28">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>uiupyuxAf1AHo9pEIZPqNrQ9Q8g=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>
GEEM/AAjAPV60nqQswKXC/NtX1BLu4PFsbiCNf4WUtYoMnAFhLe4a5ZWAg3Uo
hrPczBE3E95SL/vtsmUyVojdmfw5VGK0LH0SX18c/7NX3fgLKFoU2Zk/YWxVfla2
WxJG03aR4NA1YOcN8GgGs0xRrDPh4d0AoO0UCsbajERBT838DbheWTWCtlta
/L7XLHPBGgG0BiFzMIG71tw9MOhMnSsSQ6nCU+8UKx9reKMr1XJ6kbCxwpL7g
yqe0IkiuV+9DoHqFR91I8276KHGZVSDpGlxxqhE9EYVee8VsldCWCjDgXyD08/Q
c+L24OfeNWzoUNLF1ttQ4qkatriM6wqng==
    </ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>
MIIFJzCCBA+gAwIBAgIiAhwR/6OH/rdIZFB2znunKv4UBE1Q+8nMyYqjKgJ8AgI
GWzANBgkqhkiG9w0BAQUFADA1MRowGAYDVQQLExFPcmdhbml6YXRpb25hb
CBDQTEXMBUGA1UEChQObGludXhsYWI1X3RyZWUwHhcNMDYxMjExMTkyOT
A4WhcNMDgxMjExMTkyOTA4WjBAMRUwEwYDVQQDEwx0ZXN0LXNpZ25pbmc
xFjAUBgNVBAsTDWFjY2Vzc01hbmFnZXIxDzANBgNVBAoTBm5vdmVsbDCCASI
wDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMoLFlglomkeT+vCJqdAGtlt
nWXSicQbT5yIqmflpKVVq6WrZtmVHkQSaBOt6pFC6nkcVsp0wDhKTpZ0OdcJwl
gqFZEBuY1EIVg02SpwwonKh6nPLAG2/A1pFcXzbOjZWbawYFBzjEq3H+22Azp
8pX1TvI6NKBhU+gDYIlBO3c6/fBJ4mULwbx7FmlC85Fzq0AyDnneiqnBOBCeuHn
Z6ncCJC/eYijOR1BqLyhbw6WcxT0xYQ5BIRb8jG8KeC6vOEODXOwtgDVqOF4r
4s93OBB4TV/8ggeTDWSV/bh+JlVJ6N563kb8l7Oe7qYRJwWYNPSVgKeMxaSLpj
cmodzQEYH8CAwEAAaOCAhQwggIQMB0GA1UdDgQWBBRHrrj047sKxB/8OXT
Wp2ZvpYfRFDAfBgNVHSMEGDAWgBQNW3XfVEJ5ewSOAI+mwHBFdy++RzC
CAcwGC2CGSAGG+DcBCQQBBIIBuzCCAbcEAgEAAQH/Ex1Ob3ZlbGwgU2VjdX
JpdHkgQXR0cmlidXRlKHRtKRZDaHR0cDovL2RldmVsb3Blci5ub3ZlbGwuY29tL3Jl
cG9zaXRvcnkvYXR0cmlidXRlcy9jZXJ0YXR0cnNfdjEwLmh0bTCCAUigGgEBADAI
MAYCAQECAUYwCDAGAgEBAgEKAgFpoRoBAQAwCDAGAgEBAgFGMAgwBgIB
AQIBCgIBaaIGAgEXAQH/o4IBBKBYAgECAgIA/wIBAAMNAIAAAAAAAAAAAAA
AAAMJAIAAAAAAAAAAMBgwEAIBAAIIf/////////8BAQACBAbw30gwGDAQAgE
AAgh//////////wEBAAIEBvDfSKFYAgECAgIA/wIBAAMNAEAAAAAAAAAAAAAA
AAMJAEAAAAAAAAAAMBgwEAIBAAIIf/////////8BAQACBBH/o4cwGDAQAgEAA
gh//////////wEBAAIEEf+jh6JOMEwCAQICAQACAgD/Aw0AgAAAAAAAAAAAAA
AAAwkAgAAAAAAAAAAwEjAQAgEAAgh//////////wEBADASMBACAQACCH/////
/////AQEAMA0GCSqGSIb3DQEBBQUAA4IBAQCiOkwnFFM9U6b4Nytst1pxT1PZ
6gs6Qn2KzakEFn2A+BgEVRoLwKhi4waUsSkDl7JAjvFkwg2iXY2ZefKEviollvBGZ
CwLW7TbL7TjwR+zSe79cMzonr8b/WW3XYFn+PxXxE9rYP1eGkaBsZk+yXV59
AsqFbm0k+Bkwl7+IryMAshbAu0LTiiV/57tl+IKDCkYxEniSHg6A7VhD6B6Pc1+JR
U/JMiUrdIkfRidNImIVE0jTxDqAP0+HH60kB3JH5qS0J0ATmrWPeBE0DVZnPlzxt
AHcYrgJLFcQwvxUDy/KXc1Hgtrj6BbEE0+fVMybZVSuRU8rhtgNlKGVQ7TtJQG
        </ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <samlp:Status>
    <samlp:StatusCode Value="samlp:Success"/>
  </samlp:Status>
  <saml:Assertion AssertionID="idB0z0MCNyqX.pL4pUzI73-GgwF.4" IssueInstant="2007-09-19T10:58:48Z" Issuer="https://idpcluster.lab.novell.com:8443/nidp/saml/metadata" MajorVersion="1" MinorVersion="0">
    <saml:Conditions NotBefore="2007-09-19T10:53:48Z" NotOnOrAfter="2007-09-19T11:03:48Z"/>
    <saml:AuthenticationStatement AuthenticationInstant="2007-09-19T10:58:48Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified">
      <saml:Subject>
        <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">ncashell</saml:NameIdentifier>
        <saml:SubjectConfirmation>
          <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
        </saml:SubjectConfirmation>
      </saml:Subject>
    </saml:AuthenticationStatement>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference URI="#idcjK-HM23-M83SG57uHdK9xDGFwk">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <ds:DigestValue>TZk5PsF+ck5UEwjap8GQWhKXPzc=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>
Cyu364H2qzuNP463V+CF8frumNj/eFIRlLsVIp9Ae17M7jYXdebJrts4qkx5Egme
CV4Hv41KgZcPVleZeq3WZfPq3AFL77gqxGyrptzSVDi+Mrfy2NMk5ziL8Ojydknia
8+IRiL7IIt/5GOAYzSl0peM8QuZ4ZyPC1s26Qb9NknUCHOFQe4hTiFkPu7g3UW
OJgW2iQTQvGlTtSRXdHcqsM2DHUO9qRZ1NTLRMVgL3+C+8xe+/MU6Ki09ac1
Kv9GoPuju0/sEVAgynBSy4VkggRRXjxY84XF0yBV1UMrrQDPPTj/pUhkn1ZOkRQ
Y17ck2wJpEBh7njKN9Gz3pZ02Snw==
      </ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>
MIIFJzCCBA+gAwIBAgIiAhwR/6OH/rdIZFB2znunKv4UBE1Q+8nMyYqjKgJ8AgI
GWzANBgkqhkiG9w0BAQUFADA1MRowGAYDVQQLExFPcmdhbml6YXRpb25hb
CBDQTEXMBUGA1UEChQObGludXhsYWI1X3RyZWUwHhcNMDYxMjExMTkyOT
A4WhcNMDgxMjExMTkyOTA4WjBAMRUwEwYDVQQDEwx0ZXN0LXNpZ25pbmc
xFjAUBgNVBAsTDWFjY2Vzc01hbmFnZXIxDzANBgNVBAoTBm5vdmVsbDCCASI
wDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMoLFlglomkeT+vCJqdAGtlt
nWXSicQbT5yIqmflpKVVq6WrZtmVHkQSaBOt6pFC6nkcVsp0wDhKTpZ0OdcJwl
gqFZEBuY1EIVg02SpwwonKh6nPLAG2/A1pFcXzbOjZWbawYFBzjEq3H+22Azp
8pX1TvI6NKBhU+gDYIlBO3c6/fBJ4mULwbx7FmlC85Fzq0AyDnneiqnBOBCeuHn
Z6ncCJC/eYijOR1BqLyhbw6WcxT0xYQ5BIRb8jG8KeC6vOEODXOwtgDVqOF4r
4s93OBB4TV/8ggeTDWSV/bh+JlVJ6N563kb8l7Oe7qYRJwWYNPSVgKeMxaSLpj
cmodzQEYH8CAwEAAaOCAhQwggIQMB0GA1UdDgQWBBRHrrj047sKxB/8OXT
Wp2ZvpYfRFDAfBgNVHSMEGDAWgBQNW3XfVEJ5ewSOAI+mwHBFdy++RzC
CAcwGC2CGSAGG+DcBCQQBBIIBuzCCAbcEAgEAAQH/Ex1Ob3ZlbGwgU2VjdX
JpdHkgQXR0cmlidXRlKHRtKRZDaHR0cDovL2RldmVsb3Blci5ub3ZlbGwuY29tL3Jl
cG9zaXRvcnkvYXR0cmlidXRlcy9jZXJ0YXR0cnNfdjEwLmh0bTCCAUigGgEBADAI
MAYCAQECAUYwCDAGAgEBAgEKAgFpoRoBAQAwCDAGAgEBAgFGMAgwBgIB
AQIBCgIBaaIGAgEXAQH/o4IBBKBYAgECAgIA/wIBAAMNAIAAAAAAAAAAAAA
AAAMJAIAAAAAAAAAAMBgwEAIBAAIIf/////////8BAQACBAbw30gwGDAQAgE
AAgh//////////wEBAAIEBvDfSKFYAgECAgIA/wIBAAMNAEAAAAAAAAAAAAAA
AAMJAEAAAAAAAAAAMBgwEAIBAAIIf/////////8BAQACBBH/o4cwGDAQAgEAA
gh//////////wEBAAIEEf+jh6JOMEwCAQICAQACAgD/Aw0AgAAAAAAAAAAAAA
AAAwkAgAAAAAAAAAAwEjAQAgEAAgh//////////wEBADASMBACAQACCH/////
/////AQEAMA0GCSqGSIb3DQEBBQUAA4IBAQCiOkwnFFM9U6b4Nytst1pxT1PZ
6gs6Qn2KzakEFn2A+BgEVRoLwKhi4waUsSkDl7JAjvFkwg2iXY2ZefKEviollvBGZ
CwLW7TbL7TjwR+zSe79cMzonr8b/WW3XYFn+PxXxE9rYP1eGkaBsZk+yXV59
AsqFbm0k+Bkwl7+IryMAshbAu0LTiiV/57tl+IKDCkYxEniSHg6A7VhD6B6Pc1+JR
U/JMiUrdIkfRidNImIVE0jTxDqAP0+HH60kB3JH5qS0J0ATmrWPeBE0DVZnPlzxt
AHcYrgJLFcQwvxUDy/KXc1Hgtrj6BbEE0+fVMybZVSuRU8rhtgNlKGVQ7TtJQG
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
  </saml:Assertion>
</samlp:Response>
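The decoding and inspection described in step 4 can be scripted. The following Python example is added here and is not code from the AppNote, from Novell or from Concur. It extracts the SAMLResponse field from a captured auto-POST form, Base64-decodes it (tolerating the 76-column line wrapping visible in the capture above) and applies the structural checks a service provider makes before it trusts the subject: status, Recipient, Issuer, the Conditions window, a NameIdentifier inside the AuthenticationStatement (the value Concur reads), and that each enveloped ds:Signature references the ID of the element it lives in, which is the mismatch noted in the listing above. It does not verify the RSA signatures themselves; that needs the IDP's certificate and an XMLDSig library. The sample form and response are constructed for the example, with placeholder signature values and illustrative IDs and IDP hostname (idp.example.com); the Concur URLs are the ones used in this AppNote.

```python
"""Decode and check a captured SAML 1.1 Browser/POST form (Troubleshooting step 4)."""
import base64
from datetime import datetime, timedelta, timezone
from html.parser import HTMLParser
import xml.etree.ElementTree as ET  # untrusted XML: use defusedxml in production

NS = {"samlp": "urn:oasis:names:tc:SAML:1.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:1.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}

class _FormFields(HTMLParser):
    # Collect the form action and every <input name=... value=...> pair.
    def __init__(self):
        super().__init__()
        self.action, self.fields = None, {}
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lower-cases tag and attribute names
        if tag == "form":
            self.action = a.get("action")
        elif tag == "input" and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""

def parse_post_form(html):
    p = _FormFields()
    p.feed(html)
    return p.action, p.fields

def decode_saml_response(b64):
    # b64decode discards the CR/LF or spaces left by the 76-column wrapping seen in captures
    return base64.b64decode(b64).decode("utf-8")

def _utc(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def inspect_response(xml_text, expected_recipient, expected_issuer, now_utc, skew_s=60):
    """Return (summary, problems); empty problems == structurally acceptable for this SP and time.
    RSA signature verification is deliberately out of scope (needs the IDP certificate + XMLDSig)."""
    root, problems = ET.fromstring(xml_text), []
    now, skew = _utc(now_utc), timedelta(seconds=skew_s)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or not code.get("Value", "").endswith("Success"):
        problems.append("status is not samlp:Success")
    if root.get("Recipient") != expected_recipient:
        problems.append(f"Recipient {root.get('Recipient')!r} != {expected_recipient!r}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return {}, problems + ["no saml:Assertion in response"]
    if assertion.get("Issuer") != expected_issuer:
        problems.append(f"Issuer {assertion.get('Issuer')!r} is not the trusted IDP")
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None and not (_utc(cond.get("NotBefore")) - skew <= now < _utc(cond.get("NotOnOrAfter")) + skew):
        problems.append("outside the Conditions window (NotBefore/NotOnOrAfter)")
    # Concur reads the username from the AuthenticationStatement's NameIdentifier; a name
    # carried only in an AttributeStatement (the keyword-omitted case) does not count.
    subj = "saml:AuthenticationStatement/saml:Subject/saml:NameIdentifier"
    subject = assertion.findtext(subj, default="", namespaces=NS).strip()
    if not subject:
        problems.append("no NameIdentifier in AuthenticationStatement")
    attrs = {a.get("AttributeName"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    # Each enveloped signature must reference the ID of the element it lives in
    # (ResponseID / AssertionID); otherwise its digest covers something else entirely.
    for elem, id_attr in ((root, "ResponseID"), (assertion, "AssertionID")):
        sig = elem.find("ds:Signature", NS)
        ref = sig.find("ds:SignedInfo/ds:Reference", NS) if sig is not None else None
        uri = ref.get("URI") if ref is not None else None
        if uri != "#" + (elem.get(id_attr) or ""):
            problems.append(f"signature Reference {uri!r} does not cover {id_attr}={elem.get(id_attr)!r}")
    return {"subject": subject, "attributes": attrs}, problems

def check_captured_form(html, expected_recipient, expected_issuer, now_utc):
    """End to end: captured HTML form -> SAMLResponse -> decoded XML -> checks."""
    action, fields = parse_post_form(html)
    summary, problems = inspect_response(decode_saml_response(fields["SAMLResponse"]),
                                         expected_recipient, expected_issuer, now_utc)
    summary.update(action=action, target=fields.get("TARGET"))
    return summary, problems

# Constructed sample modelled on the AppNote capture: placeholder signature values (X),
# illustrative IDs and IDP host; a real response also carries KeyInfo/X509Certificate.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" IssueInstant="2007-09-19T10:58:48Z" MajorVersion="1" MinorVersion="1"
 Recipient="https://director.concursolutions.com/" ResponseID="idResp1">
<ds:Signature><ds:SignedInfo><ds:Reference URI="#idResp1"/></ds:SignedInfo><ds:SignatureValue>X</ds:SignatureValue></ds:Signature>
<samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>
<saml:Assertion AssertionID="idAssn1" IssueInstant="2007-09-19T10:58:48Z" MajorVersion="1" MinorVersion="1"
 Issuer="https://idp.example.com/nidp/saml/metadata">
<saml:Conditions NotBefore="2007-09-19T10:53:48Z" NotOnOrAfter="2007-09-19T11:03:48Z"/>
<saml:AuthenticationStatement AuthenticationInstant="2007-09-19T10:58:48Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified">
<saml:Subject><saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">ncashell</saml:NameIdentifier>
<saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod></saml:SubjectConfirmation>
</saml:Subject></saml:AuthenticationStatement>
<saml:AttributeStatement><saml:Subject><saml:NameIdentifier>ncashell</saml:NameIdentifier></saml:Subject>
<saml:Attribute AttributeName="uid" AttributeNamespace="urn:oasis:names:tc:SAML:1.0:assertion"><saml:AttributeValue>ncashell</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
<ds:Signature><ds:SignedInfo><ds:Reference URI="#idAssn1"/></ds:SignedInfo><ds:SignatureValue>X</ds:SignatureValue></ds:Signature>
</saml:Assertion></samlp:Response>"""

# Constructed auto-POST form in the shape the Identity Server emits; encodebytes wraps the
# Base64 at 76 columns, exactly as a browser capture shows it.
SAMPLE_FORM = ('<HTML><BODY Onload="document.forms[0].submit()"><FORM Method="Post" '
               'Action="https://director.concursolutions.com?entity=p0001535kxfs">'
               '<INPUT TYPE="hidden" NAME="TARGET" Value="https://director.concursolutions.com/">'
               '<INPUT TYPE="hidden" NAME="SAMLResponse" Value="'
               + base64.encodebytes(SAMPLE_XML.encode()).decode() + '"></FORM></BODY></HTML>')
```

Call check_captured_form() on a form saved from the browser, passing the Recipient and Issuer you expect and a timestamp close to the capture time. An empty problems list means the structure is what the SP expects; each listed problem maps to one of the failure modes discussed above (assertion outside its validity window, username present only in the AttributeStatement, a signature Reference that does not cover the element it sits in). Because a captured form is a bearer credential while its window is open, run this on a machine you trust and delete the capture afterwards.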
Conclusion
In most SAML 1.1 setups where the inter-site transfer URL is used to POST assertions to an SP, attributes are sent by default in the attribute statement. Some applications, such as Concur, require the value to be carried in the authentication statement, specifically within the <NameIdentifier> tag. Novell Access Manager SP1 can map an attribute value from the Identity Server's user store into that authentication statement <NameIdentifier> tag by using the 'saml:NameIdentifier' keyword. The Concur SAML service provider consumes the assertion, reads the <NameIdentifier> value and validates that username before granting access to the application.
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com

