Skip to main content
Version: 4.25.x.x LTS

AssertionRequestState

Introduction and overview

The AssertionRequestState can be used to issue the following SAML requests:

  • AuthnRequest
  • AssertionIDRequest
  • SubjectQuery
  • AuthnQuery
  • AttributeQuery
  • AuthzDecisionQuery

Description

The following table describes the characteristics of the AuthState.

TopicDescription
Classch.nevis.esauth.auth.states.saml.AssertionRequestState
LoggingSaml
Auditingnone
Properties(generic)consumerURL (string, required)URL of the SAML consumer location. Messages to the IdP will request responses to be sent to this URL.
idpURL (string, required)URL of the IdP. Messages to the IdP will use this as destination address.
soap.proxy (<host-or-ip>:<port>, -)Outbound proxy to use for outgoing SOAP communication (artifact resolution protocol)
soap.content-type (string, "application/soap+xml")Content type to use for outgoing SOAP messages. Some SOAP services may accept only content type text/xml.
Properties(output)out.binding ({http-post,http-redirect, http-post-deferred, http-redirect-deferred, internal}, "http-post")Defines the SAML binding for outgoing SAML messages.The deferred bindings will prepare the neccessary data, but instead of initiating the binding right away, will place those values in the following OutArg fields: *nevis.deferred-transfer.destination: The destination of the deferred binding * nevis.deferred-transfer.field.<fieldname>: The request, response and RelayState with field names SAMLRequest, SAMLResponse and RelayState respectively. The internal binding causes the AuthState to place the outgoing messages in the outargs saml.SAMLRequest and saml.RelayState.
out.issuer (string, "${request:EsAuthId}")The issuer name to be used in outgoing SAML messages.
out.requestType (enum {AuthnRequest, AssertionIDRequest, SubjectQuery, AuthnQuery, AttributeQuery, AuthzDecisionQuery}, AttributeQuery)The request message type to issue.
out.sign (string (list), "AuthnRequest")List of outgoing SAML message types that will be signed with the configured key materials.
out.sign.hashAlgorithm ".
out.signatureKeyInfo (comma-separated list of {SKI,Certificate,CertificateChain,Subject,IssuerSerial,CRLs,SubjectDN,SubjectCN,KeyNames,PublicKey}, SKI)List of KeyInfo content to add to signatures. One, several or none of the listed options may be configured. Note that some of the options require non-mandatory fields within signer certificate used. E.g., SKI may not add anything to the KeyInfo if the signer certificate does not contain an SKI.nevisAuth currently requires one SKI, Certificate or IssuerSerial to identify the correct verification certificate when several are configured. Similarly, NINJA only supports SKI when several verification certificates are configured.
out.keystorerefout.keyobjectrefThese properties configure the key materials used to sign SAML messages whose type is listed in out.sign. Refer to chapter Certificates keys and public key infrastructure.
Properties (AuthnRequest)request.Subject (string, -)Subject of the AuthnRequest.
request.ProviderName (string, -)The ProviderName of the AuthnRequest.
request.RequestedAuthnContext.AuthnContextClassRef (comma-separated list of strings, -)Comma-separated list of AuthnContextClassRefs to the request.
request.RequestedAuthnContext.AuthnContextDeclRef (comma-separated list of strings, -)Comma-separated list of AuthnContextDeclRefs to the request.
request.RequestedAuthnContext.Comparison (enum {exact, minimum, maximum, better}, -)The comparison to be applied for the requested AuthnContext to be valid.
request.ttl (int, 10)TTL of the AuthnRequest, in seconds.
Properties(AssertionIDRequest)request.AssertionIDRef (list of string, -, required)Comma-separated list of assertion IDs referenced by the AssertionIDRequest.
Properties(SubjectQuery)request.Subject (string, -, required)Subject of the SubjectQuery.
Properties(AuthnQuery)request.Subject (string, -, required)Subject of the AuthnQuery.
request.SessionIndex (string, -)Index of SAML sessions assigned to the authentication.
request.RequestedAuthnContext.AuthnContextClassRef (comma-separated list of strings, -)Comma-separated list of AuthnContextClassRefs to request.
request.RequestedAuthnContext.AuthnContextDeclRef (comma-separated list of strings, -)Comma-separated list of AuthnContextDeclRefs to request.
request.RequestedAuthnContext.Comparison (enum {exact, minimum, maximum, better}, -)The comparison to be applied for the requested AuthnContext to be valid.
Properties(AttributeQuery)request.Subject (string, -, required)Subject of the AttributeQuery.
request.Attribute (comma-separated list of string, -)Comma-separated list of attributes to request.
Properties(AuthzDecision Query)request.Subject (string, -, required)Subject of the AuthzDecisionQuery.
request.Action (comma-separated list of string, -)Comma-separated list of actions for which authorization is requested.
request.Resource (string, - , required)A URI reference indicating the resource for which the authorization is requested.
request.Evidence.Assertion (string, -)An assertion that may be used for making the authorization decision.
request.Evidence.AssertionIdReference (comma-separated list of string, -)Comma-separated list of IDs of assertions that may be used for taking the authorization decision.
Properties(plug-ins)out.extension.<extension-name> (string, <classname>) <extension-name>.<property-name> (syntax)This syntax specifies plug-ins that will be called to process incoming messages. Properties may be passed to the plug-ins using the second syntax shown. Currently, only the output-extender ch.nevis.esauth.auth.states.saml.extensions.SuisseIDAttributeServiceExtender is implemented. This extension adds requests for SuisseID attributes to outgoing messages. It takes the following properties:<extension-name>. Attribute: Comma-separated list of attributes to request in the issued message.
<property name="out.extension.SuisseID" value="ch.nevis.esauth.auth.states.saml.extensions.SuisseIDAttributeServiceExtender" />
<property name="SuisseID.Attribute" value="${inargs:attributes}" />
TopicDescription
Methodsauthenticateunlocklogoutstepup
InputAll inputs used to resolve SAML bindings are according to SAML specification: inargs:SAMLRequest, SAMLResponse, RelayState etc.
Transitionsok: Successfully issued SAML message
Outputnone
Errors99: Generic error