
SAML / NAM / Concur Integration

Novell Cool Solutions: AppNote
By Neil Cashell


Posted: 3 Oct 2007
 

Introduction

Concur Technologies (http://www.concur.com/) is a provider of expense management software. Concur Expense Service (CES) is a powerful web-based expense reporting solution that enables expense reports to be created, submitted, filed, reviewed, approved, and audited online, using one complete solution.

This AppNote demonstrates how to integrate Novell Access Manager and Concur, using the Security Assertion Markup Language (SAML) solution for Single Sign-on (SSO) to the Concur Expense Service (CES). The tests were performed with the Novell Access Manager 3 Support pack 1 Gold Master build, and Concur Expense Services.

High-level Overview of the SAML Posting Process

There are two ways to exchange SAML assertions: via artifacts through a backchannel direct server-to-server connection, or by using HTTP POSTs through the user's browser using a SAML form. Concur supports only the POSTing of the assertions through the user's browser, so the SAML profile defined at the Identity Server for the SAML relationship with Concur's SP will have to be POST.

Figure 1 shows the general process that Novell's SAML Identity server and Concur's SP follow in granting access to Concur Expense Service (CES) users.

Figure 1: SAML Process Flow

Steps 1 and 2: The CES user is authenticated to the corporate portal. The user selects the CES link on the portal, and a redirect is sent to the IDP server to log in and provide an IDP-initiated SSO to the Concur SP.

Step 3: The user logs into the Access Manager Identity Server and a request to access the SP is sent to the identity provider inter-site transfer URL.

Step 4: An XML assertion is created that shows that an end user authenticated with the identity provider at a particular time, with a particular method of authentication. An authentication assertion is also sent with the user credentials required to uniquely identify the user at the SP. The assertion is sent back to the browser with JavaScript injected for the browser to auto-post the form.

The assertion generated is authenticated through digital signature or symmetric key encryption. In both cases, the assertion is Base64-encoded to be safely transferred across the Internet.

Step 5: The form, including the assertion, is posted from the user's browser to the Concur SP Expense Logon page, where the assertion is decoded and verified. Specifically, the system validates that the user ID exists in the Concur database and that the time on the form is within the configured timeout.

Step 6: If the user credentials are validated, the user's browser is automatically authenticated into the Concur Expense Service. If the system is not able to validate the user, the user's browser is redirected to an error URL provided by the client.

Access Manager Configuration Steps

Creating the trust relationship between IDP and SP

1. Because the Concur SP supports only SAML 1.1, go to the Access Manager Identity Server configuration and create a new service provider (e.g., Concur).

At this point, you are asked to enter the metadata URL or paste a copy of the metadata.

2. Concur does not publish or provide the metadata, so select the Manual Entry option.

3. At this stage, the administrator must enter some data specific to the Concur SAML setup (as shown below).

Figure 2: Data entry for the Concur SAML setup

  • Supported version: This must be set to SAML 1.1 (Access Manager also supports SAML 1.0, which Concur does not)
  • Provider ID: To initiate single sign-on, a URL must contain the inter-site transfer service URL and a TARGET parameter. This specifies the provider ID of the service provider in the federation and the name of the application that a user can log in to, using single sign-on.
  • Metadata expiration: This defines for how long this metadata is valid (not required).
  • Artifact Consumer URL: This is not required, because the Concur SP supports only POSTing of assertions.
  • Post Consumer URL: URL on the Service Provider where the assertions must be sent. This information is provided by the Concur SP.
  • Signing certificate Service provider: Theoretically, this is not required in this case, as we do not receive any information from the SP (it would be required if the SP made an attribute request to our IDP server). However, due to a bug in the SP1 GUI, it is a required field. When you add a certificate here, you MUST import the trusted root of that certificate into the NIDP-Truststore of the Identity Server. Failure to do so will cause the SAML SP not to get initialized, and the following message will be visible in the catalina.out file:
<amLogEntry> 2007-08-22T09:40:45Z SEVERE NIDS Application: AM#100105007:
AMDEVICEID#EC00ADA81ABF14BC:  Error verifying metadata certificates while loading trusted provider
http://sapnw.nam.com  java.lang.NullPointerException  </amLogEntry>

Enabling the POST profile on the Identity Server

The assertions sent from the Access Manager IDP server to the Concur SP must be POST-based and not artifact-based, as Concur doesn't support artifact-based assertions. By default, the Artifact option is enabled, so you need to disable the artifact options to only leave the Post settings.

Figure 3: Enabling the POST profile

Defining Attributes to be Sent to the Concur Service Provider within the SAML Authentication Assertion

Concur will single-sign-on users that have authenticated to the Access Manager IDP server in the trust relationship, but information about these users is still required at the Concur application end.

Figure 4: Defining attribute sets

Figure 5: Concur attribute mapping

In our setup, the Concur SP application expects an authentication assertion with the Concur user's userID from the Access Manager Identity Server. The username that Concur expects is the user's LDAP CN attribute in the Identity Server's LDAP user store.

1. Remap the user's LDAP CN on the IDP server to the attribute required by Concur.

By mapping the LDAP CN attribute above to the 'saml:NameIdentifier' keyword in the Remote Attribute field, the attribute value will be added to the <saml:NameIdentifier> tag of the <saml:AuthenticationStatement> (the authentication assertion).

Note that if the 'saml:NameIdentifier' keyword in the Remote Attribute field is omitted and another attribute name is defined instead, the attribute value will be added to the attribute assertion rather than the authentication assertion. Because Concur expects the username to be passed in the authentication assertion, omitting the above keyword would cause the Single Sign-On to fail.

Next, you need to assign the above SAML attributes to the trust session. To do this,

1. Go to the SAML SP that you defined for the Concur service provider.

2. Drill down to Access > Attributes and select the attribute set as defined in the previous step. When the set is selected, a list of all attributes will appear in the available section of the UI.

3. Select the LDAP CN attribute and move it over to the 'Send with authentication' section. This makes sure that this attribute will be sent to the SP after the user has authenticated to the IDP.

Figure 6: Selecting the SAML Service Provider

Figure 7: Assigning SAML attributes

Finally, after applying the changes to the Identity Server, you need to define the URL that will perform an IDP-initiated SSO to the Concur SP. This URL needs to be in the following format (assuming that HTTPS is enabled on both the IDP and SP servers), and assumes that the provider ID specified in the metadata above matches the Concur SP URL:

https://<AccessManager_IDP_server_hostname>/nidp/saml/idpsend?PID=https://director.concursolutions.com/entity=p0001535kxfs&TARGET=<Concur_expenses_URL>

... where <AccessManager_IDP_server_hostname> corresponds to the DNS hostname of the Access Manager Identity Server base URL and <Concur_expenses_URL> is the URL where users will enter their expenses.

After logging in to the Access Manager Identity Server, users should now get access to the Concur application without having to authenticate again. In our example, I would get redirected to my home page with my Concur username being displayed on that page.

Troubleshooting

1. To simplify the troubleshooting and confirmation of the setup, enable the following log settings on the Identity Server configuration. This will add a lot of debugging information to the /var/opt/novell/tomcat4/logs/catalina.out file.

Figure 8: SAML Process Flow

2. Check the catalina.out file for errors. If the service provider signing certificate's trusted root is not imported into the NIDP-Truststore trusted root store, the SAML service provider will NOT initialize, and no valid assertions will be sent to the remote location. What you need to do is confirm that the trusted provider has loaded successfully. For example, the following statement will be reported in catalina.out when the Concur SAML 1 SP initializes correctly:

<amLogEntry> 2007-09-19T10:44:13Z INFO NIDS Application: 
AM#500105038: AMDEVICEID#D5AF8CA5FBDB5813:  Loaded trusted 
provider concur of protocol SAML 1 </amLogEntry>

3. Make sure that the providerID specified in the SP metadata matches the PID specified in the inter-site transfer URL. In the above case, the providerID defined in the metadata was https://director.concursolutions.com?entity=p0001535kxfs. The PID parameter in the URL that we used to single-sign-on to Concur through Novell Access Manager's Identity server was:

https://idpcluster.lab.novell.com/nidp/saml/idpsend?
PID=https://director.concursolutions.com?
entity=p0001535kxfs&TARGET=https://director.concursolutions.com?
entity=p0001535kxfs

... where the PID matches the ProviderID in the metadata. Failure to match these two entities would result in the following error being displayed in the browser after the user's credentials have been entered at the Identity Server:

Unable to send authentication to service provider.
Cause/Code: AM#300101005: AMDEVICEID#D5AF8CA5FBDB5813: : Invalid or no provider is specified-D5AF8CA5FBDB5813

The catalina output file would give more details:

2007-09-19T12:22:09Z INFO NIDS SAML1: AM#500105030: AMDEVICEID#D5AF8CA5FBDB5813: Processing Intersite Transfer Service request. ProviderID: https://director.concursolutions.com Target:https://director.concursolutions.com?entity=p0001535kxfs
2007-09-19T12:22:09Z SEVERE NIDS SAML1: NIDPException: AM#300101005: AMDEVICEID#D5AF8CA5FBDB5813: : Invalid or no provider is specified

4. Check the assertions being sent to the Concur SAML Service Provider. To do this, make sure that you have a browser that has the ability to dump HTTP headers during the testing (e.g., Internet Explorer's ieHTTPHeaders or Firefox's LiveHTTPHeaders). You could also do a View > Source of the data to be submitted to get the same details (although this is difficult, as there is only a two-second window during which the data is held in the browser before being submitted).

An example of what can be viewed is the data POSTed by the browser, and specifically the SAMLResponse data.

<HTML><HEAD><META HTTP-EQUIV="Pragma" CONTENT="no-cache"></HEAD>
<BODY Onload="document.forms[0].submit()">
<FORM Method="Post" Action="https://director.concursolutions.com?entity=p0001535kxfs">
<INPUT TYPE="hidden" NAME="TARGET" Value="https://director.concursolutions.com/">
<INPUT TYPE="hidden" NAME="SAMLResponse" Value="PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoxLjA6...=">
<INPUT TYPE="Submit" NAME="button" Value="Submit">
</FORM></BODY></HTML>

This SAML response data is simply base64-encoded. Decoding the above data with a simple base64 decoder returns the SAML assertion shown below. Look at the values associated with the attribute and authentication statements below, in particular the <saml:NameIdentifier> element, to locate the key part of the SAML assertion.

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" IssueInstant="2007-08-10T12:20:27Z"
 MajorVersion="1" MinorVersion="0" Recipient="https://director.concursolutions.com/"
 ResponseID="idVeHhMtTnBnMJZEknz1FdqqCiG28">
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#idVeHhMtTnBnMJZEknz1FdqqCiG28">
<ds:Transforms>
  <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>uiupyuxAf1AHo9pEIZPqNrQ9Q8g=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
GEEM/AAjAPV60nqQswKXC/NtX1BLu4PFsbiCNf4WUtYoMnAFhLe4a5ZWAg3Uo
hrPczBE3E95SL/vtsmUyVojdmfw5VGK0LH0SX18c/7NX3fgLKFoU2Zk/YWxVfla2
WxJG03aR4NA1YOcN8GgGs0xRrDPh4d0AoO0UCsbajERBT838DbheWTWCtlta
/L7XLHPBGgG0BiFzMIG71tw9MOhMnSsSQ6nCU+8UKx9reKMr1XJ6kbCxwpL7g
yqe0IkiuV+9DoHqFR91I8276KHGZVSDpGlxxqhE9EYVee8VsldCWCjDgXyD08/Q
c+L24OfeNWzoUNLF1ttQ4qkatriM6wqng==
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
MIIFJzCCBA+gAwIBAgIiAhwR/6OH/rdIZFB2znunKv4UBE1Q+8nMyYqjKgJ8AgI
GWzANBgkqhkiG9w0BAQUFADA1MRowGAYDVQQLExFPcmdhbml6YXRpb25hb
CBDQTEXMBUGA1UEChQObGludXhsYWI1X3RyZWUwHhcNMDYxMjExMTkyOT
A4WhcNMDgxMjExMTkyOTA4WjBAMRUwEwYDVQQDEwx0ZXN0LXNpZ25pbmc
xFjAUBgNVBAsTDWFjY2Vzc01hbmFnZXIxDzANBgNVBAoTBm5vdmVsbDCCASI
wDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMoLFlglomkeT+vCJqdAGtlt
nWXSicQbT5yIqmflpKVVq6WrZtmVHkQSaBOt6pFC6nkcVsp0wDhKTpZ0OdcJwl
gqFZEBuY1EIVg02SpwwonKh6nPLAG2/A1pFcXzbOjZWbawYFBzjEq3H+22Azp
8pX1TvI6NKBhU+gDYIlBO3c6/fBJ4mULwbx7FmlC85Fzq0AyDnneiqnBOBCeuHn
Z6ncCJC/eYijOR1BqLyhbw6WcxT0xYQ5BIRb8jG8KeC6vOEODXOwtgDVqOF4r
4s93OBB4TV/8ggeTDWSV/bh+JlVJ6N563kb8l7Oe7qYRJwWYNPSVgKeMxaSLpj
cmodzQEYH8CAwEAAaOCAhQwggIQMB0GA1UdDgQWBBRHrrj047sKxB/8OXT
Wp2ZvpYfRFDAfBgNVHSMEGDAWgBQNW3XfVEJ5ewSOAI+mwHBFdy++RzC
CAcwGC2CGSAGG+DcBCQQBBIIBuzCCAbcEAgEAAQH/Ex1Ob3ZlbGwgU2VjdX
JpdHkgQXR0cmlidXRlKHRtKRZDaHR0cDovL2RldmVsb3Blci5ub3ZlbGwuY29tL3Jl
cG9zaXRvcnkvYXR0cmlidXRlcy9jZXJ0YXR0cnNfdjEwLmh0bTCCAUigGgEBADAI
MAYCAQECAUYwCDAGAgEBAgEKAgFpoRoBAQAwCDAGAgEBAgFGMAgwBgIB
AQIBCgIBaaIGAgEXAQH/o4IBBKBYAgECAgIA/wIBAAMNAIAAAAAAAAAAAAA
AAAMJAIAAAAAAAAAAMBgwEAIBAAIIf/////////8BAQACBAbw30gwGDAQAgE
AAgh//////////wEBAAIEBvDfSKFYAgECAgIA/wIBAAMNAEAAAAAAAAAAAAAA
AAMJAEAAAAAAAAAAMBgwEAIBAAIIf/////////8BAQACBBH/o4cwGDAQAgEAA
gh//////////wEBAAIEEf+jh6JOMEwCQICAQACAgD/Aw0AgAAAAAAAAAAAAAA
AAwkAgAAAAAAAAAAwEjAQAgEAAgh//////////wEBADASMBACAQACCH///////
///AQEAMA0GCSqGSIb3DQEBBQUAA4IBAQCiOkwnFFM9U6b4Nytst1pxT1PZ6
gs6Qn2KzakEFn2A+BgEVRoLwKhi4waUsSkDl7JAjvFkwg2iXY2ZefKEviollvBGZC
wLW7TbL7TjwR+zSe79cMzonr8b/WW3XYFn+PxXxE9rYP1eGkaBsZk+yXV59As
qFbm0k+Bkwl7+IryMAshbAu0LTiiV/57tl+IKDCkYxEniSHg6A7VhD6B6Pc1+JRU/
JMiUrdIkfRidNImIVE0jTxDqAP0+HH60kB3JH5qS0J0ATmrWPeBE0DVZnPlzxtAH
cYrgJLFcQwvxUDy/KXc1Hgtrj6BbEE0+fVMybZVSuRU8rhtgNlKGVQ7TtJQG
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<samlp:Status><samlp:StatusCode Value="samlp:Success"/>
</samlp:Status>

<saml:Assertion AssertionID="idB0z0MCNyqX.pL4pUzI73-GgwF.4"
 IssueInstant="2007-09-19T10:58:48Z"
 Issuer="https://idpcluster.lab.novell.com:8443/nidp/saml/metadata"
 MajorVersion="1" MinorVersion="0">
<saml:Conditions NotBefore="2007-09-19T10:53:48Z" NotOnOrAfter="2007-09-19T11:03:48Z"/>
<saml:AuthenticationStatement AuthenticationInstant="2007-09-19T10:58:48Z"
 AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified">
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">ncashell</saml:NameIdentifier>
<saml:SubjectConfirmation>
  <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>

<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#idcjK-HM23-M83SG57uHdK9xDGFwk">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>TZk5PsF+ck5UEwjap8GQWhKXPzc=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
Cyu364H2qzuNP463V+CF8frumNj/eFIRlLsVIp9Ae17M7jYXdebJrts4qkx5Egme
CV4Hv41KgZcPVleZeq3WZfPq3AFL77gqxGyrptzSVDi+Mrfy2NMk5ziL8Ojydknia
8+IRiL7IIt/5GOAYzSl0peM8QuZ4ZyPC1s26Qb9NknUCHOFQe4hTiFkPu7g3UW
OJgW2iQTQvGlTtSRXdHcqsM2DHUO9qRZ1NTLRMVgL3+C+8xe+/MU6Ki09ac1
Kv9GoPuju0/sEVAgynBSy4VkggRRXjxY84XF0yBV1UMrrQDPPTj/pUhkn1ZOkRQ
Y17ck2wJpEBh7njKN9Gz3pZ02Snw==
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
MIIFJzCCBA+gAwIBAgIiAhwR/6OH/rdIZFB2znunKv4UBE1Q+8nMyYqjKgJ8AgI
GWzANBgkqhkiG9w0BAQUFADA1MRowGAYDVQQLExFPcmdhbml6YXRpb25hb
CBDQTEXMBUGA1UEChQObGludXhsYWI1X3RyZWUwHhcNMDYxMjExMTkyOT
A4WhcNMDgxMjExMTkyOTA4WjBAMRUwEwYDVQQDEwx0ZXN0LXNpZ25pbmc
xFjAUBgNVBAsTDWFjY2Vzc01hbmFnZXIxDzANBgNVBAoTBm5vdmVsbDCCASI
wDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMoLFlglomkeT+vCJqdAGtlt
nWXSicQbT5yIqmflpKVVq6WrZtmVHkQSaBOt6pFC6nkcVsp0wDhKTpZ0OdcJwl
gqFZEBuY1EIVg02SpwwonKh6nPLAG2/A1pFcXzbOjZWbawYFBzjEq3H+22Azp
8pX1TvI6NKBhU+gDYIlBO3c6/fBJ4mULwbx7FmlC85Fzq0AyDnneiqnBOBCeuHn
Z6ncCJC/eYijOR1BqLyhbw6WcxT0xYQ5BIRb8jG8KeC6vOEODXOwtgDVqOF4r
4s93OBB4TV/8ggeTDWSV/bh+JlVJ6N563kb8l7Oe7qYRJwWYNPSVgKeMxaSLpj
cmodzQEYH8CAwEAAaOCAhQwggIQMB0GA1UdDgQWBBRHrrj047sKxB/8OXT
Wp2ZvpYfRFDAfBgNVHSMEGDAWgBQNW3XfVEJ5ewSOAI+mwHBFdy++RzC
CAcwGC2CGSAGG+DcBCQQBBIIBuzCCAbcEAgEAAQH/Ex1Ob3ZlbGwgU2VjdX
JpdHkgQXR0cmlidXRlKHRtKRZDaHR0cDovL2RldmVsb3Blci5ub3ZlbGwuY29tL3Jl
cG9zaXRvcnkvYXR0cmlidXRlcy9jZXJ0YXR0cnNfdjEwLmh0bTCCAUigGgEBADAI
MAYCAQECAUYwCDAGAgEBAgEKAgFpoRoBAQAwCDAGAgEBAgFGMAgwBgIB
AQIBCgIBaaIGAgEXAQH/o4IBBKBYAgECAgIA/wIBAAMNAIAAAAAAAAAAAAA
AAAMJAIAAAAAAAAAAMBgwEAIBAAIIf/////////8BAQACBAbw30gwGDAQAgE
AAgh//////////wEBAAIEBvDfSKFYAgECAgIA/wIBAAMNAEAAAAAAAAAAAAAA
AAMJAEAAAAAAAAAAMBgwEAIBAAIIf/////////8BAQACBBH/o4cwGDAQAgEAA
gh//////////wEBAAIEEf+jh6JOMEwCAQICAQACAgD/Aw0AgAAAAAAAAAAAAA
AAAwkAgAAAAAAAAAAwEjAQAgEAAgh//////////wEBADASMBACAQACCH/////
/////AQEAMA0GCSqGSIb3DQEBBQUAA4IBAQCiOkwnFFM9U6b4Nytst1pxT1PZ
6gs6Qn2KzakEFn2A+BgEVRoLwKhi4waUsSkDl7JAjvFkwg2iXY2ZefKEviollvBGZ
CwLW7TbL7TjwR+zSe79cMzonr8b/WW3XYFn+PxXxE9rYP1eGkaBsZk+yXV59
AsqFbm0k+Bkwl7+IryMAshbAu0LTiiV/57tl+IKDCkYxEniSHg6A7VhD6B6Pc1+JR
U/JMiUrdIkfRidNImIVE0jTxDqAP0+HH60kB3JH5qS0J0ATmrWPeBE0DVZnPlzxt
AHcYrgJLFcQwvxUDy/KXc1Hgtrj6BbEE0+fVMybZVSuRU8rhtgNlKGVQ7TtJQG
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
</saml:Assertion>
</samlp:Response>
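The checks from troubleshooting steps 3 to 5 can be scripted rather than read off a header dump. The following is an added example and not code from the AppNote or from Novell or Concur: it compares the PID in the inter-site transfer URL with the metadata providerID, base64-decodes a SAMLResponse hidden field, reads the NameIdentifier and Conditions, and applies the validity-window check the SP performs. The sample response is constructed (issuer idp.example.test is a placeholder) and omits the two enveloped XML signatures, so the script inspects a response but does not verify its signatures.

```python
# Added example, not code from the AppNote: decode the SAMLResponse hidden
# field of the auto-post form, read the fields the Concur SP checks, and
# compare the idpsend PID against the providerID from the SP metadata.
import base64
from datetime import datetime
from urllib.parse import parse_qs, urlsplit
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"

# Constructed sample shaped like the response above, with both enveloped XML
# signatures omitted: this script inspects a response, it does not verify one.
SAMPLE_XML = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
 IssueInstant="2007-09-19T10:58:48Z" MajorVersion="1" MinorVersion="1"
 Recipient="https://director.concursolutions.com/" ResponseID="idResp1">
 <samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>
 <saml:Assertion AssertionID="idAssert1" IssueInstant="2007-09-19T10:58:48Z"
  Issuer="https://idp.example.test/nidp/saml/metadata" MajorVersion="1" MinorVersion="1">
  <saml:Conditions NotBefore="2007-09-19T10:53:48Z" NotOnOrAfter="2007-09-19T11:03:48Z"/>
  <saml:AuthenticationStatement AuthenticationInstant="2007-09-19T10:58:48Z"
   AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified">
   <saml:Subject>
    <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">ncashell</saml:NameIdentifier>
   </saml:Subject>
  </saml:AuthenticationStatement>
 </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()  # what the hidden field carries

def pid_matches_provider_id(idpsend_url, metadata_provider_id):
    # Troubleshooting step 3: the PID query parameter of the inter-site transfer
    # URL must equal the providerID in the SP metadata (else AM#300101005).
    pid = parse_qs(urlsplit(idpsend_url).query).get("PID", [None])[0]
    return pid == metadata_provider_id

def decode_saml_response(samlresponse_b64):
    # Troubleshooting step 4: base64-decode the hidden field and pull the
    # NameIdentifier (Concur user ID) out of the authentication statement.
    root = ET.fromstring(base64.b64decode(samlresponse_b64))
    assertion = root.find(f"{{{SAML}}}Assertion")
    cond = assertion.find(f"{{{SAML}}}Conditions")
    status = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    return {
        "status": status.get("Value"),
        "recipient": root.get("Recipient"),
        "issuer": assertion.get("Issuer"),
        "name_id": assertion.findtext(f".//{{{SAML}}}NameIdentifier"),
        "not_before": cond.get("NotBefore"),
        "not_on_or_after": cond.get("NotOnOrAfter"),
    }

def within_validity_window(fields, now_utc):
    # Step 5 of the flow: the SP rejects a form presented outside the Conditions
    # window, so IDP/SP clock skew shows up as a failure here. now_utc is ISO UTC.
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    now = datetime.strptime(now_utc, fmt)
    return (datetime.strptime(fields["not_before"], fmt) <= now
            < datetime.strptime(fields["not_on_or_after"], fmt))
```

To use it on a real capture, paste the Value of the SAMLResponse input from the header dump into decode_saml_response and the idpsend URL you configured into pid_matches_provider_id.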

Conclusion

In most SAML 1.1 setups where the inter-site transfer URL is used to POST assertions to an SP, the attributes being sent are placed by default in the attribute assertion. There may be some applications, such as Concur, that require attribute values to be sent as part of the authentication assertion, and specifically within the <NameIdentifier> tag. Novell Access Manager SP1 has the ability to map an attribute value from the SAML Identity Server user store into this authentication assertion <NameIdentifier> tag by using the 'saml:NameIdentifier' keyword. The Concur SAML Service Provider will consume the assertions, check the value of the <NameIdentifier> tag, and validate that username before allowing access to the application.


Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com

© 2014 Novell