202 lines
9.6 KiB
Plaintext
202 lines
9.6 KiB
Plaintext
Single Sign-On and Federation
|
|
SP
|
|
/login (* url not normative *)
|
|
login = lasso_login_new(server)
|
|
lasso_login_init_authn_request(login, idpProviderId, method)
|
|
# method is one of:
|
|
# - LASSO_HTTP_METHOD_REDIRECT
|
|
# - LASSO_HTTP_METHOD_POST
|
|
|
|
request = LASSO_LIB_AUTHN_REQUEST(LASSO_PROFILE(login)->request)
|
|
|
|
request->NameIDPolicy = strdup(policy)
|
|
# policy is one of:
|
|
# - LASSO_LIB_NAMEID_POLICY_TYPE_FEDERATED (for SSO and federation)
|
|
# - LASSO_LIB_NAMEID_POLICY_TYPE_NONE (for SSO only)
|
|
# - LASSO_LIB_NAMEID_POLICY_TYPE_ONE_TIME (anonymous SSO)
|
|
# - LASSO_LIB_NAMEID_POLICY_TYPE_ANY (Tries FEDERATED otherwise ONE_TIME)
|
|
request->ForceAuthn = TRUE;
|
|
request->IsPassive = FALSE;
|
|
request->ProtocolProfile = strdup(protocol_profile);
|
|
# protocol_profile is one of:
|
|
# - LASSO_LIB_PROTOCOL_PROFILE_BRWS_ART;
|
|
# - LASSO_LIB_PROTOCOL_PROFILE_BRWS_POST;
|
|
request->consent = strdup(consent);
|
|
# consent is one of:
|
|
# - LASSO_LIB_CONSENT_OBTAINED
|
|
# - LASSO_LIB_CONSENT_OBTAINED_PRIOR
|
|
# - LASSO_LIB_CONSENT_OBTAINED_CURRENT_IMPLICIT
|
|
# - LASSO_LIB_CONSENT_OBTAINED_CURRENT_EXPLICIT
|
|
# - LASSO_LIB_CONSENT_UNAVAILABLE
|
|
# - LASSO_LIB_CONSENT_INAPPLICABLE
|
|
|
|
lasso_login_build_authn_request_msg(login)
|
|
|
|
IF method == REDIRECT
|
|
REDIRECT TO LASSO_PROFILE(login)->msg_url
|
|
|
|
IF method == POST
|
|
DISPLAY HTML FORM
|
|
<body onload="document.forms[0].submit()">
|
|
<form action="** LASSO_PROFILE(login)->msg_url **" method="post">
|
|
<input type="hidden" name="LAREQ"
|
|
value="** LASSO_PROFILE(login)->msg_body **"/>
|
|
</form>
|
|
</body>
|
|
|
|
|
|
IdP
|
|
/singleSignOn (* normative, Single Sign On service URL *)
|
|
login = lasso_login_new(server)
|
|
lasso_profile_set_identity_from_dump(LASSO_PROFILE(login), identity_dump)
|
|
lasso_profile_set_session_from_dump(LASSO_PROFILE(login), session_dump)
|
|
IF METHOD IS GET
|
|
IF lasso_profile_is_liberty_query(/query string/)
|
|
authn_request_msg = /query string/
|
|
ELSE
|
|
# The single sign-on service URL has been accessed directly by the user, so
|
|
# proceed to an IDP initiated SSO.
|
|
# First ask the user the SP for which he wants to proceed to sign-on.
|
|
lasso_login_init_idp_initiated_authn_request(serviceProviderId)
|
|
ELSE (METHOD IS POST)
|
|
authn_request_msg = /form submitted LAREQ field/
|
|
|
|
IF authn_request_msg:
|
|
lasso_login_process_authn_request_msg(login, authn_request_msg)
|
|
|
|
IF lasso_login_must_authenticate(login)
|
|
# proceed to authentication
|
|
# may serialize login object now: lasso_login_dump(login)
|
|
|
|
# (...)
|
|
|
|
# may be coming back from another function; another url
|
|
# unserialize with lasso_login_new_from_dump(dump)
|
|
userAuthenticated = TRUE # or FALSE if authentication failed
|
|
ELSE
|
|
userAuthenticated = TRUE
|
|
# or FALSE if it was not authenticated previously
|
|
|
|
consentObtained = FALSE
|
|
IF userAuthenticated
|
|
IF lasso_login_must_ask_for_consent(login)
