4.1 Message Flows
This section describes an example flow of messages among a web browser requestor, a WS resource, a resource IP/STS, and a requestor IP/STS, including example messages.
The web browser requestor sends a GET for the WS resource URL to the WS resource.
The WS resource returns a 302 Redirect to the resource IP/STS at the resource IP/STS URL.
Query string parameters are appended to the resource IP/STS URL, which form a wsignin1.0 request message, as follows:
A query string parameter is added, which indicates that the WS resource is the resource wanting authentication (wreply).
The original requested WS resource URL is saved as a context parameter in the sign-in message (wctx).
Example URL follows.
https://adfsresource1.treyresearch.net/adfs/ls/?wa=wsignin1.0&wreply=https%3a%2f%2fadfsweb1.treyresearch.net%3a8081%2fclaimapp%2f&wct=2006-07-11T03%3a26%3a39Z&wctx=https%3a%2f%2fadfsweb1.treyresearch.net%3a8081%2fclaimapp%2fDefault.aspx
The web browser requestor sends a GET for the resource IP/STS URL.
The resource IP/STS returns a 302 Redirect to the requestor IP/STS URL:
Query string parameters are appended to the requestor IP/STS URL, which form a wsignin1.0 request message (section 2.2.3), as follows:
A query string parameter is added, which indicates that the resource IP/STS is the partner wanting authentication (wtrealm).
Any state required by the resource IP/STS to continue processing the request is saved as a context parameter in the sign-in message (wctx).
Example URL follows.
https://adfsaccount1.adatum.com/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=urn%3afederation%3atreyCrazyResearch&wct=2006-07-11T03%3a28%3a05Z&wctx=https%3a%2f%2fadfsweb1.treyresearch.net%3a8081%2fclaimapp%2f%5chttps%3a%2f%2fadfsweb1.treyresearch.net%3a8081%2fclaimapp%2fDefault.aspx
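The two redirect URLs above are wsignin1.0 request messages carried in query-string parameters. The following is an added example, not code from the specification: it parses such a request and applies the checks an IP/STS makes before honouring it. The trusted-partner configuration and the 5-minute wct window are assumptions; the two example URLs from this section are used as constructed input.

```python
# Added example, not the specification's own code: parses a wsignin1.0 request message of the
# kind shown in the two redirect URLs above and applies the checks an IP/STS should make before
# honouring it. The trusted-partner values and the 5-minute wct window are assumptions.
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

# Constructed trust configuration (assumption): partners this IP/STS will issue tokens for.
TRUSTED_REALMS = {"urn:federation:treyCrazyResearch"}
TRUSTED_REPLY_PREFIXES = ("https://adfsweb1.treyresearch.net:8081/claimapp/",)
MAX_WCT_SKEW = timedelta(minutes=5)  # assumption; the specification fixes no value

# The two example request URLs from this section, used here as constructed input.
WS_RESOURCE_REQUEST = ("https://adfsresource1.treyresearch.net/adfs/ls/?wa=wsignin1.0"
    "&wreply=https%3a%2f%2fadfsweb1.treyresearch.net%3a8081%2fclaimapp%2f"
    "&wct=2006-07-11T03%3a26%3a39Z&wctx=https%3a%2f%2fadfsweb1.treyresearch.net%3a8081%2fclaimapp%2fDefault.aspx")
RESOURCE_STS_REQUEST = ("https://adfsaccount1.adatum.com/adfs/ls/auth/integrated/?wa=wsignin1.0"
    "&wtrealm=urn%3afederation%3atreyCrazyResearch&wct=2006-07-11T03%3a28%3a05Z"
    "&wctx=https%3a%2f%2fadfsweb1.treyresearch.net%3a8081%2fclaimapp%2f%5c"
    "https%3a%2f%2fadfsweb1.treyresearch.net%3a8081%2fclaimapp%2fDefault.aspx")

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_signin_request(url, now):
    """Return the accepted sign-in parameters, or raise ValueError naming the failed check."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if q.get("wa") != "wsignin1.0":
        raise ValueError("wa is not wsignin1.0")
    # wct is the sender's UTC timestamp; reject requests that are stale or from the future.
    if "wct" in q and abs(now - _ts(q["wct"])) > MAX_WCT_SKEW:
        raise ValueError("wct outside the accepted window")
    realm, reply = q.get("wtrealm"), q.get("wreply")
    if realm is None and reply is None:
        raise ValueError("neither wtrealm nor wreply names the requesting party")
    if realm is not None and realm not in TRUSTED_REALMS:
        raise ValueError("wtrealm is not a configured partner")
    # Only send the browser (carrying a token) to a reply URL registered for a partner.
    if reply is not None and not reply.startswith(TRUSTED_REPLY_PREFIXES):
        raise ValueError("wreply is not a registered reply URL")
    # wctx is opaque state echoed back unchanged in the response; it is not interpreted here.
    return {"wtrealm": realm, "wreply": reply, "wctx": q.get("wctx")}

def is_acceptable(url, now):
    try:
        parse_signin_request(url, now)
        return True
    except ValueError:
        return False
```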
The web browser requestor sends a GET for the requestor IP/STS URL.
Authentication occurs.
The requestor IP/STS sends a 200 response to the client with a POST Redirect to the resource IP/STS URL:
The returned [HTML] contains a hidden form that contains a wsignin1.0 response and JavaScript, which causes the form to POST immediately (optionally the form can have a visible Submit button). The form's target is the resource IP/STS URL.
The response contains a RequestSecurityTokenResponse message that includes a SAML token whose audience is the resource IP/STS. The token is signed by the requestor IP/STS X.509 certificate.
Example form follows.
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
  <title>Working...</title>
</head>
<body>
  <form method="POST" action="https://adfsresource1.treyresearch.net/adfs/ls/">
    <input type="hidden" name="wa" value="wsignin1.0" />
    <input type="hidden" name="wresult" value="
      <wst:RequestSecurityTokenResponse xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">
        <wst:RequestedSecurityToken>
          <saml:Assertion AssertionID="_784067ac-af2c-40b1-993a-cbb376597b6a"
              IssueInstant="2006-07-11T03:15:40Z" Issuer="urn:federation:apieceodata"
              MajorVersion="1" MinorVersion="1"
              xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
            <saml:Conditions NotBefore="2006-07-11T03:15:40Z" NotOnOrAfter="2006-07-11T04:15:40Z">
              <saml:AudienceRestrictionCondition>
                <saml:Audience>urn:federation:treyCrazyResearch</saml:Audience>
              </saml:AudienceRestrictionCondition>
            </saml:Conditions>
            <saml:Advice>
              <adfs:CookieInfoHash xmlns:adfs="urn:microsoft:federation">11AMDR+AihBUJMPNKS3N64ruuaY=</adfs:CookieInfoHash>
            </saml:Advice>
            <saml:AuthenticationStatement AuthenticationInstant="2006-07-11T03:15:40Z"
                AuthenticationMethod="urn:federation:authentication:windows">
              <saml:Subject>
                <saml:NameIdentifier Format="http://schemas.xmlsoap.org/claims/UPN">adamcar@adatum.com</saml:NameIdentifier>
              </saml:Subject>
            </saml:AuthenticationStatement>
            <saml:AttributeStatement>
              <saml:Subject>
                <saml:NameIdentifier Format="http://schemas.xmlsoap.org/claims/UPN">adamcar@adatum.com</saml:NameIdentifier>
              </saml:Subject>
              <saml:Attribute AttributeName="Group" AttributeNamespace="http://schemas.xmlsoap.org/claims">
                <saml:AttributeValue>ClaimAppMapping</saml:AttributeValue>
              </saml:Attribute>
              <saml:Attribute AttributeName="Group" AttributeNamespace="http://schemas.xmlsoap.org/claims">
                <saml:AttributeValue>TokenAppMapping</saml:AttributeValue>
              </saml:Attribute>
              <saml:Attribute AttributeName="Group" AttributeNamespace="http://schemas.xmlsoap.org/claims">
                <saml:AttributeValue>ResearchPlatinum</saml:AttributeValue>
              </saml:Attribute>
              <saml:Attribute AttributeName="Group" AttributeNamespace="http://schemas.xmlsoap.org/claims">
                <saml:AttributeValue>ResearchPurchaser</saml:AttributeValue>
              </saml:Attribute>
              <saml:Attribute AttributeName="ResearchFirstName" AttributeNamespace="http://schemas.xmlsoap.org/claims">
                <saml:AttributeValue>Adam</saml:AttributeValue>
              </saml:Attribute>
            </saml:AttributeStatement>
            <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
              <SignedInfo>
                <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
                <Reference URI="#_784067ac-af2c-40b1-993a-cbb376597b6a">
                  <Transforms>
                    <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                  </Transforms>
                  <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                  <DigestValue>Q4/7YEpc3fTVCzNPop6cyU+VAIE=</DigestValue>
                </Reference>
              </SignedInfo>
              <SignatureValue>
                tHgfkoQPiPTXnMWS3K1N6xkL5FOaRzoJIcg0ZqV3CImj
                gNtsAGhX8CKCJryYC3ARQdF6jCHHgthnPNyW0jPjA8/VPl1s+Nt5Pe9ODgwhJHx
                3wk+gbQs8Ty0IYl+jftp4DM0WF6/LCvIxTmAZ4+GT40fCK9RxbgP4WbR4cj6lE6
                C6wwX4odK+lqxVwtR5qx64SUyzPq0zbKG8YX0fSIuSgBJYKLJt+CUk+6YjCeY8m
                xH89iL2HWXEBTeMuLh32QrFV2+PFg3jeDcCxCIC9VjwmAyU6VZr3elSpqp/RgtN
                Dj8XckSZvwVdOrVztd7sEnJmJmmoeaLpbYNUJWmlbvGsvQ==
              </SignatureValue>
              <KeyInfo>
                <X509Data>
                  <X509Certificate>
                    MIIC0jCCAb6gAwIBAgIQKVyguUrraIFEOd4S4lAnOTAJB
                    gUrDgMCHQUAMCkxJzAlBgNVBAMTHkZlZGVyYXRpb24gU2VydmVyIEFERlNBY2NvdW
                    50MTAeFw0wNjAxMzEwMjU1MTZaFw0wNzAxMzEwODU1MTZaMCkxJzAlBgNVBAMTHkZ
                    lZGVyYXRpb24gU2VydmVyIEFERlNBY2NvdW50MTCCASIwDQYJKoZIhvcNAQEBBQAD
                    ggEPADCCAQoCggEBAL93fgaIJs+E+Y+eYhCrAVHYECQtE43ioEvvljz/4c81eC6i2
                    Rpiwc+2N+AXWaHqae3vWoCxkTCXWYomm9DXM1JpqTjq0pEWPLjkH7kMa34LUgaKxR
                    bbmw6Bus9SwGjhCQKdtAwxO9wcp2gEW7FU+gkAtkcoQdv1bEOXwlCInWKXO5jbybT
                    /l8qGHsz+69fhJdDNoQtjwkIAxqQd9PNdp7r4POG4p5+6kQtkmX3xIWIB0rh0Bml0
                    9GBbWQUoYbvjx6GH7LB/XJhLIJ7RdIHTv4yS2sTHEgLnF3nx1hjW4cZlznDA7OywV
                    pZKerK81m7CrHzd78dOJeZYJs2taHUeHY0CAwEAATAJBgUrDgMCHQUAA4IBAQBx9D
                    BI1t+3/efeQCQVuAwn9yp1nC7CwWGevW8ZyJe5V+3Lx9dQHiO1MpuXpOX+5tEdoDQ
                    fqjNNvwmA6UM9v1b70CmjWtI/b77scaBAq6B0iQqWlEcyiHKNKjIvF3/ME/SYOL7p
                    XmY1zvX9EqnOQVtNpLBueeesUo86APAzOqWWWeH5qVwrz73sDoJCToGAtsrnN2b3c
                    9415u1KSYQNfVQVQl3vCdJXEljuTv0PcGcibgKKT4bEKzHcdkYO38cuuNPgt1a7d0
                    QnrZ4ZgpjpThLuBLVbzyMP3FiQqFC2hiZ0IKb0uYG5hZY7+wIRhbuYgyqLWsimRL/
                    aw4m7NdL0RTBO
                  </X509Certificate>
                </X509Data>
              </KeyInfo>
            </Signature>
          </saml:Assertion>
        </wst:RequestedSecurityToken>
        <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
          <wsa:EndpointReference xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
            <wsa:Address>urn:federation:treyCrazyResearch</wsa:Address>
          </wsa:EndpointReference>
        </wsp:AppliesTo>
      </wst:RequestSecurityTokenResponse>" />
    <input type="hidden" name="wctx" value="https://adfsweb1.treyresearch.net:8081/claimapp/\https://adfsweb1.treyresearch.net:8081/claimapp/Default.aspx" />
    <noscript>
      <p>Script is disabled. Please click Submit to continue.</p>
      <input type="submit" value="Submit" />
    </noscript>
  </form>
  <script language="javascript">
    window.setTimeout('document.forms[0].submit()', 0);
  </script>
</body>
</html>
The web browser requestor sends a POST to the resource IP/STS URL.
The resource IP/STS sends a 200 response to the client with a POST Redirect to the WS resource URL:
The returned HTML contains a hidden form that contains a wsignin1.0 response and JavaScript, which causes the form to POST immediately (optionally the form can have a visible Submit button). The form's target is the WS resource URL.
The response contains a RequestSecurityTokenResponse message that includes a SAML token whose audience is the WS resource. The token is signed by the resource IP/STS X.509 certificate.
A full example HTML form follows.
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
  <title>Working...</title>
</head>
<body>
  <form method="POST" action="https://adfsweb1.treyresearch.net:8081/claimapp/">
    <input type="hidden" name="wa" value="wsignin1.0" />
    <input type="hidden" name="wresult" value="
      <wst:RequestSecurityTokenResponse xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">
        <wst:RequestedSecurityToken>
          <saml:Assertion AssertionID="_f81faa32-fc47-4ddb-98a2-0bda61b7ead2"
              IssueInstant="2006-07-11T03:19:05Z" Issuer="urn:federation:treyCrazyResearch"
              MajorVersion="1" MinorVersion="1"
              xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
            <saml:Conditions NotBefore="2006-07-11T03:19:05Z" NotOnOrAfter="2006-07-11T03:20:05Z">
              <saml:AudienceRestrictionCondition>
                <saml:Audience>https://adfsweb1.treyresearch.net:8081/claimapp/</saml:Audience>
              </saml:AudienceRestrictionCondition>
            </saml:Conditions>
            <saml:Advice>
              <adfs:ClaimSource xmlns:adfs="urn:microsoft:federation">urn:federation:apieceodata</adfs:ClaimSource>
              <adfs:CookieInfoHash xmlns:adfs="urn:microsoft:federation">fA4h78BffP5tdaujuJ39y0b4qEo=</adfs:CookieInfoHash>
            </saml:Advice>
            <saml:AuthenticationStatement AuthenticationInstant="2006-07-11T03:15:40Z"
                AuthenticationMethod="urn:federation:authentication:windows">
              <saml:Subject>
                <saml:NameIdentifier Format="http://schemas.xmlsoap.org/claims/UPN">adamcar@adatum.com</saml:NameIdentifier>
              </saml:Subject>
            </saml:AuthenticationStatement>
            <saml:AttributeStatement>
              <saml:Subject>
                <saml:NameIdentifier Format="http://schemas.xmlsoap.org/claims/UPN">adamcar@adatum.com</saml:NameIdentifier>
              </saml:Subject>
              <saml:Attribute AttributeName="Group" AttributeNamespace="http://schemas.xmlsoap.org/claims">
                <saml:AttributeValue>Adatum TokenApp Claim</saml:AttributeValue>
              </saml:Attribute>
              <saml:Attribute AttributeName="Group" AttributeNamespace="http://schemas.xmlsoap.org/claims">
                <saml:AttributeValue>Adatum ClaimApp Claim</saml:AttributeValue>
              </saml:Attribute>
              <saml:Attribute AttributeName="Group" AttributeNamespace="http://schemas.xmlsoap.org/claims">
                <saml:AttributeValue>Purchaser</saml:AttributeValue>
              </saml:Attribute>
              <saml:Attribute AttributeName="FirstName" AttributeNamespace="http://schemas.xmlsoap.org/claims">
                <saml:AttributeValue>Adam</saml:AttributeValue>
              </saml:Attribute>
            </saml:AttributeStatement>
            <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
              <SignedInfo>
                <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
                <Reference URI="#_f81faa32-fc47-4ddb-98a2-0bda61b7ead2">
                  <Transforms>
                    <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                  </Transforms>
                  <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                  <DigestValue>iLxgLs5ZLZZePFwiGqrGBddqtUI=</DigestValue>
                </Reference>
              </SignedInfo>
              <SignatureValue>
                SeWQYd9ejm1KGmZoi3wWO3wrFGfvtUfBus
                7KtdVUovYlha4ov7BVo3NO8lmou/Fd4+dEHbKmgAMWnEgmGygR2bXfNxJzHUvKf
                YKCZoZu/T0tB1QK6mvRnMmcMPtLmmXY1Ckkd8Up2oVf7peFHDo1pPlJPUdloYtb
                DwBn8Z2Z bjN/ktBH9bFRa7A17QM5RhC0/5HKU8n4fHQOZ3GhwXWtfiy
                uTFYxjofG9nBm1ehgKXPD3jfTYrP/gCQf4QwCOtQHDyatBDOs/8gEhaTjO49oN8
                E8MuaoyGg8kRV7/+K9H6jYD6NlN8e5mAoXW5x1irTFM4yGkLFr8UfVo8PT3pUBg
                g==
              </SignatureValue>
              <KeyInfo>
                <X509Data>
                  <X509Certificate>
                    MIIC1DCCAcCgAwIBAgIQ/EU1/PmUxKt
                    NHdsEKf/aODAJBgUrDgMCHQUAMCoxKDAmBgNVBAMTH0ZlZGVyYXRpb24gU2VydmVy
                    IEFERlNSZXNvdXJjZTEwHhcNMDYwMTMxMDI1OTAwWhcNMDcwMTMxMDg1O
                    TAwWjAqMSgwJgYDVQQDEx9GZWRlcmF0aW9uIFNlcnZlciBBREZTUmVzb3VyY2UxMI
                    IBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAspXHOLNdt4DP7EOT27sQgiR
                    ILGW9Bsk+HwcGwiTWnedGeG6IJatjragHdW7MYnLrMyiHY9Jc0e4NwzHPDt4qyXlU
                    C5c8XuHbr74lc32Jq6vlrRWYA/rxo+inRfxCrBkh5SOVRv4fiSyXya6jvbal1EhVc
                    sORV6g9iG3xW1Ja1GWOfwXUkfPqqeXCJynG/NHe2HqNqPTFCHOoqciHBNHYXZPEo7
                    W0C8XBPaVOEQ+1pVGaIubbcTsd3I15uuQGAr5Agce/FquUj4BCiQa8UkcTuuF7mmd
                    SOajnnNS784/5PK3Nc4CTNYiHPUyjg3r/O23z9BaOVIxVgWuTbLr0i/RmtQIDAQAB
                    MAkGBSsOAwIdBQADggEBAKLIcrdYRgYTYd/HGQCQDOoDrqAQFYDbU72hvPoc5Jknl
                    wZu3Jc1V8u5ZszRstBenrnJmNWNTBmJrwZ6xRl1eIYNfpCPY5o3dLK6JMSNgp/oT7
                    7pn6aYZ5/LpxhF3WGWWBg64/n4pOC5SSDteP1PsCm3LjW6Z9zYOL3mkqui3OLqMBK
                    cCo+JDMMnKgFDqcxutQ3YMPWDuYX+rvabhxMK2JZgWHhXyhWhn2qzi1z5cCFDA1hK
                    eMBcqDAMFlSsfbejL5tjapuUkiwAraa4BeTCJYz5/w1aeg2XGeTYOFAWPoJG8vvno
                    n9R37QIBz/Y8IKdDwZc6zAgTJjLZFhDreZbIvM=
                  </X509Certificate>
                </X509Data>
              </KeyInfo>
            </Signature>
          </saml:Assertion>
        </wst:RequestedSecurityToken>
        <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
          <wsa:EndpointReference xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
            <wsa:Address>https://adfsweb1.treyresearch.net:8081/claimapp/</wsa:Address>
          </wsa:EndpointReference>
        </wsp:AppliesTo>
      </wst:RequestSecurityTokenResponse>" />
    <input type="hidden" name="wctx" value="https://adfsweb1.treyresearch.net:8081/claimapp/Default.aspx" />
    <noscript>
      <p>Script is disabled. Please click Submit to continue.</p>
      <input type="submit" value="Submit" />
    </noscript>
  </form>
  <script language="javascript">
    window.setTimeout('document.forms[0].submit()', 0);
  </script>
</body>
</html>
The web browser requestor sends a POST to the WS resource URL.
The WS resource validates the SAML token.
The WS resource returns a 200 response from the application to the client. This message is an internal implementation detail of the WS resource and is mentioned here for completeness only; it is not necessary for interoperability. The WS resource is not restricted by the protocol once it has received the token.
The WS resource authorizes a user's request based on attributes from the SAML token.
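The validation and authorization steps above are illustrated by the following added example, which is not code from the specification. It applies the checks a WS resource makes on the saml:Assertion carried in wresult once its XML signature has been verified with an XML-DSig library (signature verification itself is not shown), and returns the subject and attributes the resource then authorizes against. The sample token is constructed from the second form in this section with the SignatureValue and KeyInfo omitted.

```python
# Added example, not the specification's own code: the checks a WS resource applies to the
# saml:Assertion in wresult after its XML signature has been verified (XML-DSig verification not
# shown). SAMPLE_WRESULT is constructed from the second form above; SignatureValue/KeyInfo omitted.
from datetime import datetime, timezone
import xml.etree.ElementTree as ET
NS = {"wst": "http://schemas.xmlsoap.org/ws/2005/02/trust",
      "saml": "urn:oasis:names:tc:SAML:1.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
SAMPLE_WRESULT = """<wst:RequestSecurityTokenResponse xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust"><wst:RequestedSecurityToken>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_f81faa32-fc47-4ddb-98a2-0bda61b7ead2"
   IssueInstant="2006-07-11T03:19:05Z" Issuer="urn:federation:treyCrazyResearch" MajorVersion="1" MinorVersion="1">
 <saml:Conditions NotBefore="2006-07-11T03:19:05Z" NotOnOrAfter="2006-07-11T03:20:05Z"><saml:AudienceRestrictionCondition>
  <saml:Audience>https://adfsweb1.treyresearch.net:8081/claimapp/</saml:Audience></saml:AudienceRestrictionCondition></saml:Conditions>
 <saml:AttributeStatement><saml:Subject><saml:NameIdentifier Format="http://schemas.xmlsoap.org/claims/UPN">adamcar@adatum.com</saml:NameIdentifier></saml:Subject>
  <saml:Attribute AttributeName="Group" AttributeNamespace="http://schemas.xmlsoap.org/claims"><saml:AttributeValue>Purchaser</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
 <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:Reference URI="#_f81faa32-fc47-4ddb-98a2-0bda61b7ead2"/></ds:SignedInfo></ds:Signature>
</saml:Assertion></wst:RequestedSecurityToken></wst:RequestSecurityTokenResponse>"""

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(wresult, expected_issuer, my_audience, now):
    """Return (upn, attributes) if the token is acceptable for this WS resource, else raise ValueError."""
    a = ET.fromstring(wresult).find("wst:RequestedSecurityToken/saml:Assertion", NS)
    if a is None or a.get("Issuer") != expected_issuer:
        raise ValueError("missing assertion or unexpected Issuer")
    # The enveloped signature must reference this assertion, not some other element in the document.
    ref = a.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + a.get("AssertionID", ""):
        raise ValueError("signature reference does not cover this assertion")
    cond = a.find("saml:Conditions", NS)
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    audiences = [x.text.strip() for x in cond.findall("saml:AudienceRestrictionCondition/saml:Audience", NS)]
    if my_audience not in audiences:
        raise ValueError("assertion not issued for this audience")
    stmt = a.find("saml:AttributeStatement", NS)
    upn = stmt.find("saml:Subject/saml:NameIdentifier", NS).text.strip()
    attrs = {}
    for attr in stmt.findall("saml:Attribute", NS):
        attrs.setdefault(attr.get("AttributeName"), []).append(attr.find("saml:AttributeValue", NS).text.strip())
    return upn, attrs

def is_acceptable(wresult, expected_issuer, my_audience, now):
    try:
        check_assertion(wresult, expected_issuer, my_audience, now)
        return True
    except ValueError:
        return False
```

Note that the first form's token, whose audience is urn:federation:treyCrazyResearch, fails the audience check at the WS resource even though it is validly signed, which is the reason the two hops issue two distinct tokens.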
The web browser requestor continues to browse the application at the WS resource, which results in additional traffic.