The Shibboleth Protocol
Introduction to the Shibboleth Protocol
The Authentication and Authorization Infrastructure (AAI) provides a general introduction to the Shibboleth Protocol in three levels of detail:
The latest documents of the official technical documentation can be found here:
Regarding the integration of the CSSO Profiles, in particular the desktop application profile, more detailed information is needed to determine the feasibility of the Shibboleth Proxy. We therefore carried out a logging session to analyse the protocol as observed in the current EDIT Shibboleth demonstration scenario. The next paragraphs focus on the current EDIT Shibboleth setup, emphasising only those protocol details the Shibboleth Proxy needs in order to intercept the Shibboleth protocol communication and carry out single sign-on functions on behalf of the client user. Please refer to the logging session chapter if you are interested in the complete logging results.
Initial setup
The current EDIT federation setup is the simplest possible Shibboleth configuration: one IdP responsible for authentication and attribute distribution, and one SP hosting a few web applications (Drupal, Trac and Subversion) to evaluate and demonstrate the EDIT Shibboleth framework.
The IdP is installed on https://idp.e-taxonomy.eu and performs client authentication on request of the SP. Authentication is backed by the current BDTracker user database.
The SP is running on https://sp.e-taxonomy.eu/. Drupal, Trac and Subversion demo instances are available under the paths /drupal-5.2, /trac and /svn respectively.
Currently, no WAYF service is installed, since only a single IdP instance is set up in the EDIT federation. The following protocol description therefore omits the WAYF step as well.
Initial Client Request (Step 1)
The Shibboleth protocol is initiated by a client request to access the URL https://sp.e-taxonomy.eu/ on the service provider. This results in the following minimal HTTP request:
GET / HTTP/1.1
Host: sp.e-taxonomy.eu
Redirection to IdP for authentication (Step 2)
Since the client user is not an authenticated Shibboleth user, the SP answers with an HTTP redirect to the IdP, where the client has to perform its login.
HTTP/1.1 302 Found
Set-Cookie: _shibstate_696dfa45123e105c56d68e2dc402728cf50d208c=https%3A%2F%2Fsp.e-taxonomy.eu%2F; path=/
Location: https://idp.e-taxonomy.eu/shibboleth-idp/SSO?shire=https%3A%2F%2Fsp.e-taxonomy.eu%2FShibboleth.sso%2FSAML%2FPOST&time=1194870964&target=cookie&providerId=https%3A%2F%2Fsp.e-taxonomy.eu%2Fshibboleth-sp
This response mainly contains two relevant pieces of information:
- the cookie _shibstate_XXX
- the Location URL instructing the client where to redirect to
The XXX naming part of the cookie represents the hash value of the providerId. The value of the cookie contains the target URL and path of the initial client request to the SP.
The Location header contains the URL of the IdP to which the client must direct its next request:
https://idp.e-taxonomy.eu/shibboleth-idp/SSO?
shire=https%3A%2F%2Fsp.e-taxonomy.eu%2FShibboleth.sso%2FSAML%2FPOST&
time=1194870964&
target=cookie&
providerId=https%3A%2F%2Fsp.e-taxonomy.eu%2Fshibboleth-sp
Shibboleth calls this request the authentication request. It includes the following parameters:
shire::
location of the assertion consumer service endpoint at the SP (https://sp.e-taxonomy.eu/Shibboleth.sso/SAML/POST). Becomes the value of the action attribute of the form element within the IdP response to this authentication request.
time::
This parameter is optional and represents the current time in seconds since the epoch; it may be used to assist the IdP in detecting stale requests from the client.
target::
contains the location of the target resource and must be preserved by the IdP and included in its response to the SP. Here the target parameter refers to the _shibstate_XXX cookie, which holds the initial target URL https://sp.e-taxonomy.eu/.
providerId::
Unique identifier (URI) of the SP (https://sp.e-taxonomy.eu/shibboleth-sp). Can be used by the IdP for special processing of the authentication request.
Using the URL returned by the SP in the Location header, the client sends the following authentication request to the IdP:
GET /shibboleth-idp/SSO?shire=https%3A%2F%2Fsp.e-taxonomy.eu%2FShibboleth.sso%2FSAML%2FPOST&time=1194870964&target=cookie&providerId=https%3A%2F%2Fsp.e-taxonomy.eu%2Fshibboleth-sp HTTP/1.1
Host: idp.e-taxonomy.eu
IdP Response to the Authentication Request (Step 3)
Since the client is not yet authenticated at the IdP, it has to supply the corresponding authorization information with the request. EDIT's IdP currently requires HTTP Basic authentication, so the client has to add the related credentials in the Authorization header of the request:
GET /shibboleth-idp/SSO?shire=https%3A%2F%2Fsp.e-taxonomy.eu%2FShibboleth.sso%2FSAML%2FPOST&time=1194870964&target=cookie&providerId=https%3A%2F%2Fsp.e-taxonomy.eu%2Fshibboleth-sp HTTP/1.1
Host: idp.e-taxonomy.eu
Authorization: Basic bC5zdWhyYmlfkiiuwMHFlIy
After successful authentication at the IdP, the IdP's SSO service responds with a cookie and an HTML document containing an HTML form.
HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=41483D1EC5DC97338458848CC51FD0F1; Path=/shibboleth-idp; Secure
...
<form id="shibboleth" action="https://sp.e-taxonomy.eu/Shibboleth.sso/SAML/POST" method="post">
<div>
<input type="hidden" name="TARGET" value="cookie" />
<input type="hidden" name="SAMLResponse" value="PFJlc3BvbnNlIHhtbG5zPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoxLjA6cHJvdG9jb2wiIHht ... ZGRyZXNzPSIxNjAuNDUuMTE0LjIxNSI+PC9TdWJqZWN0TG9jYWxpdHk+PC9BdXRoZW50aWNhdGlv blN0YXRlbWVudD48L0Fzc2VydGlvbj48L1Jlc3BvbnNlPg== "
The cookie JSESSIONID ...
The form with the id shibboleth carries the URL of the assertion consumer service at the SP in its action attribute.
The form parameter TARGET contains the preserved target value from Step 2. The actual target is delivered in the value of the related _shibstate_XXX cookie.
The form parameter SAMLResponse holds the base64-encoded and digitally signed SAML response to the client's authentication request.
The HTML document itself contains a piece of JavaScript code that automatically issues the HTTP POST request to the SP's assertion consumer service (https://sp.e-taxonomy.eu/Shibboleth.sso/SAML/POST):
POST /Shibboleth.sso/SAML/POST HTTP/1.1
Host: sp.e-taxonomy.eu
Referer: https://idp.e-taxonomy.eu/shibboleth-idp/SSO?shire=https%3A%2F%2Fsp.e-taxonomy.eu%2FShibboleth.sso%2FSAML%2FPOST&time=1194870964&target=cookie&providerId=https%3A%2F%2Fsp.e-taxonomy.eu%2Fshibboleth-sp
Cookie: _shibstate_696dfa45123e105c56d68e2dc402728cf50d208c=https%3A%2F%2Fsp.e-taxonomy.eu%2F

TARGET=cookie&SAMLResponse=PFJlc3BvbnNlIHhtbG5zPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoxLjA6cHJvdG9jb2wiIHht%0D%0AbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMDphc3NlcnRpb24iIHhtbG5zOnNh%0X ... NzPSIxNjAuNDUuMTE0LjIxNSI%2BPC9TdWJqZWN0TG9jYWxpdHk%2BPC9BdXRoZW50aWNhdGlv%0D%0AblN0YXRlbWVudD48L0Fzc2VydGlvbj48L1Jlc3BvbnNlPg%3D%3D%0D%0A
The POST request includes the following relevant parameters:
Referer::
The HTTP Referer header carries the URL that the SP handed to the client earlier, i.e. the authentication request the client sent to the IdP.
_shibstate_XXX cookie::
The _shibstate_XXX cookie stores the target URL of the initial client request to the SP.
TARGET parameter::
Refers to the target stored within the _shibstate_XXX cookie.
SAMLResponse parameter::
Contains the URL-encoded SAMLResponse from the IdP.
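The consistency checks between the Step 2 authentication request and the Step 3 SAMLResponse that the SP's assertion consumer service (or a proxy acting for the client) has to make before trusting the login, as an added Python example that is not part of this page or of the EDIT setup. The Step 2 headers are the logged ones; the SAMLResponse XML is constructed to mirror the structure of the logged one, the shire-to-host rule stands in for the real metadata check (an assumption), and the XML signature is only checked for presence, not verified.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, quote, unquote, urlparse

SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
DSIG = "http://www.w3.org/2000/09/xmldsig#"
BEARER = "urn:oasis:names:tc:SAML:1.0:cm:bearer"

# Step 2: the two relevant headers of the SP's 302, as logged on this page.
SP_REDIRECT = {
    "Set-Cookie": "_shibstate_696dfa45123e105c56d68e2dc402728cf50d208c="
                  "https%3A%2F%2Fsp.e-taxonomy.eu%2F; path=/",
    "Location": "https://idp.e-taxonomy.eu/shibboleth-idp/SSO"
                "?shire=https%3A%2F%2Fsp.e-taxonomy.eu%2FShibboleth.sso%2FSAML%2FPOST"
                "&time=1194870964&target=cookie"
                "&providerId=https%3A%2F%2Fsp.e-taxonomy.eu%2Fshibboleth-sp",
}

# Step 3: a CONSTRUCTED SAML 1.1 Response mirroring the logged one (same namespaces,
# Recipient, Issuer, Audience, validity window). ds:Signature is a placeholder only.
SAML_XML = f"""<Response xmlns="{SAMLP}" xmlns:samlp="{SAMLP}" MajorVersion="1"
  MinorVersion="1" IssueInstant="2007-11-12T12:36:30.419Z" ResponseID="_constructed-response"
  Recipient="https://sp.e-taxonomy.eu/Shibboleth.sso/SAML/POST">
 <ds:Signature xmlns:ds="{DSIG}"><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
 <Status><StatusCode Value="samlp:Success"/></Status>
 <Assertion xmlns="{SAML}" AssertionID="_constructed-assertion" MajorVersion="1" MinorVersion="1"
   IssueInstant="2007-11-12T12:36:30.418Z" Issuer="https://idp.e-taxonomy.eu/shibboleth-idp">
  <Conditions NotBefore="2007-11-12T12:36:30.418Z" NotOnOrAfter="2007-11-12T12:41:30.418Z">
   <AudienceRestrictionCondition><Audience>https://sp.e-taxonomy.eu/shibboleth-sp</Audience>
   </AudienceRestrictionCondition></Conditions>
  <AuthenticationStatement AuthenticationInstant="2007-11-12T12:36:30.418Z"
    AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified">
   <Subject><NameIdentifier Format="urn:mace:shibboleth:1.0:nameIdentifier"
     NameQualifier="https://idp.e-taxonomy.eu/shibboleth-idp">_constructed-handle</NameIdentifier>
    <SubjectConfirmation><ConfirmationMethod>{BEARER}</ConfirmationMethod></SubjectConfirmation>
   </Subject></AuthenticationStatement></Assertion></Response>"""
# The body the IdP's form posts: base64 with line breaks, then URL-encoded.
POST_BODY = "TARGET=cookie&SAMLResponse=" + quote(base64.encodebytes(SAML_XML.encode()), safe="")


def parse_authn_request(headers, now, max_age=300):
    """Step 2: extract shire/time/target/providerId from the Location URL and resolve
    target=cookie via the _shibstate_XXX cookie. Raises ValueError on stale/inconsistent values."""
    name, _, rest = headers["Set-Cookie"].partition("=")
    if not name.startswith("_shibstate_"):
        raise ValueError("no _shibstate cookie in the SP redirect")
    state_target = unquote(rest.split(";", 1)[0])
    sso = urlparse(headers["Location"])
    q = {k: v[0] for k, v in parse_qs(sso.query).items()}
    if now - int(q["time"]) > max_age:  # 'time' is optional in the protocol
        raise ValueError("stale authentication request")
    target = state_target if q["target"] == "cookie" else q["target"]
    shire = urlparse(q["shire"])
    # Assumed simplification of the IdP's metadata check: HTTPS endpoint on the target's host.
    if shire.scheme != "https" or shire.hostname != urlparse(target).hostname:
        raise ValueError("shire does not belong to the SP: " + q["shire"])
    return {"shire": q["shire"], "providerId": q["providerId"], "target": target,
            "idp_host": sso.hostname, "state_cookie": name}


def _ts(s):
    """SAML 1.1 UTC timestamp -> aware datetime (fractional seconds optional)."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in s else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(s, fmt).replace(tzinfo=timezone.utc)


def check_saml_post(body, req, now):
    """Step 3: decode the posted SAMLResponse, cross-check it against the Step 2
    request `req`, and return the subject handle if every check passes."""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if form["TARGET"] != "cookie":
        raise ValueError("TARGET was not preserved by the IdP")
    root = ET.fromstring(base64.b64decode(form["SAMLResponse"]))  # b64decode skips CRLF
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a SAML 1.x Response")
    if root.find(f"{{{DSIG}}}Signature") is None:
        raise ValueError("unsigned response")  # presence only; verification needs XML-DSig
    if root.get("Recipient") != req["shire"]:
        raise ValueError("Recipient does not match the shire the SP announced")
    status = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode").get("Value")
    if not status.endswith("Success"):
        raise ValueError("IdP reported " + status)
    a = root.find(f"{{{SAML}}}Assertion")
    if urlparse(a.get("Issuer")).hostname != req["idp_host"]:
        raise ValueError("assertion issued by a different IdP")
    cond = a.find(f"{{{SAML}}}Conditions")
    t = datetime.fromtimestamp(now, tz=timezone.utc)
    if not _ts(cond.get("NotBefore")) <= t < _ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    if req["providerId"] not in [e.text for e in cond.iter(f"{{{SAML}}}Audience")]:
        raise ValueError("assertion not addressed to this providerId")
    subj = a.find(f"{{{SAML}}}AuthenticationStatement/{{{SAML}}}Subject")
    if subj.find(f"{{{SAML}}}SubjectConfirmation/{{{SAML}}}ConfirmationMethod").text != BEARER:
        raise ValueError("unexpected subject confirmation method")
    return subj.find(f"{{{SAML}}}NameIdentifier").text
```

Calling `parse_authn_request(SP_REDIRECT, 1194871000)` (a constructed clock 36 s after the logged time) and then `check_saml_post(POST_BODY, req, 1194871000)` accepts the constructed response; shifting the clock by ten minutes rejects it as expired.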
Final Request to the Target Resource (Step 4)
In response to the POST request, the SP's assertion consumer service creates a security context and redirects the client to the originally requested resource.
HTTP/1.1 302 Found
Set-Cookie: _shibsession_696dfa45123e105c56d68e2dc402728cf50d208c=_19e3ab8d899be0053e1901e6e4a915a5; path=/
Set-Cookie: _saml_idp=aHR0cHM6Ly9pZHAuZS10YXhvbm9teS5ldS9zaGliYm9sZXRoLWlkcA%3D%3D; path=/;
Location: https://sp.e-taxonomy.eu/
Location attribute::
URL of the originally requested target resource
_shibsession_XXX cookie::
cookie storing the client handle. May be used by the SP to issue an attribute request to the IdP.
_saml_idp cookie::
base64-encoded URI value(s) of the unique ID(s) of the IdP(s) used by the SP.
With the following request the client repeats its initial request, which the SP now finally answers:
GET / HTTP/1.1
Host: sp.e-taxonomy.eu
Referer: https://idp.e-taxonomy.eu/shibboleth-idp/SSO?shire=https%3A%2F%2Fsp.e-taxonomy.eu%2FShibboleth.sso%2FSAML%2FPOST&time=1194870964&target=cookie&providerId=https%3A%2F%2Fsp.e-taxonomy.eu%2Fshibboleth-sp
Cookie: _shibstate_696dfa45123e105c56d68e2dc402728cf50d208c=https%3A%2F%2Fsp.e-taxonomy.eu%2F; _shibsession_696dfa45123e105c56d68e2dc402728cf50d208c=_19e3ab8d899be0053e1901e6e4a915a5; _saml_idp=aHR0cHM6Ly9pZHAuZS10YXhvbm9teS5ldS9zaGliYm9sZXRoLWlkcA%3D%3D
This and any subsequent requests to the SP must include the _shibsession_XXX cookie, the _shibstate_XXX cookie and the _saml_idp cookie. This provides the SP with all the information it needs and prevents it from repeating the authentication process.
I am not sure if the Referer attribute is really necessary here.
Finally, the following chapter presents the complete results of the Shibboleth protocol logging session.
Logging the HTTP-Shibboleth Protocol
Initial Service Provider Request
Request:
GET / HTTP/1.1
Host: sp.e-taxonomy.eu
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cache-Control: max-age=0
Response:
HTTP/1.1 302 Found
Date: Mon, 12 Nov 2007 12:36:04 GMT
Server: Apache/2.2.3 (Debian) DAV/2 SVN/1.4.2 mod_python/3.2.10 Python/2.4.4 PHP/5.2.0-8+etch7 mod_ssl/2.2.3 OpenSSL/0.9.8c
Set-Cookie: _shibstate_696dfa45123e105c56d68e2dc402728cf50d208c=https%3A%2F%2Fsp.e-taxonomy.eu%2F; path=/
Location: https://idp.e-taxonomy.eu/shibboleth-idp/SSO?shire=https%3A%2F%2Fsp.e-taxonomy.eu%2FShibboleth.sso%2FSAML%2FPOST&time=1194870964&target=cookie&providerId=https%3A%2F%2Fsp.e-taxonomy.eu%2Fshibboleth-sp
Content-Length: 572
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://idp.e-taxonomy.eu/shibboleth-idp/SSO?shire=https%3A%2F%2Fsp.e-taxonomy.eu%2FShibboleth.sso%2FSAML%2FPOST&time=1194870964&target=cookie&providerId=https%3A%2F%2Fsp.e-taxonomy.eu%2Fshibboleth-sp">here</a>.</p>
<hr>
<address>Apache/2.2.3 (Debian) DAV/2 SVN/1.4.2 mod_python/3.2.10 Python/2.4.4 PHP/5.2.0-8+etch7 mod_ssl/2.2.3 OpenSSL/0.9.8c Server at sp.e-taxonomy.eu Port 443</address>
</body></html>
- The request is redirected to the following IdP Location (return code 302):
Location: https://idp.e-taxonomy.eu/shibboleth-idp/SSO?shire=https%3A%2F%2Fsp.e-taxonomy.eu%2FShibboleth.sso%2FSAML%2FPOST&time=1194870964&target=cookie&providerId=https%3A%2F%2Fsp.e-taxonomy.eu%2Fshibboleth-sp
- A cookie is set within the browser:
Set-Cookie: _shibstate_696dfa45123e105c56d68e2dc402728cf50d208c=https%3A%2F%2Fsp.e-taxonomy.eu%2F; path=/
Redirected Request to the Identity Provider
Request:
GET /shibboleth-idp/SSO?shire=https%3A%2F%2Fsp.e-taxonomy.eu%2FShibboleth.sso%2FSAML%2FPOST&time=1194870964&target=cookie&providerId=https%3A%2F%2Fsp.e-taxonomy.eu%2Fshibboleth-sp HTTP/1.1
Host: idp.e-taxonomy.eu
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Authorization: Basic bC5zdWhyYmllcjo3aFRkMlIy
The browser follows the redirect to the URL returned in the response to the initial SP request.
The Basic authentication credentials are supplied in the Authorization header.
Response:
HTTP/1.1 200 OK
Date: Mon, 12 Nov 2007 12:36:29 GMT
Server: Apache/2.2.3 (Debian) mod_jk/1.2.18 mod_ssl/2.2.3 OpenSSL/0.9.8c
Set-Cookie: JSESSIONID=41483D1EC5DC97338458848CC51FD0F1; Path=/shibboleth-idp; Secure
Expires: 19-Mar-1971 08:23:00 GMT
Cache-control: no-cache
Pragma: no-cache
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 9138

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<link rel="stylesheet" type="text/css" href="main.css" />
<title>Shibboleth Authentication Request Processed</title>
</head>
<body onload="document.forms[0].submit()">
<h1>Shibboleth Authentication Request Processed</h1>
<script type="text/javascript">
<!--
document.write("<p>You are automatically being redirected to the requested site. ");
document.write("If the browser appears to be hung up after 15-20 seconds, try reloading ");
document.write("the page before contacting the technical support staff in charge of the ");
document.write("desired resource or service you are trying to access.</p>");
document.write("<h2>Redirecting to requested site...</h2>");
// -->
</script>
<noscript>
<p>
<strong>Note:</strong> Since your browser does not support JavaScript, you must press the Continue button once to proceed to the requested site.
</p> </noscript> <form id="shibboleth" action="https://sp.e-taxonomy.eu/Shibboleth.sso/SAML/POST" method="post"> <div> <input type="hidden" name="TARGET" value="cookie" /> <input type="hidden" name="SAMLResponse" value="PFJlc3BvbnNlIHhtbG5zPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoxLjA6cHJvdG9jb2wiIHht bG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMDphc3NlcnRpb24iIHhtbG5zOnNh bWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoxLjA6cHJvdG9jb2wiIHhtbG5zOnhzZD0iaHR0 cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5v cmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIElzc3VlSW5zdGFudD0iMjAwNy0xMS0xMlQxMjoz NjozMC40MTlaIiBNYWpvclZlcnNpb249IjEiIE1pbm9yVmVyc2lvbj0iMSIgUmVjaXBpZW50PSJo dHRwczovL3NwLmUtdGF4b25vbXkuZXUvU2hpYmJvbGV0aC5zc28vU0FNTC9QT1NUIiBSZXNwb25z ZUlEPSJfNTUyZjdiZmYzNTQ5NzAxNjI1NDY1YTg0MGZkYTk3M2EiPjxkczpTaWduYXR1cmUgeG1s bnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPgo8ZHM6U2lnbmVkSW5m bz4KPGRzOkNhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9y Zy8yMDAxLzEwL3htbC1leGMtYzE0biMiPjwvZHM6Q2Fub25pY2FsaXphdGlvbk1ldGhvZD4KPGRz OlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1s ZHNpZyNyc2Etc2hhMSI+PC9kczpTaWduYXR1cmVNZXRob2Q+CjxkczpSZWZlcmVuY2UgVVJJPSIj XzU1MmY3YmZmMzU0OTcwMTYyNTQ2NWE4NDBmZGE5NzNhIj4KPGRzOlRyYW5zZm9ybXM+CjxkczpU cmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjZW52 ZWxvcGVkLXNpZ25hdHVyZSI+PC9kczpUcmFuc2Zvcm0+CjxkczpUcmFuc2Zvcm0gQWxnb3JpdGht PSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiPjxlYzpJbmNsdXNpdmVO YW1lc3BhY2VzIHhtbG5zOmVjPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0 biMiIFByZWZpeExpc3Q9ImNvZGUgZHMga2luZCBydyBzYW1sIHNhbWxwIHR5cGVucyAjZGVmYXVs dCB4c2QgeHNpIj48L2VjOkluY2x1c2l2ZU5hbWVzcGFjZXM+PC9kczpUcmFuc2Zvcm0+CjwvZHM6 VHJhbnNmb3Jtcz4KPGRzOkRpZ2VzdE1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3Jn LzIwMDAvMDkveG1sZHNpZyNzaGExIj48L2RzOkRpZ2VzdE1ldGhvZD4KPGRzOkRpZ2VzdFZhbHVl PlpzNVJVT20rL0Uzd242NHpsQktWVXlMZERYYz08L2RzOkRpZ2VzdFZhbHVlPgo8L2RzOlJlZmVy 
ZW5jZT4KPC9kczpTaWduZWRJbmZvPgo8ZHM6U2lnbmF0dXJlVmFsdWU+CkhCWEU4UGsyV25qRGc3 SHlwYndjZE5XUmlad2xKWm9EUENuWDZBUURrZVRpZnlLUElXSFovYTllOFJObjJCcGQ2M1YzMTlr b3JkOUMKWXRidC8xWXk3QVo2cFJFV2x4anZNaHJySVN1WkJ4WmJseHVYdlRZYko3ZUZhMSt0cGVE ZUJXeHE5cHJWbEtqVzdSM3dobi84bWlOSgo2QjU5ckY5bzE0d204c0lzOGl4amYyR3kxM3dNNTlv ZWowb2NjVTQxaHJrK240NDJ1cUxNNjZmaFJBN0pWVVFnMjhVSFVHWXc3MEZKCnQ1WU81Z2lLaHNO WnRtVXZkOVJ4Q0NiVmFEbjh3cmVkUmVBMGtEVDU1RFE5R3dOSjRXS2hDNEFTNnlSY2QwMjdVM0My cG1DenNEb0QKQWpXNG80ek9JTGhyWUlyZkFJa1pHV2ZHOUd5clZjeWdNelc2S1NFRmdFeVc0QkJt QVBFWGNUSkluUmZ4V2FZRUY3RGJpa1RlUXVlVAprRmFjQitnMmE1c2RlWnZRb3NvVjVLMVZ2YUNn OVNGc3l5c1M4dlZyWGErTnJ6U3VwMmY0dVphUzlSOEZwNTgvcmJFQUdrTnB4QlUrClNpWGlWWFN0 d0lMcWZvelNVa05wc0lvNXZMQkxXY3ZxSFVTWFlWK2xwcjRyRXVOditDd1lmL2twbndwNXJHRnhn bFQ5akVmNEo5TGUKc3MrL2VQWmRYME04cTl5ZlVzR3ZTN0NVdGxsdWlna3JMdG5xSkhvaHhIbWNY WlBTdndxZWxmVnBsN0pkU1hETnZQT3VaQW0rQVdLbQpCSklZUlkvdzJBeGNUOUttN1psSkU4TE9q ZUlwVUx6Y3BVK3NZSzNuZnlmMmlNNHVRRnVUZERSU1hpNnlPMFg0N3JEQWVaQTA5aFU9CjwvZHM6 U2lnbmF0dXJlVmFsdWU+CjxkczpLZXlJbmZvPgo8ZHM6WDUwOURhdGE+CjxkczpYNTA5Q2VydGlm aWNhdGU+Ck1JSUdvRENDQklpZ0F3SUJBZ0lCQlRBTkJna3Foa2lHOXcwQkFRVUZBRENCZ1RFTE1B a0dBMVVFQmhNQ1JWVXhEVEFMQmdOVkJBb1QKQkVWRVNWUXhEekFOQmdOVkJBc1RCbGRRSURVdU56 RW9NQ1lHQTFVRUF4UWZVMlZ5ZG1WeVEwRWdQSE5sWTNWeVpTNWxMWFJoZUc5dQpiMjE1TG1WMVBq RW9NQ1lHQ1NxR1NJYjNEUUVKQVJZWmMzVm9jbUpwWlhKQWFXNW1MbVoxTFdKbGNteHBiaTVrWlRB ZUZ3MHdOekE0Ck1UUXhOREkyTUROYUZ3MHhNakE0TVRJeE5ESTJNRE5hTUVreEN6QUpCZ05WQkFZ VEFrVlZNUTB3Q3dZRFZRUUtFd1JGUkVsVU1ROHcKRFFZRFZRUUxFd1pYVUNBMUxqY3hHakFZQmdO VkJBTVRFV2xrY0M1bExYUmhlRzl1YjIxNUxtVjFNSUlDSWpBTkJna3Foa2lHOXcwQgpBUUVGQUFP Q0FnOEFNSUlDQ2dLQ0FnRUF5WUdHM1FEcFpTYzcvOUpTelYxeTRSTDQrQ3RiaEtEaGFCdTk1MXhw TlFuWm0xbE1sOVhhCjdpSkF0VWRGME9yd2dPVlpUcXJNUUFXNm96YW45a0l4cytDSDh2YUdEVk93 b2FrWWg1U2E4akFHWmxoeHhBRitpdmtjMUk5TzlrQmIKWVVzMHJJa0dSR2dPbnA4YlNvZWt4cXRV cmNTUkgrTDVNV2lGM0JZbkdxcnkzUTVWc3JHVTdnSTFhRFBMYkpQQlYvNWVWQ3VyUDUxRQpUdVMv 
aExjOTRQSDZNY0F4bDFoZnJCa3ByTDNTcXRvRWVJYW9iSWxNRldJdE13S0xCTjBTNWh4T2RCNTE3 Z3NHaHpqOFJ0dVZMRWJKCjFQM1VuT2NaK3Q2cXpaREtCbEZEK2N4OEVHMkxRSGlnOVpxRUY3YVhC RmVJdzE2SGNwY2QxL3l6djRLSW5oWmlnOGFIblV3RGpBaWgKWXk2UG9tUGZZQUNGNkdRR0NWbnMr eVBlQzhDQWxOTmplaSt4SXRZOFZqT0d6UnRiQlAyaTZuTlF1aGpiWjMzSXVYS3ZPVUtpcS9tTgp1 cHBxZ0ZWMU02NzJ2dkdZSm5zMmw3eXgvWE1LbWwwam84M0NocEVwNWFXZkhKZko2Nk1vNVZjYSto bkZkb3prbElQOXJYRC8zN3B2CnVKcDNUMTN2OFpabmFmanZKMjA2VFZ4N1ZrVFMvZFRQMXZzSGF5 S1NMVTBqVlA4OE5vWXpOSzFmd2lBaDRmclU3eFFJY2JUQ0Y3czAKODRaQUdyTGVXWGRmWUhhL0xs UWdIL1hINi9oQStuMURxalFyaTIrdnJQWjQ2YkFvbVlad3p1em5qRzdtTTFQQVpxR3VQRkF6ZkF1 UAoybSsrNEdUZjIwbU8rdUlsS1Qva1VLOENBd0VBQWFPQ0FWZ3dnZ0ZVTUFrR0ExVWRFd1FDTUFB d0VRWUpZSVpJQVliNFFnRUJCQVFECkFnYkFNQ3NHQ1dDR1NBR0crRUlCRFFRZUZoeFVhVzU1UTBF Z1IyVnVaWEpoZEdWa0lFTmxjblJwWm1sallYUmxNQjBHQTFVZERnUVcKQkJRRGdtOGh1WldnOUZT YTlQWlR5OG9iZmdlRUhUQ0JvQVlEVlIwakJJR1lNSUdWZ0JSTjkrMUlXVlNFSlIvM2IxSlk2MTY2 dk9IYwpaNkY2cEhnd2RqRUxNQWtHQTFVRUJoTUNSVlV4RFRBTEJnTlZCQW9UQkVWRVNWUXhEekFO QmdOVkJBc1RCbGRRSURVdU56RWRNQnNHCkExVUVBeE1VYzJWamRYSmxMbVV0ZEdGNGIyNXZiWGt1 WlhVeEtEQW1CZ2txaGtpRzl3MEJDUUVXR1hOMWFISmlhV1Z5UUdsdVppNW0KZFMxaVpYSnNhVzR1 WkdXQ0FRRXdKQVlEVlIwU0JCMHdHNEVaYzNWb2NtSnBaWEpBYVc1bUxtWjFMV0psY214cGJpNWta VEFQQmdOVgpIUkVFQ0RBR2h3U2dMVDhWTUE0R0ExVWREd0VCL3dRRUF3SUZvREFOQmdrcWhraUc5 dzBCQVFVRkFBT0NBZ0VBUHF1bzY2aVVMWlBtCmx6MW9LOUw0S1grY2VodEwxYmJGS3Y5WHFNVjA1 MHRxdXJrUnI5K21JT08xbUZ5ZTZ6WjlSTnM0MHl3MW40K2dFVm5qeDZ5OUprR3UKd2toejlFK1d5 K0VVNE5NVld1V2t3blNUQktvREVQZjZDb3B2dTcrNmJBbFcrSFVKQUZqNVRocjNZTmdPS25sOXRu bDZ5S1pMNmh0RAp1S04rYVhLZU1oOEpkb1BFeTVZTnkrYjhuckM3eEVBdlJ3blYxYXEyY2E5S1Bx N0g0OGZVL3JQYWhkaVlQZVpxZExBYktUSDBubVlVCitmYTA4NjhVVmpNbWZvaWJmeU9iSVg3eFZ5 TnlDaUM1WGNkOENibkRkSXZXbDMvM1pUbXJIdkp6c0xQUVFpZExSN0FrOXVqbzd5WFAKdTBXVzNI bHZ5cmlGd3dLVU9WbEw4MVhOcWxDZkVXVnM3YjhnZk9abXJMbmRVRXFINlk3dUZjb1ZOQ09DT3Iw RCtVcTdGTDNRSkY3dwpLbndpa3Bnd0xxbjh0bUZvTXIwTVRtTE9ZTWZLeSt1NVh2dzZPNUxZQlM0 
MnNKam4xQ2ZpUWJycmlJVUw0Sk5nbzNlZnNVMGRNK2l2CmNla1NSQ01GVEdVNjBDM3crc0Q4SE1u MjZ1eS9lbjRzVGFEUnN4WHlQZTdHeEpzRzQyV0dVSzZvZGRSRlhYZzdjUVozdTNZd3R0dlYKOGVl bGdGWFA5aHZ5azBKeHdHa3hPbElReDVlN2liUVRMd3NoUlZGWjgzcEJDRDhuaFBERElTTzh5dlNK dUJQSlVycDZZNzRBVGw2VgpjYWxLQ1YzUHNDOS9aQWRMS05Pckc5TDhJMXV0OU1ORTY0c3o3Qk9y SHVOUXVUbE9RaHh2eGEyMk13bDRDME09CjwvZHM6WDUwOUNlcnRpZmljYXRlPgo8L2RzOlg1MDlE YXRhPgo8L2RzOktleUluZm8+PC9kczpTaWduYXR1cmU+PFN0YXR1cz48U3RhdHVzQ29kZSBWYWx1 ZT0ic2FtbHA6U3VjY2VzcyI+PC9TdGF0dXNDb2RlPjwvU3RhdHVzPjxBc3NlcnRpb24geG1sbnM9 InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMDphc3NlcnRpb24iIEFzc2VydGlvbklEPSJfMjNi MGVkNGNjZTdmYTcxMjQ2YzdhYmFkYWNmZWY1YjYiIElzc3VlSW5zdGFudD0iMjAwNy0xMS0xMlQx MjozNjozMC40MThaIiBJc3N1ZXI9Imh0dHBzOi8vaWRwLmUtdGF4b25vbXkuZXUvc2hpYmJvbGV0 aC1pZHAiIE1ham9yVmVyc2lvbj0iMSIgTWlub3JWZXJzaW9uPSIxIj48Q29uZGl0aW9ucyBOb3RC ZWZvcmU9IjIwMDctMTEtMTJUMTI6MzY6MzAuNDE4WiIgTm90T25PckFmdGVyPSIyMDA3LTExLTEy VDEyOjQxOjMwLjQxOFoiPjxBdWRpZW5jZVJlc3RyaWN0aW9uQ29uZGl0aW9uPjxBdWRpZW5jZT5o dHRwczovL3NwLmUtdGF4b25vbXkuZXUvc2hpYmJvbGV0aC1zcDwvQXVkaWVuY2U+PEF1ZGllbmNl Pmh0dHBzOi8vc2hpYmJvbGV0aC5lLXRheG9ub215LmV1L0ZlZGVyYXRpb248L0F1ZGllbmNlPjwv QXVkaWVuY2VSZXN0cmljdGlvbkNvbmRpdGlvbj48L0NvbmRpdGlvbnM+PEF1dGhlbnRpY2F0aW9u U3RhdGVtZW50IEF1dGhlbnRpY2F0aW9uSW5zdGFudD0iMjAwNy0xMS0xMlQxMjozNjozMC40MTha IiBBdXRoZW50aWNhdGlvbk1ldGhvZD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6MS4wOmFtOnVu c3BlY2lmaWVkIj48U3ViamVjdD48TmFtZUlkZW50aWZpZXIgRm9ybWF0PSJ1cm46bWFjZTpzaGli Ym9sZXRoOjEuMDpuYW1lSWRlbnRpZmllciIgTmFtZVF1YWxpZmllcj0iaHR0cHM6Ly9pZHAuZS10 YXhvbm9teS5ldS9zaGliYm9sZXRoLWlkcCI+XzI3ZTEwOTJhZGY5NzVlMTE3NmFjMWViZmQxZjQy ZTY5PC9OYW1lSWRlbnRpZmllcj48U3ViamVjdENvbmZpcm1hdGlvbj48Q29uZmlybWF0aW9uTWV0 aG9kPnVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMDpjbTpiZWFyZXI8L0NvbmZpcm1hdGlvbk1l dGhvZD48L1N1YmplY3RDb25maXJtYXRpb24+PC9TdWJqZWN0PjxTdWJqZWN0TG9jYWxpdHkgSVBB ZGRyZXNzPSIxNjAuNDUuMTE0LjIxNSI+PC9TdWJqZWN0TG9jYWxpdHk+PC9BdXRoZW50aWNhdGlv blN0YXRlbWVudD48L0Fzc2VydGlvbj48L1Jlc3BvbnNlPg== " /> </div> <noscript> 
<div>
<input type="submit" value="Continue" />
</div>
</noscript>
</form>
</body>
</html>
The response sets the cookie JSESSIONID.
Furthermore, it contains a JavaScript-submitted form which automatically generates a new request to the SP if JavaScript is enabled. Otherwise, the "Continue" button must be pressed (or the resulting request must be generated some other way).
The submitted form sends a POST request to the service provider URL given in the action parameter, transmitting:
- the IdP cookie reference (TARGET)
- the encoded SAML response
Stylesheet Request to the Identity Provider
Request:
GET /shibboleth-idp/main.css HTTP/1.1
Host: idp.e-taxonomy.eu
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9
Accept: text/css,*/*;q=0.1
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://idp.e-taxonomy.eu/shibboleth-idp/SSO?shire=https%3A%2F%2Fsp.e-taxonomy.eu%2FShibboleth.sso%2FSAML%2FPOST&time=1194870964&target=cookie&providerId=https%3A%2F%2Fsp.e-taxonomy.eu%2Fshibboleth-sp
Cookie: JSESSIONID=41483D1EC5DC97338458848CC51FD0F1
If-Modified-Since: Wed, 26 Feb 2003 07:35:02 GMT
If-None-Match: W/"440-1046244902000"
Authorization: Basic bC5zdWhyYmm345ksdsg9FRkMlIy
Cache-Control: max-age=0
Response:
HTTP/1.1 304 Not Modified
Date: Mon, 12 Nov 2007 12:36:31 GMT
Server: Apache/2.2.3 (Debian) mod_jk/1.2.18 mod_ssl/2.2.3 OpenSSL/0.9.8c
Connection: Keep-Alive
Keep-Alive: timeout=15, max=100
IdP-Generated POST Request to the Service Provider
Request:
POST /Shibboleth.sso/SAML/POST HTTP/1.1 Host: sp.e-taxonomy.eu User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive Referer: https://idp.e-taxonomy.eu/shibboleth-idp/SSO?shire=https%3A%2F%2Fsp.e-taxonomy.eu%2FShibboleth.sso%2FSAML%2FPOST&time=1194870964&target=cookie&providerId=https%3A%2F%2Fsp.e-taxonomy.eu%2Fshibboleth-sp Cookie: _shibstate_696dfa45123e105c56d68e2dc402728cf50d208c=https%3A%2F%2Fsp.e-taxonomy.eu%2F Content-Type: application/x-www-form-urlencoded Content-Length: 8161 TARGET=cookie&SAMLResponse=PFJlc3BvbnNlIHhtbG5zPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoxLjA6cHJvdG9jb2wiIHht%0D%0AbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMDphc3NlcnRpb24iIHhtbG5zOnNh%0D%0AbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoxLjA6cHJvdG9jb2wiIHhtbG5zOnhzZD0iaHR0%0D%0AcDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5v%0D%0AcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIElzc3VlSW5zdGFudD0iMjAwNy0xMS0xMlQxMjoz%0D%0ANjozMC40MTlaIiBNYWpvclZlcnNpb249IjEiIE1pbm9yVmVyc2lvbj0iMSIgUmVjaXBpZW50PSJo%0D%0AdHRwczovL3NwLmUtdGF4b25vbXkuZXUvU2hpYmJvbGV0aC5zc28vU0FNTC9QT1NUIiBSZXNwb25z%0D%0AZUlEPSJfNTUyZjdiZmYzNTQ5NzAxNjI1NDY1YTg0MGZkYTk3M2EiPjxkczpTaWduYXR1cmUgeG1s%0D%0AbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPgo8ZHM6U2lnbmVkSW5m%0D%0Abz4KPGRzOkNhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9y%0D%0AZy8yMDAxLzEwL3htbC1leGMtYzE0biMiPjwvZHM6Q2Fub25pY2FsaXphdGlvbk1ldGhvZD4KPGRz%0D%0AOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1s%0D%0AZHNpZyNyc2Etc2hhMSI%2BPC9kczpTaWduYXR1cmVNZXRob2Q%2BCjxkczpSZWZlcmVuY2UgVVJJPSIj%0D%0AXzU1MmY3YmZmMzU0OTcwMTYyNTQ2NWE4NDBmZGE5NzNhIj4KPGRzOlRyYW5zZm9ybXM%2BCjxkczpU%0D%0AcmFuc2
Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjZW52%0D%0AZWxvcGVkLXNpZ25hdHVyZSI%2BPC9kczpUcmFuc2Zvcm0%2BCjxkczpUcmFuc2Zvcm0gQWxnb3JpdGht%0D%0APSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiPjxlYzpJbmNsdXNpdmVO%0D%0AYW1lc3BhY2VzIHhtbG5zOmVjPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0%0D%0AbiMiIFByZWZpeExpc3Q9ImNvZGUgZHMga2luZCBydyBzYW1sIHNhbWxwIHR5cGVucyAjZGVmYXVs%0D%0AdCB4c2QgeHNpIj48L2VjOkluY2x1c2l2ZU5hbWVzcGFjZXM%2BPC9kczpUcmFuc2Zvcm0%2BCjwvZHM6%0D%0AVHJhbnNmb3Jtcz4KPGRzOkRpZ2VzdE1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3Jn%0D%0ALzIwMDAvMDkveG1sZHNpZyNzaGExIj48L2RzOkRpZ2VzdE1ldGhvZD4KPGRzOkRpZ2VzdFZhbHVl%0D%0APlpzNVJVT20rL0Uzd242NHpsQktWVXlMZERYYz08L2RzOkRpZ2VzdFZhbHVlPgo8L2RzOlJlZmVy%0D%0AZW5jZT4KPC9kczpTaWduZWRJbmZvPgo8ZHM6U2lnbmF0dXJlVmFsdWU%2BCkhCWEU4UGsyV25qRGc3%0D%0ASHlwYndjZE5XUmlad2xKWm9EUENuWDZBUURrZVRpZnlLUElXSFovYTllOFJObjJCcGQ2M1YzMTlr%0D%0Ab3JkOUMKWXRidC8xWXk3QVo2cFJFV2x4anZNaHJySVN1WkJ4WmJseHVYdlRZYko3ZUZhMSt0cGVE%0D%0AZUJXeHE5cHJWbEtqVzdSM3dobi84bWlOSgo2QjU5ckY5bzE0d204c0lzOGl4amYyR3kxM3dNNTlv%0D%0AZWowb2NjVTQxaHJrK240NDJ1cUxNNjZmaFJBN0pWVVFnMjhVSFVHWXc3MEZKCnQ1WU81Z2lLaHNO%0D%0AWnRtVXZkOVJ4Q0NiVmFEbjh3cmVkUmVBMGtEVDU1RFE5R3dOSjRXS2hDNEFTNnlSY2QwMjdVM0My%0D%0AcG1DenNEb0QKQWpXNG80ek9JTGhyWUlyZkFJa1pHV2ZHOUd5clZjeWdNelc2S1NFRmdFeVc0QkJt%0D%0AQVBFWGNUSkluUmZ4V2FZRUY3RGJpa1RlUXVlVAprRmFjQitnMmE1c2RlWnZRb3NvVjVLMVZ2YUNn%0D%0AOVNGc3l5c1M4dlZyWGErTnJ6U3VwMmY0dVphUzlSOEZwNTgvcmJFQUdrTnB4QlUrClNpWGlWWFN0%0D%0Ad0lMcWZvelNVa05wc0lvNXZMQkxXY3ZxSFVTWFlWK2xwcjRyRXVOditDd1lmL2twbndwNXJHRnhn%0D%0AbFQ5akVmNEo5TGUKc3MrL2VQWmRYME04cTl5ZlVzR3ZTN0NVdGxsdWlna3JMdG5xSkhvaHhIbWNY%0D%0AWlBTdndxZWxmVnBsN0pkU1hETnZQT3VaQW0rQVdLbQpCSklZUlkvdzJBeGNUOUttN1psSkU4TE9q%0D%0AZUlwVUx6Y3BVK3NZSzNuZnlmMmlNNHVRRnVUZERSU1hpNnlPMFg0N3JEQWVaQTA5aFU9CjwvZHM6%0D%0AU2lnbmF0dXJlVmFsdWU%2BCjxkczpLZXlJbmZvPgo8ZHM6WDUwOURhdGE%2BCjxkczpYNTA5Q2VydGlm%0D%0AaWNhdGU%2BCk1JSUdvRENDQklpZ0F3SUJBZ0lCQlRBTkJna3Foa2lHOXcwQkFRVUZBRENCZ1RFTE1B%0D%0Aa0dBMVVFQmhNQ1JWVXhEVE
FMQmdOVkJBb1QKQkVWRVNWUXhEekFOQmdOVkJBc1RCbGRRSURVdU56%0D%0ARW9NQ1lHQTFVRUF4UWZVMlZ5ZG1WeVEwRWdQSE5sWTNWeVpTNWxMWFJoZUc5dQpiMjE1TG1WMVBq%0D%0ARW9NQ1lHQ1NxR1NJYjNEUUVKQVJZWmMzVm9jbUpwWlhKQWFXNW1MbVoxTFdKbGNteHBiaTVrWlRB%0D%0AZUZ3MHdOekE0Ck1UUXhOREkyTUROYUZ3MHhNakE0TVRJeE5ESTJNRE5hTUVreEN6QUpCZ05WQkFZ%0D%0AVEFrVlZNUTB3Q3dZRFZRUUtFd1JGUkVsVU1ROHcKRFFZRFZRUUxFd1pYVUNBMUxqY3hHakFZQmdO%0D%0AVkJBTVRFV2xrY0M1bExYUmhlRzl1YjIxNUxtVjFNSUlDSWpBTkJna3Foa2lHOXcwQgpBUUVGQUFP%0D%0AQ0FnOEFNSUlDQ2dLQ0FnRUF5WUdHM1FEcFpTYzcvOUpTelYxeTRSTDQrQ3RiaEtEaGFCdTk1MXhw%0D%0ATlFuWm0xbE1sOVhhCjdpSkF0VWRGME9yd2dPVlpUcXJNUUFXNm96YW45a0l4cytDSDh2YUdEVk93%0D%0Ab2FrWWg1U2E4akFHWmxoeHhBRitpdmtjMUk5TzlrQmIKWVVzMHJJa0dSR2dPbnA4YlNvZWt4cXRV%0D%0AcmNTUkgrTDVNV2lGM0JZbkdxcnkzUTVWc3JHVTdnSTFhRFBMYkpQQlYvNWVWQ3VyUDUxRQpUdVMv%0D%0AaExjOTRQSDZNY0F4bDFoZnJCa3ByTDNTcXRvRWVJYW9iSWxNRldJdE13S0xCTjBTNWh4T2RCNTE3%0D%0AZ3NHaHpqOFJ0dVZMRWJKCjFQM1VuT2NaK3Q2cXpaREtCbEZEK2N4OEVHMkxRSGlnOVpxRUY3YVhC%0D%0ARmVJdzE2SGNwY2QxL3l6djRLSW5oWmlnOGFIblV3RGpBaWgKWXk2UG9tUGZZQUNGNkdRR0NWbnMr%0D%0AeVBlQzhDQWxOTmplaSt4SXRZOFZqT0d6UnRiQlAyaTZuTlF1aGpiWjMzSXVYS3ZPVUtpcS9tTgp1%0D%0AcHBxZ0ZWMU02NzJ2dkdZSm5zMmw3eXgvWE1LbWwwam84M0NocEVwNWFXZkhKZko2Nk1vNVZjYSto%0D%0AbkZkb3prbElQOXJYRC8zN3B2CnVKcDNUMTN2OFpabmFmanZKMjA2VFZ4N1ZrVFMvZFRQMXZzSGF5%0D%0AS1NMVTBqVlA4OE5vWXpOSzFmd2lBaDRmclU3eFFJY2JUQ0Y3czAKODRaQUdyTGVXWGRmWUhhL0xs%0D%0AUWdIL1hINi9oQStuMURxalFyaTIrdnJQWjQ2YkFvbVlad3p1em5qRzdtTTFQQVpxR3VQRkF6ZkF1%0D%0AUAoybSsrNEdUZjIwbU8rdUlsS1Qva1VLOENBd0VBQWFPQ0FWZ3dnZ0ZVTUFrR0ExVWRFd1FDTUFB%0D%0Ad0VRWUpZSVpJQVliNFFnRUJCQVFECkFnYkFNQ3NHQ1dDR1NBR0crRUlCRFFRZUZoeFVhVzU1UTBF%0D%0AZ1IyVnVaWEpoZEdWa0lFTmxjblJwWm1sallYUmxNQjBHQTFVZERnUVcKQkJRRGdtOGh1WldnOUZT%0D%0AYTlQWlR5OG9iZmdlRUhUQ0JvQVlEVlIwakJJR1lNSUdWZ0JSTjkrMUlXVlNFSlIvM2IxSlk2MTY2%0D%0Adk9IYwpaNkY2cEhnd2RqRUxNQWtHQTFVRUJoTUNSVlV4RFRBTEJnTlZCQW9UQkVWRVNWUXhEekFO%0D%0AQmdOVkJBc1RCbGRRSURVdU56RWRNQnNHCkExVUVBeE1VYzJWamRYSmxMbVV0ZEdGNGIyNXZiWGt1%0D%0AWlhVeEtEQW1CZ2txaGtpRzl3MEJDUUVXR1hOMWFISmlhV1Z5UUdsdV
ppNW0KZFMxaVpYSnNhVzR1%0D%0AWkdXQ0FRRXdKQVlEVlIwU0JCMHdHNEVaYzNWb2NtSnBaWEpBYVc1bUxtWjFMV0psY214cGJpNWta%0D%0AVEFQQmdOVgpIUkVFQ0RBR2h3U2dMVDhWTUE0R0ExVWREd0VCL3dRRUF3SUZvREFOQmdrcWhraUc5%0D%0AdzBCQVFVRkFBT0NBZ0VBUHF1bzY2aVVMWlBtCmx6MW9LOUw0S1grY2VodEwxYmJGS3Y5WHFNVjA1%0D%0AMHRxdXJrUnI5K21JT08xbUZ5ZTZ6WjlSTnM0MHl3MW40K2dFVm5qeDZ5OUprR3UKd2toejlFK1d5%0D%0AK0VVNE5NVld1V2t3blNUQktvREVQZjZDb3B2dTcrNmJBbFcrSFVKQUZqNVRocjNZTmdPS25sOXRu%0D%0AbDZ5S1pMNmh0RAp1S04rYVhLZU1oOEpkb1BFeTVZTnkrYjhuckM3eEVBdlJ3blYxYXEyY2E5S1Bx%0D%0AN0g0OGZVL3JQYWhkaVlQZVpxZExBYktUSDBubVlVCitmYTA4NjhVVmpNbWZvaWJmeU9iSVg3eFZ5%0D%0ATnlDaUM1WGNkOENibkRkSXZXbDMvM1pUbXJIdkp6c0xQUVFpZExSN0FrOXVqbzd5WFAKdTBXVzNI%0D%0AbHZ5cmlGd3dLVU9WbEw4MVhOcWxDZkVXVnM3YjhnZk9abXJMbmRVRXFINlk3dUZjb1ZOQ09DT3Iw%0D%0ARCtVcTdGTDNRSkY3dwpLbndpa3Bnd0xxbjh0bUZvTXIwTVRtTE9ZTWZLeSt1NVh2dzZPNUxZQlM0%0D%0AMnNKam4xQ2ZpUWJycmlJVUw0Sk5nbzNlZnNVMGRNK2l2CmNla1NSQ01GVEdVNjBDM3crc0Q4SE1u%0D%0AMjZ1eS9lbjRzVGFEUnN4WHlQZTdHeEpzRzQyV0dVSzZvZGRSRlhYZzdjUVozdTNZd3R0dlYKOGVl%0D%0AbGdGWFA5aHZ5azBKeHdHa3hPbElReDVlN2liUVRMd3NoUlZGWjgzcEJDRDhuaFBERElTTzh5dlNK%0D%0AdUJQSlVycDZZNzRBVGw2VgpjYWxLQ1YzUHNDOS9aQWRMS05Pckc5TDhJMXV0OU1ORTY0c3o3Qk9y%0D%0ASHVOUXVUbE9RaHh2eGEyMk13bDRDME09CjwvZHM6WDUwOUNlcnRpZmljYXRlPgo8L2RzOlg1MDlE%0D%0AYXRhPgo8L2RzOktleUluZm8%2BPC9kczpTaWduYXR1cmU%2BPFN0YXR1cz48U3RhdHVzQ29kZSBWYWx1%0D%0AZT0ic2FtbHA6U3VjY2VzcyI%2BPC9TdGF0dXNDb2RlPjwvU3RhdHVzPjxBc3NlcnRpb24geG1sbnM9%0D%0AInVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMDphc3NlcnRpb24iIEFzc2VydGlvbklEPSJfMjNi%0D%0AMGVkNGNjZTdmYTcxMjQ2YzdhYmFkYWNmZWY1YjYiIElzc3VlSW5zdGFudD0iMjAwNy0xMS0xMlQx%0D%0AMjozNjozMC40MThaIiBJc3N1ZXI9Imh0dHBzOi8vaWRwLmUtdGF4b25vbXkuZXUvc2hpYmJvbGV0%0D%0AaC1pZHAiIE1ham9yVmVyc2lvbj0iMSIgTWlub3JWZXJzaW9uPSIxIj48Q29uZGl0aW9ucyBOb3RC%0D%0AZWZvcmU9IjIwMDctMTEtMTJUMTI6MzY6MzAuNDE4WiIgTm90T25PckFmdGVyPSIyMDA3LTExLTEy%0D%0AVDEyOjQxOjMwLjQxOFoiPjxBdWRpZW5jZVJlc3RyaWN0aW9uQ29uZGl0aW9uPjxBdWRpZW5jZT5o%0D%0AdHRwczovL3NwLmUtdGF4b25vbXkuZXUvc2hpYmJvbGV0aC1zcDwvQXVkaWVuY2U%2BPEF1ZGllbmNl%0
D%0APmh0dHBzOi8vc2hpYmJvbGV0aC5lLXRheG9ub215LmV1L0ZlZGVyYXRpb248L0F1ZGllbmNlPjwv%0D%0AQXVkaWVuY2VSZXN0cmljdGlvbkNvbmRpdGlvbj48L0NvbmRpdGlvbnM%2BPEF1dGhlbnRpY2F0aW9u%0D%0AU3RhdGVtZW50IEF1dGhlbnRpY2F0aW9uSW5zdGFudD0iMjAwNy0xMS0xMlQxMjozNjozMC40MTha%0D%0AIiBBdXRoZW50aWNhdGlvbk1ldGhvZD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6MS4wOmFtOnVu%0D%0Ac3BlY2lmaWVkIj48U3ViamVjdD48TmFtZUlkZW50aWZpZXIgRm9ybWF0PSJ1cm46bWFjZTpzaGli%0D%0AYm9sZXRoOjEuMDpuYW1lSWRlbnRpZmllciIgTmFtZVF1YWxpZmllcj0iaHR0cHM6Ly9pZHAuZS10%0D%0AYXhvbm9teS5ldS9zaGliYm9sZXRoLWlkcCI%2BXzI3ZTEwOTJhZGY5NzVlMTE3NmFjMWViZmQxZjQy%0D%0AZTY5PC9OYW1lSWRlbnRpZmllcj48U3ViamVjdENvbmZpcm1hdGlvbj48Q29uZmlybWF0aW9uTWV0%0D%0AaG9kPnVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMDpjbTpiZWFyZXI8L0NvbmZpcm1hdGlvbk1l%0D%0AdGhvZD48L1N1YmplY3RDb25maXJtYXRpb24%2BPC9TdWJqZWN0PjxTdWJqZWN0TG9jYWxpdHkgSVBB%0D%0AZGRyZXNzPSIxNjAuNDUuMTE0LjIxNSI%2BPC9TdWJqZWN0TG9jYWxpdHk%2BPC9BdXRoZW50aWNhdGlv%0D%0AblN0YXRlbWVudD48L0Fzc2VydGlvbj48L1Jlc3BvbnNlPg%3D%3D%0D%0A
Response:
HTTP/1.1 302 Found
Date: Mon, 12 Nov 2007 12:36:19 GMT
Server: Apache/2.2.3 (Debian) DAV/2 SVN/1.4.2 mod_python/3.2.10 Python/2.4.4 PHP/5.2.0-8+etch7 mod_ssl/2.2.3 OpenSSL/0.9.8c
Set-Cookie: _shibsession_696dfa45123e105c56d68e2dc402728cf50d208c=_19e3ab8d899be0053e1901e6e4a915a5; path=/
Set-Cookie: _saml_idp=aHR0cHM6Ly9pZHAuZS10YXhvbm9teS5ldS9zaGliYm9sZXRoLWlkcA%3D%3D; path=/; expires=Mon, 19 Nov 2007 12:36:19 GMT
Location: https://sp.e-taxonomy.eu/
Content-Length: 385
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://sp.e-taxonomy.eu/">here</a>.</p>
<hr>
<address>Apache/2.2.3 (Debian) DAV/2 SVN/1.4.2 mod_python/3.2.10 Python/2.4.4 PHP/5.2.0-8+etch7 mod_ssl/2.2.3 OpenSSL/0.9.8c Server at sp.e-taxonomy.eu Port 443</address>
</body></html>
This request forwards the POST data, returned by the IdP in its last response, via the browser to the SP.
The SP's response sets two cookies:
- Shibboleth Session Cookie
- SAML-IdP Cookie
Furthermore, the response redirects the browser to the URL on the SP that was requested originally.
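Before the SP answers the SAML/POST request with the session cookie and the redirect shown above, it has to accept the posted assertion. The following is an added Python example, not code from the EDIT project or the Shibboleth software, of the checks involved: status, issuer, validity window, audience, bearer confirmation and replay. The sample response is constructed from the values of the logged POST body (issuer, audiences, condition timestamps); the AssertionID and NameIdentifier are placeholders, the response is unsigned, so the XML signature check a real SP also performs is not shown, and the 60-second clock-skew allowance is an assumption of the example.

```python
"""Checks a Shibboleth SP applies to the POSTed SAML 1.1 response before it
issues the _shibsession_ cookie.  Added example, not code from the EDIT
project or the Shibboleth software.  The sample response is constructed
from the values of the logged assertion (issuer, audiences, condition
timestamps); it is unsigned, so XML signature verification is not shown."""
import base64
from datetime import datetime, timedelta, timezone
from urllib.parse import quote, unquote
import xml.etree.ElementTree as ET

SAML1_PROTOCOL = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML1_ASSERTION = "urn:oasis:names:tc:SAML:1.0:assertion"
CM_BEARER = "urn:oasis:names:tc:SAML:1.0:cm:bearer"
NS = {"samlp": SAML1_PROTOCOL, "saml": SAML1_ASSERTION}

SP_PROVIDER_ID = "https://sp.e-taxonomy.eu/shibboleth-sp"
IDP_PROVIDER_ID = "https://idp.e-taxonomy.eu/shibboleth-idp"

# Constructed sample, modelled on the decoded POST body logged above;
# AssertionID and NameIdentifier are placeholders.
SAMPLE_XML = (
    '<Response xmlns="%s" xmlns:samlp="%s" MajorVersion="1" MinorVersion="1">'
    '<Status><StatusCode Value="samlp:Success"></StatusCode></Status>'
    '<Assertion xmlns="%s" AssertionID="_sample-assertion-id"'
    ' IssueInstant="2007-11-12T12:36:30.418Z" Issuer="%s"'
    ' MajorVersion="1" MinorVersion="1">'
    '<Conditions NotBefore="2007-11-12T12:36:30.418Z"'
    ' NotOnOrAfter="2007-11-12T12:41:30.418Z">'
    '<AudienceRestrictionCondition>'
    '<Audience>https://sp.e-taxonomy.eu/shibboleth-sp</Audience>'
    '<Audience>https://shibboleth.e-taxonomy.eu/Federation</Audience>'
    '</AudienceRestrictionCondition></Conditions>'
    '<AuthenticationStatement AuthenticationInstant="2007-11-12T12:36:30.418Z"'
    ' AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified">'
    '<Subject><NameIdentifier Format="urn:mace:shibboleth:1.0:nameIdentifier"'
    ' NameQualifier="%s">_sample-name-identifier</NameIdentifier>'
    '<SubjectConfirmation><ConfirmationMethod>%s</ConfirmationMethod>'
    '</SubjectConfirmation></Subject></AuthenticationStatement>'
    '</Assertion></Response>'
) % (SAML1_PROTOCOL, SAML1_PROTOCOL, SAML1_ASSERTION, IDP_PROVIDER_ID,
     IDP_PROVIDER_ID, CM_BEARER)

# The browser form-posts SAMLResponse as URL-encoded, line-wrapped base64,
# which is why the logged body is full of %0D%0A, %2B, %2F and %3D.
SAMPLE_POST_VALUE = quote(base64.encodebytes(SAMPLE_XML.encode()).decode(), safe="")


def parse_saml_time(value):
    """SAML 1.1 timestamps are UTC, with or without fractional seconds."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def validate_post_response(post_value, now, replay_cache,
                           sp_provider_id=SP_PROVIDER_ID,
                           idp_provider_id=IDP_PROVIDER_ID,
                           skew=timedelta(seconds=60)):
    """Return (name_identifier, problems); a session may be created only
    when problems is empty.  replay_cache is the set of AssertionIDs already
    consumed; an accepted ID is added so the same POST cannot be replayed
    within its validity window.  The skew allowance is an assumption."""
    problems = []
    root = ET.fromstring(base64.b64decode(unquote(post_value)))
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or not status.get("Value", "").endswith(":Success"):
        problems.append("status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return None, problems + ["response carries no assertion"]
    if assertion.get("Issuer") != idp_provider_id:
        problems.append("unexpected issuer %r" % assertion.get("Issuer"))
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("assertion carries no Conditions")
    else:
        if parse_saml_time(cond.get("NotBefore")) > now + skew:
            problems.append("assertion not yet valid")
        if parse_saml_time(cond.get("NotOnOrAfter")) <= now - skew:
            problems.append("assertion expired")
        audiences = [a.text for a in cond.findall(
            "saml:AudienceRestrictionCondition/saml:Audience", NS)]
        if sp_provider_id not in audiences:
            problems.append("SP not in audience list %r" % audiences)
    subject = "saml:AuthenticationStatement/saml:Subject/"
    method = assertion.findtext(
        subject + "saml:SubjectConfirmation/saml:ConfirmationMethod",
        namespaces=NS)
    if method != CM_BEARER:
        problems.append("confirmation method %r is not bearer" % method)
    assertion_id = assertion.get("AssertionID")
    if assertion_id in replay_cache:
        problems.append("assertion %s already consumed" % assertion_id)
    name_id = assertion.findtext(subject + "saml:NameIdentifier", namespaces=NS)
    if not problems:
        replay_cache.add(assertion_id)
    return name_id, problems
```

The five-minute window (NotBefore 12:36:30, NotOnOrAfter 12:41:30) and the bearer confirmation method are exactly what make the posted response a bearer token: anyone who obtains the POST body within that window can present it, which is why the SP keeps a replay cache and why the SSL connections mentioned in the conclusion are not optional.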
Final Redirected Request to the Service Provider¶
Request:
GET / HTTP/1.1
Host: sp.e-taxonomy.eu
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://idp.e-taxonomy.eu/shibboleth-idp/SSO?shire=https%3A%2F%2Fsp.e-taxonomy.eu%2FShibboleth.sso%2FSAML%2FPOST&time=1194870964&target=cookie&providerId=https%3A%2F%2Fsp.e-taxonomy.eu%2Fshibboleth-sp
Cookie: _shibstate_696dfa45123e105c56d68e2dc402728cf50d208c=https%3A%2F%2Fsp.e-taxonomy.eu%2F; _shibsession_696dfa45123e105c56d68e2dc402728cf50d208c=_19e3ab8d899be0053e1901e6e4a915a5; _saml_idp=aHR0cHM6Ly9pZHAuZS10YXhvbm9teS5ldS9zaGliYm9sZXRoLWlkcA%3D%3D
Response:
HTTP/1.1 200 OK
Date: Mon, 12 Nov 2007 12:36:19 GMT
Server: Apache/2.2.3 (Debian) DAV/2 SVN/1.4.2 mod_python/3.2.10 Python/2.4.4 PHP/5.2.0-8+etch7 mod_ssl/2.2.3 OpenSSL/0.9.8c
Content-Length: 1378
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<title>Index of /</title>
</head>
<body>
<h1>Index of /</h1>
<table><tr><th><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr><tr><th colspan="5"><hr></th></tr>
<tr><td valign="top"><img src="/icons/folder.gif" alt="[DIR]"></td><td><a href="apache2-default/">apache2-default/</a></td><td align="right">20-Nov-2004 20:16 </td><td align="right"> - </td></tr>
<tr><td valign="top"><img src="/icons/folder.gif" alt="[DIR]"></td><td><a href="apache2-env/">apache2-env/</a></td><td align="right">02-Nov-2007 21:43 </td><td align="right"> - </td></tr>
<tr><td valign="top"><img src="/icons/folder.gif" alt="[DIR]"></td><td><a href="drupal-5.2/">drupal-5.2/</a></td><td align="right">12-Dec-2006 09:32 </td><td align="right"> - </td></tr>
<tr><td valign="top"><img src="/icons/folder.gif" alt="[DIR]"></td><td><a href="trac/">trac/</a></td><td align="right">21-Aug-2007 16:13 </td><td align="right"> - </td></tr>
<tr><th colspan="5"><hr></th></tr>
</table>
<address>Apache/2.2.3 (Debian) DAV/2 SVN/1.4.2 mod_python/3.2.10 Python/2.4.4 PHP/5.2.0-8+etch7 mod_ssl/2.2.3 OpenSSL/0.9.8c Server at sp.e-taxonomy.eu Port 443</address>
</body></html>
This final request fetches the originally requested URL. It transmits three cookies:
- Shibstate
- Shibsession
- SAML_IDP
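What the three cookies actually carry, and which attributes the SP did not set on them, can be read straight off the logged headers. The following is an added Python example, not code from the EDIT project or the Shibboleth software; the Set-Cookie and Cookie header values are copied from the 302 response and the final GET request above, and the role names (shibstate, shibsession, saml_idp) are labels chosen for this example.

```python
"""What the three cookies seen in this logging session carry and which
hardening attributes they lack.  Added example, not code from the EDIT
project or the Shibboleth software; the header values are copied from the
302 response and the final GET request logged on this page."""
import base64
from urllib.parse import unquote

# Set-Cookie headers of the 302 response to the SAML/POST request.
SET_COOKIE_HEADERS = [
    "_shibsession_696dfa45123e105c56d68e2dc402728cf50d208c="
    "_19e3ab8d899be0053e1901e6e4a915a5; path=/",
    "_saml_idp=aHR0cHM6Ly9pZHAuZS10YXhvbm9teS5ldS9zaGliYm9sZXRoLWlkcA%3D%3D; "
    "path=/; expires=Mon, 19 Nov 2007 12:36:19 GMT",
]
# Cookie header of the final redirected request to the SP.
REQUEST_COOKIE_HEADER = (
    "_shibstate_696dfa45123e105c56d68e2dc402728cf50d208c="
    "https%3A%2F%2Fsp.e-taxonomy.eu%2F; "
    "_shibsession_696dfa45123e105c56d68e2dc402728cf50d208c="
    "_19e3ab8d899be0053e1901e6e4a915a5; "
    "_saml_idp=aHR0cHM6Ly9pZHAuZS10YXhvbm9teS5ldS9zaGliYm9sZXRoLWlkcA%3D%3D")


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value});
    attribute names are lower-cased because they are case-insensitive."""
    first, *rest = header.split(";")
    name, _, value = first.strip().partition("=")
    attrs = {}
    for item in rest:
        key, _, val = item.strip().partition("=")
        attrs[key.lower()] = val
    return name, value, attrs


def parse_cookie_header(header):
    """Split a request Cookie header into {name: raw value}."""
    cookies = {}
    for item in header.split(";"):
        name, _, value = item.strip().partition("=")
        cookies[name] = value
    return cookies


def cookie_role(name, value):
    """Classify a cookie by its Shibboleth SP naming convention and decode
    its payload: the state cookie stores the URL-encoded original target,
    the IdP cookie the base64 providerId of the IdP that was used, and the
    session cookie an opaque handle into the SP's session cache."""
    if name.startswith("_shibstate_"):
        return "shibstate", unquote(value)
    if name.startswith("_shibsession_"):
        return "shibsession", value
    if name == "_saml_idp":
        return "saml_idp", base64.b64decode(unquote(value)).decode()
    return "other", value


def describe_request_cookies(header):
    """Map each cookie in a Cookie header to (role, decoded payload)."""
    return {name: cookie_role(name, value)
            for name, value in parse_cookie_header(header).items()}


def audit_set_cookies(headers):
    """Report, per cookie, the hardening attributes the SP did not set.
    Both cookies logged above carry only path=/ (plus an expires date), so
    a browser would also send the session handle to http://sp.e-taxonomy.eu
    and script on the SP's pages could read it."""
    findings = {}
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        findings[name] = [a for a in ("secure", "httponly") if a not in attrs]
    return findings
```

Note that the _shibstate_ and _shibsession_ cookies share the same hash suffix: the state cookie, written before the redirect to the IdP, is what lets the SP send the browser back to https://sp.e-taxonomy.eu/ once the session exists, and the _saml_idp cookie is what would let a WAYF be skipped on a later visit.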
Conclusion¶
It appears that such a Shibboleth proxy should work, simply by establishing SSL connections to the SP and the IdP and reimplementing the protocol presented above.
The only remaining problem is to recognise the authentication method requested by the IdP and to provide the necessary credentials.
Updated by Andreas Müller about 2 years ago · 25 revisions