pp108 : Usage of SAML Artifacts Between Browser and Web Server

This topic describes the usage of SAML artifacts between the browser and the Web server.


Process Platform can be configured to work with SAML artifacts for authentication.

SAML artifacts are similar to SAML assertions, that is, both are used to authenticate users in Process Platform. For information on SAML assertions, refer to SAML. SAML artifacts can be found within SAML assertions. A SAML assertion is a set of XML tags signed with a certificate, whereas a SAML artifact is a string of 40 bytes, of which 20 bytes contain source identifier information and the remaining 20 bytes are random. A SAML artifact is related to a SAML assertion on a one-to-one basis, that is, for every SAML artifact there is exactly one corresponding SAML assertion. SAML artifacts are short-lived in comparison to SAML assertions.

SAML Artifacts within Process Platform


Let us consider an example where a service group is accessed to process a request. The first time, the service group is accessed using the 'Anonymous user' identity type. The Process Platform framework sends an HTTP request to the service group through the Web gateway. If the service group is not accessible to an anonymous user, the service group does not recognize the identity of the sender. The request therefore fails and the Process Platform framework is notified. The Process Platform framework now sends the user's name and password in SAML to Single Sign-On (SSO).

SSO assigns an artifact ID to the SAML assertion and sends the artifact ID to the Process Platform framework. The artifact ID is cached at the Process Platform framework. SSO maintains a register of SAML assertions and their associated artifact ID(s).

The HTTP request containing the artifact ID is sent to the gateway. The gateway at this point cannot recognize the artifact ID. Therefore, the gateway sends the request to SSO to resolve the artifact ID. SSO looks up the artifact ID in its register and sends the SAML assertion to the gateway. On receiving the artifact ID and the SAML assertion, the gateway caches the pair. The HTTP request is then forwarded to the appropriate service group with the SAML assertion as part of the SOAP request. The service group processes the request and sends the response back to the Process Platform framework through the gateway.

All requests from this point are sent to the service group as the artifact information is cached.
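As an added illustration of the artifact structure and of the SSO register described above (example code written for this page, not Process Platform code), the following Python models a 40-byte artifact (20-byte source identifier plus 20 random bytes) and a register that resolves an artifact to its assertion only once, only while it is still fresh, and only when it was issued by this source. The issuer name, the 30-second lifetime and the assertion strings are assumed values.

```python
import base64
import hashlib
import os
import time

# Layout described in the text: 20-byte source identifier + 20 random bytes = 40 bytes.
SOURCE_ID_LEN = 20
HANDLE_LEN = 20
ARTIFACT_LEN = SOURCE_ID_LEN + HANDLE_LEN

def source_id_for(issuer):
    """Derive a 20-byte source identifier from the issuer name (SHA-1 digest, assumed here)."""
    return hashlib.sha1(issuer.encode("utf-8")).digest()

def new_artifact(source_id):
    """Build a 40-byte artifact: source identifier followed by 20 fresh random bytes."""
    if len(source_id) != SOURCE_ID_LEN:
        raise ValueError("source id must be %d bytes" % SOURCE_ID_LEN)
    return source_id + os.urandom(HANDLE_LEN)

def decode_artifact(artifact_b64):
    """Decode the base64 form the browser carries; reject anything that is not exactly 40 bytes."""
    art = base64.b64decode(artifact_b64, validate=True)   # raises ValueError on bad base64
    if len(art) != ARTIFACT_LEN:
        raise ValueError("artifact must be %d bytes" % ARTIFACT_LEN)
    return art

class ArtifactRegister:
    """SSO-side register mapping each artifact to its assertion (short-lived, single resolution)."""
    def __init__(self, source_id, ttl_seconds=30.0, clock=time.monotonic):
        self.source_id = source_id
        self.ttl = ttl_seconds
        self.clock = clock             # injectable for testing expiry
        self._entries = {}             # artifact bytes -> (assertion_xml, expiry)

    def issue(self, assertion_xml):
        """Register an assertion and return the base64 artifact to hand to the client."""
        art = new_artifact(self.source_id)
        self._entries[art] = (assertion_xml, self.clock() + self.ttl)
        return base64.b64encode(art).decode("ascii")

    def resolve(self, artifact_b64):
        """Return the assertion for a valid artifact, or None for malformed, foreign, expired or reused ones."""
        try:
            art = decode_artifact(artifact_b64)
        except ValueError:
            return None
        if art[:SOURCE_ID_LEN] != self.source_id:     # issued by a different source
            return None
        entry = self._entries.pop(art, None)          # pop: an artifact resolves at most once
        if entry is None or self.clock() > entry[1]:  # unknown, already used, or past its lifetime
            return None
        return entry[0]
```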

Using SAML Artifacts in Applications


Process Platform supports two ways of using SAML artifacts. When the user authenticates, the client application retrieves a SAML assertion. Part of the SAML assertion is the SAML artifact, which the SSO client-side component stores in the Web browser. The Web gateway caches the SAML artifact so that it can be mapped back to the SAML assertion.

A client application can pass a SAML artifact in either of the following ways:

  • As a URL parameter - When the SAML artifact is used as a URL parameter, the SOAP request does not contain any SAML-related details: there is no SAML assertion in the SOAP header, so the SOAP requests resemble the ones that are sent with Web server authentication.
  • In an HTTP header variable

In the back-end, the Identity Framework checks which authentication option was used. When a SAML artifact is used, the Web gateway maps it to a SAML assertion. The SAML assertion is used to determine the user context, since the user identity is part of the SAML assertion.
For information on using SAML artifacts in your applications, refer to Using SAML Artifacts.

Retrieving SAML Assertions using SAML Artifacts


You can retrieve a SAML assertion from the Process Platform back-end using its corresponding SAML artifact.
The following SOAP request can be sent to the Process Platform Web Gateway to retrieve the SAML assertion for a SAML artifact (the artifact value is a placeholder to be replaced with the actual artifact string):

    <SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/">
        <SOAP:Body>
            <samlp:Request MajorVersion="1" MinorVersion="1" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol">
                <!-- The AssertionArtifact element carries the artifact string the client received;
                     ARTIFACT_VALUE_PLACEHOLDER stands in for the actual value -->
                <samlp:AssertionArtifact>ARTIFACT_VALUE_PLACEHOLDER</samlp:AssertionArtifact>
            </samlp:Request>
        </SOAP:Body>
    </SOAP:Envelope>
    

The SAML assertion that is returned can be used in the SOAP header.
SAML artifacts can be used when SAML assertions are too big to be sent. SAML artifacts are also used when only HTTP GET requests are possible, for example with Process Platform XForms. In this case the SAML artifact must be passed either as a URL parameter or in a session cookie. Otherwise, SAML assertions can be used directly, for example in the BusDataIsland from the Process Platform Ajax toolkit.