Optional Authentication

In Onegini IDP it is possible for the user to postpone registration by providing an email address for future use.

Request structure

To enable this functionality for the user, the SP must send a SAML AuthnRequest that includes custom, additional AuthnContext class references.

Custom AuthnContext types:

  • urn:com:onegini:saml:OptionalAuthentication shows the optional authentication form on the login screen
  • urn:com:onegini:saml:NoRegistration hides the registration link on the login form (when registration is enabled)

Example:

   <saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                        AssertionConsumerServiceURL="http://localhost:8080/spring-security-saml2-sample/saml/SSO"
                        Destination="http://idp-core.dev.onegini.me:8989/saml/single-sign-on"
                        ForceAuthn="false"
                        ID="af7ef0gch7ii2331868dh5jfg871e3"
                        IsPassive="false"
                        IssueInstant="2016-09-19T12:47:17.907Z"
                        ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                        Version="2.0"
                        >
       <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">spring:security:saml</saml2:Issuer>
       <saml2p:RequestedAuthnContext Comparison="exact">
           <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
           <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:com:onegini:saml:OptionalAuthentication</saml2:AuthnContextClassRef>
       </saml2p:RequestedAuthnContext>
   </saml2p:AuthnRequest>

Or, requesting both custom types:

   <saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                        AssertionConsumerServiceURL="http://localhost:8080/spring-security-saml2-sample/saml/SSO"
                        Destination="http://idp-core.dev.onegini.me:8989/saml/single-sign-on"
                        ForceAuthn="false"
                        ID="a34638290c8a0igf26hib778ecd7a01"
                        IsPassive="false"
                        IssueInstant="2016-09-19T12:48:22.037Z"
                        ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                        Version="2.0"
                        >
       <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">spring:security:saml</saml2:Issuer>
       <saml2p:RequestedAuthnContext Comparison="exact">
           <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
           <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:com:onegini:saml:OptionalAuthentication</saml2:AuthnContextClassRef>
           <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:com:onegini:saml:NoRegistration</saml2:AuthnContextClassRef>
       </saml2p:RequestedAuthnContext>
   </saml2p:AuthnRequest>
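The two requests above differ only in which custom class references the SP adds. The following Python builder is an added example (not Onegini's or Spring Security SAML's code) that produces an AuthnRequest of the documented shape from two flags, generates a fresh request ID (SAML IDs are xs:ID values, so it is prefixed with an underscore rather than starting with a digit) and returns that ID so the SP can later match it against the InResponseTo of the IDP's response. The entity IDs and URLs are taken from the examples on this page; the function and parameter names are assumptions.

```python
import uuid
from datetime import datetime, timezone
from xml.etree import ElementTree as ET

SAML2P = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
PASSWORD_CLASS = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
OPTIONAL_AUTHENTICATION = "urn:com:onegini:saml:OptionalAuthentication"
NO_REGISTRATION = "urn:com:onegini:saml:NoRegistration"

ET.register_namespace("saml2p", SAML2P)
ET.register_namespace("saml2", SAML2)


def new_request_id():
    # xs:ID must not start with a digit, so prefix the random part with "_".
    return "_" + uuid.uuid4().hex


def build_authn_request(sp_entity_id, acs_url, idp_sso_url,
                        optional_authentication=False, no_registration=False):
    """Return (request_id, xml_text). The SP stores request_id to validate InResponseTo later.
    Hypothetical helper; parameter names are this example's own."""
    request_id = new_request_id()
    issue_instant = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
    root = ET.Element(f"{{{SAML2P}}}AuthnRequest", {
        "AssertionConsumerServiceURL": acs_url,
        "Destination": idp_sso_url,
        "ForceAuthn": "false",
        "ID": request_id,
        "IsPassive": "false",
        "IssueInstant": issue_instant,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        "Version": "2.0",
    })
    ET.SubElement(root, f"{{{SAML2}}}Issuer").text = sp_entity_id
    context = ET.SubElement(root, f"{{{SAML2P}}}RequestedAuthnContext", {"Comparison": "exact"})
    # Password is always requested; the custom Onegini class refs are added per flag.
    class_refs = [PASSWORD_CLASS]
    if optional_authentication:
        class_refs.append(OPTIONAL_AUTHENTICATION)
    if no_registration:
        class_refs.append(NO_REGISTRATION)
    for ref in class_refs:
        ET.SubElement(context, f"{{{SAML2}}}AuthnContextClassRef").text = ref
    return request_id, ET.tostring(root, encoding="unicode")


def requested_class_refs(xml_text):
    """Parse the class refs back out of a request, in document order."""
    root = ET.fromstring(xml_text)
    return [e.text for e in root.iter(f"{{{SAML2}}}AuthnContextClassRef")]


if __name__ == "__main__":
    rid, xml = build_authn_request("spring:security:saml",
                                   "http://localhost:8080/spring-security-saml2-sample/saml/SSO",
                                   "http://idp-core.dev.onegini.me:8989/saml/single-sign-on",
                                   optional_authentication=True, no_registration=True)
    print(rid)
    print(xml)
```

Because Comparison="exact" is used, the IDP is asked for exactly the listed contexts; the builder therefore emits only the class references the SP has actually opted into.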

Onegini IDP Response

If the user chooses to skip registration and leaves an email address, Onegini IDP returns a SAML Response to the SP with the following properties:

  • A top-level status code urn:oasis:names:tc:SAML:2.0:status:Responder with the secondary status code urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal
  • An email attribute with OID 1.2.840.113549.1.9.1

Example:

   <saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                      Destination="http://localhost:8080/spring-security-saml2-sample/saml/SSO"
                      ID="_d80dd0e0-0513-41e7-88ba-c1fbad3c0658"
                      InResponseTo="a34638290c8a0igf26hib778ecd7a01"
                      IssueInstant="2016-09-19T12:48:55.262Z"
                      Version="2.0"
                      >
         <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                       Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
                       >http://idp-core.dev.onegini.me:8989</saml2:Issuer>
         <saml2p:Status>
             <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
                 <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal" />
             </saml2p:StatusCode>
         </saml2p:Status>
         <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                          ID="_bf00fe5c-079e-40f9-8ae1-f8613ac796a9"
                          IssueInstant="2016-09-19T12:48:55.262Z"
                          Version="2.0"
                          xmlns:xs="http://www.w3.org/2001/XMLSchema"
                          >
             <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://idp-core.dev.onegini.me:8989</saml2:Issuer>
             <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                ...
             </ds:Signature>
             <saml2:Subject>
                 <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
                               NameQualifier="http://idp-core.dev.onegini.me:8989"
                               SPNameQualifier="spring:security:saml"
                               >ad7dd884-6406-4376-bba6-dc65052a9360</saml2:NameID>
                 <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                   ...
                 </saml2:SubjectConfirmation>
             </saml2:Subject>
             <saml2:Conditions NotBefore="2016-09-19T12:48:55.262Z"
                               NotOnOrAfter="2016-09-19T12:53:55.262Z"
                               >
                 <saml2:AudienceRestriction>
                     <saml2:Audience>spring:security:saml</saml2:Audience>
                 </saml2:AudienceRestriction>
             </saml2:Conditions>
             <saml2:AttributeStatement>
                 <saml2:Attribute FriendlyName="uid"
                                  Name="urn:oid:0.9.2342.19200300.100.1.1"
                                  NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                                  >
                     <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                           xsi:type="xs:string"
                                           >ad7dd884-6406-4376-bba6-dc65052a9360</saml2:AttributeValue>
                 </saml2:Attribute>
                 <saml2:Attribute FriendlyName="email"
                                  Name="1.2.840.113549.1.9.1"
                                  NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                                  >
                     <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                           xsi:type="xs:string"
                                           >[email protected]</saml2:AttributeValue>
                 </saml2:Attribute>
             </saml2:AttributeStatement>
         </saml2:Assertion>
   </saml2p:Response>

If the user proceeds with login, a normal SAML response is returned.
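The SP therefore has to tell the two outcomes apart by status code: a Success response is a login, while the Responder/UnknownPrincipal response carries an email address but does not authenticate anyone, so it must never result in a session. The classifier below is an added example (not Onegini's or Spring Security SAML's code) that applies the checks an SP would run on the documented response shape: InResponseTo must match the request the SP issued, the assertion must name this SP as audience and be inside its validity window, and only then is the status branched on. The sample response is constructed from the shape shown above with the signature element omitted; a real SP relies on its SAML library to verify that signature before any of this logic runs. Function names and the email value are assumptions.

```python
from datetime import datetime, timezone
from xml.etree import ElementTree as ET

SAML2P = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
STATUS_UNKNOWN_PRINCIPAL = "urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal"
EMAIL_ATTRIBUTE_NAME = "1.2.840.113549.1.9.1"  # attribute Name used for the email, as documented

# Constructed sample, cut down from the documented Response shape. The ds:Signature is omitted;
# a real SP must have its SAML library verify it before this classification runs.
RESPONSE_TEMPLATE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_d80dd0e0-0513-41e7-88ba-c1fbad3c0658" InResponseTo="a34638290c8a0igf26hib778ecd7a01"
    IssueInstant="2016-09-19T12:48:55.262Z" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://idp-core.dev.onegini.me:8989</saml2:Issuer>
  __STATUS__
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_bf00fe5c-079e-40f9-8ae1-f8613ac796a9"
      IssueInstant="2016-09-19T12:48:55.262Z" Version="2.0">
    <saml2:Subject><saml2:NameID>ad7dd884-6406-4376-bba6-dc65052a9360</saml2:NameID></saml2:Subject>
    <saml2:Conditions NotBefore="2016-09-19T12:48:55.262Z" NotOnOrAfter="2016-09-19T12:53:55.262Z">
      <saml2:AudienceRestriction><saml2:Audience>spring:security:saml</saml2:Audience></saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AttributeStatement>
      <saml2:Attribute FriendlyName="uid" Name="urn:oid:0.9.2342.19200300.100.1.1">
        <saml2:AttributeValue>ad7dd884-6406-4376-bba6-dc65052a9360</saml2:AttributeValue>
      </saml2:Attribute>__EMAIL__
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""
UNKNOWN_PRINCIPAL_STATUS = """<saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal"/>
    </saml2p:StatusCode>
  </saml2p:Status>"""
SUCCESS_STATUS = '<saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>'
EMAIL_ATTRIBUTE = """
      <saml2:Attribute FriendlyName="email" Name="1.2.840.113549.1.9.1">
        <saml2:AttributeValue>user@example.com</saml2:AttributeValue>
      </saml2:Attribute>"""
SAMPLE_NOW = datetime(2016, 9, 19, 12, 50, tzinfo=timezone.utc)  # inside the sample's validity window


def sample_response(postponed):
    """Constructed sample: the UnknownPrincipal response with email, or a normal Success response."""
    status = UNKNOWN_PRINCIPAL_STATUS if postponed else SUCCESS_STATUS
    email = EMAIL_ATTRIBUTE if postponed else ""
    return RESPONSE_TEMPLATE.replace("__STATUS__", status).replace("__EMAIL__", email)


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def status_codes(root):
    """Return (top-level StatusCode value, nested StatusCode value or None)."""
    top = root.find(f"{{{SAML2P}}}Status/{{{SAML2P}}}StatusCode")
    sub = top.find(f"{{{SAML2P}}}StatusCode") if top is not None else None
    return (top.get("Value") if top is not None else None,
            sub.get("Value") if sub is not None else None)


def attribute_value(assertion, name):
    for attr in assertion.iter(f"{{{SAML2}}}Attribute"):
        if attr.get("Name") == name:
            value = attr.find(f"{{{SAML2}}}AttributeValue")
            return value.text if value is not None else None
    return None


def classify_response(xml_text, expected_in_response_to, sp_entity_id, now=None):
    """Return ("login", name_id), ("registration_postponed", email) or ("rejected", reason).
    The second outcome must not create a session: the user has not authenticated."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    # Correlation/replay check: the response must answer a request this SP actually sent.
    if root.get("InResponseTo") != expected_in_response_to:
        return ("rejected", "InResponseTo does not match an outstanding request")
    assertion = root.find(f"{{{SAML2}}}Assertion")
    if assertion is None:
        return ("rejected", "no assertion in response")
    if sp_entity_id not in [a.text for a in assertion.iter(f"{{{SAML2}}}Audience")]:
        return ("rejected", "assertion not addressed to this SP")
    cond = assertion.find(f"{{{SAML2}}}Conditions")
    if not (parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter"))):
        return ("rejected", "assertion outside its validity window")
    top, sub = status_codes(root)
    if top == STATUS_SUCCESS:
        return ("login", assertion.find(f"{{{SAML2}}}Subject/{{{SAML2}}}NameID").text)
    if top == STATUS_RESPONDER and sub == STATUS_UNKNOWN_PRINCIPAL:
        email = attribute_value(assertion, EMAIL_ATTRIBUTE_NAME)
        if not email:
            return ("rejected", "UnknownPrincipal response carries no email attribute")
        return ("registration_postponed", email)
    return ("rejected", f"unexpected status {top} / {sub}")
```

The order matters: the correlation, audience and time-window checks run before the status is consulted, so that a postponed-registration response is subject to the same freshness and targeting rules as a login, and the extracted email is only ever stored for the later registration flow, never used to identify a signed-in user.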