SAML Flow for Session Upgrade

The SAML session upgrade flow is proprietary as it relies on AuthnContext extensions that are not standardized. Thus, this flow is supported only if both parties (SP and IDP) are set up using Nevis patterns.

The session upgrade flow is quite similar to the SP-initiated SAML authentication flow: the user is simply sent to the SAML IDP again.

However, there are two differences:

  • The first difference is how the two flows are initiated:
    • SP-initiated authentication is performed when a user tries to access an application for the first time: the application is protected by a SAML SP and there is no authenticated session yet.
    • Session upgrade is performed when an authorization policy assigned to the application demands an authentication level that the current session has not yet attained.
  • The second difference is that in the session upgrade flow, additional information is added to the SAML messages:
    • AuthnRequest messages contain the requested authentication level.
    • Response messages contain the attained authentication level.

The following examples illustrate the session upgrade SAML flow. To improve readability, the examples have been formatted and irrelevant parts have been skipped.

Example 1

AuthnRequest for Authentication Level 2
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    AssertionConsumerServiceURL="https://www.siven.ch/sp/"
    Destination="https://sso.siven.com/idp/"
    ID="AuthnRequest_121b0d58e8ebfc4ed2e245559c17686565330c92" IssueInstant="2020-04-01T14:56:59.845Z" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://www.siven.ch/sp/</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
      <ds:Reference URI="#AuthnRequest_121b0d58e8ebfc4ed2e245559c17686565330c92">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
        <ds:DigestValue>P2REE2gWgg6nweROy/1s5gStpJUbbTjUiUI86LwBiaM=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>b8sE4....</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>MIICuzC...
        ...x5/KIfLt1+klg==</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <saml2:Conditions xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" NotBefore="2020-04-01T14:56:59.845Z" NotOnOrAfter="2020-04-01T14:57:59.845Z" />
  <saml2p:RequestedAuthnContext>
    <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:nevis:level:2</saml2:AuthnContextClassRef>
  </saml2p:RequestedAuthnContext>
</saml2p:AuthnRequest>

Example 2

Response after reaching Authentication Level 2
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="https://www.siven.ch/sp/"
    ID="Response_af29832546bbb99693bda5748d4273f397a1ef25" InResponseTo="AuthnRequest_121b0d58e8ebfc4ed2e245559c17686565330c92" IssueInstant="2020-04-01T15:00:19.965Z" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://sso.siven.com/idp/</saml2:Issuer>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </saml2p:Status>
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="Assertion_412504ed0df9177c252f92f029faa6039e94f22d" IssueInstant="2020-04-01T15:00:19.964Z" Version="2.0">
    <saml2:Issuer>https://sso.siven.com/idp/</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
        <ds:Reference URI="#Assertion_412504ed0df9177c252f92f029faa6039e94f22d">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
          <ds:DigestValue>PzbuBUfPDk5IBfBsk0...</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>BJg9QG7Izq9L...</ds:SignatureValue>
    </ds:Signature>
    <saml2:Subject>
      <saml2:NameID>my-test-user</saml2:NameID>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2020-04-01T15:00:19.964Z" NotOnOrAfter="2020-04-01T15:01:19.964Z" />
    <saml2:AuthnStatement AuthnInstant="2020-04-01T15:00:19.964Z">
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:nevis:level:auth.weak,2</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
  </saml2:Assertion>
</saml2p:Response>
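As an added example (not Nevis code) of how an SP could consume these two messages: it checks that the Response answers this AuthnRequest, that the IDP reported success, that the assertion is within its NotBefore/NotOnOrAfter window, and that the attained level in the AuthnContextClassRef reaches the requested one. The sample messages are the page's examples trimmed to the relevant elements; reading the level as the last comma-separated token of the URN is an assumption, and XML signature verification is assumed to happen before this check.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
LEVEL_PREFIX = "urn:nevis:level:"

# Constructed sample input: the page's two messages, trimmed to the relevant elements.
REQUEST = """<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="AuthnRequest_121b0d58e8ebfc4ed2e245559c17686565330c92">
  <saml2p:RequestedAuthnContext><saml2:AuthnContextClassRef>urn:nevis:level:2</saml2:AuthnContextClassRef></saml2p:RequestedAuthnContext>
</saml2p:AuthnRequest>"""
RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" InResponseTo="AuthnRequest_121b0d58e8ebfc4ed2e245559c17686565330c92">
  <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
  <saml2:Assertion ID="Assertion_412504ed0df9177c252f92f029faa6039e94f22d">
    <saml2:Conditions NotBefore="2020-04-01T15:00:19.964Z" NotOnOrAfter="2020-04-01T15:01:19.964Z"/>
    <saml2:AuthnStatement AuthnInstant="2020-04-01T15:00:19.964Z">
      <saml2:AuthnContext><saml2:AuthnContextClassRef>urn:nevis:level:auth.weak,2</saml2:AuthnContextClassRef></saml2:AuthnContext>
    </saml2:AuthnStatement>
  </saml2:Assertion>
</saml2p:Response>"""

def parse_level(class_ref):
    # Assumption (not stated on the page): the numeric level is the last comma-separated
    # token after the prefix, so 'urn:nevis:level:2' and 'urn:nevis:level:auth.weak,2' both give 2.
    if not class_ref.startswith(LEVEL_PREFIX):
        raise ValueError("not a Nevis level URN: " + class_ref)
    return int(class_ref[len(LEVEL_PREFIX):].rsplit(",", 1)[-1])

def _ts(value):
    # SAML timestamps are UTC with fractional seconds, e.g. 2020-04-01T15:00:19.964Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def check_upgrade(request_xml, response_xml, now_utc):
    """Return (ok, reason). XML-DSig verification is assumed to have been done already
    by the SP; only the fields the session-upgrade flow adds or relies on are checked."""
    req, resp = ET.fromstring(request_xml), ET.fromstring(response_xml)
    if resp.get("InResponseTo") != req.get("ID"):
        return False, "InResponseTo does not match the AuthnRequest ID"
    if resp.find("saml2p:Status/saml2p:StatusCode", NS).get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success":
        return False, "IDP did not report Success"
    assertion = resp.find("saml2:Assertion", NS)
    cond = assertion.find("saml2:Conditions", NS)
    if not _ts(cond.get("NotBefore")) <= _ts(now_utc) < _ts(cond.get("NotOnOrAfter")):
        return False, "assertion outside its NotBefore/NotOnOrAfter window"
    requested = parse_level(req.findtext("saml2p:RequestedAuthnContext/saml2:AuthnContextClassRef", namespaces=NS))
    attained = parse_level(assertion.findtext("saml2:AuthnStatement/saml2:AuthnContext/saml2:AuthnContextClassRef", namespaces=NS))
    if attained < requested:
        return False, f"attained level {attained} is below requested level {requested}"
    return True, f"attained level {attained} satisfies requested level {requested}"
```

Against the page's messages the check passes; an expired assertion, a Response with a foreign InResponseTo, or a request for level 3 answered with level 2 are all rejected.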