|
|
# ask user if he consents to federation
|
|
# may serialize login object now: lasso_login_dump(login)
|
|
|
|
# (...)
|
|
|
|
# may be coming back from another function; another url
|
|
# unserialize with lasso_login_new_from_dump(dump)
|
|
consentObtained = TRUE # or FALSE if user didn't give its consent
|
|
|
|
IF lasso_login_validate_request_msg(login, userAuthenticated, consentObtained) == 0:
|
|
# build and fill assertion
|
|
lasso_login_build_assertion(login, authenticationMethod,
|
|
authenticationInstant, reauthenticationTime
|
|
assertionIsNotBefore, assertionIsNotOnOrAfter)
|
|
# any other change to the assertion can take place here
|
|
|
|
IF login->protocolProfile IS LASSO_LOGIN_PROTOCOL_PROFILE_BRWS_ART
|
|
lasso_login_build_artifact_msg(login, LASSO_HTTP_METHOD_REDIRECT)
|
|
ELSE # IF login->protocolProfile IS lassoLoginProtocolProfileBrwsPost
|
|
lasso_login_build_authn_response_msg(login)
|
|
|
|
# map LASSO_PROFILE(login)->nameIdentifier to user and session
|
|
# (write this down in a database)
|
|
|
|
IF lasso_profile_is_identity_dirty(LASSO_PROFILE(login))
|
|
identity = lasso_profile_get_identity(LASSO_PROFILE(login))
|
|
# save identity;
|
|
# serialization with lasso_identity_dump(identity)
|
|
|
|
IF lasso_profile_is_session_dirty(LASSO_PROFILE(login))
|
|
session = lasso_profile_get_session(LASSO_PROFILE(login))
|
|
# save session;
|
|
# serialization with lasso_session_dump(session)
|
|
|
|
IF login->protocolProfile IS lassoLoginProtocolProfileBrwsArt
|
|
# map assertionArtifact to login.remote_providerID and web session
|
|
# FIXME : artifact can be either Redirect or POST
|
|
REDIRECT TO LASSO_PROFILE(login)->msg_url
|
|
|
|
ELSE # IF login->protocolProfile IS lassoLoginProtocolProfileBrwsPost
|
|
DISPLAY HTML FORM
|
|
<body onload="document.forms[0].submit()">
|
|
<form action="** LASSO_PROFILE(login)->msg_url **" method="post">
|
|
<input type="hidden" name="LARES"
|
|
value="** LASSO_PROFILE(login)->msg_body **"/>
|
|
</form>
|
|
</body>
|
|
|
|
|
|
SP
|
|
/assertionConsumer (* normative, assertion consumer service URL *)
|
|
login = lasso_login_new(server)
|
|
IF METHOD IS GET OR SUBMITTED FORM HAS LAREQ FIELD
|
|
IF METHOD IS GET
|
|
artifact_msg = /query string/
|
|
relayState = /query string, RelayState var/
|
|
method = LASSO_HTTP_METHOD_REDIRECT
|
|
ELSE # IF METHOD IS POST
|
|
artifact_msg = /form submitted LAREQ field/
|
|
relayState = /form submitted RelayState field/
|
|
method = LASSO_HTTP_METHOD_POST
|
|
|
|
lasso_login_init_request(login, artifact_msg, method)
|
|
lasso_login_build_request_msg(login)
|
|
|
|
SOAP CALL ---------------------------------------------------------\
|
|
TO LASSO_PROFILE(login)->msg_url |
|
|
BODY LASSO_PROFILE(login)->msg_body
|
|
|
|
lasso_login_process_response_msg(login, soap_answer_message)
|
|
|
|
ELSE IF SUBMITTED FORM HAS LARES FIELD
|
|
response_msg = /form submitted LARES field/
|
|
lasso_login_process_authn_response_msg(login, response_msg)
|
|
relayState = LASSO_PROFILE(login)->msg_RelayState
|
|
|
|
nameIdentifier = LASSO_PROFILE(login)->nameIdentifier
|
|
|
|
IF known nameIdentifier
|
|
# GET BACK identity_dump and session_dump
|
|
# First retrieve session and user by nameIdentifier
|
|
lasso_profile_set_identity_from_dump(LASSO_PROFILE(login), identity_dump)
|
|
lasso_profile_set_session_from_dump(LASSO_PROFILE(login), session_dump)
|
|
|
|
lasso_login_accept_sso(login)
|
|
|
|
IF lasso_profile_is_identity_dirty(LASSO_PROFILE(login))
|
|
identity = lasso_profile_get_identity(LASSO_PROFILE(login))
|
|
# save identity;
|
|
# serialization with lasso_identity_dump(identity)
|
|
|
|
IF lasso_profile_is_session_dirty(LASSO_PROFILE(login))
|
|
session = lasso_profile_get_session(LASSO_PROFILE(login))
|
|
# save session;
|
|
# serialization with lasso_session_dump(session)
|
|
|
|
IF nameIdentifier was not known:
|
|
# if the user was not yet logged on SP before SSO, it is a good place to ask the
|
|
# user to register on SP, to create a web session and store lasso_session_dump in
|
|
# it, and to create or retrieve user account and store lasso_identity_dump there.
|
|
|
|
REDIRECT anywhere # SSO is finished
|
|
|
|
|
|
IdP |
|
|
/soapEndPoint (* normative, SOAP endpoint *) <----/
|
|
soap_msg # is the received SOAP message body
|
|
request_type = lasso_profile_get_request_type_from_soap_msg(soap_msg);
|
|
|
|
IF request_type IS lassoRequestTypeLogin
|
|
login = lasso_login_new(server);
|
|
lasso_login_process_request_msg(login, soap_msg);
|
|
# Retrieve remote_providerID and web session using login->assertionArtifact
|
|
# and then remove them.
|
|
# Retrieve session_dump stored in session.
|
|
lasso_profile_set_session_from_dump(LASSO_PROFILE(login), session_dump)
|
|
lasso_login_build_response_msg(login, remote_providerID)
|
|
ANSWER SOAP REQUEST WITH: LASSO_PROFILE(login)->msg_body
|
|
|