Skip to main content
Version: 7.2405.x.x LTS

AssertionRequestState

nevisAuth 4.38.x HTTP client changes

The new HTTP client shipped with nevisAuth 4.38.0.12 will likely require changes in this auth state configuration, specifically in the area of certificate configuration and handling.

Visit Appendix H for additional information.

Introduction and overview

The AssertionRequestState can be used to issue the following SAML requests:

  • AuthnRequest
  • AssertionIDRequest
  • SubjectQuery
  • AuthnQuery
  • AttributeQuery
  • AuthzDecision Query

Description

The following table and chapters describe the characteristics of the AuthState.

TopicDescription
Classch.nevis.esauth.auth.states.saml.AssertionRequestState
LoggingSaml
Auditingnone
Markernone
Methodsauthenticate, unlock, logout,stepup

Properties

  • consumerURL (string, required)

    URL of the SAML consumer location. Messages to the IdP will request responses to be sent to this URL.

  • idpURL (string, required)

    URL of the IdP. Messages to the IdP will use this as destination address.

  • soap.content-type (string, "application/soap+xml")

    Content type to use for outgoing SOAP messages. Some SOAP services may accept only content type text/xml.

Output

  • out.binding ({http-post,http-redirect, http-post-deferred, http-redirect-deferred, internal}, "http-post")

    Defines the SAML binding for outgoing SAML messages.

    The deferred bindings will prepare the necessary data, but instead of initiating the binding right away, will place those values in the following OutArg fields:

    • nevis.deferred-transfer.destination The destination of the deferred binding
    • nevis.deferred-transfer.field.<fieldname> The request, response and RelayState with field names SAMLRequest, SAMLResponse and RelayState respectively.

    The internal binding causes the AuthState to place the outgoing messages in the outargs saml.SAMLRequest and saml.RelayState.

  • out.issuer (string, "${request:EsAuthId}")

    The issuer name to be used in outgoing SAML messages.

  • out.requestType (enum {AuthnRequest, AssertionIDRequest, SubjectQuery, AuthnQuery, AttributeQuery, AuthzDecisionQuery}, AttributeQuery)

    The request message type to issue.

  • out.sign (string (list), "AuthnRequest")

    List of outgoing SAML message types that will be signed with the configured key materials.

  • out.sign.hashAlgorithm (string, "SHA256")

    Hash algorithm used in SAML signatures. Supported algorithms: SHA1, SHA256, SHA384, SHA512. See also chapter Signatures and signature validation.

  • out.signatureKeyInfo (comma-separated list of {SKI,Certificate,CertificateChain,Subject,IssuerSerial,CRLs,SubjectDN,SubjectCN,KeyNames,PublicKey}, SKI)

    List of KeyInfo content to add to signatures. One, several or none of the listed options may be configured. Note that some of the options require non-mandatory fields within signer certificate used. E.g., SKI may not add anything to the KeyInfo if the signer certificate does not contain an SKI.

    info

    nevisAuth currently requires one SKI, Certificate or IssuerSerial to identify the correct verification certificate when several are configured. Similarly, Ninja only supports SKI when several verification certificates are configured.

  • out.keystoreref, out.keyobjectref

    These properties configure the key materials used to sign SAML messages whose type is listed in out.sign. Refer to chapter Certificates keys and public key infrastructure.

AuthnRequest

  • request.Subject (string, -)

    Subject of the AuthnRequest.

  • request.ProviderName (string, -)

    The ProviderName of the AuthnRequest.

  • request.RequestedAuthnContext.AuthnContextClassRef (comma-separated list of strings, -)

    Comma-separated list of AuthnContextClassRefs to the request.

  • request.RequestedAuthnContext.AuthnContextDeclRef (comma-separated list of strings, -)

    Comma-separated list of AuthnContextDeclRefs to the request.

  • request.RequestedAuthnContext.Comparison(enum {exact, minimum, maximum, better}, -)

    The comparison to be applied for the requested AuthnContext to be valid.

  • request.ttl (int, 10)

    TTL of the AuthnRequest, in seconds.

AssertionIDRequest

  • request.AssertionIDRef (list of string, -, required)

    Comma-separated list of assertion IDs referenced by the AssertionIDRequest.

SubjectQuery

  • request.Subject (string, -, required)

    Subject of the SubjectQuery.

AuthnQuery

  • request.Subject (string, -, required)

    Subject of the AuthnQuery.

  • request.SessionIndex (string, -)

    Index of SAML sessions assigned to the authentication.

  • request.RequestedAuthnContext.AuthnContextClassRef (comma-separated list of strings, -)

    Comma-separated list of AuthnContextClassRefs to request.

  • request.RequestedAuthnContext.AuthnContextDeclRef (comma-separated list of strings, -)

    Comma-separated list of AuthnContextDeclRefs to request.

  • request.RequestedAuthnContext.Comparison (enum {exact, minimum, maximum, better}, -)

    The comparison to be applied for the requested AuthnContext to be valid.

AttributeQuery

  • request.Subject (string, -, required)

    Subject of the AttributeQuery.

  • request.Attribute (comma-separated list of string, -)

    Comma-separated list of attributes to request.

AuthzDecision Query

  • request.Subject (string, -, required)

    Subject of the AuthzDecisionQuery.

  • request.Action (comma-separated list of string, -)

    Comma-separated list of actions for which authorization is requested.

  • request.Resource (string, - , required)

    A URI reference indicating the resource for which the authorization is requested.

  • request.Evidence.Assertion (string, -)

    An assertion that may be used for making the authorization decision.

  • request.Evidence.AssertionIdReference (comma-separated list of string, -)

    Comma-separated list of IDs of assertions that may be used for taking the authorization decision.

Plugins

  • out.extension.<extension-name> (string, classname), <extension-name>.<property-name> (syntax)

    This syntax specifies plug-ins that will be called to process incoming messages. Properties may be passed to the plug-ins using the second syntax shown. Currently, only the output-extender ch.nevis.esauth.auth.states.saml.extensions.SuisseIDAttributeServiceExtender is implemented. This extension adds requests for SuisseID attributes to outgoing messages. It takes the following properties:

    • <extension-name>.Attribute Comma-separated list of attributes to request in the issued message.
    Example configuration for SuisseIDAttributeServiceExtender
    <property name="out.extension.SuisseID" value="ch.nevis.esauth.auth.states.saml.extensions.SuisseIDAttributeServiceExtender" />
    <property name="SuisseID.Attribute" value="${inargs:attributes}" />

HTTP Client

  • soap.httpclient.* (String)

    Configure the outgoing HTTP communication towards the web locations specified in the connection properties. For a list of valid HTTP properties, see HTTP Client.

Input

All inputs used to resolve SAML bindings are according to SAML specification: inargs:SAMLRequest, SAMLResponse, RelayState etc.

Transitions

  • ok

    Successfully issued SAML message

Output

none

Errors

  • lasterror=99

    lasterrorinfo=Generic error