The Shibboleth Protocol

Introduction to the Shibboleth Protocol

The Authentication and Authorization Infrastructure (AAI) provides a general introduction to the Shibboleth protocol in three levels of detail:

The latest documents of the official technical documentation can be found here:

For the integration of the CSSO profiles, in particular the desktop application profile, more detailed information is needed to determine the feasibility of the Shibboleth Proxy. We therefore carried out a logging session to analyse the protocol as observed in the current EDIT Shibboleth demonstration scenario. The following paragraphs describe the current EDIT Shibboleth setup and concentrate on those protocol details a Shibboleth Proxy needs in order to intercept the Shibboleth protocol communication and carry out single sign-on on behalf of the client user. Please refer to the logging session chapter for the complete logging results.

Initial setup

The current EDIT federation setup is the simplest possible Shibboleth configuration: one IdP responsible for authentication and attribute distribution, and one SP hosting some web applications (Drupal, Trac and Subversion) to evaluate and demonstrate the EDIT Shibboleth framework.

The IdP is installed at https://idp.e-taxonomy.eu and performs client authentication at the request of the SP. Authentication is backed by the actual BDTracker user database.

The SP is running on https://sp.e-taxonomy.eu/. Drupal, Trac and Subversion demo instances are available under the paths /drupal-5.2, /trac and /svn respectively.

Currently no WAYF service is installed, since only a single IdP instance is set up in the EDIT federation. The following protocol description therefore omits the WAYF step as well.

Initial Client Request (Step 1)

The Shibboleth protocol is initiated by a client request for the URL https://sp.e-taxonomy.eu/ on the service provider. This results in the following minimal HTTP request:

GET / HTTP/1.1
Host: sp.e-taxonomy.eu

Redirection to IdP for authentication (Step 2)

Since the client is not yet an authenticated Shibboleth user, the SP answers with an HTTP redirect to the IdP, where the client has to log in.

HTTP/1.1 302 Found
Set-Cookie: _shibstate_696dfa45123e105c56d68e2dc402728cf50d208c=https%3A%2F%2Fsp.e-taxonomy.eu%2F; path=/
Location: https://idp.e-taxonomy.eu/shibboleth-idp/SSO?shire=https%3A%2F%2Fsp.e-taxonomy.eu%2FShibboleth.sso%2FSAML%2FPOST&time=1194870964&target=cookie&providerId=https%3A%2F%2Fsp.e-taxonomy.eu%2Fshibboleth-sp

This response contains two relevant pieces of information:

  • Cookie _shibstate_XXX

  • Location URL instructing the client where to redirect to

The XXX part of the cookie name is the hash value of the providerId. The cookie value contains the URL (host and path) of the initial client request to the SP.

The Location header contains the URL of the IdP to which the client has to direct its next request.

https://idp.e-taxonomy.eu/shibboleth-idp/SSO?
  shire=https%3A%2F%2Fsp.e-taxonomy.eu%2FShibboleth.sso%2FSAML%2FPOST&
  time=1194870964&
  target=cookie&
  providerId=https%3A%2F%2Fsp.e-taxonomy.eu%2Fshibboleth-sp

Shibboleth calls this request the authentication request. It includes the following parameters:

shire::

Location of the assertion consumer service endpoint at the SP (https://sp.e-taxonomy.eu/Shibboleth.sso/SAML/POST). Becomes the value of the action attribute of the form element in the IdP's response to this authentication request.

time::

This parameter is optional and represents the current time in seconds since the epoch; it may be used to assist the IdP in detecting stale requests from the client.

target::

Contains the location of the target resource and must be preserved by the IdP and included in its response to the SP. Here the target parameter refers to the _shibstate_XXX cookie, which holds the initial target URL https://sp.e-taxonomy.eu/.

providerId::

Unique identifier (URI) of the SP (https://sp.e-taxonomy.eu/shibboleth-sp). Can be used by the IdP for special processing of the authentication request.

As instructed by the SP's Location header, the client sends the following authentication request to the IdP:

GET /shibboleth-idp/SSO?shire=https%3A%2F%2Fsp.e-taxonomy.eu%2FShibboleth.sso%2FSAML%2FPOST&time=1194870964&target=cookie&providerId=https%3A%2F%2Fsp.e-taxonomy.eu%2Fshibboleth-sp HTTP/1.1
Host: idp.e-taxonomy.eu

IdP Response to the Authentication Request (Step 3)

Since the client is not yet authenticated at the IdP, it has to append the corresponding authorization information to the request. EDIT's IdP currently requires HTTP Basic authentication, so the client has to add the related credentials in the Authorization header of the request:

GET /shibboleth-idp/SSO?shire=https%3A%2F%2Fsp.e-taxonomy.eu%2FShibboleth.sso%2FSAML%2FPOST&time=1194870964&target=cookie&providerId=https%3A%2F%2Fsp.e-taxonomy.eu%2Fshibboleth-sp HTTP/1.1
Host: idp.e-taxonomy.eu
Authorization: Basic bC5zdWhyYmlfkiiuwMHFlIy

After successful authentication at the IdP, the SSO service of the IdP responds with a cookie and an HTML document containing an HTML form.

HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=41483D1EC5DC97338458848CC51FD0F1; Path=/shibboleth-idp; Secure
...
<form id="shibboleth"  action="https://sp.e-taxonomy.eu/Shibboleth.sso/SAML/POST" method="post">
<div>
<input type="hidden" name="TARGET" value="cookie" />
<input type="hidden" name="SAMLResponse" value="PFJlc3BvbnNlIHhtbG5zPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoxLjA6cHJvdG9jb2wiIHht
...
ZGRyZXNzPSIxNjAuNDUuMTE0LjIxNSI+PC9TdWJqZWN0TG9jYWxpdHk+PC9BdXRoZW50aWNhdGlv
blN0YXRlbWVudD48L0Fzc2VydGlvbj48L1Jlc3BvbnNlPg==
"

The cookie JSESSIONID ...

The form with the id shibboleth carries the URL of the assertion consumer service at the SP in its action attribute.

The form parameter TARGET contains the preserved target value from Step 2. The target itself is delivered in the value of the related _shibstate_XXX cookie.

The form parameter SAMLResponse contains the base64-encoded, digitally signed SAML response to the client's authentication request.

The HTML document itself contains a piece of JavaScript code that automatically issues the HTTP POST request to the SP's assertion consumer service (https://sp.e-taxonomy.eu/Shibboleth.sso/SAML/POST):

POST /Shibboleth.sso/SAML/POST HTTP/1.1
Host: sp.e-taxonomy.eu
Referer: https://idp.e-taxonomy.eu/shibboleth-idp/SSO?shire=https%3A%2F%2Fsp.e-taxonomy.eu%2FShibboleth.sso%2FSAML%2FPOST&time=1194870964&target=cookie&providerId=https%3A%2F%2Fsp.e-taxonomy.eu%2Fshibboleth-sp
Cookie: _shibstate_696dfa45123e105c56d68e2dc402728cf50d208c=https%3A%2F%2Fsp.e-taxonomy.eu%2F

TARGET=cookie&SAMLResponse=PFJlc3BvbnNlIHhtbG5zPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoxLjA6cHJvdG9jb2wiIHht%0D%0AbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMDphc3NlcnRpb24iIHhtbG5zOnNh%0X
...
NzPSIxNjAuNDUuMTE0LjIxNSI%2BPC9TdWJqZWN0TG9jYWxpdHk%2BPC9BdXRoZW50aWNhdGlv%0D%0AblN0YXRlbWVudD48L0Fzc2VydGlvbj48L1Jlc3BvbnNlPg%3D%3D%0D%0A

The POST request includes the following relevant parameters:

Referer::

The HTTP Referer header contains the URL that the SP handed to the client and that the client then sent to the IdP as the authentication request.

_shibstate_XXX cookie::

The _shibstate_XXX cookie stores the target URL of the initial client request to the SP.

TARGET parameter::

Refers to the target stored within the _shibstate_XXX cookie.

SAMLResponse parameter::

Contains the URL-encoded SAMLResponse from the IdP.

Final Request to the Target Resource (Step 4)

In response to the POST request, the SP's assertion consumer service creates a security context and redirects the client to the originally requested resource.

HTTP/1.1 302 Found
Set-Cookie: _shibsession_696dfa45123e105c56d68e2dc402728cf50d208c=_19e3ab8d899be0053e1901e6e4a915a5; path=/
Set-Cookie: _saml_idp=aHR0cHM6Ly9pZHAuZS10YXhvbm9teS5ldS9zaGliYm9sZXRoLWlkcA%3D%3D; path=/;
Location: https://sp.e-taxonomy.eu/

Location attribute::

URL of the originally requested target resource

_shibsession_XXX cookie::

Cookie storing the client handle. May be used by the SP to issue an attribute request to the IdP.

_saml_idp cookie::

Base64-encoded URI(s) identifying the IdP(s) used by the SP.

With the following request the client repeats its initial request, which the SP now finally answers:

GET / HTTP/1.1
Host: sp.e-taxonomy.eu
Referer: https://idp.e-taxonomy.eu/shibboleth-idp/SSO?shire=https%3A%2F%2Fsp.e-taxonomy.eu%2FShibboleth.sso%2FSAML%2FPOST&time=1194870964&target=cookie&providerId=https%3A%2F%2Fsp.e-taxonomy.eu%2Fshibboleth-sp
Cookie: _shibstate_696dfa45123e105c56d68e2dc402728cf50d208c=https%3A%2F%2Fsp.e-taxonomy.eu%2F; _shibsession_696dfa45123e105c56d68e2dc402728cf50d208c=_19e3ab8d899be0053e1901e6e4a915a5; _saml_idp=aHR0cHM6Ly9pZHAuZS10YXhvbm9teS5ldS9zaGliYm9sZXRoLWlkcA%3D%3D

This and all subsequent requests to the SP must include the _shibsession_XXX cookie, the _shibstate_XXX cookie and the _saml_idp cookie. This provides the SP with all the information it needs and prevents it from repeating the authentication process.
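As an added example that is not part of the original page or of the Shibboleth software, the following Python parses the logged exchange the way a Shibboleth Proxy would have to: it extracts the authentication request parameters, checks the shire against an allowlist and the time parameter against a maximum age, resolves target=cookie through the _shibstate_XXX cookie, decodes the _saml_idp cookie, and base64-decodes the (truncated) SAMLResponse with its embedded line breaks. KNOWN_ACS and MAX_REQUEST_AGE are assumed policy values; all other inputs are the values captured above.

```python
# Added example (not from the page or the Shibboleth software): the checks a
# Shibboleth proxy would run on the captured exchange. Input values are the
# ones logged above; the SAMLResponse is cut after its first two base64 lines.
import base64
from urllib.parse import parse_qs, unquote, urlsplit

# Step 2: Location header of the SP's redirect (from the log).
AUTHN_REQUEST_URL = (
    "https://idp.e-taxonomy.eu/shibboleth-idp/SSO?"
    "shire=https%3A%2F%2Fsp.e-taxonomy.eu%2FShibboleth.sso%2FSAML%2FPOST&"
    "time=1194870964&target=cookie&"
    "providerId=https%3A%2F%2Fsp.e-taxonomy.eu%2Fshibboleth-sp"
)

# Step 3: body of the browser's POST to the assertion consumer service, built
# from the first two base64 lines in the log (the real body is 8161 bytes).
# Note the %0D%0A line breaks the IdP embeds inside the value.
POST_BODY = (
    "TARGET=cookie&SAMLResponse="
    "PFJlc3BvbnNlIHhtbG5zPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoxLjA6cHJvdG9jb2wiIHht%0D%0A"
    "bG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMDphc3NlcnRpb24iIHhtbG5zOnNh%0D%0A"
)

# Step 4: Cookie header of the final GET / (from the log).
COOKIE_HEADER = (
    "_shibstate_696dfa45123e105c56d68e2dc402728cf50d208c=https%3A%2F%2Fsp.e-taxonomy.eu%2F; "
    "_shibsession_696dfa45123e105c56d68e2dc402728cf50d208c=_19e3ab8d899be0053e1901e6e4a915a5; "
    "_saml_idp=aHR0cHM6Ly9pZHAuZS10YXhvbm9teS5ldS9zaGliYm9sZXRoLWlkcA%3D%3D"
)

# Assumed policy, not from the page: the ACS endpoints a proxy may POST an
# assertion to, per SP. A real proxy would take these from federation metadata.
KNOWN_ACS = {
    "https://sp.e-taxonomy.eu/shibboleth-sp": {
        "https://sp.e-taxonomy.eu/Shibboleth.sso/SAML/POST",
    },
}
MAX_REQUEST_AGE = 300  # seconds; assumed tolerance for the optional time parameter

def parse_authn_request(url):
    """Return the four Shibboleth 1.x authentication-request parameters."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {name: query[name][0] for name in ("shire", "time", "target", "providerId")}

def check_authn_request(params, now):
    """List the reasons a proxy should refuse to relay this request (empty = OK)."""
    problems = []
    # Only ever POST the assertion to an ACS that belongs to the named SP.
    if params["shire"] not in KNOWN_ACS.get(params["providerId"], set()):
        problems.append("shire is not a known ACS for providerId")
    # The optional time parameter lets the IdP (and a proxy) drop stale requests.
    age = now - int(params["time"])
    if age < 0 or age > MAX_REQUEST_AGE:
        problems.append("time parameter is stale or in the future")
    return problems

def parse_cookie_header(header):
    """Split 'a=b; c=d' into a dict; values stay URL-encoded as on the wire."""
    return dict(item.split("=", 1) for item in header.split("; ") if "=" in item)

def resolve_target(params, cookies):
    """target=cookie means the real target URL lives in the _shibstate_XXX cookie."""
    if params["target"] != "cookie":
        return params["target"]
    state_cookie = next(k for k in cookies if k.startswith("_shibstate_"))
    return unquote(cookies[state_cookie])

def session_state(cookies):
    """Describe the SP security context from the cookies of the final request."""
    state_name = next(k for k in cookies if k.startswith("_shibstate_"))
    session_name = next(k for k in cookies if k.startswith("_shibsession_"))
    # Both cookies carry the same hash suffix, tying state and session to one SP.
    suffix = session_name[len("_shibsession_"):]
    # _saml_idp holds whitespace-separated base64-encoded IdP identifiers.
    idps = [base64.b64decode(tok).decode() for tok in unquote(cookies["_saml_idp"]).split()]
    return {
        "session_suffix": suffix,
        "suffixes_match": state_name[len("_shibstate_"):] == suffix,
        "idps": idps,
    }

def decode_saml_response(body):
    """Return (TARGET, XML text) from the form-encoded POST body."""
    form = parse_qs(body)  # unquotes %2B -> '+' and %0D%0A -> CRLF
    # b64decode() silently drops the CRLF line breaks embedded in the value.
    xml = base64.b64decode(form["SAMLResponse"][0]).decode("utf-8")
    return form["TARGET"][0], xml
```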

I am not sure if the Referer attribute is really necessary here.

Finally, the following chapter presents the complete results of the Shibboleth protocol logging session.

Logging the HTTP-Shibboleth Protocol

Initial Service Provider Request

Request:

GET / HTTP/1.1
Host: sp.e-taxonomy.eu
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cache-Control: max-age=0

Response:

HTTP/1.1 302 Found
Date: Mon, 12 Nov 2007 12:36:04 GMT
Server: Apache/2.2.3 (Debian) DAV/2 SVN/1.4.2 mod_python/3.2.10 Python/2.4.4 PHP/5.2.0-8+etch7 mod_ssl/2.2.3 OpenSSL/0.9.8c
Set-Cookie: _shibstate_696dfa45123e105c56d68e2dc402728cf50d208c=https%3A%2F%2Fsp.e-taxonomy.eu%2F; path=/
Location: https://idp.e-taxonomy.eu/shibboleth-idp/SSO?shire=https%3A%2F%2Fsp.e-taxonomy.eu%2FShibboleth.sso%2FSAML%2FPOST&time=1194870964&target=cookie&providerId=https%3A%2F%2Fsp.e-taxonomy.eu%2Fshibboleth-sp
Content-Length: 572
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://idp.e-taxonomy.eu/shibboleth-idp/SSO?shire=https%3A%2F%2Fsp.e-taxonomy.eu%2FShibboleth.sso%2FSAML%2FPOST&amp;time=1194870964&amp;target=cookie&amp;providerId=https%3A%2F%2Fsp.e-taxonomy.eu%2Fshibboleth-sp">here</a>.</p>
<hr>
<address>Apache/2.2.3 (Debian) DAV/2 SVN/1.4.2 mod_python/3.2.10 Python/2.4.4 PHP/5.2.0-8+etch7 mod_ssl/2.2.3 OpenSSL/0.9.8c Server at sp.e-taxonomy.eu Port 443</address>
</body></html>

  1. The request is redirected to the following IdP Location (Return Code 302):

https://idp.e-taxonomy.eu/shibboleth-idp/SSO?shire=https%3A%2F%2Fsp.e-taxonomy.eu%2FShibboleth.sso%2FSAML%2FPOST&time=1194870964&target=cookie&providerId=https%3A%2F%2Fsp.e-taxonomy.eu%2Fshibboleth-sp

  2. A cookie is set within the browser:

Set-Cookie: _shibstate_696dfa45123e105c56d68e2dc402728cf50d208c=https%3A%2F%2Fsp.e-taxonomy.eu%2F; path=/

Redirected Request to the Identity Provider

Request:

GET /shibboleth-idp/SSO?shire=https%3A%2F%2Fsp.e-taxonomy.eu%2FShibboleth.sso%2FSAML%2FPOST&time=1194870964&target=cookie&providerId=https%3A%2F%2Fsp.e-taxonomy.eu%2Fshibboleth-sp HTTP/1.1
Host: idp.e-taxonomy.eu
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Authorization: Basic bC5zdWhyYmllcjo3aFRkMlIy

  1. The browser redirects to the URL returned with the initial request to the SP.

  2. A Basic Authentication result is introduced within the header (Authorization).

Response:

HTTP/1.1 200 OK
Date: Mon, 12 Nov 2007 12:36:29 GMT
Server: Apache/2.2.3 (Debian) mod_jk/1.2.18 mod_ssl/2.2.3 OpenSSL/0.9.8c
Set-Cookie: JSESSIONID=41483D1EC5DC97338458848CC51FD0F1; Path=/shibboleth-idp; Secure
Expires: 19-Mar-1971 08:23:00 GMT
Cache-control: no-cache
Pragma: no-cache
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 9138

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
    <link rel="stylesheet" type="text/css" href="main.css" />
    <title>Shibboleth Authentication Request Processed</title>
</head>

<body onload="document.forms[0].submit()">

<h1>Shibboleth Authentication Request Processed</h1>

<script type="text/javascript">
<!--
document.write("<p>You are automatically being redirected to the requested site. ");
document.write("If the browser appears to be hung up after 15-20 seconds, try reloading ");
document.write("the page before contacting the technical support staff in charge of the ");
document.write("desired resource or service you are trying to access.</p>");
document.write("<h2>Redirecting to requested site...</h2>");
// -->
</script>

<noscript>
<p>
<strong>Note:</strong> Since your browser does not support JavaScript, you must press the
Continue button once to proceed to the requested site.
</p>
</noscript>

<form id="shibboleth"  action="https://sp.e-taxonomy.eu/Shibboleth.sso/SAML/POST" method="post">
<div>
<input type="hidden" name="TARGET" value="cookie" />
<input type="hidden" name="SAMLResponse" value="PFJlc3BvbnNlIHhtbG5zPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoxLjA6cHJvdG9jb2wiIHht..." />
</div>
<noscript>
<div>
<input type="submit" value="Continue" />
</div>
</noscript>

</form>
</body>
</html>

The response sets the cookie JSESSIONID.

Furthermore, it contains a form with JavaScript that automatically generates a new request to the SP if JavaScript is enabled. Otherwise the button "Continue" must be pressed (or the resulting request must be generated some other way).

The submitted form sends a POST request to the service provider URL given in the action attribute, transmitting

  1. IdP Cookie

  2. Coded SAML-Response

Stylesheet Request to the Identity Provider

Request:

GET /shibboleth-idp/main.css HTTP/1.1
Host: idp.e-taxonomy.eu
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9
Accept: text/css,*/*;q=0.1
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://idp.e-taxonomy.eu/shibboleth-idp/SSO?shire=https%3A%2F%2Fsp.e-taxonomy.eu%2FShibboleth.sso%2FSAML%2FPOST&time=1194870964&target=cookie&providerId=https%3A%2F%2Fsp.e-taxonomy.eu%2Fshibboleth-sp
Cookie: JSESSIONID=41483D1EC5DC97338458848CC51FD0F1
If-Modified-Since: Wed, 26 Feb 2003 07:35:02 GMT
If-None-Match: W/"440-1046244902000"
Authorization: Basic bC5zdWhyYmm345ksdsg9FRkMlIy
Cache-Control: max-age=0

Response:

HTTP/1.1 304 Not Modified
Date: Mon, 12 Nov 2007 12:36:31 GMT
Server: Apache/2.2.3 (Debian) mod_jk/1.2.18 mod_ssl/2.2.3 OpenSSL/0.9.8c
Connection: Keep-Alive
Keep-Alive: timeout=15, max=100

IdP-Generated POST Request to the Service Provider

Request:

POST /Shibboleth.sso/SAML/POST HTTP/1.1
Host: sp.e-taxonomy.eu
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://idp.e-taxonomy.eu/shibboleth-idp/SSO?shire=https%3A%2F%2Fsp.e-taxonomy.eu%2FShibboleth.sso%2FSAML%2FPOST&time=1194870964&target=cookie&providerId=https%3A%2F%2Fsp.e-taxonomy.eu%2Fshibboleth-sp
Cookie: _shibstate_696dfa45123e105c56d68e2dc402728cf50d208c=https%3A%2F%2Fsp.e-taxonomy.eu%2F
Content-Type: application/x-www-form-urlencoded
Content-Length: 8161

TARGET=cookie&SAMLResponse=PFJlc3BvbnNlIHhtbG5zPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoxLjA6cHJvdG9jb2wiIHht%0D%0AbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMDphc3NlcnRpb24iIHhtbG5zOnNh%0D%0AbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoxLjA6cHJvdG9jb2wiIHhtbG5zOnhzZD0iaHR0%0D%0AcDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5v%0D%0AcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIElzc3VlSW5zdGFudD0iMjAwNy0xMS0xMlQxMjoz%0D%0ANjozMC40MTlaIiBNYWpvclZlcnNpb249IjEiIE1pbm9yVmVyc2lvbj0iMSIgUmVjaXBpZW50PSJo%0D%0AdHRwczovL3NwLmUtdGF4b25vbXkuZXUvU2hpYmJvbGV0aC5zc28vU0FNTC9QT1NUIiBSZXNwb25z%0D%0AZUlEPSJfNTUyZjdiZmYzNTQ5NzAxNjI1NDY1YTg0MGZkYTk3M2EiPjxkczpTaWduYXR1cmUgeG1s%0D%0AbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPgo8ZHM6U2lnbmVkSW5m%0D%0Abz4KPGRzOkNhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9y%0D%0AZy8yMDAxLzEwL3htbC1leGMtYzE0biMiPjwvZHM6Q2Fub25pY2FsaXphdGlvbk1ldGhvZD4KPGRz%0D%0AOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1s%0D%0AZHNpZyNyc2Etc2hhMSI%2BPC9kczpTaWduYXR1cmVNZXRob2Q%2BCjxkczpSZWZlcmVuY2UgVVJJPSIj%0D%0AXzU1MmY3YmZmMzU0OTcwMTYyNTQ2NWE4NDBmZGE5NzNhIj4KPGRzOlRyYW5zZm9ybXM%2BCjxkczpU%0D%0AcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjZW52%0D%0AZWxvcGVkLXNpZ25hdHVyZSI%2BPC9kczpUcmFuc2Zvcm0%2BCjxkczpUcmFuc2Zvcm0gQWxnb3JpdGht%0D%0APSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiPjxlYzpJbmNsdXNpdmVO%0D%0AYW1lc3BhY2VzIHhtbG5zOmVjPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0%0D%0AbiMiIFByZWZpeExpc3Q9ImNvZGUgZHMga2luZCBydyBzYW1sIHNhbWxwIHR5cGVucyAjZGVmYXVs%0D%0AdCB4c2QgeHNpIj48L2VjOkluY2x1c2l2ZU5hbWVzcGFjZXM%2BPC9kczpUcmFuc2Zvcm0%2BCjwvZHM6%0D%0AVHJhbnNmb3Jtcz4KPGRzOkRpZ2VzdE1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3Jn%0D%0ALzIwMDAvMDkveG1sZHNpZyNzaGExIj48L2RzOkRpZ2VzdE1ldGhvZD4KPGRzOkRpZ2VzdFZhbHVl%0D%0APlpzNVJVT20rL0Uzd242NHpsQktWVXlMZERYYz08L2RzOkRpZ2VzdFZhbHVlPgo8L2RzOlJlZmVy%0D%0AZW5jZT4KPC9kczpTaWduZWRJbmZvPgo8ZHM6U2lnbmF0dXJlVmFsdWU%2BCkhCWEU4UGsyV25
qRGc3%0D%0ASHlwYndjZE5XUmlad2xKWm9EUENuWDZBUURrZVRpZnlLUElXSFovYTllOFJObjJCcGQ2M1YzMTlr%0D%0Ab3JkOUMKWXRidC8xWXk3QVo2cFJFV2x4anZNaHJySVN1WkJ4WmJseHVYdlRZYko3ZUZhMSt0cGVE%0D%0AZUJXeHE5cHJWbEtqVzdSM3dobi84bWlOSgo2QjU5ckY5bzE0d204c0lzOGl4amYyR3kxM3dNNTlv%0D%0AZWowb2NjVTQxaHJrK240NDJ1cUxNNjZmaFJBN0pWVVFnMjhVSFVHWXc3MEZKCnQ1WU81Z2lLaHNO%0D%0AWnRtVXZkOVJ4Q0NiVmFEbjh3cmVkUmVBMGtEVDU1RFE5R3dOSjRXS2hDNEFTNnlSY2QwMjdVM0My%0D%0AcG1DenNEb0QKQWpXNG80ek9JTGhyWUlyZkFJa1pHV2ZHOUd5clZjeWdNelc2S1NFRmdFeVc0QkJt%0D%0AQVBFWGNUSkluUmZ4V2FZRUY3RGJpa1RlUXVlVAprRmFjQitnMmE1c2RlWnZRb3NvVjVLMVZ2YUNn%0D%0AOVNGc3l5c1M4dlZyWGErTnJ6U3VwMmY0dVphUzlSOEZwNTgvcmJFQUdrTnB4QlUrClNpWGlWWFN0%0D%0Ad0lMcWZvelNVa05wc0lvNXZMQkxXY3ZxSFVTWFlWK2xwcjRyRXVOditDd1lmL2twbndwNXJHRnhn%0D%0AbFQ5akVmNEo5TGUKc3MrL2VQWmRYME04cTl5ZlVzR3ZTN0NVdGxsdWlna3JMdG5xSkhvaHhIbWNY%0D%0AWlBTdndxZWxmVnBsN0pkU1hETnZQT3VaQW0rQVdLbQpCSklZUlkvdzJBeGNUOUttN1psSkU4TE9q%0D%0AZUlwVUx6Y3BVK3NZSzNuZnlmMmlNNHVRRnVUZERSU1hpNnlPMFg0N3JEQWVaQTA5aFU9CjwvZHM6%0D%0AU2lnbmF0dXJlVmFsdWU%2BCjxkczpLZXlJbmZvPgo8ZHM6WDUwOURhdGE%2BCjxkczpYNTA5Q2VydGlm%0D%0AaWNhdGU%2BCk1JSUdvRENDQklpZ0F3SUJBZ0lCQlRBTkJna3Foa2lHOXcwQkFRVUZBRENCZ1RFTE1B%0D%0Aa0dBMVVFQmhNQ1JWVXhEVEFMQmdOVkJBb1QKQkVWRVNWUXhEekFOQmdOVkJBc1RCbGRRSURVdU56%0D%0ARW9NQ1lHQTFVRUF4UWZVMlZ5ZG1WeVEwRWdQSE5sWTNWeVpTNWxMWFJoZUc5dQpiMjE1TG1WMVBq%0D%0ARW9NQ1lHQ1NxR1NJYjNEUUVKQVJZWmMzVm9jbUpwWlhKQWFXNW1MbVoxTFdKbGNteHBiaTVrWlRB%0D%0AZUZ3MHdOekE0Ck1UUXhOREkyTUROYUZ3MHhNakE0TVRJeE5ESTJNRE5hTUVreEN6QUpCZ05WQkFZ%0D%0AVEFrVlZNUTB3Q3dZRFZRUUtFd1JGUkVsVU1ROHcKRFFZRFZRUUxFd1pYVUNBMUxqY3hHakFZQmdO%0D%0AVkJBTVRFV2xrY0M1bExYUmhlRzl1YjIxNUxtVjFNSUlDSWpBTkJna3Foa2lHOXcwQgpBUUVGQUFP%0D%0AQ0FnOEFNSUlDQ2dLQ0FnRUF5WUdHM1FEcFpTYzcvOUpTelYxeTRSTDQrQ3RiaEtEaGFCdTk1MXhw%0D%0ATlFuWm0xbE1sOVhhCjdpSkF0VWRGME9yd2dPVlpUcXJNUUFXNm96YW45a0l4cytDSDh2YUdEVk93%0D%0Ab2FrWWg1U2E4akFHWmxoeHhBRitpdmtjMUk5TzlrQmIKWVVzMHJJa0dSR2dPbnA4YlNvZWt4cXRV%0D%0AcmNTUkgrTDVNV2lGM0JZbkdxcnkzUTVWc3JHVTdnSTFhRFBMYkpQQlYvNWVWQ3VyUDUxRQpUdVMv%0D%0AaExjOTRQSDZNY0F
4bDFoZnJCa3ByTDNTcXRvRWVJYW9iSWxNRldJdE13S0xCTjBTNWh4T2RCNTE3%0D%0AZ3NHaHpqOFJ0dVZMRWJKCjFQM1VuT2NaK3Q2cXpaREtCbEZEK2N4OEVHMkxRSGlnOVpxRUY3YVhC%0D%0ARmVJdzE2SGNwY2QxL3l6djRLSW5oWmlnOGFIblV3RGpBaWgKWXk2UG9tUGZZQUNGNkdRR0NWbnMr%0D%0AeVBlQzhDQWxOTmplaSt4SXRZOFZqT0d6UnRiQlAyaTZuTlF1aGpiWjMzSXVYS3ZPVUtpcS9tTgp1%0D%0AcHBxZ0ZWMU02NzJ2dkdZSm5zMmw3eXgvWE1LbWwwam84M0NocEVwNWFXZkhKZko2Nk1vNVZjYSto%0D%0AbkZkb3prbElQOXJYRC8zN3B2CnVKcDNUMTN2OFpabmFmanZKMjA2VFZ4N1ZrVFMvZFRQMXZzSGF5%0D%0AS1NMVTBqVlA4OE5vWXpOSzFmd2lBaDRmclU3eFFJY2JUQ0Y3czAKODRaQUdyTGVXWGRmWUhhL0xs%0D%0AUWdIL1hINi9oQStuMURxalFyaTIrdnJQWjQ2YkFvbVlad3p1em5qRzdtTTFQQVpxR3VQRkF6ZkF1%0D%0AUAoybSsrNEdUZjIwbU8rdUlsS1Qva1VLOENBd0VBQWFPQ0FWZ3dnZ0ZVTUFrR0ExVWRFd1FDTUFB%0D%0Ad0VRWUpZSVpJQVliNFFnRUJCQVFECkFnYkFNQ3NHQ1dDR1NBR0crRUlCRFFRZUZoeFVhVzU1UTBF%0D%0AZ1IyVnVaWEpoZEdWa0lFTmxjblJwWm1sallYUmxNQjBHQTFVZERnUVcKQkJRRGdtOGh1WldnOUZT%0D%0AYTlQWlR5OG9iZmdlRUhUQ0JvQVlEVlIwakJJR1lNSUdWZ0JSTjkrMUlXVlNFSlIvM2IxSlk2MTY2%0D%0Adk9IYwpaNkY2cEhnd2RqRUxNQWtHQTFVRUJoTUNSVlV4RFRBTEJnTlZCQW9UQkVWRVNWUXhEekFO%0D%0AQmdOVkJBc1RCbGRRSURVdU56RWRNQnNHCkExVUVBeE1VYzJWamRYSmxMbVV0ZEdGNGIyNXZiWGt1%0D%0AWlhVeEtEQW1CZ2txaGtpRzl3MEJDUUVXR1hOMWFISmlhV1Z5UUdsdVppNW0KZFMxaVpYSnNhVzR1%0D%0AWkdXQ0FRRXdKQVlEVlIwU0JCMHdHNEVaYzNWb2NtSnBaWEpBYVc1bUxtWjFMV0psY214cGJpNWta%0D%0AVEFQQmdOVgpIUkVFQ0RBR2h3U2dMVDhWTUE0R0ExVWREd0VCL3dRRUF3SUZvREFOQmdrcWhraUc5%0D%0AdzBCQVFVRkFBT0NBZ0VBUHF1bzY2aVVMWlBtCmx6MW9LOUw0S1grY2VodEwxYmJGS3Y5WHFNVjA1%0D%0AMHRxdXJrUnI5K21JT08xbUZ5ZTZ6WjlSTnM0MHl3MW40K2dFVm5qeDZ5OUprR3UKd2toejlFK1d5%0D%0AK0VVNE5NVld1V2t3blNUQktvREVQZjZDb3B2dTcrNmJBbFcrSFVKQUZqNVRocjNZTmdPS25sOXRu%0D%0AbDZ5S1pMNmh0RAp1S04rYVhLZU1oOEpkb1BFeTVZTnkrYjhuckM3eEVBdlJ3blYxYXEyY2E5S1Bx%0D%0AN0g0OGZVL3JQYWhkaVlQZVpxZExBYktUSDBubVlVCitmYTA4NjhVVmpNbWZvaWJmeU9iSVg3eFZ5%0D%0ATnlDaUM1WGNkOENibkRkSXZXbDMvM1pUbXJIdkp6c0xQUVFpZExSN0FrOXVqbzd5WFAKdTBXVzNI%0D%0AbHZ5cmlGd3dLVU9WbEw4MVhOcWxDZkVXVnM3YjhnZk9abXJMbmRVRXFINlk3dUZjb1ZOQ09DT3Iw%0D%0ARCtVcTdGTDNRSkY3dwpLbndpa3Bnd0xxbjh0bUZvTXIwTVR
tTE9ZTWZLeSt1NVh2dzZPNUxZQlM0%0D%0AMnNKam4xQ2ZpUWJycmlJVUw0Sk5nbzNlZnNVMGRNK2l2CmNla1NSQ01GVEdVNjBDM3crc0Q4SE1u%0D%0AMjZ1eS9lbjRzVGFEUnN4WHlQZTdHeEpzRzQyV0dVSzZvZGRSRlhYZzdjUVozdTNZd3R0dlYKOGVl%0D%0AbGdGWFA5aHZ5azBKeHdHa3hPbElReDVlN2liUVRMd3NoUlZGWjgzcEJDRDhuaFBERElTTzh5dlNK%0D%0AdUJQSlVycDZZNzRBVGw2VgpjYWxLQ1YzUHNDOS9aQWRMS05Pckc5TDhJMXV0OU1ORTY0c3o3Qk9y%0D%0ASHVOUXVUbE9RaHh2eGEyMk13bDRDME09CjwvZHM6WDUwOUNlcnRpZmljYXRlPgo8L2RzOlg1MDlE%0D%0AYXRhPgo8L2RzOktleUluZm8%2BPC9kczpTaWduYXR1cmU%2BPFN0YXR1cz48U3RhdHVzQ29kZSBWYWx1%0D%0AZT0ic2FtbHA6U3VjY2VzcyI%2BPC9TdGF0dXNDb2RlPjwvU3RhdHVzPjxBc3NlcnRpb24geG1sbnM9%0D%0AInVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMDphc3NlcnRpb24iIEFzc2VydGlvbklEPSJfMjNi%0D%0AMGVkNGNjZTdmYTcxMjQ2YzdhYmFkYWNmZWY1YjYiIElzc3VlSW5zdGFudD0iMjAwNy0xMS0xMlQx%0D%0AMjozNjozMC40MThaIiBJc3N1ZXI9Imh0dHBzOi8vaWRwLmUtdGF4b25vbXkuZXUvc2hpYmJvbGV0%0D%0AaC1pZHAiIE1ham9yVmVyc2lvbj0iMSIgTWlub3JWZXJzaW9uPSIxIj48Q29uZGl0aW9ucyBOb3RC%0D%0AZWZvcmU9IjIwMDctMTEtMTJUMTI6MzY6MzAuNDE4WiIgTm90T25PckFmdGVyPSIyMDA3LTExLTEy%0D%0AVDEyOjQxOjMwLjQxOFoiPjxBdWRpZW5jZVJlc3RyaWN0aW9uQ29uZGl0aW9uPjxBdWRpZW5jZT5o%0D%0AdHRwczovL3NwLmUtdGF4b25vbXkuZXUvc2hpYmJvbGV0aC1zcDwvQXVkaWVuY2U%2BPEF1ZGllbmNl%0D%0APmh0dHBzOi8vc2hpYmJvbGV0aC5lLXRheG9ub215LmV1L0ZlZGVyYXRpb248L0F1ZGllbmNlPjwv%0D%0AQXVkaWVuY2VSZXN0cmljdGlvbkNvbmRpdGlvbj48L0NvbmRpdGlvbnM%2BPEF1dGhlbnRpY2F0aW9u%0D%0AU3RhdGVtZW50IEF1dGhlbnRpY2F0aW9uSW5zdGFudD0iMjAwNy0xMS0xMlQxMjozNjozMC40MTha%0D%0AIiBBdXRoZW50aWNhdGlvbk1ldGhvZD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6MS4wOmFtOnVu%0D%0Ac3BlY2lmaWVkIj48U3ViamVjdD48TmFtZUlkZW50aWZpZXIgRm9ybWF0PSJ1cm46bWFjZTpzaGli%0D%0AYm9sZXRoOjEuMDpuYW1lSWRlbnRpZmllciIgTmFtZVF1YWxpZmllcj0iaHR0cHM6Ly9pZHAuZS10%0D%0AYXhvbm9teS5ldS9zaGliYm9sZXRoLWlkcCI%2BXzI3ZTEwOTJhZGY5NzVlMTE3NmFjMWViZmQxZjQy%0D%0AZTY5PC9OYW1lSWRlbnRpZmllcj48U3ViamVjdENvbmZpcm1hdGlvbj48Q29uZmlybWF0aW9uTWV0%0D%0AaG9kPnVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMDpjbTpiZWFyZXI8L0NvbmZpcm1hdGlvbk1l%0D%0AdGhvZD48L1N1YmplY3RDb25maXJtYXRpb24%2BPC9TdWJqZWN0PjxTdWJqZWN0TG9jY
WxpdHkgSVBB%0D%0AZGRyZXNzPSIxNjAuNDUuMTE0LjIxNSI%2BPC9TdWJqZWN0TG9jYWxpdHk%2BPC9BdXRoZW50aWNhdGlv%0D%0AblN0YXRlbWVudD48L0Fzc2VydGlvbj48L1Jlc3BvbnNlPg%3D%3D%0D%0A

Response:

HTTP/1.1 302 Found
Date: Mon, 12 Nov 2007 12:36:19 GMT
Server: Apache/2.2.3 (Debian) DAV/2 SVN/1.4.2 mod_python/3.2.10 Python/2.4.4 PHP/5.2.0-8+etch7 mod_ssl/2.2.3 OpenSSL/0.9.8c
Set-Cookie: _shibsession_696dfa45123e105c56d68e2dc402728cf50d208c=_19e3ab8d899be0053e1901e6e4a915a5; path=/
Set-Cookie: _saml_idp=aHR0cHM6Ly9pZHAuZS10YXhvbm9teS5ldS9zaGliYm9sZXRoLWlkcA%3D%3D; path=/; expires=Mon, 19 Nov 2007 12:36:19 GMT
Location: https://sp.e-taxonomy.eu/
Content-Length: 385
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://sp.e-taxonomy.eu/">here</a>.</p>
<hr>
<address>Apache/2.2.3 (Debian) DAV/2 SVN/1.4.2 mod_python/3.2.10 Python/2.4.4 PHP/5.2.0-8+etch7 mod_ssl/2.2.3 OpenSSL/0.9.8c Server at sp.e-taxonomy.eu Port 443</address>
</body></html>

This request forwards the POST request returned in the last response from the IdP to the SP.

The response sets two cookies:

  1. Shibboleth Session Cookie

  2. SAML-IdP Cookie

Furthermore, the response redirects the browser to the originally requested URL on the SP.

Final Redirected Request to the Service Provider

Request:

GET / HTTP/1.1
Host: sp.e-taxonomy.eu
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://idp.e-taxonomy.eu/shibboleth-idp/SSO?shire=https%3A%2F%2Fsp.e-taxonomy.eu%2FShibboleth.sso%2FSAML%2FPOST&time=1194870964&target=cookie&providerId=https%3A%2F%2Fsp.e-taxonomy.eu%2Fshibboleth-sp
Cookie: _shibstate_696dfa45123e105c56d68e2dc402728cf50d208c=https%3A%2F%2Fsp.e-taxonomy.eu%2F; _shibsession_696dfa45123e105c56d68e2dc402728cf50d208c=_19e3ab8d899be0053e1901e6e4a915a5; _saml_idp=aHR0cHM6Ly9pZHAuZS10YXhvbm9teS5ldS9zaGliYm9sZXRoLWlkcA%3D%3D

Response:

HTTP/1.1 200 OK
Date: Mon, 12 Nov 2007 12:36:19 GMT
Server: Apache/2.2.3 (Debian) DAV/2 SVN/1.4.2 mod_python/3.2.10 Python/2.4.4 PHP/5.2.0-8+etch7 mod_ssl/2.2.3 OpenSSL/0.9.8c
Content-Length: 1378
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /</title>
 </head>
 <body>
<h1>Index of /</h1>
<table><tr><th><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr><tr><th colspan="5"><hr></th></tr>
<tr><td valign="top"><img src="/icons/folder.gif" alt="[DIR]"></td><td><a href="apache2-default/">apache2-default/</a></td><td align="right">20-Nov-2004 20:16  </td><td align="right">  - </td></tr>
<tr><td valign="top"><img src="/icons/folder.gif" alt="[DIR]"></td><td><a href="apache2-env/">apache2-env/</a></td><td align="right">02-Nov-2007 21:43  </td><td align="right">  - </td></tr>
<tr><td valign="top"><img src="/icons/folder.gif" alt="[DIR]"></td><td><a href="drupal-5.2/">drupal-5.2/</a></td><td align="right">12-Dec-2006 09:32  </td><td align="right">  - </td></tr>
<tr><td valign="top"><img src="/icons/folder.gif" alt="[DIR]"></td><td><a href="trac/">trac/</a></td><td align="right">21-Aug-2007 16:13  </td><td align="right">  - </td></tr>
<tr><th colspan="5"><hr></th></tr>
</table>
<address>Apache/2.2.3 (Debian) DAV/2 SVN/1.4.2 mod_python/3.2.10 Python/2.4.4 PHP/5.2.0-8+etch7 mod_ssl/2.2.3 OpenSSL/0.9.8c Server at sp.e-taxonomy.eu Port 443</address>
</body></html>

This final request fetches the originally requested URL. It transmits three cookies:

  1. Shibstate

  2. Shibsession

  3. SAML_IDP

Conclusion

It appears that such a Shibboleth proxy should work, simply by establishing SSL connections to the SP and the IdP and reimplementing the protocol presented above.

The only problem left is to recognise the authentication method requested by the IdP and to provide the necessary credentials.

Updated by Andreas Müller about 2 years ago · 25 revisions