How does the "InResponseTo" Attribute in SAMLResponse impact the Federation flows ?

book

Article ID: 37757

calendar_today

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder) AXIOMATICS POLICY SERVER CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On

Issue/Introduction

Question:


During a Federation transaction, what makes Siteminder decide if we are in a SP or IDP initiated transaction ? What is used to redirect to the original protected target at the SP ?

Answer:


If you have the InResponseTo attribute in your response, Siteminder will decide if you are in a SP or IDP initated transaction. InResponseTo value means the SAMLRequest from SP had that value and IDP is sending a response to that request.

InResponseTo attribute present: SP initated
InResponseTo attribute not here: IDP initated

 

Example:


with InResponseTo:

[SAMLResponse: <Response Destination="http://sp.ur.com/affwebservices/public/saml2assertionconsumer" ID="_7b62a9c67881d75371d48d0480dee8f69008" InResponseTo="_b72caeb3612016665f851a5738e5062e491b" IssueInstant="2016-01-21T08:27:33Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:protocol">
    <ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">IDP_FH</ns1:Issuer>
    <Status>
        <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </Status>
    <ns2:Assertion ID="_349222fa33e3482bad2845d08c5a6c3fb5a6" IssueInstant="2016-01-21T08:27:33Z" Version="2.0" xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion">
        <ns2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">IDP_FH</ns2:Issuer>
        <ns2:Subject>
            <ns2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">Robm</ns2:NameID>
            <ns2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <ns2:SubjectConfirmationData InResponseTo="_b72caeb3612016665f851a5738e5062e491b" NotOnOrAfter="2016-01-21T08:29:02Z" Recipient="http://sp.ur.com/affwebservices/public/saml2assertionconsumer"/>
            </ns2:SubjectConfirmation>
        </ns2:Subject>
        <ns2:Conditions NotBefore="2016-01-21T08:27:02Z" NotOnOrAfter="2016-01-21T08:29:02Z">
            <ns2:AudienceRestriction>
                <ns2:Audience>SP_FH</ns2:Audience>
            </ns2:AudienceRestriction>
            <ns2:AudienceRestriction>
                <ns2:Audience>audience</ns2:Audience>
            </ns2:AudienceRestriction>
        </ns2:Conditions>
        <ns2:AuthnStatement AuthnInstant="2016-01-21T08:27:31Z" SessionIndex="+G2RCE3VutdIHKqhVe2ROm4qVRI=9q589Q==" SessionNotOnOrAfter="2016-01-21T08:29:02Z">
            <ns2:AuthnContext>
                <ns2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</ns2:AuthnContextClassRef>
            </ns2:AuthnContext>
        </ns2:AuthnStatement>
    </ns2:Assertion>
</Response>]

without InResponseTo:


--------------------
[SAMLResponse: <Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://xxxx.yyyy.com/FWS/affwebservices/public/saml2assertionconsumer" ID="_81631e887197a8de1d68efee38ff1993d990" IssueInstant="2016-01-08T12:26:00Z" Version="2.0">
  <ns1:Issuer xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">IDP_FH</ns1:Issuer>
  <Status>
      <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </Status>
  <ns2:Assertion xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_9819170bc4a45b3f979838ed999dcec61288" IssueInstant="2016-01-08T12:26:00Z" Version="2.0">
      <ns2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">IDP_FH</ns2:Issuer>
      <ns2:Subject>
          <ns2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">Robm</ns2:NameID>
          <ns2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
              <ns2:SubjectConfirmationData NotOnOrAfter="2016-01-08T12:31:00Z" Recipient="https://xxxx.yyyy.com/FWS/affwebservices/public/saml2assertionconsumer"/>
          </ns2:SubjectConfirmation>
      </ns2:Subject>
      <ns2:Conditions NotBefore="2016-01-08T12:26:00Z" NotOnOrAfter="2016-01-08T12:31:00Z">
          <ns2:AudienceRestriction>
              <ns2:Audience>SP_FH</ns2:Audience>
          </ns2:AudienceRestriction>
      </ns2:Conditions>
      <ns2:AuthnStatement AuthnInstant="2016-01-08T12:26:00Z" SessionIndex="sJZIc1HQv0Lejh6HqGjlvrcv4Ro=rPTt2Q==" SessionNotOnOrAfter="2016-01-08T12:31:00Z">
        <ns2:AuthnContext>
          <ns2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</ns2:AuthnContextClassRef>
        </ns2:AuthnContext>
      </ns2:AuthnStatement>
    </ns2:Assertion>
</Response>]


SP initiated transaction : we will use the SMFED_TEMPORARY_STATE cookie for the RelayState
IDP initiated transaction : we will use the RelayState present in the URL to redirect


Additional information:


https://docops.ca.com/ca-single-sign-on-12-52-sp1/en/implementing/implementing-federation-in-your-enterprise

Environment

Release:
Component: SMFSS