Optional Authentication
In Onegini IdP it is possible for the user to postpone registration by providing an email address for future use.
Request structure
To enable this functionality for the user, the SP creates a regular SAML AuthnRequest whose RequestedAuthnContext additionally lists the following custom AuthnContext class references:
- urn:com:onegini:saml:OptionalAuthentication shows the optional authentication form on the login screen
- urn:com:onegini:saml:NoRegistration hides the registration link on the login form (if registration is enabled)
Example:
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                     AssertionConsumerServiceURL="http://localhost:8080/spring-security-saml2-sample/saml/SSO"
                     Destination="http://idp-core.dev.onegini.me:8989/saml/single-sign-on"
                     ForceAuthn="false"
                     ID="af7ef0gch7ii2331868dh5jfg871e3"
                     IsPassive="false"
                     IssueInstant="2016-09-19T12:47:17.907Z"
                     ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                     Version="2.0"
                     >
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">spring:security:saml</saml2:Issuer>
    <saml2p:RequestedAuthnContext Comparison="exact">
        <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
        <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:com:onegini:saml:OptionalAuthentication</saml2:AuthnContextClassRef>
    </saml2p:RequestedAuthnContext>
</saml2p:AuthnRequest>
Or, with the registration link also hidden:
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                     AssertionConsumerServiceURL="http://localhost:8080/spring-security-saml2-sample/saml/SSO"
                     Destination="http://idp-core.dev.onegini.me:8989/saml/single-sign-on"
                     ForceAuthn="false"
                     ID="a34638290c8a0igf26hib778ecd7a01"
                     IsPassive="false"
                     IssueInstant="2016-09-19T12:48:22.037Z"
                     ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                     Version="2.0"
                     >
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">spring:security:saml</saml2:Issuer>
    <saml2p:RequestedAuthnContext Comparison="exact">
        <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
        <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:com:onegini:saml:OptionalAuthentication</saml2:AuthnContextClassRef>
        <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:com:onegini:saml:NoRegistration</saml2:AuthnContextClassRef>
    </saml2p:RequestedAuthnContext>
</saml2p:AuthnRequest>
Onegini IdP Response
If the user chooses to skip registration and leaves an email address, Onegini IdP returns to the SP a SAML Response with the following properties:
- Status code urn:oasis:names:tc:SAML:2.0:status:Responder with the secondary status code urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal
- An email attribute with OID 1.2.840.113549.1.9.1
Because the status is not Success, the SP must treat this Response as a postponed registration and not as a completed login.
Example:
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                 Destination="http://localhost:8080/spring-security-saml2-sample/saml/SSO"
                 ID="_d80dd0e0-0513-41e7-88ba-c1fbad3c0658"
                 InResponseTo="a34638290c8a0igf26hib778ecd7a01"
                 IssueInstant="2016-09-19T12:48:55.262Z"
                 Version="2.0"
                 >
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                  Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
                  >http://idp-core.dev.onegini.me:8989</saml2:Issuer>
    <saml2p:Status>
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
            <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal" />
        </saml2p:StatusCode>
        <saml2p:StatusMessage>...</saml2p:StatusMessage>
    </saml2p:Status>
    <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                     ID="_bf00fe5c-079e-40f9-8ae1-f8613ac796a9"
                     IssueInstant="2016-09-19T12:48:55.262Z"
                     Version="2.0"
                     xmlns:xs="http://www.w3.org/2001/XMLSchema"
                     >
        <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://idp-core.dev.onegini.me:8989</saml2:Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            ...
        </ds:Signature>
        <saml2:Subject>
            <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
                          NameQualifier="http://idp-core.dev.onegini.me:8989"
                          SPNameQualifier="spring:security:saml"
                          >ad7dd884-6406-4376-bba6-dc65052a9360</saml2:NameID>
            <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                ...
            </saml2:SubjectConfirmation>
        </saml2:Subject>
        <saml2:Conditions NotBefore="2016-09-19T12:48:55.262Z"
                          NotOnOrAfter="2016-09-19T12:53:55.262Z"
                          >
            <saml2:AudienceRestriction>
                <saml2:Audience>spring:security:saml</saml2:Audience>
            </saml2:AudienceRestriction>
        </saml2:Conditions>
        <saml2:AttributeStatement>
            <saml2:Attribute FriendlyName="uid"
                             Name="urn:oid:0.9.2342.19200300.100.1.1"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                             >
                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                      xsi:type="xs:string"
                                      >ad7dd884-6406-4376-bba6-dc65052a9360</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute FriendlyName="email"
                             Name="1.2.840.113549.1.9.1"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                             >
                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                      xsi:type="xs:string"
                                      >[email protected]</saml2:AttributeValue>
            </saml2:Attribute>
        </saml2:AttributeStatement>
    </saml2:Assertion>
</saml2p:Response>
If the user proceeds with the login instead, the normal SAML Response is returned.
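The request structure and the IdP response described above, as an added example that is not part of the original page and not Onegini's or Spring Security SAML's code: a Python SP-side helper that builds the AuthnRequest with the custom AuthnContextClassRef values and then classifies the Response that comes back. It rejects a Response whose InResponseTo, Audience or validity window does not match, maps the Responder/UnknownPrincipal status to a "registration postponed" outcome carrying the email attribute, and grants an "authenticated" outcome only on a Success status. The function names, the example URLs and the sample email address are assumptions; the sample Response is constructed after the one on this page with the signature omitted, so XML-DSig verification is assumed to have run before this code is called.

```python
# Added example (not Onegini's or Spring Security SAML's own code): SP-side helpers
# for the exchange on this page.  build_authn_request() emits an AuthnRequest carrying
# the custom Onegini AuthnContextClassRef values; classify_response() sorts the returned
# Response into "authenticated", "registration_postponed" or "rejected".  XML-DSig
# verification needs the IdP certificate and a signature library; assume it ran first.
import secrets
import xml.etree.ElementTree as ET   # production code: parse untrusted XML with defusedxml
from datetime import datetime, timezone

NS = {"saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
STATUS_UNKNOWN_PRINCIPAL = "urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal"
AC_PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
AC_OPTIONAL_AUTH = "urn:com:onegini:saml:OptionalAuthentication"
AC_NO_REGISTRATION = "urn:com:onegini:saml:NoRegistration"
EMAIL_ATTR_NAME = "1.2.840.113549.1.9.1"   # attribute Name the IdP uses for the email

def _parse_ts(value):
    """SAML UTC timestamp, with or without fractional seconds."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)

def build_authn_request(issuer, acs_url, destination, hide_registration=False):
    """Return (request_id, xml). Persist request_id to check InResponseTo later."""
    request_id = "_" + secrets.token_hex(16)       # xs:ID must not start with a digit
    issue_instant = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
    req = ET.Element("{%s}AuthnRequest" % NS["saml2p"], {
        "AssertionConsumerServiceURL": acs_url, "Destination": destination,
        "ForceAuthn": "false", "ID": request_id, "IsPassive": "false",
        "IssueInstant": issue_instant, "Version": "2.0",
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"})
    ET.SubElement(req, "{%s}Issuer" % NS["saml2"]).text = issuer
    rac = ET.SubElement(req, "{%s}RequestedAuthnContext" % NS["saml2p"], Comparison="exact")
    classes = [AC_PASSWORD, AC_OPTIONAL_AUTH] + ([AC_NO_REGISTRATION] if hide_registration else [])
    for cls in classes:
        ET.SubElement(rac, "{%s}AuthnContextClassRef" % NS["saml2"]).text = cls
    return request_id, ET.tostring(req, encoding="unicode")

def requested_class_refs(xml_text):
    """The AuthnContextClassRef values an AuthnRequest asks for, in order."""
    root = ET.fromstring(xml_text)
    return [e.text for e in root.iterfind("saml2p:RequestedAuthnContext/saml2:AuthnContextClassRef", NS)]

def classify_response(xml_text, expected_request_id, expected_audience, now_iso):
    """Only a Success status grants a session; Responder/UnknownPrincipal yields
    an email the user typed in, which nothing in this flow has verified yet."""
    root = ET.fromstring(xml_text)
    if root.get("InResponseTo") != expected_request_id:
        return {"outcome": "rejected", "reason": "InResponseTo does not match our request"}
    top = root.find("saml2p:Status/saml2p:StatusCode", NS)
    nested = top.find("saml2p:StatusCode", NS) if top is not None else None
    top_code = top.get("Value") if top is not None else None
    nested_code = nested.get("Value") if nested is not None else None
    assertion = root.find("saml2:Assertion", NS)
    cond = assertion.find("saml2:Conditions", NS) if assertion is not None else None
    if cond is None:
        return {"outcome": "rejected", "reason": "no assertion or no Conditions"}
    if cond.findtext("saml2:AudienceRestriction/saml2:Audience", namespaces=NS) != expected_audience:
        return {"outcome": "rejected", "reason": "audience mismatch"}
    now = _parse_ts(now_iso)
    if not (_parse_ts(cond.get("NotBefore")) <= now < _parse_ts(cond.get("NotOnOrAfter"))):
        return {"outcome": "rejected", "reason": "assertion outside its validity window"}
    attrs = {a.get("Name"): a.findtext("saml2:AttributeValue", namespaces=NS)
             for a in assertion.iterfind("saml2:AttributeStatement/saml2:Attribute", NS)}
    subject = assertion.findtext("saml2:Subject/saml2:NameID", namespaces=NS)
    if top_code == STATUS_RESPONDER and nested_code == STATUS_UNKNOWN_PRINCIPAL:
        return {"outcome": "registration_postponed", "subject": subject, "email": attrs.get(EMAIL_ATTR_NAME)}
    if top_code == STATUS_SUCCESS:
        return {"outcome": "authenticated", "subject": subject, "attributes": attrs}
    return {"outcome": "rejected", "reason": "unexpected status %s / %s" % (top_code, nested_code)}

# Constructed sample modelled on the Response shown on this page (signature,
# SubjectConfirmation and uid attribute omitted; the email address is made up).
SAMPLE_POSTPONED_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_d80dd0e0-0513-41e7-88ba-c1fbad3c0658"
    InResponseTo="a34638290c8a0igf26hib778ecd7a01" IssueInstant="2016-09-19T12:48:55.262Z" Version="2.0">
  <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal"/></saml2p:StatusCode></saml2p:Status>
  <saml2:Assertion ID="_bf00fe5c-079e-40f9-8ae1-f8613ac796a9" IssueInstant="2016-09-19T12:48:55.262Z" Version="2.0">
    <saml2:Subject><saml2:NameID>ad7dd884-6406-4376-bba6-dc65052a9360</saml2:NameID></saml2:Subject>
    <saml2:Conditions NotBefore="2016-09-19T12:48:55.262Z" NotOnOrAfter="2016-09-19T12:53:55.262Z">
      <saml2:AudienceRestriction><saml2:Audience>spring:security:saml</saml2:Audience></saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="1.2.840.113549.1.9.1"><saml2:AttributeValue>postponed.user@example.com</saml2:AttributeValue></saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""

if __name__ == "__main__":
    print(classify_response(SAMPLE_POSTPONED_RESPONSE, "a34638290c8a0igf26hib778ecd7a01",
                            "spring:security:saml", "2016-09-19T12:49:00Z"))
```

The email returned for a postponed registration is whatever the user typed into the optional authentication form; nothing in this exchange has verified it, so the SP should use it only to start its own follow-up (for example a verification message), never to look up or link an existing account.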