Optional Authentication
Onegini IDP lets a user postpone registration by leaving an email address for future use instead of completing the login or registration flow.
Request structure
To offer this to the user, the SP sends a SAML AuthnRequest whose RequestedAuthnContext carries, next to the regular class (for example Password), one or both of the following custom Onegini AuthnContext class references:
- urn:com:onegini:saml:OptionalAuthentication
shows the optional authentication form on the login screen
- urn:com:onegini:saml:NoRegistration
hides the registration link on the login form (when registration is enabled)
Example:
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                     AssertionConsumerServiceURL="http://localhost:8080/spring-security-saml2-sample/saml/SSO"
                     Destination="http://idp-core.dev.onegini.me:8989/saml/single-sign-on"
                     ForceAuthn="false"
                     ID="af7ef0gch7ii2331868dh5jfg871e3"
                     IsPassive="false"
                     IssueInstant="2016-09-19T12:47:17.907Z"
                     ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                     Version="2.0"
                     >
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">spring:security:saml</saml2:Issuer>
    <saml2p:RequestedAuthnContext Comparison="exact">
        <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
        <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:com:onegini:saml:OptionalAuthentication</saml2:AuthnContextClassRef>
    </saml2p:RequestedAuthnContext>
</saml2p:AuthnRequest>
Or, with both custom classes:
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                     AssertionConsumerServiceURL="http://localhost:8080/spring-security-saml2-sample/saml/SSO"
                     Destination="http://idp-core.dev.onegini.me:8989/saml/single-sign-on"
                     ForceAuthn="false"
                     ID="a34638290c8a0igf26hib778ecd7a01"
                     IsPassive="false"
                     IssueInstant="2016-09-19T12:48:22.037Z"
                     ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                     Version="2.0"
                     >
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">spring:security:saml</saml2:Issuer>
    <saml2p:RequestedAuthnContext Comparison="exact">
        <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
        <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:com:onegini:saml:OptionalAuthentication</saml2:AuthnContextClassRef>
        <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:com:onegini:saml:NoRegistration</saml2:AuthnContextClassRef>
    </saml2p:RequestedAuthnContext>
</saml2p:AuthnRequest>
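The following is an added example, not code from Onegini or from the spring-security-saml sample SP used on this page. It builds the AuthnRequest shown above from the SP side with the Python standard library, toggling the two Onegini AuthnContext classes, and returns the request ID so the SP can later match the Response's InResponseTo against it. The entity ID and URLs in the usage block are the ones from the page's examples; the function and variable names are this example's own. Signing and the HTTP-POST/Redirect encoding are left to the SP's SAML library.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml2p", SAMLP)
ET.register_namespace("saml2", SAML)

# AuthnContext class URIs: the standard Password class plus the two
# Onegini-specific classes documented on this page.
AC_PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
AC_OPTIONAL_AUTH = "urn:com:onegini:saml:OptionalAuthentication"
AC_NO_REGISTRATION = "urn:com:onegini:saml:NoRegistration"
HTTP_POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def build_authn_request(sp_entity_id, acs_url, destination,
                        optional_authentication=False, no_registration=False):
    """Return (unsigned saml2p:AuthnRequest as bytes, request ID).

    Keep the ID server-side: the Response's InResponseTo must match it.
    """
    # xs:ID values may not start with a digit, hence the leading underscore.
    request_id = "_" + uuid.uuid4().hex
    issue_instant = (datetime.now(timezone.utc)
                     .isoformat(timespec="milliseconds")
                     .replace("+00:00", "Z"))
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": destination,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": HTTP_POST_BINDING,
        "ForceAuthn": "false",
        "IsPassive": "false",
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id

    # Comparison="exact": the IdP must satisfy one of the listed classes.
    # Appending the Onegini classes is what switches the login screen mode.
    classes = [AC_PASSWORD]
    if optional_authentication:
        classes.append(AC_OPTIONAL_AUTH)
    if no_registration:
        classes.append(AC_NO_REGISTRATION)
    rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext",
                        {"Comparison": "exact"})
    for uri in classes:
        ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = uri

    return ET.tostring(req, encoding="utf-8"), request_id


def requested_authn_contexts(request_xml):
    """Parse an AuthnRequest and return its AuthnContextClassRef values in order."""
    root = ET.fromstring(request_xml)
    return [e.text for e in root.iter(f"{{{SAML}}}AuthnContextClassRef")]


if __name__ == "__main__":
    # Values taken from the examples on this page.
    xml, rid = build_authn_request(
        "spring:security:saml",
        "http://localhost:8080/spring-security-saml2-sample/saml/SSO",
        "http://idp-core.dev.onegini.me:8989/saml/single-sign-on",
        optional_authentication=True, no_registration=True)
    print(rid)
    print(xml.decode())
```

Calling build_authn_request with both flags set produces the three AuthnContextClassRef elements of the second example above; with neither flag it sends only the Password class and the IdP shows its normal login screen.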
Onegini IDP Response
If the user chooses to skip registration and leaves an email address, Onegini IDP returns to the SP a SAML Response with these properties:
- Status code urn:oasis:names:tc:SAML:2.0:status:Responder with secondary status code urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal
- An email attribute with OID 1.2.840.113549.1.9.1 (the attribute Name is the bare OID, without the urn:oid: prefix that the uid attribute carries, so match it exactly)
The top-level status is not Success, so the SP must not treat this Response as a completed login even though it carries an assertion with a NameID and attributes. The email address is the value the user typed in, so handle it as unverified input. Many SP libraries reject any non-Success Response before exposing the assertion, so this case usually needs SP-side handling.
Example:
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                 Destination="http://localhost:8080/spring-security-saml2-sample/saml/SSO"
                 ID="_d80dd0e0-0513-41e7-88ba-c1fbad3c0658"
                 InResponseTo="a34638290c8a0igf26hib778ecd7a01"
                 IssueInstant="2016-09-19T12:48:55.262Z"
                 Version="2.0"
                 >
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                  Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
                  >http://idp-core.dev.onegini.me:8989</saml2:Issuer>
    <saml2p:Status>
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
            <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal" />
        </saml2p:StatusCode>
    </saml2p:Status>
    <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                     ID="_bf00fe5c-079e-40f9-8ae1-f8613ac796a9"
                     IssueInstant="2016-09-19T12:48:55.262Z"
                     Version="2.0"
                     xmlns:xs="http://www.w3.org/2001/XMLSchema"
                     >
        <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://idp-core.dev.onegini.me:8989</saml2:Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            ...
        </ds:Signature>
        <saml2:Subject>
            <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
                          NameQualifier="http://idp-core.dev.onegini.me:8989"
                          SPNameQualifier="spring:security:saml"
                          >ad7dd884-6406-4376-bba6-dc65052a9360</saml2:NameID>
            <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                ...
            </saml2:SubjectConfirmation>
        </saml2:Subject>
        <saml2:Conditions NotBefore="2016-09-19T12:48:55.262Z"
                          NotOnOrAfter="2016-09-19T12:53:55.262Z"
                          >
            <saml2:AudienceRestriction>
                <saml2:Audience>spring:security:saml</saml2:Audience>
            </saml2:AudienceRestriction>
        </saml2:Conditions>
        <saml2:AttributeStatement>
            <saml2:Attribute FriendlyName="uid"
                             Name="urn:oid:0.9.2342.19200300.100.1.1"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                             >
                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                      xsi:type="xs:string"
                                      >ad7dd884-6406-4376-bba6-dc65052a9360</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute FriendlyName="email"
                             Name="1.2.840.113549.1.9.1"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                             >
                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                      xsi:type="xs:string"
                                      >[email protected]</saml2:AttributeValue>
            </saml2:Attribute>
        </saml2:AttributeStatement>
    </saml2:Assertion>
</saml2p:Response>
If the user proceeds with login instead, a normal SAML Response (top-level status Success) is returned.
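The following is an added example, not code from Onegini or from any SP library, showing how an SP can tell the three outcomes apart once a Response has already passed signature verification in its SAML stack. It assumes exactly that: xml.etree.ElementTree validates neither signatures nor schema, and for untrusted XML in production you would parse through defusedxml instead. The sample Response is constructed for this example and modelled on the one above (signature and SubjectConfirmation elided, placeholder email address); the function names and the outcome labels are this example's own. Beyond the status check the function also binds the Response to the outstanding request ID, enforces the Audience and the Conditions validity window, and refuses to classify anything that fails those checks.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
STATUS_UNKNOWN_PRINCIPAL = "urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal"
# Attribute Name exactly as Onegini IDP emits it: bare OID, no urn:oid: prefix.
EMAIL_ATTR = "1.2.840.113549.1.9.1"


def parse_saml_time(value):
    """Parse a SAML UTC timestamp such as 2016-09-19T12:48:55.262Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def classify_response(response_xml, expected_in_response_to, sp_entity_id, now):
    """Classify an already signature-verified Response (ElementTree checks nothing).

    "outcome" is "authenticated" (top-level Success), "registration_postponed"
    (Responder/UnknownPrincipal plus an email attribute) or "failed".
    Raises ValueError when the message is not for this SP or this request.
    """
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a saml2p:Response")
    # Bind the Response to a request this SP actually sent (replay/unsolicited guard).
    if root.get("InResponseTo") != expected_in_response_to:
        raise ValueError("InResponseTo does not match an outstanding AuthnRequest")

    top = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    top_code = top.get("Value") if top is not None else None
    sub = top.find(f"{{{SAMLP}}}StatusCode") if top is not None else None
    sub_code = sub.get("Value") if sub is not None else None

    name_id, attrs = None, {}
    assertion = root.find(f"{{{SAML}}}Assertion")
    if assertion is not None:
        cond = assertion.find(f"{{{SAML}}}Conditions")
        nb = cond.get("NotBefore") if cond is not None else None
        noa = cond.get("NotOnOrAfter") if cond is not None else None
        if nb is None or noa is None or not (parse_saml_time(nb) <= now < parse_saml_time(noa)):
            raise ValueError("assertion missing Conditions or outside its validity window")
        if sp_entity_id not in [a.text for a in cond.iter(f"{{{SAML}}}Audience")]:
            raise ValueError("assertion not addressed to this SP")
        nid = assertion.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
        name_id = nid.text if nid is not None else None
        for attr in assertion.iter(f"{{{SAML}}}Attribute"):
            attrs[attr.get("Name")] = [v.text for v in attr.findall(f"{{{SAML}}}AttributeValue")]

    result = {"status": (top_code, sub_code), "name_id": name_id, "attributes": attrs}
    if top_code == STATUS_SUCCESS:
        result["outcome"] = "authenticated"
    elif (top_code, sub_code) == (STATUS_RESPONDER, STATUS_UNKNOWN_PRINCIPAL) and attrs.get(EMAIL_ATTR):
        # Not a login: the user skipped registration. The address is whatever the
        # user typed, so store it as unverified and do not create a session.
        result["outcome"] = "registration_postponed"
        result["email"] = attrs[EMAIL_ATTR][0]
    else:
        result["outcome"] = "failed"
    return result


# Constructed sample modelled on the Response above (signature and
# SubjectConfirmation elided, placeholder email); not a captured message.
POSTPONED_RESPONSE = b"""<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0"
    ID="_d80dd0e0-0513-41e7-88ba-c1fbad3c0658" InResponseTo="a34638290c8a0igf26hib778ecd7a01"
    IssueInstant="2016-09-19T12:48:55.262Z"
    Destination="http://localhost:8080/spring-security-saml2-sample/saml/SSO">
  <saml2:Issuer>http://idp-core.dev.onegini.me:8989</saml2:Issuer>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal"/>
    </saml2p:StatusCode>
  </saml2p:Status>
  <saml2:Assertion ID="_bf00fe5c-079e-40f9-8ae1-f8613ac796a9" Version="2.0"
      IssueInstant="2016-09-19T12:48:55.262Z">
    <saml2:Issuer>http://idp-core.dev.onegini.me:8989</saml2:Issuer>
    <saml2:Subject><saml2:NameID>ad7dd884-6406-4376-bba6-dc65052a9360</saml2:NameID></saml2:Subject>
    <saml2:Conditions NotBefore="2016-09-19T12:48:55.262Z" NotOnOrAfter="2016-09-19T12:53:55.262Z">
      <saml2:AudienceRestriction><saml2:Audience>spring:security:saml</saml2:Audience></saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="urn:oid:0.9.2342.19200300.100.1.1" FriendlyName="uid">
        <saml2:AttributeValue>ad7dd884-6406-4376-bba6-dc65052a9360</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="1.2.840.113549.1.9.1" FriendlyName="email">
        <saml2:AttributeValue>user@example.com</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""

if __name__ == "__main__":
    now = parse_saml_time("2016-09-19T12:50:00.000Z")  # inside the sample's window
    print(classify_response(POSTPONED_RESPONSE, "a34638290c8a0igf26hib778ecd7a01",
                            "spring:security:saml", now))
```

On the sample the outcome is registration_postponed with the email attribute exposed separately; changing the secondary status code to anything other than UnknownPrincipal yields failed, and a mismatched InResponseTo or an expired Conditions window is rejected before any status is looked at.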