SAML Flow for Session Upgrade
The SAML session upgrade flow is proprietary as it relies on AuthnContext extensions that are not standardized. Thus, this flow is supported only if both parties (SP and IDP) are set up using Nevis patterns.
The session upgrade flow is quite similar to the SP-initiated SAML authentication flow: The user is simply sent to the SAML IDP again. However, there are two differences:
- The first difference is how the two flows are initiated:
- The second difference is that in the session upgrade flow, additional information is added to SAML messages:
The following examples illustrate the session upgrade SAML flow. To improve readability, the examples have been formatted and irrelevant parts have been skipped.
Example 1
AuthnRequest for Authentication Level 2
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
AssertionConsumerServiceURL="https://www.siven.ch/sp/"
Destination="https://sso.siven.com/idp/"
ID="AuthnRequest_121b0d58e8ebfc4ed2e245559c17686565330c92" IssueInstant="2020-04-01T14:56:59.845Z" Version="2.0">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://www.siven.ch/sp/</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#AuthnRequest_121b0d58e8ebfc4ed2e245559c17686565330c92">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>P2REE2gWgg6nweROy/1s5gStpJUbbTjUiUI86LwBiaM=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>b8sE4....</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIICuzC...
...x5/KIfLt1+klg==</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2:Conditions xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" NotBefore="2020-04-01T14:56:59.845Z" NotOnOrAfter="2020-04-01T14:57:59.845Z" />
<saml2p:RequestedAuthnContext>
<saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:nevis:level:2</saml2:AuthnContextClassRef>
</saml2p:RequestedAuthnContext>
</saml2p:AuthnRequest>
Example 2
Response after reaching Authentication Level 2
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
Destination="https://www.siven.ch/sp/"
ID="Response_af29832546bbb99693bda5748d4273f397a1ef25" InResponseTo="AuthnRequest_121b0d58e8ebfc4ed2e245559c17686565330c92" IssueInstant="2020-04-01T15:00:19.965Z" Version="2.0">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://sso.siven.com/idp/</saml2:Issuer>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</saml2p:Status>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="Assertion_412504ed0df9177c252f92f029faa6039e94f22d" IssueInstant="2020-04-01T15:00:19.964Z" Version="2.0">
<saml2:Issuer>https://sso.siven.com/idp/</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#Assertion_412504ed0df9177c252f92f029faa6039e94f22d">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>PzbuBUfPDk5IBfBsk0...</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>BJg9QG7Izq9L...</ds:SignatureValue>
</ds:Signature>
<saml2:Subject>
<saml2:NameID>my-test-user</saml2:NameID>
</saml2:Subject>
<saml2:Conditions NotBefore="2020-04-01T15:00:19.964Z" NotOnOrAfter="2020-04-01T15:01:19.964Z" />
<saml2:AuthnStatement AuthnInstant="2020-04-01T15:00:19.964Z">
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:nevis:level:auth.weak,2</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
</saml2:Assertion>
</saml2p:Response>
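As an added example (not Nevis code), the following Python shows the checks an SP should apply to the Response in Example 2 before it upgrades the session: the Response must answer the pending AuthnRequest, come from the expected IDP, be inside its Conditions window, and carry a level at or above the one requested in Example 1. It assumes the Assertion signature has already been verified by a separate XML-signature step, and it assumes, from the two examples, that the reached level is the last comma-separated token of the returned AuthnContextClassRef (`auth.weak,2` means level 2); the XML sample is constructed from Example 2.

```python
from datetime import datetime
import xml.etree.ElementTree as ET
NS = {"saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
LEVEL_PREFIX = "urn:nevis:level:"
# Constructed sample: Example 2 reduced to the elements the check reads
# (signature omitted; it is assumed to have been verified beforehand).
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
 Destination="https://www.siven.ch/sp/" ID="Response_af29832546bbb99693bda5748d4273f397a1ef25"
 InResponseTo="AuthnRequest_121b0d58e8ebfc4ed2e245559c17686565330c92" Version="2.0">
 <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
 <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="Assertion_1" Version="2.0">
  <saml2:Issuer>https://sso.siven.com/idp/</saml2:Issuer>
  <saml2:Subject><saml2:NameID>my-test-user</saml2:NameID></saml2:Subject>
  <saml2:Conditions NotBefore="2020-04-01T15:00:19.964Z" NotOnOrAfter="2020-04-01T15:01:19.964Z"/>
  <saml2:AuthnStatement><saml2:AuthnContext>
   <saml2:AuthnContextClassRef>urn:nevis:level:auth.weak,2</saml2:AuthnContextClassRef>
  </saml2:AuthnContext></saml2:AuthnStatement>
 </saml2:Assertion></saml2p:Response>"""

def parse_time(s: str) -> datetime:
    """SAML timestamps are UTC with a trailing 'Z'; make them timezone-aware."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def parse_level(class_ref: str) -> int:
    """Assumption from the examples: the level is the last comma-separated token ('auth.weak,2' -> 2)."""
    if not class_ref.startswith(LEVEL_PREFIX):
        raise ValueError("not a Nevis level URN: " + class_ref)
    return int(class_ref[len(LEVEL_PREFIX):].rsplit(",", 1)[-1])

def check_upgrade(response_xml, pending_request_id, idp_issuer, requested_level, now_iso):
    """Return (accepted, detail): accept only a Success Response to our own pending request, from the expected IDP, valid now, at or above the requested level."""
    root = ET.fromstring(response_xml)
    if root.get("InResponseTo") != pending_request_id:
        return False, "InResponseTo does not match the pending AuthnRequest"
    code = root.find("saml2p:Status/saml2p:StatusCode", NS)
    if code is None or code.get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success":
        return False, "status is not Success"
    assertion = root.find("saml2:Assertion", NS)
    if assertion is None or assertion.findtext("saml2:Issuer", namespaces=NS) != idp_issuer:
        return False, "assertion missing or issued by an unexpected IDP"
    cond = assertion.find("saml2:Conditions", NS)
    now = parse_time(now_iso)
    if cond is None or not (parse_time(cond.get("NotBefore")) <= now < parse_time(cond.get("NotOnOrAfter"))):
        return False, "assertion outside its validity window"
    ref = assertion.findtext("saml2:AuthnStatement/saml2:AuthnContext/saml2:AuthnContextClassRef", namespaces=NS)
    if ref is None or parse_level(ref) < requested_level:
        return False, "IDP did not reach the requested level"
    return True, assertion.findtext("saml2:Subject/saml2:NameID", namespaces=NS)
```

The level comparison is the session-upgrade-specific step: a Success status alone does not prove the IDP reached the requested level, so the SP must compare the returned AuthnContextClassRef against what it asked for.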